Updated on 2024-10-09 GMT+08:00

Best Practices of Tiered DDoS Scheduling

If you enabled auto AAD (joint protection) when purchasing the CNAD Advanced Unlimited Protection Basic edition, you can configure a tiered scheduling policy that automatically engages AAD for the cloud resources protected by that CNAD Advanced instance.

After tiered scheduling is configured, the system engages AAD for the Huawei Cloud resources protected by CNAD Advanced when an attack occurs: service traffic is redirected to AAD and forwarded through its high-defense IP addresses. Figure 1 shows the working principle of tiered DDoS scheduling.

  • CNAD Advanced provides the first tier of protection. When a DDoS attack is detected, traffic scrubbing starts automatically on the protected EIP.
  • When an attack is heavy enough that the protected EIP would otherwise be blocked, the scheduling CNAME is switched to the AAD CNAME so that traffic is diverted to AAD for scrubbing, keeping important services reachable.
Figure 1 Working principle of DDoS tiered scheduling

This section uses the www.example.com domain name used by a website service as an example to describe how to configure tiered scheduling.

Constraints

  • CNAD Advanced protects only EIPs in the region where the CNAD Advanced instance was purchased.
  • The protected domain name (www.example.com) is deployed on Huawei Cloud in a region that supports CNAD Advanced instances (for example, CN North-Beijing4).
  • The protected domain name (www.example.com) is not connected to WAF.

Prerequisites

  • You have purchased CNAD Advanced and enabled joint protection.
  • You have obtained the public IP address of the origin server for the domain name www.example.com.
  • If the domain name (www.example.com) to be protected is not deployed in the CN East-Shanghai1 region, a standby public IP address is available in the region where the domain name is located.
  • You have purchased a CNAD instance.

    Region: Select the region where the domain name (www.example.com) is deployed, for example, CN North-Beijing4.

  • You have purchased an AAD instance.

Procedure

  1. Log in to the management console.
  2. Add a protected object.

    1. Go to the CNAD Advanced instance list page.
    2. In the upper right corner of the target instance box, click Add Protected Object.
    3. In the Add Protected Object dialog box that is displayed, select the public IP address of the origin server for the protected domain name www.example.com and click OK.

  3. Create a protection policy.

    1. Go to the Protection Policies page.
    2. Click Create Protection Policy.
    3. In the displayed dialog box, set the policy name, select an instance, and click OK.

  4. In the row containing the policy created in step 3, click Set Policy in the Operation column.

    For details about how to configure a protection policy, see Configuring a Protection Policy.

  5. Connect the protected domain name (www.example.com) to AAD.

    1. Go to the AAD domain name list.
    2. Click Add Domain Name.
    3. Enter the domain name information, as shown in Figure 2. Click Next.
      Figure 2 Configuring a website domain

      When Origin Server Type is set to Origin Server IP Address, note that:

      • For a protected domain name in the CN East-Shanghai1 region: Set Origin Server IP Address to the public IP of the domain's origin server.
      • For a protected domain name not in the CN East-Shanghai1 region: Set Origin Server IP Address to the standby public IP address that is in the same network segment as the protected domain name.
    4. Select the instance and line from the AAD instance list and click Submit and Continue.
    5. Click Next, and then click Finish.
      Connect the domain name to AAD and obtain the CNAME value (12b6003fd3c2e618.huaweisafedns.com), as shown in Figure 3.
      Figure 3 Connecting a domain name to AAD

  6. Configure tiered scheduling rules.

    1. Go to the tiered scheduling page.
    2. In the upper left corner of the tiered scheduling list, click Create Rule.
    3. In the Create Rule dialog box, configure a scheduling rule and click OK.
      • Group Scheduling: Select the cloud resources of the protected object in CNAD Advanced.
      • AAD CNAME: Enter the CNAME value obtained in step 5.5 (in this example, 12b6003fd3c2e618.huaweisafedns.com).

      After the rule is configured, obtain the Scheduling CNAME value, as shown in Figure 4.

      Figure 4 Obtaining the Scheduling CNAME value

  7. Add DNS resolution by referring to section Adding a CNAME Record Set.

    • Host Record: Configured domain name.
    • Record Type: Select CNAME-Map one domain to another.
    • Line: Default
    • TTL (s): 300 (5 minutes) is recommended. Cached resolvers keep the old answer until the TTL expires, so the larger the TTL, the longer a scheduling switch takes to reach all clients.
    • Value: Enter the Scheduling CNAME value obtained in step 6.3.
    • Keep other settings unchanged.
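The procedure above hangs on one DNS chain: www.example.com must be a CNAME to the scheduling CNAME, which in turn resolves either to the CNAD Advanced-protected EIP (normal operation) or to the AAD CNAME (under attack). The following script is an added example, not code from this page or from Huawei Cloud: it follows that chain and reports where traffic currently lands, and it checks that the step 7 record is a CNAME to the scheduling CNAME with a short TTL. The scheduling CNAME (sched.example-scheduling.invalid), the origin EIP (203.0.113.10) and the high-defense IP (198.51.100.7) are assumed placeholders; the AAD CNAME is the page's example value; the DNS answers are constructed in-line so the script runs offline.

```python
"""
Offline check of the DNS chain that tiered DDoS scheduling depends on.

Added example, not code from the page or from Huawei Cloud. The records below
are constructed stand-ins for real DNS answers: the scheduling CNAME is an
assumed placeholder, the AAD CNAME is the page's example value, and the IP
addresses are from documentation ranges.
"""
from dataclasses import dataclass

AAD_CNAME = "12b6003fd3c2e618.huaweisafedns.com"      # value shown in Figure 3
SCHEDULING_CNAME = "sched.example-scheduling.invalid"  # assumed placeholder
ORIGIN_IP = "203.0.113.10"                              # protected EIP (assumed)
RECOMMENDED_TTL = 300                                   # 5 min, as in step 7
MAX_CHAIN = 8                                           # guard against CNAME loops


@dataclass
class Record:
    rtype: str   # "CNAME" or "A"
    value: str
    ttl: int


# Constructed answer sets (not real lookups).
# Normal operation: the scheduling CNAME resolves straight to the protected EIP.
NORMAL = {
    "www.example.com": Record("CNAME", SCHEDULING_CNAME, RECOMMENDED_TTL),
    SCHEDULING_CNAME: Record("A", ORIGIN_IP, 60),
}
# Under attack: the scheduling CNAME has been switched to the AAD CNAME,
# which resolves to a high-defense IP.
UNDER_ATTACK = {
    "www.example.com": Record("CNAME", SCHEDULING_CNAME, RECOMMENDED_TTL),
    SCHEDULING_CNAME: Record("CNAME", AAD_CNAME, 60),
    AAD_CNAME: Record("A", "198.51.100.7", 60),
}
# Misconfigured: step 7 was never done; the site still points at the EIP
# with a day-long TTL, so scheduling can never redirect it.
MISCONFIGURED = {
    "www.example.com": Record("A", ORIGIN_IP, 86400),
}


def follow_chain(zone, name):
    """Follow CNAMEs from `name`; return (names visited, final IP or None)."""
    chain, cur = [name], name
    for _ in range(MAX_CHAIN):
        rec = zone.get(cur)
        if rec is None:
            return chain, None          # dangling CNAME / NXDOMAIN
        if rec.rtype == "A":
            return chain, rec.value
        cur = rec.value
        chain.append(cur)
    raise ValueError("CNAME chain longer than %d, possible loop" % MAX_CHAIN)


def scheduling_state(zone, name="www.example.com",
                     origin_ip=ORIGIN_IP, aad_cname=AAD_CNAME):
    """Classify where client traffic for `name` currently lands."""
    chain, ip = follow_chain(zone, name)
    if ip is None:
        return "broken"        # clients cannot reach the service at all
    if aad_cname in chain:
        return "aad"           # traffic is being diverted through AAD
    if ip == origin_ip:
        return "direct"        # normal path, protected by CNAD Advanced
    return "unexpected"        # neither path: record probably misconfigured


def check_record(zone, name="www.example.com",
                 scheduling_cname=SCHEDULING_CNAME, max_ttl=RECOMMENDED_TTL):
    """Verify the step 7 record: a CNAME to the scheduling CNAME with a short TTL.

    Returns a list of problems; an empty list means the record is as recommended.
    """
    rec = zone.get(name)
    if rec is None:
        return ["no record for %s" % name]
    problems = []
    if rec.rtype != "CNAME":
        problems.append("%s is an %s record, expected CNAME" % (name, rec.rtype))
    elif rec.value != scheduling_cname:
        problems.append("CNAME points at %s, expected %s" % (rec.value, scheduling_cname))
    if rec.ttl > max_ttl:
        problems.append("TTL %ds exceeds %ds: a scheduling switch can take up to %ds "
                        "to reach cached resolvers" % (rec.ttl, max_ttl, rec.ttl))
    return problems


if __name__ == "__main__":
    for label, zone in (("normal", NORMAL), ("under attack", UNDER_ATTACK),
                        ("misconfigured", MISCONFIGURED)):
        print(label, "->", scheduling_state(zone), check_record(zone))
```

Note that the misconfigured zone still reports "direct", because traffic does reach the origin; only check_record reveals that the site can never be scheduled onto AAD. To run this against live DNS, replace the constructed dictionaries with the answers from `dig +noall +answer www.example.com` (or a resolver library) and poll it from a monitor so that a switch to AAD, or a dangling CNAME, is noticed when it happens rather than during the next incident.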

When the Policy Takes Effect

The tiered scheduling policy takes effect as soon as the DNS CNAME record takes effect. Resolvers that cached the previous record keep using it until its TTL expires, so allow at least that long before expecting every client to follow the new record.