- What's New
- Function Overview
- Service Overview
-
Billing
- Billing Overview
- Billing Modes
- Billing Items
- Renewing Subscriptions
- Bills
- Arrears
- Stopping Billing
- Cost Management
-
Billing FAQs
- General FAQs
- Billing FAQs of CNAD Advanced
-
Billing FAQs of AAD
- How Is AAD Billed?
- Why Does My Payment Status Not Update After I Make a Payment?
- Will I Be Charged If I Buy an Elastic Protection Bandwidth and My Elastic IP Address Is Not Attacked for the Whole Month?
- What Happens If the Attack Traffic Exceeds the Elastic Protection Bandwidth?
- Can I Adjust My Elastic Protection Bandwidth From 100 Gbit/s to 200 Gbit/s When I Find 100 Gbit/s Is Insufficient?
- What Is the Charge If My IP Address Is Attacked Many Times a Day?
- How Do I Stop Elastic Protection to Avoid Being Charged for the Elastic Protection Bandwidth?
- How Can I Renew the AAD Service?
- How Can I Unsubscribe from the AAD Service?
- How Should I Automatically Renew AAD?
- Can the Original Configuration Data Be Saved After I Unsubscribe from an AAD Instance?
- How Is the Elastic Bandwidth Charged?
- Getting Started
-
User Guide
-
CNAD Basic (Anti-DDoS) User Guide
- Anti-DDoS Overview
- Using IAM to Grant Anti-DDoS Permissions
- Setting a Traffic Scrubbing Threshold to Intercept Attack Traffic
- Setting DDoS Alarm Notifications
- Enabling DDoS Alarm Notifications
- Enabling Logging
- Adding a Tag to an EIP
- Viewing an EIP Monitoring Report
- Viewing an Interception Report
- Querying Audit Logs
-
CNAD Advanced (CNAD) Operation Guide
- CNAD Overview
- Using IAM to Grant CNAD Permissions
- Purchasing a CNAD Instance
-
Adding a Protection Policy
- Protection Policy Overview
- Configuring a Basic Protection Policy to Intercept Attack Traffic
- Using Watermarks to Defend Against CC Attacks
- Blocking or Permitting Traffic From Specified IP Addresses Using a Blacklist and Whitelist
- Blocking Traffic to a Specified Port
- Blocking Traffic of a Specified Protocol
- Setting a Traffic Handling Policy Based on Fingerprint Features
- Using Advanced Protection Policies to Restrict Abnormal Connections
- Blocking Traffic From Specified Locations
- Adding a Protected Object
- Enabling Alarm Notifications for DDoS Attacks
- Enabling Logging
- Viewing Statistics Reports
- Managing Instances
- Managing Protected Objects
- Viewing Monitoring Metrics
- Querying Audit Logs
-
Advanced Anti-DDoS User Guide
- AAD Overview
- Using IAM to Grant AAD Permissions
- Purchasing an AAD Instance
- Connecting Services to AAD
-
Configuring a Protection Policy
- Protection Policy Overview
- Enabling Basic Web Protection
- Blocking Traffic From Specified Locations
- Blocking Traffic of a Specified Protocol
- Blocking or Allowing Traffic From Specified IP Addresses Using a Blacklist and Whitelist
- Mitigating CC Attacks Using Frequency Control Policies
- Using Intelligent CC Policies to Defend Against CC Attacks
- Enabling Alarm Notifications for DDoS Attacks
- Enabling Logging
- Viewing Statistics
- Managing Instances
- Managing Domain Names
- Certificate Management
- Managing Forwarding Rules
- Viewing Monitoring Metrics
- Querying Audit Logs
- Scheduling Center Quotas
-
CNAD Basic (Anti-DDoS) User Guide
- Best Practices
-
API Reference
- Before You Start
- API Overview
- API Calling
-
API
-
Anti-DDoS Management
- Querying the List of Defense Statuses of EIPs
- Querying Optional Anti-DDoS Defense Policies
- Querying Weekly Defense Statistics
- Querying Configured Anti-DDoS Defense Policies
- Updating Anti-DDoS Defense Policies
- Querying the Traffic of a Specified EIP
- Querying Events of a Specified EIP
- Querying Configured Anti-DDoS Defense Policies
- Anti-DDoS Task Management
- Alarm configuration management
- Default Protection Policy Management
-
Anti-DDoS Management
- Examples
- Appendix
- Out-of-Date APIs
- SDK Reference
-
FAQs
-
General FAQs
- What Are Regions and AZs?
- What Is the Black Hole Policy of HUAWEI CLOUD?
- What are the Relationships Between ADS and Anti-DDoS Traffic Cleaning, CNAD Pro, and AAD?
- What Are the Differences Between Anti-DDoS and Advanced Anti-DDoS?
- What Are a SYN Flood Attack and an ACK Flood Attack?
- What Is a CC Attack?
- What Is a Slow HTTP Attack?
- What Are a UDP Attack and a TCP Attack?
- What Are the Differences Between DDoS Attacks and Challenge Collapsar Attacks?
- What Is the Maximum Protection Capacity Provided by Huawei Cloud Anti-DDoS for Free?
- What Can I Do If an IP Address Is Blocked?
- Does Anti-DDoS Support the Transparent Access Mode?
- Does Anti-DDoS Service Provide SDKs?
- How Do I Migrate Instance Resources in an Enterprise Project?
-
CNAD Basic (Anti-DDoS) FAQs
-
About Anti-DDoS
- How Will Anti-DDoS Be Triggered to Scrub Traffic?
- Does Anti-DDoS Traffic Scrubbing Affect Normal Services?
- What Are the Restrictions of Using Anti-DDoS?
- What Is the Protection Capacity of Anti-DDoS?
- What Data Can Be Provided by Anti-DDoS?
- Which Regions Does Anti-DDoS Support?
- What Can Be Protected by Anti-DDoS?
- Can Anti-DDoS Be Used Across Clouds or By Multiple Accounts?
- How to Determine Whether an Attack Occurs?
-
About Basic Functions
- What Would Happen When I Am Under a DDoS Attack Exceeding 500 Mbit/s?
- Which Types of Attacks Does Anti-DDoS Mitigate?
- What Should I Do If My Service Is Frequently Attacked?
- What Is the Difference Between ELB Protection and ECS Protection?
- Why Is the Number of Times of Cleaning Different from the Number of Attacks for the Same Public IP Address?
- Is Anti-DDoS Enabled by Default?
- Does Anti-DDoS Protect a Region or a Single IP Address?
- Do I Need to Release Anti-DDoS Resources When I Delete an Account?
- How Do I View the Traffic Scrubbing Frequency?
- How Can I View Anti-DDoS Protection Statistics?
- How Can I View the Monitoring Data of a Public IP Address in Anti-DDoS?
- How Can I View an Interception Report?
- Can I Disable Anti-DDoS Completely?
- How Do I Check Whether the Inbound Traffics Are Routed Through Anti-DDoS Devices?
- About Threshold and Black Hole
- About Alarm Notification
- About Service Faults
-
About Anti-DDoS
-
CNAD Advanced FAQs
-
Function Consulting
- What Is Unlimited Protection?
- Can CNAD Advanced Protect Non-Huawei Cloud and On-Premises IP Addresses?
- Does CNAD Advanced Protect IPv6 Addresses?
- What Do I Do If an IP Address Protected by CNAD Advanced Is Blocked?
- What Are the Protection Objects of CNAD Advanced?
- How Many Layers of Attacks Can CNAD Advanced Defend Against?
- How Long Does It Take to Switch Traffic from CNAD Advanced Back to AAD?
- Can CNAD Advanced Be Used Across Regions?
- What Is A Dedicated EIP?
- Billing
-
Function Consulting
-
AAD FAQs
-
Function Specifications
- What Service Ports Does AAD Support?
- What Forwarding Protocols Does AAD Support?
- Can I Change My Protection Bandwidths?
- Can an AAD Origin Server Use a CDN CNAME?
- What Is the Maximum Protection Capability When I Purchase 10 Gbit/s as the Basic Protection Bandwidth and 20 Gbit/s as the Elastic Protection Bandwidth?
- Does AAD Use a Public IP Address to Switch Traffic Back to Origin Servers?
- What Is the Maximum Number of Domain Names AAD Can Protect?
- How Much Additional Latency Will Be Incurred When AAD Is Deployed?
- Is There a Limit to the Number of Concurrent Requests?
- How Do I Disable Advanced Anti-DDoS?
-
Access Configuration
- Can I Connect My Service System to AAD If It Is Not Running on HUAWEI CLOUD?
- How Do I Check Whether a Protected Domain Name Is Correctly Configured After I Connect It to AAD?
- What Can I Do When Message "Invalid request" Is Displayed When I Upload an HTTPS/WebSockets Certificate?
- How Do I Convert a Non-PEM Certificate into a PEM One?
- How Do I Enable Both AAD and WAF?
- How Do I Connect My Service System to AAD?
- How Is CNAME-based Access Implemented?
- How Does AAD Distribute Traffic When There Are Multiple Origin Servers?
- How Do I Check Whether a Back-to-Origin IP Address Has Been Whitelisted on My Origin Server?
- How Do I Change the Exposed IP Address of an Origin Server?
- How Do I Query the Back-to-Origin IP Address Range?
- Can I Migrate Enterprise Project Resources After Adding the Protected Domain Name?
- Can I Build My Own Anti-DDoS System Using HUAWEI CLOUD ECSs?
- How Do the AAD Blacklist and Whitelist Protect Customer's Servers?
- Do I Still Need to Configure the Blacklist and Whitelist in WAF Protection Policies After Configuring Them in DDoS Protection Policies?
- How Do I Use a Domain Name to Access Both IPv4 and IPv6 Services?
- What Should I Do If I Receive a Message Stating That the Domain Name Already Exists When Trying to Connect?
-
Faults
- What Should I Do When Encountering an Access Freezing, Delay, or Failure?
- Why Is Error 504 Displayed When I Access a Website After AAD Is Configured?
- How Do I Identify the Type of Attacks?
- What Should I Do If Error 500, 502, or 504 Is Reported When I Access My Website After I Enable Basic Web Protection for My Domain Name?
- What Can I Do If I Failed to Configure a Forwarding Rule?
- What Can I Do If My UDP Traffic Is Blocked?
- How Do I Unblock the Access That Has Been Automatically Blocked Due to the Threshold-Overtopped Attack Traffic?
- Why Can't I Specify Certain Ports When Configuring the Forwarding Rule?
- Error Message "Received fatal alert" Is Displayed After a Domain Name Is Bound to AAD
-
Product
- What Is a Protected IP Address?
- Does AAD Support Weighted Back-to-Origin?
- Can AAD Be Used Across Regions?
- What Is a CNAME Record?
- What is BGP?
- What Is the Origin Server Port of AAD?
- What Is the Origin Server IP Address?
- What Website IP Addresses Is Protected by AAD?
- What Is Service Bandwidth?
- What Is a Forwarding Protocol?
- Are Services Interrupted When They Are Being Connected to AAD?
- Can a Domain Name Be Bound to Multiple AAD Instances?
- Why Does the High-Defense IP Address Actually Receive Access Requests from a Client After AAD Is Deployed?
- Why Does the Attack Traffic Volume Increase After AAD Is Deployed?
- Will the Origin Server Be Exposed When the Attack Traffic Volume Increases After AAD Is Deployed?
- How Does AAD Protect Origin Server IP Addresses?
- Does AAD Support Two-Way SSL Authentication?
- Can I Modify or Delete the Certificates Uploaded to AAD?
- What Will Happen If My Service Traffic Exceeds the Configured Service Bandwidth?
- Is Advanced Anti-DDoS Software or Hardware?
- Does AAD Support IPv6 Protection?
- Why Is the Traffic of AAD Inconsistent with That of ELB?
-
Fees
- How Is AAD Billed?
- Why Does My Payment Status Not Update After I Make a Payment?
- Will I Be Charged If I Buy an Elastic Protection Bandwidth and My Elastic IP Address Is Not Attacked for the Whole Month?
- What Happens If the Attack Traffic Exceeds the Elastic Protection Bandwidth?
- Can I Adjust My Elastic Protection Bandwidth From 100 Gbit/s to 200 Gbit/s When I Find 100 Gbit/s Is Insufficient?
- What Is the Charge If My IP Address Is Attacked Many Times a Day?
- How Do I Stop Elastic Protection to Avoid Being Charged for the Elastic Protection Bandwidth?
- How Can I Renew the AAD Service?
- How Can I Unsubscribe from the AAD Service?
- How Should I Automatically Renew AAD?
- Can the Original Configuration Data Be Saved After I Unsubscribe from an AAD Instance?
- How Is the Elastic Bandwidth Charged?
-
Function Specifications
-
General FAQs
- Videos
-
More Documents
-
User Guide (Ankara Region)
- Service Overview
- Enabling Anti-DDoS
- Viewing a Public IP Address
- Enabling Alarm Notification
- Configuring an Anti-DDoS Protection Policy
- Viewing a Monitoring Report
- Viewing an Interception Report
-
FAQs
-
About Anti-DDoS
- What Is Anti-DDoS?
- What Are a SYN Flood Attack and an ACK Flood Attack?
- What Is a CC Attack?
- What Is a Slow HTTP Attack?
- What Are a UDP Attack and a TCP Attack?
- What Is the Million-level IP Address Blacklist Database?
- How Will Anti-DDoS Be Triggered to Scrub Traffic?
- Does Anti-DDoS Traffic Cleaning Affect Normal Services?
- How Does Anti-DDoS Scrub Traffic?
- What Are the Restrictions of Anti-DDoS?
- About Basic Functions
- About Alarm notification
-
About Anti-DDoS
-
API Reference (Ankara Region)
- Before You Start
- API Overview
- API Calling
-
API
-
Anti-DDoS APIs
- Querying Optional Anti-DDoS Defense Policies
- Enabling Anti-DDoS
- Querying Configured Anti-DDoS Defense Policies
- Updating Anti-DDoS Defense Policies
- Querying Anti-DDoS Tasks
- Querying the List of Defense Statuses of EIPs
- Querying the Defense Status of a Specified EIP
- Querying the Traffic of a Specified EIP
- Querying Events of a Specified EIP
- Querying Weekly Defense Statistics
- Alarm Reminding APIs
-
Anti-DDoS APIs
- Appendix
- Change History
-
User Guide (Ankara Region)
- General Reference
Copied.
Quick Access to CNAD - Unlimited Protection Basic Edition
Cloud Native Anti-DDoS Advanced (CNAD) provides higher DDoS protection capability for cloud services on Huawei Cloud such as Elastic Cloud Server (ECS), Elastic Load Balance (ELB), Web Application Firewall (WAF), and Elastic IP (EIP). CNAD Unlimited Protection Basic Edition defends against the DDoS attacks targeting the dynamic BGP EIPs on Huawei Cloud and it provides higher protection capabilities for cloud services. With few clicks on the console, you can enjoy always-on DDoS mitigation on Huawei Cloud.
This section uses an EIP in CN North-Beijing4 (Chinese mainland) as an example to describe how to purchase and use the Unlimited Protection Basic Edition.
Procedure
This section describes how to quickly purchase Unlimited Protection Basic Edition and enable protection. The process is shown in Figure 1.
Step |
Description |
---|---|
Register a Huawei ID, enable Huawei Cloud, top up the account, grant CNAD Advanced permissions, and prepare protected objects. |
|
Step 1: Purchasing an Unlimited Protection Basic Edition Instance |
Purchase Unlimited Protection Basic Edition in the specified region. |
Create and configure protection policies for protected objects. |
|
Add protected objects to the Unlimited Protection Basic Edition instance. |
Prerequisites
- Before using Unlimited Protection Basic Edition, register a Huawei ID and enable Huawei Cloud. For details, see Registering a Huawei ID and Enabling Huawei Cloud Services and Real-Name Authentication.
If you have enabled Huawei Cloud and completed real-name authentication, skip this step.
- Make sure your account has enough funds to avoid issues when purchasing Unlimited Protection Basic Edition.
- Ensure that the account has been assigned related permissions. For details, see Creating a User and Granting the CNAD Access Permission.
- In the CN North-Beijing4 region, create an ECS and bind an EIP to it. For details, see section Purchasing an ECS.
NOTE:
If you have an ECS that meets the requirements, you do not need to create one again.
Step 1: Purchasing an Unlimited Protection Basic Edition Instance
- Log in to the management console.
- Click
in the upper left corner of the page and choose Security & Compliance > Anti-DDoS Service. The Anti-DDoS page is displayed.
- In the upper right corner of the page, click Buy DDoS Mitigation.
- Set the purchase parameters as required, click Buy Now, and complete the payment as prompted.
Table 1 Parameter description Parameter
Example Value
Description
Instance Type
Cloud Native Anti-DDoS
Type of the instance to be purchased.
Billing Mode
Yearly/Monthly
You are charged based on the subscription period. This means that you have to pay for a certain period of time in advance.
Unlimited Protection Basic Edition supports only the yearly/monthly billing mode.
Region
Chinese Mainland
- Chinese Mainland: applies to scenarios where service servers are deployed in Chinese mainland (cross-region deployment is supported). Only dynamic BGP EIPs are supported.
- Other: applies to scenarios where the service server is deployed in the Asia Pacific region (Hong Kong is supported currently). Only premium BGP EIPs are supported.
Protection Level
Unlimited Protection Basic Edition:
Edition to be purchased.
Resource Location
CN North-Beijing4
Region where the protected cloud resources are located. Cross-region protection is not supported.
Protected IP Addresses
50
The number of protected IP addresses refers to the number of EIPs that can be protected by each CNAD Advanced instance. You are advised to evaluate the number of protected IP addresses based on the number of EIPs of your cloud resources.
Service Bandwidth
100Mbps
The service bandwidth indicates clean service bandwidth forwarded to the origin server from the AAD scrubbing center. It is recommended that the service bandwidth be greater than or equal to the egress bandwidth of the origin server. Otherwise, packet loss may occur or services may be affected.
Instance Name
CNAD-test
Name of the purchased instance, which is user-defined.
Enterprise Project
-
This parameter is displayed only when you use an enterprise account for purchase. Select a value based on the site requirements.
Required Duration
-
Select the required duration based on the site requirements.
Quantity
-
Select the quantity based on the site requirements.
Figure 2 Setting Unlimited Protection Basic edition specifications
Step 2: Creating a Protection Policy
CNAD Advanced supports many types of protection policies. The following uses the cleaning policy as an example.
- In the navigation pane on the left, choose Cloud Native Anti-DDoS Advanced > Protection Policies. The Protection Policies page is displayed.
- Click Create Protection Policy to create a policy.
Table 2 Parameter description Parameter
Example Value
Description
Name
Policy01
Name of the protection policy, which is user-defined.
Instance
Select the instance purchased in 4.
Target instance to which the protection policy is associated to.
- In the row containing the created policy, click Configure Policy. The Policy Content page is displayed.
- Under Basic Protection, click Set.
Figure 3 Basic protection
- In the Basic Protection Settings dialog box that is displayed, set the Traffic Scrubbing Level and Defense Mode.
Figure 4 Basic protection settings
Table 3 Parameter description Parameter
Example Value
Description
Traffic Scrubbing Level
300Mbps
If the DDoS bandwidth on an IP address exceeds the configured scrubbing level, CNAD is triggered to scrub attack traffic.
You are advised to set a value closest to, but not exceeding, the purchased bandwidth.
Defense Mode
Normal
If the traffic reaches the specified scrubbing level, traffic scrubbing is triggered.
- Loose: Scrubbing is triggered when the traffic reaches three times of the scrubbing level.
- Normal: Scrubbing is triggered when the traffic reaches twice the scrubbing level.
- Strict: Scrubbing is triggered when the traffic reaches the scrubbing level.
Step 3: Adding a Protected Object
- In the navigation pane on the left, choose Cloud Native Anti-DDoS Advanced > Instances. The Instances page is displayed.
- In the Select Instance drop-down box, select the instance purchased in 4.
- Click Add Protected Object. The Add Protected Object page appears.
- Select the EIP obtained in Prerequisites, and click Next.
Figure 5 Adding a protected object
- Click OK.
Related Information
- To obtain DDoS attack information in a timely manner, you can set alarm notifications. For details, see Setting Alarm Notifications.
- You can view information such as the traffic trend and attack distribution on the CNAD Advanced console. For details, see Viewing Statistics Reports.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot