Updated on 2025-08-28 GMT+08:00

Using ELB and CNAD Advanced to Enhance the Defense Against DDoS Attacks

Application Scenarios

Cloud Native Anti-DDoS Advanced (CNAD Advanced) improves the anti-DDoS capability of cloud services and helps keep them secure. You can deploy a load balancer and add its EIP to a CNAD Advanced instance to significantly enhance the defense against various types of DDoS attacks.

Solution Architecture

If your website is deployed on an ECS, you can deploy a load balancer in front of the ECS (the origin server) and add the EIP of the load balancer to a CNAD Advanced instance to protect your website against DDoS attacks.

Figure 1 Using CNAD Advanced together with ELB

Advantages

Compared with enabling CNAD Advanced directly for ECSs, combining CNAD Advanced with Elastic Load Balance (ELB) means that traffic for protocols and ports with no listener is discarded. This enhances defense against various DDoS attacks, including reflection attacks such as SSDP, NTP, and Memcached, as well as UDP flood and SYN flood attacks. The result is significantly better DDoS protection for ECSs and more secure, reliable user services.

Resource and Cost Planning

| Resource | Description | Quantity | Cost |
|---|---|---|---|
| Load balancer | Distributes access traffic across ECSs to eliminate single points of failure (SPOFs) caused by DDoS attacks. | 1 | For details, see Billing Overview. |
| CNAD Advanced instance | Protects the EIP of the load balancer against DDoS attacks. | 1 | For details about CNAD Advanced billing modes and standards, see Billing Overview. |

Procedure

  1. Create a load balancer. For details, see Creating a Load Balancer.

    Table 1 Parameter description

    | Parameter | Description |
    |---|---|
    | Region | Select the region where the ECS is located. |
    | EIP | Select Auto assign. |
    | EIP Type | Select Dynamic BGP. |

  2. Obtain the public IP address of the created load balancer, as shown in Figure 2.

    Figure 2 Public IP address of the ELB instance

  3. Buy a CNAD Advanced instance in the same region as the ECS.
  4. In the navigation pane on the left, choose Cloud Native Anti-DDoS Advanced > Instances. The Instances page is displayed.

    Figure 3 Instance list

  5. In the upper right corner of the target instance box, click Add Protected Object.
  6. In the Add Protected Object dialog box that is displayed, select the elastic IP address of the load balancer obtained in step 2 and click OK.

    After adding protected objects, you can configure protection policies for them. Cloud Native Anti-DDoS Advanced provides unlimited protection against DDoS attacks for ECSs. When a DDoS attack occurs, traffic scrubbing is automatically triggered.

    For details about how to configure a protection policy, see Adding a Protection Policy.