Help Center/ Anti-DDoS Service/ Best Practices/ Using the Scheduling Center to Implement Tiered Traffic Scheduling.
Updated on 2024-12-24 GMT+08:00
View PDF
Share

Using the Scheduling Center to Implement Tiered Traffic Scheduling.

Application Scenarios

If you use both CNAD Unlimited Protection Basic Edition and AAD, you can configure tiered scheduling rules to schedule AAD to protect your cloud resources protected by the Unlimited Protection Basic Edition. This can significantly enhance the DDoS attack defense capability.

This section uses the domain name www.example.com of a website service as an example to describe how to use the scheduling center to implement tiered traffic scheduling.

Architecture

Figure 1 shows the working principle of tiered DDoS scheduling.

  • CNAD Advanced offers comprehensive protection against DDoS attacks. If a DDoS attack is detected, traffic scrubbing will be automatically initiated.
  • When a service is blocked due to heavy traffic attacks, AAD CNAMEs will be called to divert malicious attack traffic to AAD for scrubbing, ensuring that important services are not interrupted.
Figure 1 Working principle of DDoS tiered scheduling

Advantages

The Unlimited Protection Basic Edition defends against routine DDoS attacks without requiring the origin server IP address to be changed. Service traffic is directly transmitted to the origin server, so there is no extra latency.

When there are a large number of DDoS attacks, AAD is called to protect the cloud resources of the Unlimited Protection Basic Edition's protected objects. In this case, service traffic is forwarded by AAD.

Limitations and Constraints

  • The protected domain name (www.example.com) is deployed on Huawei Cloud in a region that supports CNAD Advanced instances (for example, CN North-Beijing4).
  • The protected domain name (www.example.com) is not connected to WAF.

Resource and Cost Planning

Resource

Description

Quantity

Cost

CNAD Unlimited Protection Basic Edition

Defends against routine attacks. (Service traffic is directly transmitted to the origin server.)

1

For details about the billing modes and standards, see Billing Overview.

AAD

Defends against massive attacks. (Service traffic is forwarded through AAD.)

1

Step 1: Purchasing and Configuring a CNAD Advanced Instance

  1. Log in to the management console.
  2. Click in the upper left corner of the page and choose Security & Compliance > Anti-DDoS Service. The Anti-DDoS page is displayed.
  3. In the upper right corner of the page, click Buy CNAD Pro.
  4. Set the purchase parameters as required, click Buy Now, and complete the payment as prompted.

    • Instance Type: Cloud Native Anti-DDoS
    • Billing Mode: Yearly/Monthly
    • Region: Chinese Mainland
    • Protection Level: Unlimited Protection Basic Edition
    • Set other parameters as required.

  5. Choose Cloud Native Anti-DDoS Advanced > Instances. The instance list page is displayed.
  6. In the row containing the target instance, click Add Protected Object.
  7. In the Add Protected Object dialog box that is displayed, select the origin server IP address of the protected domain name www.example.com and click Next.
  8. Select a protection policy and click OK.

Step 1: Purchasing and Configuring an AAD Instance

  1. Log in to the management console.
  2. Click in the upper left corner of the page and choose Security & Compliance > Anti-DDoS Service. The Anti-DDoS page is displayed.
  3. In the upper right corner of the page, click Buy CNAD Pro.
  4. Set the purchase parameters as required, click Buy Now, and complete the payment as prompted.

    • Instance Type: Advanced Anti-DDoS
    • Access Type: Website
    • Region: Chinese Mainland
    • Set other parameters as required.

  5. Choose Advanced Anti-DDoS > Domain Name Access. The domain name list page is displayed.
  6. On the Chinese Mainland tab page, click Add Domain Name.
  7. Enter the domain name information and click Next.

    • Protected Domain Name: Enter the domain name to be protected, for example, www.example.com.
    • Origin Server Type: Select IP address.
    • IP Address: Enter the public IP address of the origin server.
    • Forwarding Protocol: Enter the forwarding protocol of the origin server.
    • Origin Server Port: Enter the port used by the origin server.
    Figure 2 Configuring a website domain

  8. Select an AAD instance and line, and click Submit and Continue.

    Figure 3 Selecting an AAD instance and line

  9. Click Next, and then click Finish.

    After the domain name is connected to AAD. Obtain the CNAME value of the AAD instance, as shown in Figure 4.
    Figure 4 Domain name connected to AAD

Step 3: Configuring Tiered Scheduling

  1. Log in to the management console.
  2. Hover the mouse over the Service List icon, choose Security & Compliance > DDoS Mitigation, and click Advanced Anti-DDoS.
  3. In the displayed DDoS Migration Center page, choose Scheduling Center > Tiered Protection.
  4. In the upper left corner of the tiered scheduling list, click Create Rule.
  5. In the dialog box that is displayed, set the parameters of the scheduling rule.

    • Name: Enter the scheduling rule name.
    • Scheduling Group: Select the region, origin server IP, and group ID of the CNAD Advanced instance. A maximum of 10 IP addresses can be added.
    • Auto AAD: Select CNAD and AAD.
    • AAD CNAME: Enter the CNAME value of the AAD instance obtained from 9.
    Figure 5 Creating a scheduling rule

  6. Click OK
  7. In the tiered scheduling rule list, obtain the scheduling CNAME.

    Figure 6 Scheduling CNAME

Step 4: Modifying DNS Resolution

  1. Log in to the management console.
  2. In the service list, choose Network > Domain Name Service.
  3. In the navigation pane, choose Public Zones.
  4. In the row containing the target domain name (for example, www.example.com), click Manage Record Set.
  5. Click Add Record Set.

    • Record Type: Select CNAME-Map one domain to another.
    • Line: Default
    • Value: Scheduling CNAME value obtained from 7.
    • Set other parameters as required.