Protection Suggestions After AAD Is Connected
After connecting services to AAD, access security still matters: it determines whether the origin server can be reached directly and whether the service stays available.
The following content provides specific suggestions for protecting the origin server and enhancing service availability.
Protection Suggestions
You can take the following measures to reduce the risk of DDoS attacks and improve the security of origin servers. Table 1 and Table 2 describe the main methods.
Hardening Operation | Description
---|---
Configuring a security group | Adding an ECS to a security group can effectively reduce irrelevant access requests and reduce attack risks. For details, see Adding an ECS to a Security Group.
Using VPCs | You can use virtual private clouds (VPCs) to isolate ECSs, effectively defending against intranet attacks. For details, see Creating a VPC.
Enabling AS | With auto scaling (AS), ECSs can be automatically added during an attack, enhancing processing performance and reducing the impact of attacks. For details, see What Is Auto Scaling?
Enhancing service monitoring | You can set DDoS alarm rules to customize the monitored objects and notification policies, so that you can learn about the AAD protection status in a timely manner. For details, see Configuring Monitoring Alarm Rules.
Enabling CDN scheduling | The DDoS scheduling center facilitates both AAD and CDN scheduling. During regular service access, traffic is directed to the nearest CDN node for acceleration. When an attack occurs, traffic is rerouted to AAD for scrubbing, mitigating DDoS attacks and ensuring service stability. For details, see Configuring CDN Scheduling Rules.
Enabling WAF | Connect website applications to WAF for collaborative protection with AAD. The traffic is forwarded to WAF after passing through AAD. For details, see AAD and WAF Interworking.
Enabling HSS | Host Security Service (HSS) monitors host risks in real time and prevents unauthorized intrusions, reducing major security risks. For details, see Accessing HSS.
Optimizing DNS resolution | Hosting your domain with multiple DNS service providers and optimizing DNS resolution policies can effectively mitigate traffic attacks. For details about how to connect your services to the Huawei Cloud DNS service, see Add an A Record Set for the Domain Name.
Scenario | Service Flow | Hardening Description
---|---|---
Services are deployed on Huawei Cloud ECSs. | AAD → Huawei Cloud ECS | Configure security group rules to allow all back-to-origin IP addresses of AAD to access the ECS. For details about how to view the DDoS back-to-origin IP address range, see Step 2: Adding the Back-to-Origin IP Address Range to the Whitelist.
Services are deployed on Huawei Cloud ECSs. | AAD → Huawei Cloud ELB → Huawei Cloud ECS | Set access control policies on the ELB console. For details, see Access Control.
Services are deployed on Huawei Cloud ECSs. | AAD → Huawei Cloud WAF → Huawei Cloud ECS | Configure an access control policy on the origin server to allow only access from the WAF back-to-source IP address range. For details, see Configuring Security Group Rules. For details about how to view the back-to-source IP address range of WAF, see How Do I Whitelist Back-to-Source IP Addresses of Cloud WAF?
Services are deployed on servers outside Huawei Cloud. | AAD → Origin server outside Huawei Cloud | In the origin server's security software, configure a protection policy to allow only access from IP addresses in the AAD back-to-origin IP address range while denying access from all other IP addresses. For details about how to view the DDoS back-to-origin IP address range, see Step 2: Adding the Back-to-Origin IP Address Range to the Whitelist.
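The allowlist posture described in the table above can be checked rather than assumed. The following script is an added example, not Huawei Cloud code: it audits inbound allow rules against the AAD back-to-origin range and scans access log lines for clients that reached the origin directly. The CIDRs and log lines are constructed placeholders; substitute the range shown on the AAD console.

```python
import ipaddress
from typing import Iterable, List

# Constructed placeholder CIDRs standing in for the AAD back-to-origin IP address
# range; replace them with the ranges shown on the AAD console (Step 2 above).
AAD_BACK_TO_ORIGIN = [ipaddress.ip_network(c) for c in ("198.51.100.0/24", "203.0.113.0/25")]


def _covered(net, ranges) -> bool:
    """True if every address in net lies inside one of the AAD ranges."""
    return any(net.version == r.version and net.subnet_of(r) for r in ranges)


def is_from_aad(ip: str, ranges=AAD_BACK_TO_ORIGIN) -> bool:
    """True if a single source address belongs to the AAD back-to-origin range."""
    return _covered(ipaddress.ip_network(ip), ranges)


def audit_allow_rules(allow_cidrs: Iterable[str], ranges=AAD_BACK_TO_ORIGIN) -> List[str]:
    """Return inbound allow rules (as CIDRs) that admit sources outside the AAD range.
    An empty result means the origin accepts only traffic that passed through AAD."""
    return [c for c in allow_cidrs
            if not _covered(ipaddress.ip_network(c, strict=False), ranges)]


def direct_to_origin_hits(log_lines: Iterable[str], ranges=AAD_BACK_TO_ORIGIN) -> List[str]:
    """Client IPs in web-server access log lines that did not arrive via AAD.
    Any hit means the origin is reachable directly, i.e. the allowlist has a gap."""
    hits = []
    for line in log_lines:
        client = line.split(" ", 1)[0]  # first field of the combined log format
        try:
            if not is_from_aad(client, ranges):
                hits.append(client)
        except ValueError:  # malformed line, first field is not an IP address
            continue
    return hits


# Constructed sample data: three allow rules (one far too wide) and three log lines.
SAMPLE_RULES = ["198.51.100.0/24", "203.0.113.64/26", "0.0.0.0/0"]
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 512',
    '192.0.2.9 - - [01/Jan/2024:10:00:01 +0000] "GET /admin HTTP/1.1" 403 0',
    '203.0.113.70 - - [01/Jan/2024:10:00:02 +0000] "GET /api HTTP/1.1" 200 88',
]

if __name__ == "__main__":
    print("allow rules wider than the AAD range:", audit_allow_rules(SAMPLE_RULES))
    print("direct-to-origin client IPs:", direct_to_origin_hits(SAMPLE_LOG))
```

Run the audit after every rule change and the log scan periodically; a non-empty result from either function means the "allow only AAD back-to-origin addresses" policy is not fully in effect.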