Updated on 2024-09-29 GMT+08:00

Preparations

Before connecting services to AAD, collect the information about your services described below so that the connection can be planned and the protection configured correctly.

Website Service Review

Review your services against the items in Table 1 to establish their current status and baseline data. This information is used to select AAD specifications and to configure protection policies.

Table 1 Website service review

Item

Description

Website and Service Information

Whether the domain name has an ICP license

Check the ICP license of the domain name. Only domain names with ICP licenses can be added to AAD protection.

Daily peak traffic of website/web application services, including the bandwidth (in Mbit/s) and QPS

Identify the peak traffic period of the website or application and the bandwidth and QPS reached during it. These values are the basis for selecting suitable AAD service bandwidth and QPS specifications.

Major user group (for example, major locations where the requests originate from)

This is used for the configuration of cross-border/UDP traffic blocking policies.

Whether the origin server is deployed outside the Chinese mainland

If the origin server is deployed outside the Chinese mainland, you are advised to purchase AAD (International Edition).

Operating system (Linux or Windows) and web service middleware (Apache, Nginx, or IIS) of the origin server

After the switch, all proxied requests reach the origin server from AAD's back-to-origin IP addresses. Check that the origin server's access control policies (host firewall, security group, or web middleware access rules) do not block traffic from these addresses. If they do, adjust the policies to allow this traffic. For details about how to allow traffic from AAD's back-to-origin IP addresses, see Adding the Back-to-Source IP Address Range to the Whitelist.

IPv6 support

If your services use IPv6 protocol, you are advised to use CNAD Advanced. For details about CNAD Advanced, see What Is CNAD Advanced?

Service protocol types

Record the protocols the service uses (for example, HTTP, HTTPS, or TCP). You select the corresponding protocol when configuring the website or forwarding rule in AAD.

Service port

Check whether the service port of the origin server is supported by AAD. For details about the service ports supported by AAD, see What Service Ports Does AAD Support?

Whether requests carry custom HTTP header fields that the server verifies

Check whether passing through AAD affects these custom fields and causes verification on the server to fail. If so, submit a service ticket to contact technical support for assistance.

Whether the service has a mechanism for obtaining and verifying the real source IP address

After AAD is connected, requests reach the origin server from AAD's back-to-origin IP addresses, so the source IP address seen by the origin server is no longer the real client IP address. Determine whether the origin server needs to be adjusted to obtain the real source IP address (for example, for logging, access control, or rate limiting).

If real source IP addresses are needed, deploy the TOA module in advance (for TCP forwarding) or read the real source IP address from the X-Forwarded-For header (for HTTP/HTTPS services).

Whether the server uses two-way authentication (mutual TLS with client certificates) for HTTPS services

Currently, AAD does not support two-way authentication, so an HTTPS service that requires client certificates cannot be connected to AAD as-is.

Whether the sticky session mechanism exists (for HTTPS services)

If your service has long-session requirements, such as file uploads or logins that must stay on the same origin server, you are advised to use the layer-7 cookie-based sticky session function.

Whether null (idle) connections exist in the service

For example, the server proactively sends data packets to keep a session alive while no client data is flowing. Such connections may be affected after AAD is connected.

Whether CDN is used in services

If a service uses a CDN, ensure that the service supports one of the following schemes:

  • Dynamic resources are routed to AAD, and static resources are routed to the CDN.
  • If dynamic and static resources cannot be separated, all traffic is manually switched to AAD when an attack occurs.

Whether Direct Connect is required for back-to-source traffic

AAD does not support Direct Connect for back-to-source traffic.

Number of domain names and forwarding rules used by services

For details about AAD specifications, see AAD specifications.

Services and Attacks

Historical top attack types and their peak traffic volumes

  • UDP bandwidth attack and its peak bandwidth
  • HTTP CC attack and its peak QPS
  • TCP connection attack and its peak connection count

Service types and features (such as games, cards, websites, or apps)

This helps analyze attack characteristics in the subsequent defense process.

Service traffic (inbound)

This establishes the normal traffic baseline used to recognize malicious traffic. For example, if the average daily inbound traffic is 100 Mbit/s, traffic that stays well above 100 Mbit/s for a sustained period is a sign that the service may be under attack.

Service traffic (outbound)

This helps determine whether the system is under attack and whether the service bandwidth needs to be expanded.

Inbound traffic range and connection status of a single user or a single IP address

Helps determine whether a rate limiting policy can be configured per IP address, and at what threshold.

Historical heavy traffic attacks and their types

You can set specific anti-DDoS policies based on the types of historical attacks.

Historical peak attack traffic

This helps select AAD specifications.

Historical CC attacks (HTTP flood)

Configure the protection policies based on attack signatures.

Peak QPS of the heaviest historical CC attacks

Use this value as a reference when selecting the AAD QPS specification and when setting the thresholds of CC protection policies.

User group attribute

For example, individual users, Internet cafe users, or users who access the service through a proxy. This helps determine the risk of false positives: many legitimate users accessing the service concurrently from a single egress IP address can be mistaken for an attack from that address.

Whether the current service is under DDoS attacks

If your service is already under DDoS attack, change the origin server IP address before connecting the origin server to AAD. Otherwise, the attacker can keep sending traffic to the exposed origin IP address directly and bypass AAD.
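The real source IP item and the back-to-origin whitelist item in Table 1 come down to one rule on the origin server: trust X-Forwarded-For only when the TCP peer is an AAD back-to-origin address, and accept direct connections only from clients you have explicitly whitelisted. The Python below is an added example written for this page, not AAD's own code or a Huawei Cloud SDK. The ranges in AAD_BACK_TO_ORIGIN and TRUSTED_CLIENTS are placeholders taken from the RFC 5737 documentation blocks and must be replaced with the published AAD back-to-source ranges and your own trusted clients; the function names are this example's own.

```python
import ipaddress

# Hypothetical address ranges used only for this example. Replace them with
# the back-to-origin IP address ranges published for your AAD instance and
# with your own trusted clients (monitoring, internal API callers, ...).
AAD_BACK_TO_ORIGIN = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]
TRUSTED_CLIENTS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.8/29")]


def in_ranges(ip, networks):
    """True if ip (an ipaddress object) falls inside any of the networks."""
    return any(ip in net for net in networks)


def peer_class(peer_ip):
    """Classify the TCP peer that reached the origin server.

    After the DNS switch every proxied request arrives from an AAD
    back-to-origin address; only explicitly trusted clients may still
    connect directly. Anything else is the exposed-origin case and should
    also be dropped by the host firewall or security group.
    """
    peer = ipaddress.ip_address(peer_ip)
    if in_ranges(peer, AAD_BACK_TO_ORIGIN):
        return "aad"
    if in_ranges(peer, TRUSTED_CLIENTS):
        return "trusted"
    return "blocked"


def real_client_ip(peer_ip, xff_header):
    """Return the real client IP for a request, or None if it must be refused.

    X-Forwarded-For is attacker-controlled input: a client can send its own
    X-Forwarded-For header and the proxy appends the real address to it.
    The trustworthy entry is therefore the rightmost one that is not itself
    an AAD address, found by walking the list from the right and skipping
    hops inside AAD_BACK_TO_ORIGIN.
    """
    cls = peer_class(peer_ip)
    if cls == "blocked":
        return None
    if cls == "trusted":
        # Direct connection from a whitelisted client: the peer is the client.
        return str(ipaddress.ip_address(peer_ip))
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            return None  # malformed entry: do not guess, refuse the request
        if in_ranges(ip, AAD_BACK_TO_ORIGIN):
            continue  # a proxy hop inside AAD, keep walking left
        return str(ip)
    # Only AAD addresses (or no header at all) were present: fall back to the peer.
    return str(ipaddress.ip_address(peer_ip))


if __name__ == "__main__":
    # Constructed requests, not captured traffic.
    samples = [
        ("203.0.113.7", "192.0.2.200"),              # normal request via AAD
        ("203.0.113.7", "192.0.2.99, 192.0.2.200"),  # client forged an XFF, AAD appended the truth
        ("10.20.30.40", "192.0.2.99"),               # internal monitor connecting directly
        ("192.0.2.200", "203.0.113.7"),              # attacker hitting the origin directly
    ]
    for peer, xff in samples:
        print(f"peer={peer:<14} xff={xff!r:<30} -> {real_client_ip(peer, xff)}")
```

The same walk-from-the-right logic is what web servers' real-IP modules implement when given the proxy ranges; the point of writing it out is the two failure modes: a forged header from a direct connection is ignored because the peer is not an AAD address, and a forged entry that arrives through AAD is ignored because AAD appended the genuine address to its right.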
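The per-IP inbound range item and the user group attribute item in Table 1 are about one decision: can a per-IP rate limit be set without blocking a shared egress such as an Internet cafe? The Python below is an added example for this page (not part of the AAD documentation or product) that profiles constructed access-log lines to show how the two cases differ. It assumes the log's client field already holds the real client IP (recovered via TOA or X-Forwarded-For, otherwise every request would be attributed to a handful of AAD addresses), treats an IP whose peak request rate exceeds a limit as a candidate for limiting, and uses the number of distinct User-Agent strings behind that IP as a crude indicator of many users behind one address. The log lines, the thresholds rps_limit and nat_ua_threshold, and the function names are this example's own.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed nginx "combined" access-log lines (not captured traffic). The
# first field is assumed to be the real client address, already recovered
# from TOA or X-Forwarded-For, not the AAD back-to-origin address.
#   192.0.2.10  one home user with one browser, low rate
#   192.0.2.20  an Internet cafe NAT egress: several browsers behind one IP
#   192.0.2.30  one client replaying the same URL (CC-style)
SAMPLE_LOG = """\
192.0.2.10 - - [29/Sep/2024:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/130.0"
192.0.2.10 - - [29/Sep/2024:10:00:02 +0000] "GET /style.css HTTP/1.1" 200 210 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/130.0"
192.0.2.20 - - [29/Sep/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/128.0"
192.0.2.20 - - [29/Sep/2024:10:00:01 +0000] "GET /login HTTP/1.1" 200 330 "-" "Mozilla/5.0 (Windows NT 6.1) Chrome/109.0"
192.0.2.20 - - [29/Sep/2024:10:00:01 +0000] "GET /game/lobby HTTP/1.1" 200 900 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0"
192.0.2.20 - - [29/Sep/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Macintosh) Safari/17.0"
192.0.2.20 - - [29/Sep/2024:10:00:01 +0000] "GET /news HTTP/1.1" 200 700 "-" "Mozilla/5.0 (Windows NT 10.0) Edg/128.0"
192.0.2.20 - - [29/Sep/2024:10:00:01 +0000] "GET /shop HTTP/1.1" 200 800 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/128.0"
192.0.2.30 - - [29/Sep/2024:10:00:01 +0000] "GET /search?q=a HTTP/1.1" 200 4096 "-" "python-requests/2.32"
192.0.2.30 - - [29/Sep/2024:10:00:01 +0000] "GET /search?q=b HTTP/1.1" 200 4096 "-" "python-requests/2.32"
192.0.2.30 - - [29/Sep/2024:10:00:01 +0000] "GET /search?q=c HTTP/1.1" 200 4096 "-" "python-requests/2.32"
192.0.2.30 - - [29/Sep/2024:10:00:01 +0000] "GET /search?q=d HTTP/1.1" 200 4096 "-" "python-requests/2.32"
192.0.2.30 - - [29/Sep/2024:10:00:01 +0000] "GET /search?q=e HTTP/1.1" 200 4096 "-" "python-requests/2.32"
192.0.2.30 - - [29/Sep/2024:10:00:01 +0000] "GET /search?q=f HTTP/1.1" 200 4096 "-" "python-requests/2.32"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_log(text):
    """Yield one record per well-formed combined-format line; skip the rest."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        yield {
            "ip": m["ip"],
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "ua": m["ua"],
        }


def profile_sources(log_text):
    """Per client IP: peak requests in any one second and distinct User-Agents."""
    per_second = defaultdict(Counter)   # ip -> {epoch second: request count}
    agents = defaultdict(set)           # ip -> distinct User-Agent strings
    for rec in parse_log(log_text):
        per_second[rec["ip"]][int(rec["ts"].timestamp())] += 1
        agents[rec["ip"]].add(rec["ua"])
    return {ip: {"peak_rps": max(secs.values()), "distinct_ua": len(agents[ip])}
            for ip, secs in per_second.items()}


def classify(profile, rps_limit=5, nat_ua_threshold=3):
    """Decide, per IP, whether a per-IP limit at rps_limit would be safe.

    "shared-egress" marks an IP above the limit that carries many distinct
    browsers, i.e. a NAT egress where a per-IP limit would block real users;
    "rate-exceeded" marks an IP above the limit with a single client behind it.
    """
    verdicts = {}
    for ip, p in profile.items():
        if p["peak_rps"] <= rps_limit:
            verdicts[ip] = "normal"
        elif p["distinct_ua"] >= nat_ua_threshold:
            verdicts[ip] = "shared-egress"
        else:
            verdicts[ip] = "rate-exceeded"
    return verdicts


if __name__ == "__main__":
    prof = profile_sources(SAMPLE_LOG)
    for ip, verdict in classify(prof).items():
        print(f"{ip:<12} peak_rps={prof[ip]['peak_rps']} distinct_ua={prof[ip]['distinct_ua']} -> {verdict}")
```

User-Agent diversity is easy to forge, so it is a planning signal for choosing a threshold, not a detection rule; the practical takeaway is that a limit low enough to catch the single replaying client also catches the cafe egress, which is exactly the false-positive risk the user group attribute item asks you to assess before enabling per-IP limiting.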

Preparations

Before connecting services to AAD, complete the preparations listed in Table 2 based on the service type.

Before connecting your services to AAD, you are advised to test them in a test environment. After your services pass the test, connect them in the production environment.

Table 2 Preparations for connecting to AAD

Service Type

Preparation

Website services

  • Obtain the domain names of the websites to be connected to AAD, together with the origin server IP addresses (only public IP addresses are supported) and ports.
  • Ensure that the website domain name has an ICP license.
  • If your websites support HTTPS access, prepare the certificate and private key: the certificate file in .crt or .pem format and the private key file in .key format.
  • Have a DNS administrator account available so that you can change the domain name's DNS records for AAD to take effect.
  • Check whether the website service has trusted clients (such as monitoring systems, APIs invoked from internal IP addresses or IP address ranges, and program clients).

    After services are connected to AAD, add the IP addresses of these trusted clients to the whitelist so that their requests are not blocked.

Non-website service

Obtain the port numbers and protocol types used by the service to provide services for external systems.

If the service is connected to AAD through domain names, you need to prepare a DNS administrator account for modifying DNS resolution records to switch service traffic to AAD.