Updated on 2024-12-24 GMT+08:00

Using ELB and CNAD Advanced to Improve the DDoS Protection Capabilities of ECSs

Application Scenarios

CNAD Advanced enhances the DDoS protection capabilities of cloud services, such as Elastic Cloud Server (ECS) and Elastic Load Balance (ELB), ensuring service security.

You can deploy ELB and connect its public IP address to CNAD Advanced to significantly improve defense against various types of DDoS attacks.

Architecture

When your website services are deployed on HUAWEI CLOUD ECSs, you can combine CNAD Advanced with ELB to protect them. Deploy a load balancer in front of the origin ECSs, and add the EIP of the load balancer to the CNAD Advanced instance to improve the anti-DDoS capability of the ECSs.

Figure 1 Using CNAD Advanced in combination with ELB

Advantages

Compared with enabling CNAD Advanced for ECSs directly, combining CNAD Advanced with Elastic Load Balance (ELB) lets the load balancer discard traffic for protocols and ports that it is not listening on. This strengthens defense against various DDoS attacks (including reflection attacks such as SSDP, NTP, and Memcached, as well as UDP flood and SYN flood attacks), significantly improving the DDoS protection capability of ECSs and the security and reliability of user services.

Limitations and Constraints

ELB must be deployed in regions where CNAD Advanced instances can be purchased, for example, CN North-Beijing4.

Resource and Cost Planning

| Resource | Description | Quantity | Cost |
| --- | --- | --- | --- |
| ELB | Distributes access traffic to backend ECSs to mitigate single points of failure (SPOFs) caused by DDoS attacks. | 1 | For details, see Billing Overview. |
| CNAD Advanced | Public IP addresses used to connect to the ELB for DDoS attack defense. | 1 | For details about CNAD Advanced billing modes and standards, see Billing Overview. |

Procedure

  1. Create a load balancer. For details, see Creating a Shared Load Balancer.

    Table 1 Parameter description

    | Parameter | Description |
    | --- | --- |
    | Region | Select the region where the ECS is located. |
    | EIP | Select Automatically assign. |
    | Line | Select Dynamic BGP. |

  2. Obtain the public IP address of the created load balancer, as shown in Figure 2.

    Figure 2 Public IP address of the ELB instance

  3. Buy a CNAD Advanced instance in the same region as the ECS.
  4. In the navigation pane on the left, choose Cloud Native Anti-DDoS Advanced > Instances. The Instances page is displayed.

    Figure 3 Instance list

  5. In the upper right corner of the target instance box, click Add Protected Object.
  6. In the Add Protected Object dialog box that is displayed, select the elastic IP address of the load balancer obtained in step 2 and click OK.

    After adding protected objects, you can configure protection policies for them. Cloud Native Anti-DDoS Advanced provides unlimited protection against DDoS attacks for ECSs. When a DDoS attack occurs, traffic scrubbing is automatically triggered.

    For details about how to configure a protection policy, see Adding a Protection Policy.
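
The following check is an added example, not part of the original documentation or any Huawei Cloud tooling: it audits a hand-built inventory for the setup described on this page, confirming that each load balancer EIP is a CNAD Advanced protected object and showing which sample flows match a listener. The inventory layout, field names, addresses and the rule that an ECS with its own EIP bypasses the load balancer are assumptions made for illustration.

```python
# Added example: audit a constructed inventory of the ELB + CNAD Advanced setup.
# Field names and addresses are hypothetical, not a Huawei Cloud export format.
INVENTORY = {
    "load_balancers": [
        {"name": "elb-web", "eip": "203.0.113.10", "listeners": [("TCP", 80), ("TCP", 443)]},
        {"name": "elb-api", "eip": "203.0.113.20", "listeners": [("TCP", 8443)]},
    ],
    "cnad_protected_ips": ["203.0.113.10"],
    "ecs": [{"name": "ecs-web-1", "eip": None},
            {"name": "ecs-web-2", "eip": "203.0.113.99"}],
}

# Constructed flows aimed at elb-web: (protocol, destination port, label).
SAMPLE_FLOWS = [
    ("TCP", 443, "HTTPS request"),
    ("UDP", 1900, "SSDP reflection"),
    ("UDP", 123, "NTP reflection"),
    ("UDP", 11211, "Memcached reflection"),
    ("TCP", 22, "SYN to TCP/22"),
]


def audit(inv):
    """Return findings for gaps in the ELB + CNAD Advanced deployment."""
    findings = []
    protected = set(inv["cnad_protected_ips"])
    for lb in inv["load_balancers"]:
        if lb["eip"] not in protected:
            findings.append(f"{lb['name']}: EIP {lb['eip']} is not a CNAD protected object")
    for ecs in inv["ecs"]:
        # Assumption: an EIP bound to an ECS is reachable without passing the ELB.
        if ecs["eip"]:
            findings.append(f"{ecs['name']}: own EIP {ecs['eip']} bypasses the load balancer")
    return findings


def classify_flows(lb, flows):
    """Split flows into those matching a listener and those with no listener."""
    listeners = set(lb["listeners"])
    result = {"forwarded": [], "discarded": []}
    for proto, port, label in flows:
        key = "forwarded" if (proto, port) in listeners else "discarded"
        result[key].append(label)
    return result


if __name__ == "__main__":
    print("\n".join(audit(INVENTORY)))
    print(classify_flows(INVENTORY["load_balancers"][0], SAMPLE_FLOWS))
```

Flows that match a listener still reach the backend ECSs, so floods against listened ports are left to the CNAD Advanced protection policy.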