Updated on 2023-03-02 GMT+08:00

What Is AAD?

Huawei Cloud provides multiple security solutions to defend against DDoS attacks. You can select an appropriate one based on your service requirements. Huawei Cloud Anti-DDoS Service (AAD) provides three subservices: Cloud Native Anti-DDoS Basic (or Anti-DDoS), Cloud Native Anti-DDoS (CNAD) Advanced, and Advanced Anti-DDoS. The CNAD Advanced service includes standard, unlimited protection advanced, unlimited protection basic, and platinum editions. The AAD service includes the international and Chinese mainland editions.

Anti-DDoS is free while CNAD Advanced and AAD are paid services.

Figure 1 Introduction to ADS

Service Description

Table 1 describes AAD.

Table 1 AAD subservices

Subservice | Description | Application Scenario | DDoS Protection Capability

CNAD Basic (Anti-DDoS)

Description: Anti-DDoS monitors service traffic from the Internet to public IP addresses and detects attack traffic in real time. It then scrubs attack traffic based on user-configured defense policies without interrupting services. It also generates monitoring reports that provide visibility into network traffic security.

Application Scenario: You can use this service to protect your public IPv4 and IPv6 addresses on Huawei Cloud against DDoS attacks if you have only general security requirements.

DDoS Protection Capability: Anti-DDoS provides a 2 Gbit/s DDoS mitigation capacity for free, and its maximum mitigation capacity can reach 5 Gbit/s (depending on the available bandwidth of Huawei Cloud).

2 Gbit/s is the traffic peak, that is, the maximum traffic that Anti-DDoS can defend against.

CNAD Advanced (including CNAD standard, platinum, unlimited protection advanced, and unlimited protection basic editions)

Description: CNAD Advanced provides higher DDoS protection capability for cloud services on Huawei Cloud, such as Elastic Cloud Server (ECS), Elastic Load Balance (ELB), Web Application Firewall (WAF), and Elastic IP (EIP). It defends against DDoS attacks targeting IP addresses on Huawei Cloud. With a few clicks on the console, you can enjoy always-on DDoS mitigation.

Application Scenario: CNAD Advanced protects your Huawei Cloud services that have public IP addresses assigned from DDoS attacks, meeting your requirements for immense protection capability and high network quality.

CNAD Advanced can be used for the following scenarios:

  • Huawei Cloud services with public IP addresses assigned for external communication
    NOTICE:

    The CNAD platinum edition must use EIPs in the dedicated resource pool of the CNAD Advanced unlimited protection editions.

  • Services with high bandwidth requirements and high Queries per Second (QPS), such as online video and live streaming

  • IPv6 protection
  • A large number of public IP addresses on Huawei Cloud.

    A large number of ports, domain names, and IP addresses need to be protected from DDoS attacks.

DDoS Protection Capability:

  • CNAD Advanced standard

    20G

  • CNAD unlimited protection basic edition

    Shared protection for not less than 20 Gbit/s of traffic

  • CNAD unlimited protection advanced edition

    Unlimited protection can be shared among them, with up to 1.5 Tbit/s protection capability.

    Dedicated EIPs and service bandwidth are billed separately.

AAD

Description: AAD works as a proxy and uses AAD IP addresses to forward requests to origin servers. All public network traffic is diverted to the AAD IP address so that the origin server is hidden from the public. This protects origin servers from DDoS attacks.

Application Scenario: If your service servers and main customers are in the Chinese Mainland, access by your customers outside the Chinese Mainland may be affected by network quality.

Huawei Cloud, non-Huawei Cloud, and IDC hosts can be protected.

NOTICE:
  • AAD does not support domain names that have no ICP licenses. To use AAD to protect website services, ensure that the website domain name has an ICP license.
  • AAD provides IPv4 protection by default.
  • If you want to use IPv6 protection, use CNAD Advanced.

DDoS Protection Capability: One high-defense IP address can defend against 1 Tbit/s of network- and application-layer DDoS attacks. The AAD service offers more than 5 Tbit/s of defense capability.

  • 5 Tbit/s of defense capability is the overall defense capability of the AAD equipment room.
  • 1 Tbit/s of defense capability refers to the maximum protection capability of a single high-defense IP address.

AAD International

Application Scenario: If your service servers are deployed outside the Chinese Mainland and your main users are outside the Chinese Mainland, AAD International is suitable for you.

If your service server is deployed outside the Chinese Mainland but your main service users are in the Chinese Mainland, there might be an average delay of about 300 ms for users in the Chinese Mainland.

NOTE:

If you want to use the AAD International edition, we recommend that you use AAD for your servers and customers outside the Chinese Mainland only.

DDoS Protection Capability: Over 5 Tbit/s of AAD defense capability, supporting unlimited AnyCast defense.

DDoS attacks ADS can defend against

Table 2 Workload types supported by DDoS mitigation services

DDoS Attack

CNAD Basic (Anti-DDoS)

CNAD Advanced

AAD

Malformed packets

Transport-layer DDoS attack

It can defend against SYN flood attacks (small packet attacks), but not as well as CNAD Advanced or AAD. You are advised to use CNAD Advanced or AAD.

DNS DDoS attack

×

×

Connection DDoS attack

×

×

DDoS attacks at the web application layer

×

×

  • The symbol "√" indicates that the service defends against the attack.
  • The symbol "×" indicates that the service does not defend against the attack.