{"id":43,"date":"2026-04-12T15:22:08","date_gmt":"2026-04-12T15:22:08","guid":{"rendered":"https:\/\/www.devopsschool.com\/tutorials\/alibaba-cloud-edge-security-acceleration-esa-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-networking-and-cdn\/"},"modified":"2026-04-12T15:22:08","modified_gmt":"2026-04-12T15:22:08","slug":"alibaba-cloud-edge-security-acceleration-esa-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-networking-and-cdn","status":"publish","type":"post","link":"https:\/\/www.devopsschool.com\/tutorials\/alibaba-cloud-edge-security-acceleration-esa-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-networking-and-cdn\/","title":{"rendered":"Alibaba Cloud Edge Security Acceleration (ESA) Tutorial: Architecture, Pricing, Use Cases, and Hands-On Guide for Networking and CDN"},"content":{"rendered":"\n

Category<\/h2>\n\n\n\n

Networking and CDN<\/p>\n\n\n\n

1. Introduction<\/h2>\n\n\n\n

What this service is<\/h3>\n\n\n\n

Alibaba Cloud Edge Security Acceleration (ESA)<\/strong> is an edge platform that sits in front of your website or application and provides acceleration (CDN-like caching and routing)<\/strong> plus security controls (edge-layer protections such as WAF-style filtering, rate limiting, and DDoS mitigation features depending on edition)<\/strong>.<\/p>\n\n\n\n

One-paragraph simple explanation<\/h3>\n\n\n\n

You point your domain (for example, www.example.com<\/code>) to ESA instead of directly to your origin server. ESA then serves your content from nearby edge nodes when possible and blocks or challenges suspicious traffic before it reaches your origin\u2014helping you improve performance and reduce risk.<\/p>\n\n\n\n

One-paragraph technical explanation<\/h3>\n\n\n\n

Technically, ESA operates as a reverse-proxy and edge delivery layer<\/strong>: client requests terminate at ESA edge points of presence (PoPs), where TLS is negotiated, caching rules and edge policies are evaluated, and security checks are applied. Requests that cannot be fulfilled from cache are forwarded to your configured origin(s) over optimized back-to-origin connectivity. ESA also provides operational visibility (metrics\/logs\/analytics\u2014exact capabilities depend on configuration and edition) and policy-driven control over HTTP behavior.<\/p>\n\n\n\n

What problem it solves<\/h3>\n\n\n\n

ESA addresses a common production problem set:<\/p>\n\n\n\n

    \n
  • Slow user experience<\/strong> for geographically distributed audiences due to origin distance and network variability.<\/li>\n
  • Origin overload<\/strong> from spikes (marketing events, bot floods, scrapers) and inefficient caching.<\/li>\n
  • Security exposure<\/strong> of public origins to volumetric attacks, application-layer attacks, abusive automation, and credential-stuffing attempts.<\/li>\n
  • Operational complexity<\/strong> of assembling \u201cCDN + WAF + TLS + rules + analytics\u201d as separate products.<\/li>\n<\/ul>\n\n\n\n
    \n

    Naming\/status note: This tutorial uses the service name exactly as Edge Security Acceleration (ESA)<\/strong> under Alibaba Cloud<\/strong> in Networking and CDN<\/strong>. If Alibaba Cloud renames or repackages ESA in your region or console, verify the latest name and feature set in official docs<\/strong>.<\/p>\n<\/blockquote>\n\n\n\n

    \n\n\n\n

    2. What is Edge Security Acceleration (ESA)?<\/h2>\n\n\n\n

    Official purpose<\/h3>\n\n\n\n

    The official purpose of Edge Security Acceleration (ESA)<\/strong> is to provide a managed edge layer that accelerates web delivery and strengthens perimeter security by handling traffic closer to users and applying policy enforcement at the edge.<\/p>\n\n\n\n

    Core capabilities (high-level)<\/h3>\n\n\n\n

    Depending on the ESA edition and features enabled (verify in official documentation for your account\/region), ESA commonly covers:<\/p>\n\n\n\n

      \n
    • Edge acceleration and caching<\/strong> for static and cacheable dynamic content.<\/li>\n
    • TLS\/HTTPS termination<\/strong> and certificate management workflows (often integrating with Alibaba Cloud Certificate Management Service).<\/li>\n
    • HTTP behavior controls<\/strong> (redirects, header controls, cache rules, compression, protocol features).<\/li>\n
    • Security controls<\/strong> such as:<\/li>\n
    • Managed and custom security rules (WAF-style)<\/li>\n
    • Rate limiting<\/li>\n
    • Bot\/automation controls (if available in your edition)<\/li>\n
    • DDoS-related protections at the edge (scope varies; confirm with official docs)<\/li>\n<\/ul>\n\n\n\n

      Major components (conceptual)<\/h3>\n\n\n\n

      ESA implementations typically include these building blocks:<\/p>\n\n\n\n

        \n
      • Site \/ Domain configuration<\/strong>: the unit you onboard (e.g., example.com<\/code>, api.example.com<\/code>).<\/li>\n
      • Origin configuration<\/strong>: where ESA fetches content (ECS, SLB\/ALB, OSS static website endpoint, third-party origin).<\/li>\n
      • DNS onboarding mode<\/strong>:<\/li>\n
      • CNAME<\/strong> (you keep DNS with your current provider; you CNAME records to ESA)<\/li>\n
      • Name Server (NS) \/ DNS delegation<\/strong> (you delegate DNS to ESA-managed DNS\u2014availability depends on ESA features)<\/li>\n
      • Edge policy engine<\/strong>: caching rules, routing rules, security rules.<\/li>\n
      • Observability<\/strong>: dashboards, logs, events\/alerts (often via Alibaba Cloud Log Service (SLS), CloudMonitor, and ActionTrail\u2014verify supported integrations).<\/li>\n<\/ul>\n\n\n\n

        Service type<\/h3>\n\n\n\n

        ESA is a managed edge reverse-proxy \/ security acceleration service<\/strong> in the Networking and CDN<\/strong> category.<\/p>\n\n\n\n

        Scope: regional\/global\/account scoping (practical guidance)<\/h3>\n\n\n\n

        Edge services are typically global<\/strong> in data plane (PoPs across geographies), while control plane<\/strong> is tied to your Alibaba Cloud account<\/strong> and the console endpoint you use. Exact geographic coverage and PoP distribution can vary; verify coverage maps and regional availability in the official ESA documentation<\/strong>.<\/p>\n\n\n\n

        How it fits into the Alibaba Cloud ecosystem<\/h3>\n\n\n\n

        ESA commonly complements or integrates with:<\/p>\n\n\n\n

          \n
        • ECS \/ ACK \/ ALB \/ SLB<\/strong> as origins for apps and APIs.<\/li>\n
        • OSS<\/strong> as an origin for static websites\/assets.<\/li>\n
        • Certificate Management Service<\/strong> for TLS certificates.<\/li>\n
        • Log Service (SLS)<\/strong> for access logs and security logs (if supported).<\/li>\n
        • CloudMonitor<\/strong> for metrics and alerting.<\/li>\n
        • ActionTrail<\/strong> for auditing control-plane actions.<\/li>\n
        • RAM (Resource Access Management)<\/strong> for IAM and least-privilege administration.<\/li>\n<\/ul>\n\n\n\n
          \n\n\n\n

          3. Why use Edge Security Acceleration (ESA)?<\/h2>\n\n\n\n

          Business reasons<\/h3>\n\n\n\n
            \n
          • Improve conversion and retention<\/strong>: faster pages reduce bounce rates.<\/li>\n
          • Reduce incident and fraud risk<\/strong>: edge filtering lowers the chance that attack traffic reaches the origin.<\/li>\n
          • Cost control<\/strong>: caching and edge offload can reduce origin bandwidth\/compute scaling needs.<\/li>\n<\/ul>\n\n\n\n

            Technical reasons<\/h3>\n\n\n\n
              \n
            • Lower latency<\/strong> by serving cached content near users.<\/li>\n
            • Higher availability<\/strong> by absorbing traffic spikes and isolating origins.<\/li>\n
            • Centralized traffic management<\/strong>: consistent policies for redirects, caching, headers, and TLS settings.<\/li>\n<\/ul>\n\n\n\n

              Operational reasons<\/h3>\n\n\n\n
                \n
              • Simplified delivery stack<\/strong>: fewer moving parts than hand-rolling CDN + WAF + edge rules.<\/li>\n
              • Fast rule changes<\/strong>: update policies without redeploying application code (within governance controls).<\/li>\n
              • Observability at the edge<\/strong>: understand requests, cache behavior, and security events.<\/li>\n<\/ul>\n\n\n\n

                Security\/compliance reasons<\/h3>\n\n\n\n
                  \n
                • Reduce attack surface<\/strong>: hide origin IPs and apply edge access controls.<\/li>\n
                • Baseline protection<\/strong>: rate limits, managed rules, and security posture improvements.<\/li>\n
                • Auditability<\/strong>: change tracking via RAM + ActionTrail and log pipelines (verify supported logs).<\/li>\n<\/ul>\n\n\n\n

                  Scalability\/performance reasons<\/h3>\n\n\n\n
                    \n
                  • Better peak handling<\/strong>: edge caches and PoPs handle bursty access patterns.<\/li>\n
                  • Offload TLS<\/strong>: edge termination reduces CPU and operational overhead at origins.<\/li>\n<\/ul>\n\n\n\n

                    When teams should choose it<\/h3>\n\n\n\n

                    Choose ESA when you need both<\/strong> acceleration and edge security for:<\/p>\n\n\n\n

                      \n
                    • Public websites and APIs<\/li>\n
                    • Global or multi-region audiences<\/li>\n
                    • E-commerce, SaaS portals, login endpoints<\/li>\n
                    • Content-heavy sites (images, JS\/CSS)<\/li>\n
                    • Workloads that benefit from caching, edge policy, and request filtering<\/li>\n<\/ul>\n\n\n\n

                      When teams should not choose it<\/h3>\n\n\n\n

                      ESA may not be the right choice when:<\/p>\n\n\n\n

                        \n
                      • You need private-only<\/strong> traffic with no public edge exposure (unless ESA supports private connectivity patterns for your case\u2014verify).<\/li>\n
                      • Your app is non-HTTP(S)<\/strong> (ESA is typically HTTP(S)-focused).<\/li>\n
                      • You need extremely specialized L7 security<\/strong> requiring deep custom inspection beyond what ESA exposes.<\/li>\n
                      • Your compliance requires strict data residency that conflicts with global edge processing (confirm ESA data handling and region constraints).<\/li>\n<\/ul>\n\n\n\n
                        \n\n\n\n

                        4. Where is Edge Security Acceleration (ESA) used?<\/h2>\n\n\n\n

                        Industries<\/h3>\n\n\n\n
                          \n
                        • E-commerce and retail<\/li>\n
                        • Media, publishing, and streaming portals (site delivery)<\/li>\n
                        • SaaS and B2B platforms<\/li>\n
                        • Gaming portals and community sites<\/li>\n
                        • Education and online learning<\/li>\n
                        • Financial services (with careful compliance validation)<\/li>\n
                        • Travel and ticketing (burst traffic patterns)<\/li>\n<\/ul>\n\n\n\n

                          Team types<\/h3>\n\n\n\n
                            \n
                          • Platform engineering teams standardizing edge policy<\/li>\n
                          • Security engineering teams managing WAF\/rate limiting centrally<\/li>\n
                          • SRE\/DevOps teams responsible for performance and availability<\/li>\n
                          • Web\/mobile backend teams shipping APIs and user-facing apps<\/li>\n<\/ul>\n\n\n\n

                            Workloads<\/h3>\n\n\n\n
                              \n
                            • Static sites (documentation, marketing, landing pages)<\/li>\n
                            • Web apps (SPAs) with API backends<\/li>\n
                            • Login and account management endpoints<\/li>\n
                            • Asset delivery (images, JS\/CSS, downloads)<\/li>\n
                            • API gateway-like patterns for public APIs (within ESA\u2019s capabilities)<\/li>\n<\/ul>\n\n\n\n

                              Architectures<\/h3>\n\n\n\n
                                \n
                              • Single-origin with edge acceleration<\/li>\n
                              • Multi-origin with host\/path-based routing (if supported\u2014verify)<\/li>\n
                              • Active-active multi-region origins behind ESA (with health checks and failover\u2014verify exact mechanisms)<\/li>\n
                              • Hybrid: ESA for internet edge + internal API gateway for east-west<\/li>\n<\/ul>\n\n\n\n

                                Real-world deployment contexts<\/h3>\n\n\n\n
                                  \n
                                • Front door for production traffic<\/li>\n
                                • Pre-production performance testing with a staging domain<\/li>\n
                                • Security hardening for endpoints prone to scanning\/bots<\/li>\n<\/ul>\n\n\n\n

                                  Production vs dev\/test usage<\/h3>\n\n\n\n
                                    \n
                                  • Production<\/strong>: stricter change control, rate-limit tuning, log retention, origin protection, TLS configuration, and governance.<\/li>\n
                                  • Dev\/test<\/strong>: validate caching behavior, rule safety, and application compatibility without impacting primary domain (use separate subdomain like staging.example.com<\/code>).<\/li>\n<\/ul>\n\n\n\n
                                    \n\n\n\n

                                    5. Top Use Cases and Scenarios<\/h2>\n\n\n\n

                                    Below are realistic use cases for Alibaba Cloud Edge Security Acceleration (ESA)<\/strong>. For each, confirm feature availability and limits in official ESA docs and your purchased edition.<\/p>\n\n\n\n

                                    1) Accelerate a global marketing website<\/h3>\n\n\n\n
                                      \n
                                    • Problem<\/strong>: Users in distant regions experience slow load times; origin bandwidth spikes during campaigns.<\/li>\n
                                    • Why ESA fits<\/strong>: Edge caching serves static assets closer to users; reduces origin load.<\/li>\n
                                    • Example<\/strong>: www.company.com<\/code> caches images\/CSS\/JS at edge; origin remains a small ECS instance.<\/li>\n<\/ul>\n\n\n\n

                                      2) Protect login endpoints from brute force and credential stuffing<\/h3>\n\n\n\n
                                        \n
                                      • Problem<\/strong>: Attackers automate login attempts causing user lockouts and high origin CPU usage.<\/li>\n
                                      • Why ESA fits<\/strong>: Rate limiting and security rules at the edge reduce abusive traffic.<\/li>\n
                                      • Example<\/strong>: Apply tighter rate limits on \/login<\/code> and \/auth\/*<\/code> while leaving other pages more permissive.<\/li>\n<\/ul>\n\n\n\n

                                        3) Reduce bot scraping of product catalogs<\/h3>\n\n\n\n
                                          \n
                                        • Problem<\/strong>: Scrapers download catalog pages at high rates, impacting performance and leaking data.<\/li>\n
                                        • Why ESA fits<\/strong>: Bot controls \/ behavioral rules (if available) and rate limits mitigate scraping.<\/li>\n
                                        • Example<\/strong>: Challenge or throttle unusual request patterns hitting \/product\/*<\/code>.<\/li>\n<\/ul>\n\n\n\n

                                          4) Enforce HTTPS and modern TLS at scale<\/h3>\n\n\n\n
                                            \n
                                          • Problem<\/strong>: Inconsistent TLS configs across origins, certificate renewals create outages.<\/li>\n
                                          • Why ESA fits<\/strong>: Central TLS termination and consistent security policy for all subdomains.<\/li>\n
                                          • Example<\/strong>: Redirect HTTP\u2192HTTPS globally; bind managed certs; standardize cipher policy (as supported).<\/li>\n<\/ul>\n\n\n\n

                                            5) Cache and accelerate software downloads<\/h3>\n\n\n\n
                                              \n
                                            • Problem<\/strong>: Large files overload origin and cause long download times.<\/li>\n
                                            • Why ESA fits<\/strong>: Edge caching for large assets reduces repeated origin egress.<\/li>\n
                                            • Example<\/strong>: downloads.example.com<\/code> serves versioned binaries; ESA caches by URL.<\/li>\n<\/ul>\n\n\n\n

                                              6) Add a security layer in front of a legacy application<\/h3>\n\n\n\n
                                                \n
                                              • Problem<\/strong>: Legacy app is hard to patch and has weak security headers.<\/li>\n
                                              • Why ESA fits<\/strong>: Edge security rules and header enforcement improve posture without code changes.<\/li>\n
                                              • Example<\/strong>: Add HSTS<\/code>, X-Content-Type-Options<\/code>, and block suspicious query strings (where supported).<\/li>\n<\/ul>\n\n\n\n

                                                7) Absorb traffic spikes during flash sales<\/h3>\n\n\n\n
                                                  \n
                                                • Problem<\/strong>: Sudden bursts cause timeouts and overload.<\/li>\n
                                                • Why ESA fits<\/strong>: Edge caches static content; rate limits certain paths; reduces origin concurrency.<\/li>\n
                                                • Example<\/strong>: Cache category pages; protect \/checkout<\/code> with stricter rules and bot filters.<\/li>\n<\/ul>\n\n\n\n

                                                  8) Hide origin IP and reduce direct attack surface<\/h3>\n\n\n\n
                                                    \n
                                                  • Problem<\/strong>: Attackers target origin IP directly, bypassing edge controls.<\/li>\n
                                                  • Why ESA fits<\/strong>: Serve traffic through ESA and restrict origin access to ESA back-to-origin IP ranges (if published).<\/li>\n
                                                  • Example<\/strong>: ECS security group allows only ESA egress IPs (verify availability of ESA IP list).<\/li>\n<\/ul>\n\n\n\n

                                                    9) Standardize multi-tenant SaaS edge policy<\/h3>\n\n\n\n
                                                      \n
                                                    • Problem<\/strong>: Many customer subdomains require consistent TLS and security rules.<\/li>\n
                                                    • Why ESA fits<\/strong>: Template-like policies (rule sets) reduce operational load.<\/li>\n
                                                    • Example<\/strong>: tenantA.app.com<\/code>, tenantB.app.com<\/code> onboarded with shared baseline rules.<\/li>\n<\/ul>\n\n\n\n

                                                      10) Improve API latency for mobile clients<\/h3>\n\n\n\n
                                                        \n
                                                      • Problem<\/strong>: Mobile users globally have variable network latency.<\/li>\n
                                                      • Why ESA fits<\/strong>: Edge connectivity and HTTP optimizations can improve performance; some caching may apply.<\/li>\n
                                                      • Example<\/strong>: Cache non-sensitive GET endpoints (\/api\/config<\/code>) while keeping auth endpoints uncacheable.<\/li>\n<\/ul>\n\n\n\n

                                                        11) Add controlled maintenance mode at the edge (if supported)<\/h3>\n\n\n\n
                                                          \n
                                                        • Problem<\/strong>: Planned maintenance requires serving a static page while origin is down.<\/li>\n
                                                        • Why ESA fits<\/strong>: Edge rules can route or respond with a maintenance page (feature varies\u2014verify).<\/li>\n
                                                        • Example<\/strong>: During deployment window, serve 503<\/code> with a cached HTML maintenance response.<\/li>\n<\/ul>\n\n\n\n

                                                          12) Centralize observability for edge traffic patterns<\/h3>\n\n\n\n
                                                            \n
                                                          • Problem<\/strong>: Difficult to differentiate real users vs bots and measure cache hit ratios.<\/li>\n
                                                          • Why ESA fits<\/strong>: Edge analytics and logs help identify top paths, countries, status codes, and anomalies.<\/li>\n
                                                          • Example<\/strong>: Security team monitors spikes in 4xx\/5xx, suspicious ASNs, or request bursts.<\/li>\n<\/ul>\n\n\n\n
                                                            \n\n\n\n

                                                            6. Core Features<\/h2>\n\n\n\n
                                                            \n

                                                            Important: ESA feature sets can vary by edition\/region and can evolve. Verify in official ESA documentation<\/strong> before implementing production controls.<\/p>\n<\/blockquote>\n\n\n\n

                                                            6.1 Reverse proxy + origin routing<\/h3>\n\n\n\n
                                                              \n
                                                            • What it does<\/strong>: ESA receives client requests and forwards them to configured origin servers when not served from cache.<\/li>\n
                                                            • Why it matters<\/strong>: Separates internet exposure from origin infrastructure.<\/li>\n
                                                            • Practical benefit<\/strong>: You can move or scale origins without changing client-facing configuration (beyond origin settings in ESA).<\/li>\n
                                                            • Caveats<\/strong>: Origin protocol support, header forwarding, and timeout limits can affect application compatibility\u2014validate with staging.<\/li>\n<\/ul>\n\n\n\n

                                                              6.2 Edge caching and cache rules<\/h3>\n\n\n\n
                                                                \n
                                                              • What it does<\/strong>: Caches content at edge nodes based on cache-control headers and\/or custom rules.<\/li>\n
                                                              • Why it matters<\/strong>: Cache hits reduce latency and origin egress\/compute.<\/li>\n
                                                              • Practical benefit<\/strong>: Faster delivery of static assets; better resilience under load.<\/li>\n
                                                              • Caveats<\/strong>: Risk of caching personalized content if rules are incorrect; require clear cache key strategy (cookies\/headers\/query strings).<\/li>\n<\/ul>\n\n\n\n

                                                                6.3 HTTPS\/TLS termination and certificate binding<\/h3>\n\n\n\n
                                                                  \n
                                                                • What it does<\/strong>: Terminates TLS at the edge; allows certificate management workflows for domains.<\/li>\n
                                                                • Why it matters<\/strong>: Consistent HTTPS policy, easier renewals, centralized security settings.<\/li>\n
                                                                • Practical benefit<\/strong>: Reduced operational risk from expiring certs (when using managed issuance\/renewal).<\/li>\n
                                                                • Caveats<\/strong>: Some mTLS or special handshake requirements may not be supported; verify TLS versions\/ciphers supported.<\/li>\n<\/ul>\n\n\n\n

                                                                  6.4 HTTP to HTTPS redirects and URL rewrites (where supported)<\/h3>\n\n\n\n
                                                                    \n
                                                                  • What it does<\/strong>: Forces HTTPS or rewrites request URLs at the edge.<\/li>\n
                                                                  • Why it matters<\/strong>: Improves security baseline and supports SEO\/canonicalization.<\/li>\n
                                                                  • Practical benefit<\/strong>: Standard rules for www<\/code> redirects, trailing slash policy, and path normalization.<\/li>\n
                                                                  • Caveats<\/strong>: Misconfigured redirects can cause loops; always test with a staging hostname.<\/li>\n<\/ul>\n\n\n\n

                                                                    6.5 Web application security rules (WAF-style)<\/h3>\n\n\n\n
                                                                      \n
                                                                    • What it does<\/strong>: Applies managed and\/or custom rules to block common web attacks (SQLi, XSS, traversal) and policy violations.<\/li>\n
                                                                    • Why it matters<\/strong>: Reduces risk of exploitation and protects legacy apps.<\/li>\n
                                                                    • Practical benefit<\/strong>: Block obvious malicious payloads before they reach the app.<\/li>\n
                                                                    • Caveats<\/strong>: False positives are possible; start in observe\/log mode if available, then gradually enforce.<\/li>\n<\/ul>\n\n\n\n

                                                                      6.6 Rate limiting \/ traffic control<\/h3>\n\n\n\n
                                                                        \n
                                                                      • What it does<\/strong>: Enforces request rate thresholds per IP, URI, or other dimensions (depending on ESA capabilities).<\/li>\n
                                                                      • Why it matters<\/strong>: Mitigates brute force, scraping, and abusive clients.<\/li>\n
                                                                      • Practical benefit<\/strong>: Keeps origins healthy during targeted L7 floods.<\/li>\n
                                                                      • Caveats<\/strong>: NATed networks can share IPs; consider per-session or token approaches if supported; tune carefully.<\/li>\n<\/ul>\n\n\n\n

                                                                        6.7 DDoS-related protections (scope varies)<\/h3>\n\n\n\n
                                                                          \n
                                                                        • What it does<\/strong>: Provides edge-level mitigation against certain volumetric or protocol attacks.<\/li>\n
                                                                        • Why it matters<\/strong>: Reduces downtime from network floods.<\/li>\n
                                                                        • Practical benefit<\/strong>: Basic protection for public sites without deploying specialized appliances.<\/li>\n
                                                                        • Caveats<\/strong>: DDoS product boundaries can be complex in Alibaba Cloud (e.g., Anti-DDoS services). Confirm what ESA includes vs what requires a dedicated Anti-DDoS plan.<\/li>\n<\/ul>\n\n\n\n

                                                                          6.8 Security headers and response hardening (where supported)<\/h3>\n\n\n\n
                                                                            \n
                                                                          • What it does<\/strong>: Adds or normalizes response headers like HSTS, X-Frame-Options, etc.<\/li>\n
                                                                          • Why it matters<\/strong>: Improves browser-side protections.<\/li>\n
                                                                          • Practical benefit<\/strong>: Consistent security posture even if origin apps vary.<\/li>\n
                                                                          • Caveats<\/strong>: Incorrect headers can break embedded content or older clients.<\/li>\n<\/ul>\n\n\n\n

                                                                            6.9 Access logs \/ analytics (where supported)<\/h3>\n\n\n\n
                                                                              \n
                                                                            • What it does<\/strong>: Provides traffic analytics and potentially exportable logs.<\/li>\n
                                                                            • Why it matters<\/strong>: Helps with incident response, troubleshooting, and performance tuning.<\/li>\n
                                                                            • Practical benefit<\/strong>: Identify hot paths, cache hit ratio, suspicious geos, and status code patterns.<\/li>\n
                                                                            • Caveats<\/strong>: Log retention and export may incur costs (SLS ingestion\/storage); sampling may apply.<\/li>\n<\/ul>\n\n\n\n

                                                                              6.10 Custom rules for caching, security, and behavior<\/h3>\n\n\n\n
                                                                                \n
                                                                              • What it does<\/strong>: Lets you set conditional logic for paths\/hosts\/headers (exact rule language varies).<\/li>\n
                                                                              • Why it matters<\/strong>: Real apps need different behavior for \/static\/*<\/code> vs \/api\/*<\/code> vs \/admin\/*<\/code>.<\/li>\n
                                                                              • Practical benefit<\/strong>: Fine-grained control without code changes.<\/li>\n
                                                                              • Caveats<\/strong>: Rule complexity can create operational risk; apply naming conventions and change control.<\/li>\n<\/ul>\n\n\n\n
                                                                                \n\n\n\n

                                                                                7. Architecture and How It Works<\/h2>\n\n\n\n

                                                                                High-level architecture<\/h3>\n\n\n\n

                                                                                At a high level, ESA is positioned between end users and your origin servers:<\/p>\n\n\n\n

                                                                                  \n
                                                                                1. Client resolves DNS for your domain to ESA (via CNAME or delegated DNS).<\/li>\n
                                                                                2. Client connects to an ESA edge node, negotiates TLS, and sends the HTTP request.<\/li>\n
                                                                                3. ESA evaluates edge policies:\n – Security checks (WAF rules, rate limits, etc.)\n – Cache eligibility and cache lookup\n – Routing rules<\/li>\n
                                                                                4. If cache hit: ESA returns response immediately.<\/li>\n
                                                                                5. If cache miss: ESA forwards request to origin, receives response, optionally caches it, returns to client.<\/li>\n
                                                                                6. Metrics\/logs are generated for dashboards and integrations.<\/li>\n<\/ol>\n\n\n\n

                                                                                  Request\/data\/control flow (simplified)<\/h3>\n\n\n\n
                                                                                    \n
                                                                                  • Data plane<\/strong>: client \u2194 ESA edge \u2194 origin.<\/li>\n
                                                                                  • Control plane<\/strong>: operator \u2194 Alibaba Cloud Console\/API \u2194 ESA configuration distribution.<\/li>\n<\/ul>\n\n\n\n

                                                                                    Integrations with related services (common patterns)<\/h3>\n\n\n\n
                                                                                      \n
                                                                                    • Origin hosting<\/strong>: ECS, ALB\/SLB, ACK ingress, third-party origin.<\/li>\n
                                                                                    • Static origin<\/strong>: OSS static website endpoints.<\/li>\n
                                                                                    • DNS<\/strong>: Alibaba Cloud DNS (or external DNS provider).<\/li>\n
                                                                                    • TLS certificates<\/strong>: Alibaba Cloud Certificate Management Service (CAS) (commonly used).<\/li>\n
                                                                                    • Logging\/monitoring<\/strong>: Log Service (SLS), CloudMonitor, ActionTrail (verify per ESA log feature and region).<\/li>\n<\/ul>\n\n\n\n

                                                                                      Dependency services (typical)<\/h3>\n\n\n\n
                                                                                        \n
                                                                                      • RAM<\/strong> for permissions.<\/li>\n
                                                                                      • DNS<\/strong> for traffic steering to ESA.<\/li>\n
                                                                                      • Certificate services<\/strong> for HTTPS.<\/li>\n
                                                                                      • Origin infrastructure<\/strong> for back-end content.<\/li>\n<\/ul>\n\n\n\n

                                                                                        Security\/authentication model<\/h3>\n\n\n\n
                                                                                          \n
                                                                                        • User\/API access<\/strong> to ESA is controlled by Alibaba Cloud RAM<\/strong> (policies, users, roles).<\/li>\n
                                                                                        • Edge enforcement<\/strong> controls how public traffic is handled.<\/li>\n
                                                                                        • For origin protection, a common practice is to restrict origin access to known ESA egress IP ranges (if provided) and\/or require secret headers between ESA and origin (if supported)\u2014verify the supported origin authentication mechanisms<\/strong>.<\/li>\n<\/ul>\n\n\n\n

                                                                                          Networking model<\/h3>\n\n\n\n
                                                                                            \n
                                                                                          • ESA is an internet-facing edge<\/strong> service. Origins can be:<\/li>\n
                                                                                          • Public internet reachable, or<\/li>\n
                                                                                          • Protected by security groups\/ACLs while still allowing ESA egress (best practice).<\/li>\n
                                                                                          • Ensure the origin can handle Host<\/code> headers, X-Forwarded-For, and TLS settings expected by ESA.<\/li>\n<\/ul>\n\n\n\n

                                                                                            Monitoring\/logging\/governance considerations<\/h3>\n\n\n\n
                                                                                              \n
                                                                                            • Edge metrics<\/strong>: request count, bandwidth, cache hit ratio, status codes (if exposed).<\/li>\n
                                                                                            • Logs<\/strong>: access logs and security events (if supported).<\/li>\n
                                                                                            • Audit<\/strong>: ActionTrail for config changes; tag resources consistently.<\/li>\n<\/ul>\n\n\n\n

                                                                                              Simple architecture diagram (Mermaid)<\/h4>\n\n\n\n
                                                                                              flowchart LR\n  U[Users \/ Browsers] -->|DNS to ESA| E[ESA Edge Nodes]\n  E -->|Cache hit| U\n  E -->|Cache miss: Back-to-origin| O[Origin (ECS\/ALB\/OSS)]\n  O --> E\n<\/code><\/pre>\n\n\n\n
                                                                                              Production-style architecture diagram (Mermaid)<\/h4>\n\n\n\n
                                                                                              flowchart TB\n  subgraph Internet\n    U1[Users - APAC]\n    U2[Users - EU\/US]\n    BOT[Abusive Bots]\n  end\n\n  subgraph Alibaba_Cloud_Edge[\"Alibaba Cloud Edge Security Acceleration (ESA)\"]\n    EDGE[Global Edge PoPs\\nTLS + Cache + Security Rules]\n    WAF[Edge Security Policies\\n(WAF\/Rate Limits\/Rules)]\n    LOG[Analytics \/ Logs Export\\n(Verify SLS support)]\n  end\n\n  subgraph Origin_Region_A[\"Origin Region A\"]\n    ALB[ALB\/SLB]\n    APP1[ECS\/ACK App]\n  end\n\n  subgraph Origin_Region_B[\"Origin Region B (DR\/Failover)\"]\n    ALB2[ALB\/SLB]\n    APP2[ECS\/ACK App]\n  end\n\n  U1 --> EDGE\n  U2 --> EDGE\n  BOT --> EDGE\n\n  EDGE --> WAF\n  WAF -->|Allowed| EDGE\n  WAF -->|Blocked\/Challenged| U1\n  WAF -->|Blocked\/Challenged| U2\n\n  EDGE -->|Back-to-origin| ALB\n  EDGE -->|Back-to-origin (optional failover)| ALB2\n\n  ALB --> APP1\n  ALB2 --> APP2\n\n  EDGE --> LOG\n<\/code><\/pre>\n\n\n\n
                                                                                              \n\n\n\n
                                                                                              8. Prerequisites<\/h2>\n\n\n\n
                                                                                              Before you start, ensure you have the following.<\/p>\n\n\n\n
                                                                                              Account and billing<\/h3>\n\n\n\n
                                                                                                \n
                                                                                              • An Alibaba Cloud account<\/strong> with billing enabled (pay-as-you-go and\/or subscription depending on ESA offering).<\/li>\n
                                                                                              • Ability to purchase\/activate Edge Security Acceleration (ESA)<\/strong> in your account.<\/li>\n<\/ul>\n\n\n\n
                                                                                                Permissions \/ IAM (RAM)<\/h3>\n\n\n\n
                                                                                                You need a RAM user\/role with permissions to:\n– Manage ESA resources (service-specific permissions)\n– Read\/manage DNS records (Alibaba Cloud DNS if used)\n– Manage certificates (CAS) if using HTTPS\n– View logs\/metrics (SLS\/CloudMonitor) if enabling logging<\/p>\n\n\n\n
                                                                                                If you do not know the exact RAM policy names, verify in official ESA documentation<\/strong> (RAM policy reference for ESA).<\/p>\n\n\n\n
                                                                                                Tools<\/h3>\n\n\n\n
                                                                                                  \n
                                                                                                • Alibaba Cloud Console access<\/li>\n
                                                                                                • A DNS provider where you can edit records (Alibaba Cloud DNS or external)<\/li>\n
                                                                                                • Optional but helpful:<\/li>\n
                                                                                                • curl<\/code> for HTTP verification<\/li>\n
                                                                                                • dig<\/code> or nslookup<\/code> for DNS verification<\/li>\n
                                                                                                • OpenSSL (openssl s_client<\/code>) for TLS verification<\/li>\n<\/ul>\n\n\n\n
                                                                                                  Region availability<\/h3>\n\n\n\n
                                                                                                    \n
                                                                                                  • ESA is an edge service; availability can still vary by account, compliance boundary, or console region.<\/li>\n
                                                                                                  • Verify supported regions\/coverage and PoP distribution<\/strong> in the official ESA docs.<\/li>\n<\/ul>\n\n\n\n
                                                                                                    Quotas\/limits<\/h3>\n\n\n\n
                                                                                                    Common limit categories (exact numbers vary by edition):\n– Number of sites\/domains you can add\n– Number of rules (cache rules, security rules, rate limits)\n– Request\/log retention, log export limits\n– Certificate bindings per domain<\/p>\n\n\n\n
                                                                                                    Verify quotas and limits<\/strong> in official ESA docs for your plan.<\/p>\n\n\n\n
                                                                                                    Prerequisite services (for this tutorial lab)<\/h3>\n\n\n\n
                                                                                                    For the hands-on lab below, you will need:\n– One origin<\/strong> reachable over HTTP(S), such as:\n  – OSS static website hosting, or\n  – An ECS instance running NGINX, or\n  – An ALB\/SLB endpoint\n– One domain name<\/strong> you control (e.g., example.com<\/code>) so you can set a CNAME record.<\/p>\n\n\n\n
                                                                                                    \n\n\n\n
                                                                                                    9. Pricing \/ Cost<\/h2>\n\n\n\n
                                                                                                    \n
                                                                                                    Pricing changes and varies by region\/edition. Do not rely on estimates without checking the official pages for your account.<\/p>\n<\/blockquote>\n\n\n\n
                                                                                                    Pricing model (how ESA is typically billed)<\/h3>\n\n\n\n
                                                                                                    ESA offerings often combine:\n– Plan\/edition<\/strong> (subscription tier) and\/or pay-as-you-go<\/strong>\n– Usage-based dimensions such as:\n  – Data transfer<\/strong> (edge egress traffic to end users)\n  – Requests<\/strong> (HTTP\/S request counts)\n  – Security add-ons<\/strong> (advanced WAF\/bot features, if separate)\n  – Log delivery<\/strong> (if logs are shipped to SLS: ingestion + storage costs in SLS)\n  – Certificate services<\/strong> (if using paid certs; DV certs may be free via CAS in some cases\u2014verify)<\/p>\n\n\n\n
                                                                                                    Free tier<\/h3>\n\n\n\n
                                                                                                    Alibaba Cloud free tiers and trials vary by region and time. ESA may offer:\n– Trial quotas, or\n– Limited free usage for a period<\/p>\n\n\n\n
                                                                                                    Verify the current free tier\/trial<\/strong> on the official ESA pricing page.<\/p>\n\n\n\n
                                                                                                    Primary cost drivers<\/h3>\n\n\n\n
                                                                                                      \n
                                                                                                    • Bandwidth\/traffic<\/strong>: high-resolution images, video, downloads, and large JS bundles increase edge egress.<\/li>\n
                                                                                                    • Cache miss ratio<\/strong>: more origin fetches can increase origin egress and compute cost (and may impact ESA pricing if origin fetch is metered).<\/li>\n
                                                                                                    • Request volume<\/strong>: APIs and dynamic sites can generate huge request counts even with low bandwidth.<\/li>\n
                                                                                                    • Security overhead<\/strong>: enabling advanced inspection, bot management, or extensive rule sets may be billed differently (verify).<\/li>\n
                                                                                                    • Logs<\/strong>: exporting full access logs at high volume can become a significant SLS cost.<\/li>\n<\/ul>\n\n\n\n
                                                                                                      Hidden or indirect costs<\/h3>\n\n\n\n
                                                                                                        \n
                                                                                                      • Origin scaling<\/strong>: if caching is misconfigured and misses are high, your origin will scale up.<\/li>\n
                                                                                                      • Cross-region origin egress<\/strong>: if ESA fetches from an origin in a region different from where you pay egress or inter-region traffic, network costs may rise.<\/li>\n
                                                                                                      • TLS certificate management<\/strong>: paid certificates, multi-domain certs, or managed renewals could have costs.<\/li>\n
                                                                                                      • Operational cost<\/strong>: time spent tuning rules, reviewing false positives, and managing exceptions.<\/li>\n<\/ul>\n\n\n\n
                                                                                                        Network\/data transfer implications<\/h3>\n\n\n\n
                                                                                                          \n
                                                                                                        • You generally pay for edge-to-client egress<\/strong>.<\/li>\n
                                                                                                        • You may also pay for origin-to-edge<\/strong> data transfer depending on origin location and Alibaba Cloud pricing rules.<\/li>\n
                                                                                                        • If your origin is on Alibaba Cloud (ECS\/ALB\/OSS), you must consider:<\/li>\n
                                                                                                        • EIP\/Internet egress pricing<\/li>\n
                                                                                                        • OSS outbound traffic pricing<\/li>\n
                                                                                                        • ALB\/SLB data processing pricing (if applicable)<\/li>\n<\/ul>\n\n\n\n
                                                                                                          Cost optimization tips<\/h3>\n\n\n\n
                                                                                                            \n
                                                                                                          • Maximize cache hit ratio for static content:<\/li>\n
                                                                                                          • Use versioned filenames (app.3f2c1.js<\/code>) and long TTLs.<\/li>\n
                                                                                                          • Avoid caching sensitive or user-specific pages.<\/li>\n
                                                                                                          • Compress assets (Brotli\/Gzip) if ESA supports it; otherwise do it at origin.<\/li>\n
                                                                                                          • Minimize log volume:<\/li>\n
                                                                                                          • Export only when needed; filter fields if supported; set reasonable retention in SLS.<\/li>\n
                                                                                                          • Apply rate limits and bot mitigations to reduce abusive request volume.<\/li>\n
                                                                                                          • Use image optimization only if it reduces overall egress and is priced favorably (verify).<\/li>\n<\/ul>\n\n\n\n
                                                                                                            Example low-cost starter estimate (no fabricated numbers)<\/h3>\n\n\n\n
                                                                                                            A realistic \u201cstarter\u201d setup is:\n– 1 domain\n– A small static site origin (OSS static website or small ECS)\n– Conservative caching for \/assets\/*<\/code>\n– HTTPS enabled\n– Basic security rules and rate limits for \/login<\/code><\/p>\n\n\n\n
                                                                                                            Your costs will primarily depend on:\n– Monthly traffic (GB\/TB)\n– Total requests\n– Logging enabled or not<\/p>\n\n\n\n
                                                                                                            Because ESA\u2019s unit prices and edition packaging vary, use the official pricing page and calculator<\/strong> to estimate based on your expected GB and request counts.<\/p>\n\n\n\n
                                                                                                            Example production cost considerations<\/h3>\n\n\n\n
                                                                                                            For production (multi-domain, high traffic):\n– Model traffic by:\n  – Peak Mbps and monthly GB\/TB\n  – Requests per second (RPS) and monthly request totals\n– Include:\n  – Log pipeline to SLS (ingestion + storage + query)\n  – Certificate renewal approach\n  – Additional security features (advanced WAF\/bot, if separate)\n– Consider a proof-of-concept month to measure:\n  – Cache hit ratio\n  – Average response size\n  – Attack\/abuse volume reduced at edge<\/p>\n\n\n\n
                                                                                                            Official pricing links<\/h3>\n\n\n\n
                                                                                                              \n
                                                                                                            • Alibaba Cloud product page (start here; pricing links usually available from the product page):\n  https:\/\/www.alibabacloud.com\/product\/edge-security-acceleration<\/li>\n
                                                                                                            • Alibaba Cloud Pricing (general entry point):\n  https:\/\/www.alibabacloud.com\/pricing<\/li>\n<\/ul>\n\n\n\n
                                                                                                              If these URLs redirect or your region uses a different documentation domain, verify in official docs<\/strong>.<\/p>\n\n\n\n
                                                                                                              \n\n\n\n
                                                                                                              10. Step-by-Step Hands-On Tutorial<\/h2>\n\n\n\n
                                                                                                              This lab onboards a small static site behind Edge Security Acceleration (ESA)<\/strong> using CNAME access<\/strong>, then enables HTTPS and a basic security control (rate limiting or a simple rule\u2014depending on what your ESA console exposes).<\/p>\n\n\n\n
                                                                                                              Objective<\/h3>\n\n\n\n
                                                                                                                \n
                                                                                                              • Put a real domain behind Alibaba Cloud Edge Security Acceleration (ESA)<\/strong>.<\/li>\n
                                                                                                              • Verify that traffic flows through ESA.<\/li>\n
                                                                                                              • Enable HTTPS at the edge.<\/li>\n
                                                                                                              • Apply a basic edge policy safely.<\/li>\n
                                                                                                              • Clean up to avoid ongoing cost.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                Lab Overview<\/h3>\n\n\n\n
                                                                                                                You will:\n1. Create a low-cost origin (OSS static website) or use an existing origin.\n2. Add a domain to ESA and set the origin.\n3. Point DNS (CNAME) to ESA.\n4. Enable HTTPS for the domain.\n5. Configure a basic caching rule for static assets.\n6. Add a basic rate limit or access rule for a path.\n7. Validate and troubleshoot.\n8. Clean up.<\/p>\n\n\n\n
                                                                                                                \n
                                                                                                                If you cannot or do not want to use OSS, you can substitute an ECS+NGINX origin. The ESA steps remain similar.<\/p>\n<\/blockquote>\n\n\n\n
                                                                                                                \n\n\n\n
                                                                                                                Step 1: Prepare an origin (OSS static website origin)<\/h3>\n\n\n\n
                                                                                                                Goal<\/strong>: Host a static page that ESA can fetch.<\/p>\n\n\n\n
                                                                                                                  \n
                                                                                                                1. Open the Alibaba Cloud Console \u2192 Object Storage Service (OSS)<\/strong>.<\/li>\n
                                                                                                                2. Create a bucket (choose a nearby region).\n   – Bucket name: esa-lab-yourname-unique<\/code>\n   – Storage class: Standard\n   – Read\/write: follow least privilege; for a simple static site you may need public read or signed access patterns. For a beginner lab, public read<\/strong> is simplest but less secure.<\/li>\n
                                                                                                                3. Upload a simple index.html<\/code> file.<\/li>\n<\/ol>\n\n\n\n
                                                                                                                  Example index.html<\/code>:<\/p>\n\n\n\n
                                                                                                                  <!doctype html>\n<html>\n  <head>\n    <meta charset=\"utf-8\" \/>\n    <title>ESA Lab<\/title>\n  <\/head>\n  <body>\n    <h1>Edge Security Acceleration (ESA) Lab<\/h1>\n    <p>If you can read this through your domain, ESA is working.<\/p>\n  <\/body>\n<\/html>\n<\/code><\/pre>\n\n\n\n
                                                                                                                    \n
                                                                                                                  1. Enable Static Website Hosting<\/strong> on the bucket (OSS feature).\n   – Set index document: index.html<\/code><\/li>\n<\/ol>\n\n\n\n
                                                                                                                    Expected outcome<\/strong>\n– You have an OSS static website endpoint URL (HTTP). Keep it for the ESA origin configuration.<\/p>\n\n\n\n
                                                                                                                    Verification<\/strong>\n– Open the OSS static website endpoint in a browser.\n– You should see \u201cESA Lab\u201d.<\/p>\n\n\n\n
                                                                                                                    Common issues<\/strong>\n– 403 Forbidden: bucket\/object permissions not allowing public read.\n– 404 Not Found: static website hosting not enabled or index document mismatch.<\/p>\n\n\n\n
                                                                                                                    \n\n\n\n
                                                                                                                    Step 2: Decide your ESA onboarding mode (CNAME vs NS)<\/h3>\n\n\n\n
                                                                                                                    Goal<\/strong>: Choose a DNS approach that you can execute today.<\/p>\n\n\n\n
                                                                                                                      \n
                                                                                                                    • CNAME mode<\/strong> is best for labs and incremental rollouts:<\/li>\n
                                                                                                                    • You keep your DNS provider.<\/li>\n
                                                                                                                    • You create a CNAME like www.example.com \u2192 <esa-assigned-cname><\/code>.<\/li>\n
                                                                                                                    • NS delegation<\/strong> (if offered in your ESA console) delegates your domain DNS to ESA-managed DNS:<\/li>\n
                                                                                                                    • More \u201cCloudflare-like\u201d experience for full-domain management<\/li>\n
                                                                                                                    • Higher operational impact<\/li>\n<\/ul>\n\n\n\n
                                                                                                                      For this tutorial, use CNAME mode<\/strong> to reduce risk.<\/p>\n\n\n\n
                                                                                                                      Expected outcome<\/strong>\n– You know which record you will change (e.g., www<\/code> or cdn<\/code> subdomain).<\/p>\n\n\n\n
                                                                                                                      \n\n\n\n
                                                                                                                      Step 3: Add your site\/domain to Edge Security Acceleration (ESA)<\/h3>\n\n\n\n
                                                                                                                      Goal<\/strong>: Create the ESA configuration for your domain.<\/p>\n\n\n\n
                                                                                                                        \n
                                                                                                                      1. Open Alibaba Cloud Console \u2192 Edge Security Acceleration (ESA)<\/strong>.<\/li>\n
                                                                                                                      2. Find the workflow such as Add Site<\/strong>, Add Domain<\/strong>, or Create ESA Service<\/strong> (exact wording varies).<\/li>\n
                                                                                                                      3. Enter your domain:\n   – Example: www.example.com<\/code> (recommended for a lab)<\/li>\n
                                                                                                                      4. Choose CNAME access<\/strong> if prompted.<\/li>\n
                                                                                                                      5. Configure the origin<\/strong>:\n   – Origin type: OSS \/ Custom \/ IP \/ Domain (choose what matches your console)\n   – Origin address: your OSS static website endpoint (or an ECS\/ALB endpoint if you used that)\n   – Origin protocol: HTTP (for the lab). You can later upgrade to HTTPS back-to-origin if supported and configured.<\/li>\n
                                                                                                                      6. Save\/apply.<\/li>\n<\/ol>\n\n\n\n
                                                                                                                        Expected outcome<\/strong>\n– ESA generates a CNAME target<\/strong> (something like xxxx.esa.aliyuncs.com<\/code>\u2014exact format varies).\n– The domain status might show \u201cNot CNAME\u2019d\u201d or \u201cPending\u201d until you change DNS.<\/p>\n\n\n\n
                                                                                                                        Verification<\/strong>\n– In the ESA console, locate the domain details and copy the assigned CNAME<\/strong> value.<\/p>\n\n\n\n
                                                                                                                        Common issues<\/strong>\n– Origin validation fails: the origin endpoint not reachable from the internet.\n– Wrong origin host header: if your origin requires a specific Host<\/code> header, check ESA origin host settings (if available).<\/p>\n\n\n\n
                                                                                                                        \n\n\n\n
                                                                                                                        Step 4: Point DNS to ESA (CNAME record)<\/h3>\n\n\n\n
                                                                                                                        Goal<\/strong>: Route user traffic to ESA.<\/p>\n\n\n\n
                                                                                                                        In your DNS provider (Alibaba Cloud DNS or external):<\/p>\n\n\n\n
                                                                                                                          \n
                                                                                                                        1. \n
                                                                                                                          Create a CNAME record:\n   – Name\/Host: www<\/code> (for www.example.com<\/code>)\n   – Type: CNAME<\/code>\n   – Value\/Target: the ESA CNAME value you copied in Step 3\n   – TTL: 300 seconds (5 minutes) for faster lab propagation<\/p>\n<\/li>\n
                                                                                                                        2. \n
                                                                                                                          Wait for DNS propagation.<\/p>\n<\/li>\n<\/ol>\n\n\n\n
                                                                                                                          Expected outcome<\/strong>\n– DNS for www.example.com<\/code> resolves to ESA (via CNAME chain).<\/p>\n\n\n\n
                                                                                                                          Verification (CLI)<\/strong><\/p>\n\n\n\n
                                                                                                                          dig +short www.example.com CNAME\ndig +short www.example.com\n<\/code><\/pre>\n\n\n\n
                                                                                                                          If dig<\/code> is unavailable:<\/p>\n\n\n\n
                                                                                                                          nslookup -type=CNAME www.example.com\n<\/code><\/pre>\n\n\n\n
                                                                                                                          You should see the ESA CNAME target (directly or via chain).<\/p>\n\n\n\n
                                                                                                                          Common issues<\/strong>\n– \u201cCNAME conflict\u201d: you cannot set a CNAME if an A\/AAAA record already exists for that name.\n– DNS not updating: ensure you are editing the authoritative zone for the domain.<\/p>\n\n\n\n
                                                                                                                          \n\n\n\n
                                                                                                                          Step 5: Enable HTTPS (TLS certificate) for the domain<\/h3>\n\n\n\n
                                                                                                                          Goal<\/strong>: Serve the site securely via ESA.<\/p>\n\n\n\n
                                                                                                                          There are two common patterns:<\/p>\n\n\n\n
                                                                                                                            \n
                                                                                                                          • Bring-your-own certificate<\/strong>: upload\/bind an existing certificate.<\/li>\n
                                                                                                                          • Request\/issue certificate<\/strong> via Alibaba Cloud Certificate Management Service (CAS) and bind it to ESA.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                            Because certificate workflows and UI labels differ, follow the ESA console prompts for \u201cHTTPS\u201d or \u201cSSL\/TLS\u201d.<\/p>\n\n\n\n
                                                                                                                            Recommended lab approach (practical)<\/strong>\n1. If ESA supports binding a certificate from CAS<\/strong>:\n   – Go to Certificate Management Service<\/strong> (CAS)\n   – Request a DV certificate for www.example.com<\/code>\n   – Complete DNS validation (CAS will provide a TXT record)\n2. Once issued, return to ESA:\n   – Bind the certificate to the domain\n   – Enable HTTP\u2192HTTPS redirect (optional, but recommended)<\/p>\n\n\n\n
                                                                                                                            Expected outcome<\/strong>\n– Visiting https:\/\/www.example.com<\/code> works without certificate errors.<\/p>\n\n\n\n
                                                                                                                            Verification<\/strong><\/p>\n\n\n\n
                                                                                                                            curl -I https:\/\/www.example.com\/\n<\/code><\/pre>\n\n\n\n
                                                                                                                            You should see an HTTP 200\/301 response and no TLS handshake errors.<\/p>\n\n\n\n
                                                                                                                            Optional deeper TLS check:<\/p>\n\n\n\n
                                                                                                                            openssl s_client -connect www.example.com:443 -servername www.example.com <\/dev\/null 2>\/dev\/null | openssl x509 -noout -issuer -subject -dates\n<\/code><\/pre>\n\n\n\n
                                                                                                                            Common issues<\/strong>\n– Certificate pending: DNS TXT record not set correctly.\n– Mixed content: your HTML references http:\/\/<\/code> assets; update to https:\/\/<\/code> or protocol-relative URLs.\n– Redirect loops: if origin also redirects and ESA redirects, adjust one side.<\/p>\n\n\n\n
                                                                                                                            \n\n\n\n
                                                                                                                            Step 6: Add a safe caching rule for static assets<\/h3>\n\n\n\n
                                                                                                                            Goal<\/strong>: Improve performance while avoiding risky caching.<\/p>\n\n\n\n
                                                                                                                            In ESA, find caching settings such as \u201cCache Rules\u201d, \u201cCaching\u201d, or \u201cPerformance\u201d.<\/p>\n\n\n\n
                                                                                                                            Create a rule:\n– Condition: path matches \/<\/code> and\/or \/index.html<\/code> and\/or \/assets\/*<\/code> (choose paths you control)\n– TTL: start modestly (e.g., minutes to hours). For versioned assets, you can increase TTL.<\/p>\n\n\n\n
                                                                                                                            Expected outcome<\/strong>\n– Repeat requests become faster; ESA may report improved cache hit ratio over time (if metrics exist).<\/p>\n\n\n\n
                                                                                                                            Verification<\/strong>\n– Refresh the page multiple times.\n– If ESA provides response headers that indicate cache status, inspect them:\n  – Use curl -I<\/code> and look for cache-related headers (exact header names vary; verify in ESA docs<\/strong>).<\/p>\n\n\n\n
                                                                                                                            curl -I https:\/\/www.example.com\/\n<\/code><\/pre>\n\n\n\n
                                                                                                                            Common issues<\/strong>\n– Dynamic pages cached unintentionally: restrict cache rules to static paths only.\n– Query string behavior: confirm whether query strings are included in cache key (and configure if ESA supports it).<\/p>\n\n\n\n
                                                                                                                            \n\n\n\n
                                                                                                                            Step 7: Add a basic security control (rate limit or simple rule)<\/h3>\n\n\n\n
                                                                                                                            Goal<\/strong>: Demonstrate edge security without breaking your site.<\/p>\n\n\n\n
                                                                                                                            Look for features such as:\n– \u201cRate Limiting\u201d\n– \u201cSecurity Rules\u201d\n– \u201cWAF\u201d\n– \u201cAccess Control\u201d\n– \u201cBot Management\u201d (if present)<\/p>\n\n\n\n
                                                                                                                            Create a conservative rule example (choose one that your console supports):<\/p>\n\n\n\n
                                                                                                                            Option A: Rate limit a sensitive path<\/strong>\n– Path: \/<\/code> or \/index.html<\/code> (for lab) or \/login<\/code> (for real apps)\n– Threshold: start high to avoid blocking yourself (e.g., allow dozens of requests per minute per IP; exact configuration fields vary)\n– Action: block or temporary ban<\/p>\n\n\n\n
                                                                                                                            Option B: Block an obvious bad pattern<\/strong>\n– Condition: query string contains <script<\/code> (example)\n– Action: block<\/p>\n\n\n\n
                                                                                                                            Expected outcome<\/strong>\n– Normal browsing works.\n– Abusive patterns are blocked according to the rule.<\/p>\n\n\n\n
                                                                                                                            Verification<\/strong>\n– Normal request:<\/p>\n\n\n\n
                                                                                                                            curl -I https:\/\/www.example.com\/\n<\/code><\/pre>\n\n\n\n
                                                                                                                              \n
                                                                                                                            • Simulate suspicious query (for Option B):<\/li>\n<\/ul>\n\n\n\n
                                                                                                                              curl -I \"https:\/\/www.example.com\/?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E\"\n<\/code><\/pre>\n\n\n\n
                                                                                                                              You should see a blocked response (status code and body depend on ESA configuration).<\/p>\n\n\n\n
                                                                                                                              Common issues<\/strong>\n– False positives: start with narrow conditions and test.\n– Locking yourself out: keep an emergency bypass (e.g., allowlist your IP) if ESA supports it.<\/p>\n\n\n\n
                                                                                                                              \n\n\n\n
                                                                                                                              Validation<\/h3>\n\n\n\n
                                                                                                                              Use this checklist:<\/p>\n\n\n\n
                                                                                                                                \n
                                                                                                                              1. DNS<\/strong>\n   – www.example.com<\/code> CNAMEs to ESA-assigned CNAME.<\/li>\n
                                                                                                                              2. HTTPS<\/strong>\n   – Browser shows a valid certificate for www.example.com<\/code>.<\/li>\n
                                                                                                                              3. Origin reachability<\/strong>\n   – Page loads correctly and matches the OSS content.<\/li>\n
                                                                                                                              4. Caching<\/strong>\n   – ESA metrics show cache hits (if available) or repeated loads are faster.<\/li>\n
                                                                                                                              5. Security rule<\/strong>\n   – Suspicious request patterns are blocked while normal traffic works.<\/li>\n<\/ol>\n\n\n\n
                                                                                                                                \n\n\n\n
                                                                                                                                Troubleshooting<\/h3>\n\n\n\n
                                                                                                                                Problem: Domain still shows \u201cNot onboarded \/ Not CNAME\u2019d\u201d<\/h4>\n\n\n\n
                                                                                                                                  \n
                                                                                                                                • Re-check CNAME record name and target.<\/li>\n
                                                                                                                                • Confirm you changed DNS in the authoritative zone.<\/li>\n
                                                                                                                                • Wait for TTL and propagation.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                  Problem: 525\/SSL handshake errors (or generic TLS failures)<\/h4>\n\n\n\n
                                                                                                                                    \n
                                                                                                                                  • Certificate not issued\/bound correctly.<\/li>\n
                                                                                                                                  • SNI mismatch (wrong domain on cert).<\/li>\n
                                                                                                                                  • If you enabled HTTPS back-to-origin, origin cert may be invalid\u2014switch back-to-origin to HTTP for the lab.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                    Problem: 502\/504 errors<\/h4>\n\n\n\n
                                                                                                                                      \n
                                                                                                                                    • Origin endpoint incorrect or not publicly reachable.<\/li>\n
                                                                                                                                    • Origin firewall blocks ESA egress.<\/li>\n
                                                                                                                                    • Origin host header mismatch.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                      Problem: Redirect loop<\/h4>\n\n\n\n
                                                                                                                                        \n
                                                                                                                                      • Both ESA and origin enforce redirects; disable one layer.<\/li>\n
                                                                                                                                      • Ensure origin respects X-Forwarded-Proto<\/code> if used by your app.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                        Problem: Unexpected caching<\/h4>\n\n\n\n
                                                                                                                                          \n
                                                                                                                                        • Remove broad cache rules.<\/li>\n
                                                                                                                                        • Ensure Cache-Control: no-store<\/code> for sensitive endpoints at origin.<\/li>\n
                                                                                                                                        • Validate cache key settings (cookies\/query string) if configurable.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                          \n\n\n\n
                                                                                                                                          Cleanup<\/h3>\n\n\n\n
                                                                                                                                          To avoid ongoing charges and prevent leaving your domain routed incorrectly:<\/p>\n\n\n\n
                                                                                                                                            \n
                                                                                                                                          1. In DNS:\n   – Remove the CNAME pointing to ESA, or point it back to your previous target.<\/li>\n
                                                                                                                                          2. In ESA:\n   – Remove the domain\/site configuration.<\/li>\n
                                                                                                                                          3. In CAS (if you issued a certificate for the lab):\n   – Revoke\/delete if it was created solely for this lab (optional; depends on your org\u2019s certificate practices).<\/li>\n
                                                                                                                                          4. In OSS:\n   – Delete test objects and the bucket if no longer needed.<\/li>\n<\/ol>\n\n\n\n
                                                                                                                                            \n\n\n\n
                                                                                                                                            11. Best Practices<\/h2>\n\n\n\n
                                                                                                                                            Architecture best practices<\/h3>\n\n\n\n
                                                                                                                                              \n
                                                                                                                                            • Use a staging subdomain<\/strong> first (staging.example.com<\/code>) to test caching, redirects, and rules.<\/li>\n
                                                                                                                                            • Separate static and dynamic<\/strong>:<\/li>\n
                                                                                                                                            • static.example.com<\/code> for immutable assets (long TTL)<\/li>\n
                                                                                                                                            • www.example.com<\/code> for web app<\/li>\n
                                                                                                                                            • api.example.com<\/code> for APIs (often limited caching)<\/li>\n
                                                                                                                                            • Design cache keys intentionally<\/strong>:<\/li>\n
                                                                                                                                            • Version static assets<\/li>\n
                                                                                                                                            • Avoid caching responses that vary by cookies\/auth headers<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                              IAM\/security best practices<\/h3>\n\n\n\n
                                                                                                                                                \n
                                                                                                                                              • Use RAM roles<\/strong> and least privilege:<\/li>\n
                                                                                                                                              • Separate \u201cESA Admin\u201d (policy changes) from \u201cESA Viewer\u201d (read-only).<\/li>\n
                                                                                                                                              • Require MFA for privileged accounts.<\/li>\n
                                                                                                                                              • Use ActionTrail to audit configuration changes.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                Cost best practices<\/h3>\n\n\n\n
                                                                                                                                                  \n
                                                                                                                                                • Track:<\/li>\n
                                                                                                                                                • Edge egress traffic<\/li>\n
                                                                                                                                                • Request counts<\/li>\n
                                                                                                                                                • Log export volume<\/li>\n
                                                                                                                                                • Disable or reduce log export unless required for security\/compliance.<\/li>\n
                                                                                                                                                • Fix cache misses caused by:<\/li>\n
                                                                                                                                                • Missing cache-control headers<\/li>\n
                                                                                                                                                • Unnecessary query-string variants<\/li>\n
                                                                                                                                                • Overly personalized pages<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                  Performance best practices<\/h3>\n\n\n\n
                                                                                                                                                    \n
                                                                                                                                                  • Cache static resources aggressively.<\/li>\n
                                                                                                                                                  • Enable compression where supported (or at origin).<\/li>\n
                                                                                                                                                  • Minimize redirects.<\/li>\n
                                                                                                                                                  • Optimize images at build time; use edge optimization only if it\u2019s cost-effective and supported.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                    Reliability best practices<\/h3>\n\n\n\n
                                                                                                                                                      \n
                                                                                                                                                    • Use multiple origins<\/strong> or multi-region DR if ESA supports origin failover\/health checks (verify).<\/li>\n
                                                                                                                                                    • Keep origin timeouts aligned with app behavior; do not set aggressive timeouts without load testing.<\/li>\n
                                                                                                                                                    • Implement graceful origin degradation (serve cached content when origin is slow if ESA supports stale serving\u2014verify).<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                      Operations best practices<\/h3>\n\n\n\n
                                                                                                                                                        \n
                                                                                                                                                      • Use consistent naming:<\/li>\n
                                                                                                                                                      • env-app-domain<\/code> pattern for sites<\/li>\n
                                                                                                                                                      • Standard tag keys: env<\/code>, owner<\/code>, cost-center<\/code>, data-classification<\/code><\/li>\n
                                                                                                                                                      • Maintain a rule-change process:<\/li>\n
                                                                                                                                                      • Peer review for security rules<\/li>\n
                                                                                                                                                      • Change windows for production<\/li>\n
                                                                                                                                                      • Rollback plan (disable rule sets quickly)<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                        Governance\/tagging\/naming best practices<\/h3>\n\n\n\n
                                                                                                                                                          \n
                                                                                                                                                        • Tag ESA-related resources (where tags are supported).<\/li>\n
                                                                                                                                                        • Document:<\/li>\n
                                                                                                                                                        • Which domains are onboarded<\/li>\n
                                                                                                                                                        • Origin endpoints and ownership<\/li>\n
                                                                                                                                                        • Which rules are enabled and why<\/li>\n
                                                                                                                                                        • Exceptions\/allowlists with expiry dates<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                          \n\n\n\n
                                                                                                                                                          12. Security Considerations<\/h2>\n\n\n\n
                                                                                                                                                          Identity and access model<\/h3>\n\n\n\n
                                                                                                                                                            \n
                                                                                                                                                          • ESA management is governed by Alibaba Cloud RAM<\/strong>.<\/li>\n
                                                                                                                                                          • Best practice:<\/li>\n
                                                                                                                                                          • Separate duties: security team owns security rules, platform team owns routing\/caching, app team owns origin behavior.<\/li>\n
                                                                                                                                                          • Use temporary elevated access for emergency changes.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                            Encryption<\/h3>\n\n\n\n
                                                                                                                                                              \n
                                                                                                                                                            • Use HTTPS<\/strong> for client-to-edge.<\/li>\n
                                                                                                                                                            • Prefer HTTPS back-to-origin<\/strong> if supported and your origin can present valid certificates; otherwise ensure origin is protected at the network layer.<\/li>\n
                                                                                                                                                            • Validate TLS policy requirements (TLS versions\/ciphers) against compliance needs.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                              Network exposure<\/h3>\n\n\n\n
                                                                                                                                                                \n
                                                                                                                                                              • Do not leave origins publicly open without restrictions.<\/li>\n
                                                                                                                                                              • Origin protection options (choose what ESA supports):<\/li>\n
                                                                                                                                                              • Restrict origin security groups to ESA egress IPs (if published)<\/li>\n
                                                                                                                                                              • Require a shared secret header from ESA to origin (if supported)<\/li>\n
                                                                                                                                                              • Put origin behind ALB\/SLB and restrict inbound<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                Secrets handling<\/h3>\n\n\n\n
                                                                                                                                                                  \n
                                                                                                                                                                • Avoid embedding secrets in edge rules.<\/li>\n
                                                                                                                                                                • If ESA supports edge compute or functions (not assumed here), ensure secrets are stored in a dedicated secret manager\u2014verify ESA feature set<\/strong>.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                  Audit\/logging<\/h3>\n\n\n\n
                                                                                                                                                                    \n
                                                                                                                                                                  • Enable ActionTrail for control plane auditing.<\/li>\n
                                                                                                                                                                  • Export access\/security logs if needed for compliance, but apply retention policies and minimize PII exposure.<\/li>\n
                                                                                                                                                                  • Consider anonymization or tokenization of IP addresses where required by policy.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                    Compliance considerations<\/h3>\n\n\n\n
                                                                                                                                                                      \n
                                                                                                                                                                    • Understand where traffic is processed and logged:<\/li>\n
                                                                                                                                                                    • Global PoPs may introduce cross-border processing.<\/li>\n
                                                                                                                                                                    • Align with:<\/li>\n
                                                                                                                                                                    • Data residency<\/li>\n
                                                                                                                                                                    • Log retention<\/li>\n
                                                                                                                                                                    • Privacy policies (GDPR-like obligations)<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                      Common security mistakes<\/h3>\n\n\n\n
                                                                                                                                                                        \n
                                                                                                                                                                      • Caching authenticated pages or API responses.<\/li>\n
                                                                                                                                                                      • Overly broad allowlists that bypass protections.<\/li>\n
                                                                                                                                                                      • Enabling aggressive WAF rules without monitoring\/learning mode first (if available).<\/li>\n
                                                                                                                                                                      • Forgetting to restrict origin access, allowing attackers to bypass ESA.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                        Secure deployment recommendations<\/h3>\n\n\n\n
                                                                                                                                                                          \n
                                                                                                                                                                        • Start with:<\/li>\n
                                                                                                                                                                        • HTTPS enabled<\/li>\n
                                                                                                                                                                        • Minimal necessary caching<\/li>\n
                                                                                                                                                                        • Conservative WAF\/rate limits<\/li>\n
                                                                                                                                                                        • Implement origin protection.<\/li>\n
                                                                                                                                                                        • Use layered defenses:<\/li>\n
                                                                                                                                                                        • ESA edge security + secure coding + origin firewall + monitoring<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                          \n\n\n\n
                                                                                                                                                                          13. Limitations and Gotchas<\/h2>\n\n\n\n
                                                                                                                                                                          Because ESA evolves and varies by edition, treat the following as common categories to validate.<\/p>\n\n\n\n
                                                                                                                                                                          Known limitation categories (verify exact details)<\/h3>\n\n\n\n
                                                                                                                                                                            \n
                                                                                                                                                                          • Feature availability by plan\/edition<\/strong>: advanced WAF\/bot controls may be add-ons.<\/li>\n
                                                                                                                                                                          • Protocol scope<\/strong>: typically HTTP\/HTTPS; non-HTTP protocols may not apply.<\/li>\n
                                                                                                                                                                          • Header\/cookie handling<\/strong>: cache key and forwarded header behavior can surprise applications.<\/li>\n
                                                                                                                                                                          • Rule evaluation order<\/strong>: complex rule sets can conflict; confirm precedence semantics.<\/li>\n
                                                                                                                                                                          • Certificate workflow constraints<\/strong>: SAN limits, wildcard support, and issuance methods vary.<\/li>\n
                                                                                                                                                                          • Log export constraints<\/strong>: retention limits, sampling, or delayed delivery may apply.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                            Quotas<\/h3>\n\n\n\n
                                                                                                                                                                              \n
                                                                                                                                                                            • Domains per account<\/li>\n
                                                                                                                                                                            • Rules per domain<\/li>\n
                                                                                                                                                                            • Rate limit policies per domain<\/li>\n
                                                                                                                                                                            • Certificates per domain<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                              Regional constraints<\/h3>\n\n\n\n
                                                                                                                                                                                \n
                                                                                                                                                                              • PoP coverage and performance vary by geography.<\/li>\n
                                                                                                                                                                              • Compliance boundaries may require specific configurations.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                                Pricing surprises<\/h3>\n\n\n\n
                                                                                                                                                                                  \n
                                                                                                                                                                                • High request volume APIs can cost more than bandwidth-heavy websites (depending on pricing dimensions).<\/li>\n
                                                                                                                                                                                • Full log export can be expensive due to SLS ingestion and storage.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                                  Compatibility issues<\/h3>\n\n\n\n
                                                                                                                                                                                    \n
                                                                                                                                                                                  • Apps that rely on client IP must use forwarded headers properly (X-Forwarded-For<\/code>).<\/li>\n
                                                                                                                                                                                  • WebSockets\/HTTP2\/HTTP3 support varies by service and edition\u2014verify support before enabling.<\/li>\n
                                                                                                                                                                                  • Some authentication schemes can break if caching or header rewriting is misconfigured.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                                    Operational gotchas<\/h3>\n\n\n\n
                                                                                                                                                                                      \n
                                                                                                                                                                                    • Changing DNS can take time; plan for TTL and rollback.<\/li>\n
                                                                                                                                                                                    • Misconfigured redirects can cause SEO and usability issues.<\/li>\n
                                                                                                                                                                                    • Over-blocking security rules can block legitimate users behind NAT (enterprises, mobile carriers).<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                                      Migration challenges<\/h3>\n\n\n\n
                                                                                                                                                                                        \n
                                                                                                                                                                                      • Migrating from an existing CDN\/WAF requires careful mapping of:<\/li>\n
                                                                                                                                                                                      • Cache behavior<\/li>\n
                                                                                                                                                                                      • Page rules<\/li>\n
                                                                                                                                                                                      • Bot\/rate limit policies<\/li>\n
                                                                                                                                                                                      • TLS settings<\/li>\n
                                                                                                                                                                                      • Headers and compression<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                                        Vendor-specific nuances<\/h3>\n\n\n\n
                                                                                                                                                                                          \n
                                                                                                                                                                                        • Alibaba Cloud product boundaries (CDN\/DCDN\/WAF\/Anti-DDoS\/ESA) can overlap. Confirm which layer you need and avoid double-paying for duplicate protections.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                                          \n\n\n\n
                                                                                                                                                                                          14. Comparison with Alternatives<\/h2>\n\n\n\n
                                                                                                                                                                                          ESA sits in a space that overlaps CDN, WAF, and edge policy management. The \u201cbest\u201d alternative depends on whether you need acceleration only, security only, or an integrated edge front door.<\/p>\n\n\n\n
                                                                                                                                                                                          Comparison table<\/h3>\n\n\n\n
                                                                                                                                                                                          \n\n\n\n\n\n\n\n\n\n\n\n\n\n
                                                                                                                                                                                          Option<\/th>\nBest For<\/th>\nStrengths<\/th>\nWeaknesses<\/th>\nWhen to Choose<\/th>\n<\/tr>\n<\/thead>\n
                                                                                                                                                                                          Alibaba Cloud Edge Security Acceleration (ESA)<\/strong><\/td>\nIntegrated edge acceleration + security for websites\/APIs<\/td>\nUnified edge layer; simplified onboarding; central TLS + rules + caching<\/td>\nFeature set and pricing vary by edition; may require validation for advanced security needs<\/td>\nYou want a single managed edge service in Alibaba Cloud\u2019s Networking and CDN category<\/td>\n<\/tr>\n
                                                                                                                                                                                          Alibaba Cloud CDN<\/strong><\/td>\nBasic content delivery<\/td>\nMature CDN delivery patterns<\/td>\nSecurity features may be more limited compared to ESA integrated security<\/td>\nYou mainly need acceleration and caching with minimal security needs<\/td>\n<\/tr>\n
                                                                                                                                                                                          Alibaba Cloud DCDN (Dynamic Route for CDN)<\/strong><\/td>\nDynamic acceleration and some security (verify)<\/td>\nOften used for dynamic content acceleration<\/td>\nProduct overlap can be confusing; not always a full \u201cfront door\u201d security suite<\/td>\nYou need acceleration focused on dynamic content and have separate WAF strategy<\/td>\n<\/tr>\n
                                                                                                                                                                                          Alibaba Cloud Web Application Firewall (WAF)<\/strong><\/td>\nDeep application-layer protection<\/td>\nDedicated WAF capabilities; fine-grained rules<\/td>\nRequires separate CDN\/acceleration layer<\/td>\nYou need strong WAF and already have CDN\/edge delivery elsewhere<\/td>\n<\/tr>\n
                                                                                                                                                                                          Alibaba Cloud Anti-DDoS services<\/strong><\/td>\nStronger DDoS mitigation<\/td>\nDedicated volumetric protection options<\/td>\nDoes not replace CDN\/WAF by itself<\/td>\nYour main risk is volumetric DDoS; pair with ESA\/WAF as needed<\/td>\n<\/tr>\n
                                                                                                                                                                                          Cloudflare (CDN + WAF)<\/strong><\/td>\nInternet edge front door<\/td>\nGlobal PoPs, broad feature set<\/td>\nSeparate vendor; pricing and compliance considerations<\/td>\nYou want a non-cloud-specific edge with strong global footprint<\/td>\n<\/tr>\n
                                                                                                                                                                                          AWS CloudFront + AWS WAF + Shield<\/strong><\/td>\nAWS-centric edge stack<\/td>\nTight AWS integration; mature services<\/td>\nMore components to assemble; complexity<\/td>\nYou run mostly on AWS and want native integrations<\/td>\n<\/tr>\n
                                                                                                                                                                                          Azure Front Door + WAF<\/strong><\/td>\nAzure-centric edge<\/td>\nGlobal load balancing + WAF<\/td>\nAzure-specific; configuration learning curve<\/td>\nYou run mostly on Azure<\/td>\n<\/tr>\n
                                                                                                                                                                                          Google Cloud CDN + Cloud Armor<\/strong><\/td>\nGCP-centric edge<\/td>\nStrong integration with GCP<\/td>\nMultiple components<\/td>\nYou run mostly on GCP<\/td>\n<\/tr>\n
                                                                                                                                                                                          Self-managed NGINX\/Varnish + ModSecurity<\/strong><\/td>\nFull control, custom logic<\/td>\nMaximum flexibility<\/td>\nHigh ops burden; scaling\/security responsibility<\/td>\nYou have strict custom requirements and strong ops maturity<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n
                                                                                                                                                                                          \n\n\n\n
                                                                                                                                                                                          15. Real-World Example<\/h2>\n\n\n\n
                                                                                                                                                                                          Enterprise example: regional e-commerce with frequent campaigns<\/h3>\n\n\n\n
                                                                                                                                                                                          Problem<\/strong>\nA retail enterprise serves customers across multiple countries. During promotional events:\n– Origin infrastructure (ECS\/ALB) experiences traffic spikes.\n– Bots scrape inventory and attempt credential stuffing.\n– Performance varies significantly by geography.<\/p>\n\n\n\n
                                                                                                                                                                                          Proposed architecture<\/strong>\n– ESA in front of www.brand.com<\/code> and static.brand.com<\/code>\n– Origins:\n  – Static assets on OSS (versioned filenames)\n  – Web app\/API behind ALB \u2192 ECS\/ACK\n– Security:\n  – Edge WAF rules for common exploits\n  – Rate limiting on \/login<\/code>, \/checkout<\/code>, \/api\/auth\/*<\/code>\n  – Origin protection by restricting inbound to known ESA egress IPs (if supported\/published) and\/or requiring a secret header\n– Observability:\n  – ESA analytics dashboards for cache and security\n  – Export logs to SLS for SOC workflows (if supported)<\/p>\n\n\n\n
                                                                                                                                                                                          Why ESA was chosen<\/strong>\n– Single service for acceleration + edge security simplifies operations.\n– Faster rollout than combining multiple independent products.\n– Improves user experience globally while reducing origin risk.<\/p>\n\n\n\n
                                                                                                                                                                                          Expected outcomes<\/strong>\n– Higher cache hit ratio for static assets, reduced origin bandwidth.\n– Reduced bot traffic reaching origin.\n– Improved page load times and fewer outage incidents during campaigns.<\/p>\n\n\n\n
                                                                                                                                                                                          \n\n\n\n
                                                                                                                                                                                          Startup\/small-team example: SaaS landing page + API<\/h3>\n\n\n\n
                                                                                                                                                                                          Problem<\/strong>\nA small SaaS team has:\n– A marketing site (www.startup.io<\/code>) and docs site (docs.startup.io<\/code>)\n– A public API (api.startup.io<\/code>)\nThey need:\n– HTTPS everywhere\n– Basic protection against scanning and brute force\n– Low operational overhead<\/p>\n\n\n\n
                                                                                                                                                                                          Proposed architecture<\/strong>\n– ESA in front of all three subdomains\n– Origins:\n  – Marketing\/docs: OSS static hosting\n  – API: ECS behind ALB\n– Policies:\n  – Aggressive caching for docs\/static assets\n  – Minimal caching for API (cache only safe GET endpoints if appropriate)\n  – Rate limiting for \/auth\/*<\/code><\/p>\n\n\n\n
                                                                                                                                                                                          Why ESA was chosen<\/strong>\n– Centralized TLS and edge controls without hiring a full-time edge specialist.\n– Ability to start small and expand protections as traffic grows.<\/p>\n\n\n\n
                                                                                                                                                                                          Expected outcomes<\/strong>\n– Fewer TLS incidents, better performance for global users.\n– Reduced noise from basic scanning and bot activity.<\/p>\n\n\n\n
                                                                                                                                                                                          \n\n\n\n
                                                                                                                                                                                          16. FAQ<\/h2>\n\n\n\n
                                                                                                                                                                                            \n
                                                                                                                                                                                          1. \n
                                                                                                                                                                                            Is Edge Security Acceleration (ESA) a CDN or a WAF?<\/strong>\n   It\u2019s best thought of as an edge front door<\/strong> that combines acceleration (CDN-like caching\/routing)<\/strong> and security controls (WAF-style\/rate limiting depending on edition)<\/strong>. Verify the exact security feature list in your ESA plan.<\/p>\n<\/li>\n
                                                                                                                                                                                          2. \n
                                                                                                                                                                                            Do I need to move my DNS to ESA?<\/strong>\n   Not necessarily. Many deployments use CNAME onboarding<\/strong> for specific subdomains. Some environments may support NS delegation, but CNAME is the lowest-risk starting point.<\/p>\n<\/li>\n
                                                                                                                                                                                          3. \n
                                                                                                                                                                                            Can I use ESA with an origin outside Alibaba Cloud?<\/strong>\n   Often yes, as long as your origin is reachable over the internet and compatible with ESA\u2019s proxy behavior. Confirm any restrictions on origin types and ports in the official docs.<\/p>\n<\/li>\n
                                                                                                                                                                                          4. \n
                                                                                                                                                                                            Will ESA change my client IP visibility?<\/strong>\n   Yes. The origin will see ESA edge IPs unless ESA forwards client IP via headers (commonly X-Forwarded-For<\/code>). Ensure your app and logs use forwarded headers correctly.<\/p>\n<\/li>\n
                                                                                                                                                                                          5. \n
                                                                                                                                                                                            Can I restrict my origin so only ESA can reach it?<\/strong>\n   In many edge architectures, yes\u2014typically by allowing only ESA egress IP ranges or requiring an origin-auth header. Whether ESA publishes IP ranges and supports origin-auth headers must be verified in ESA docs.<\/p>\n<\/li>\n
                                                                                                                                                                                          6. \n
                                                                                                                                                                                            Does ESA support WebSockets?<\/strong>\n   Some edge services support WebSockets, but it is not safe to assume. Verify WebSocket support and any idle timeout limits<\/strong> in official ESA documentation.<\/p>\n<\/li>\n
                                                                                                                                                                                          7. \n
                                                                                                                                                                                            Does ESA support HTTP\/2 or HTTP\/3?<\/strong>\n   Possibly, depending on edition and region. Verify protocol support<\/strong> and how to enable it.<\/p>\n<\/li>\n
                                                                                                                                                                                          8. \n
                                                                                                                                                                                            How do I avoid caching private content?<\/strong>\n   Use strict cache rules:\n   – Cache only static paths like \/assets\/*<\/code>\n   – Respect Cache-Control: no-store<\/code> for personalized pages\n   – Be careful with cookies and authorization headers in cache keys<\/p>\n<\/li>\n
                                                                                                                                                                                          9. \n
                                                                                                                                                                                            What is the safest way to roll out ESA to production?<\/strong>\n   Start with a staging hostname<\/strong>, then move one low-risk subdomain (like static.example.com<\/code>) before your primary www<\/code> domain. Keep DNS TTL low and prepare rollback.<\/p>\n<\/li>\n
                                                                                                                                                                                          10. \n
                                                                                                                                                                                            Can ESA help with SEO?<\/strong>\n   Indirectly:\n   – Faster pages improve user experience signals\n   – Consistent HTTPS and canonical redirects help avoid duplication\n   But misconfigured caching\/redirects can hurt SEO; test carefully.<\/p>\n<\/li>\n
                                                                                                                                                                                          11. \n
                                                                                                                                                                                            How do I estimate ESA costs?<\/strong>\n   Measure expected:\n   – Monthly edge egress (GB\/TB)\n   – Monthly request counts\n   – Log volume if exporting\n   Then use the official Alibaba Cloud pricing pages\/calculator for your region and edition.<\/p>\n<\/li>\n
                                                                                                                                                                                          12. \n
                                                                                                                                                                                            Can I use ESA for APIs?<\/strong>\n   Yes for public HTTP(S) APIs, but cache rules must be conservative. Rate limits and security rules can be valuable for auth endpoints.<\/p>\n<\/li>\n
                                                                                                                                                                                          13. \n
                                                                                                                                                                                            Where should I do TLS termination\u2014edge or origin?<\/strong>\n   Typically at the edge<\/strong> for simplicity and performance; optionally also use HTTPS back-to-origin if supported and you need end-to-end encryption.<\/p>\n<\/li>\n
                                                                                                                                                                                          14. \n
                                                                                                                                                                                            How do I troubleshoot 502\/504 errors after enabling ESA?<\/strong>\n   Check origin reachability, firewall\/security groups, origin host header settings, and timeouts. Compare direct-origin requests vs ESA proxied requests.<\/p>\n<\/li>\n
                                                                                                                                                                                          15. \n
                                                                                                                                                                                            Do I still need a separate WAF or Anti-DDoS product?<\/strong>\n   It depends. ESA may provide baseline protections, but advanced requirements (strict compliance, complex bot defense, large-scale DDoS) may require dedicated Alibaba Cloud WAF or Anti-DDoS services. Confirm scope in official docs.<\/p>\n<\/li>\n
                                                                                                                                                                                          16. \n
                                                                                                                                                                                            Can I export ESA logs to SIEM?<\/strong>\n   If ESA supports log delivery to SLS, you can forward from SLS to a SIEM. Verify log export options, fields, and latency.<\/p>\n<\/li>\n
                                                                                                                                                                                          17. \n
                                                                                                                                                                                            What\u2019s the difference between ESA and Alibaba Cloud CDN\/DCDN?<\/strong>\n   ESA focuses on an integrated edge front door combining acceleration and security. CDN\/DCDN are primarily delivery\/acceleration services; security depth and unified policy may differ. Validate product positioning in current Alibaba Cloud docs.<\/p>\n<\/li>\n<\/ol>\n\n\n\n
                                                                                                                                                                                            \n\n\n\n
                                                                                                                                                                                            17. Top Online Resources to Learn Edge Security Acceleration (ESA)<\/h2>\n\n\n\n
                                                                                                                                                                                            \n
                                                                                                                                                                                            If any of these links redirect based on your geography, use the Alibaba Cloud documentation selector for your region.<\/p>\n<\/blockquote>\n\n\n\n
                                                                                                                                                                                            \n\n\n\n\n\n\n\n\n\n\n\n\n\n
                                                                                                                                                                                            Resource Type<\/th>\nName<\/th>\nWhy It Is Useful<\/th>\n<\/tr>\n<\/thead>\n
                                                                                                                                                                                            Official product page<\/td>\nAlibaba Cloud Edge Security Acceleration (ESA)<\/td>\nHigh-level overview, entry points to docs and pricing: https:\/\/www.alibabacloud.com\/product\/edge-security-acceleration<\/td>\n<\/tr>\n
                                                                                                                                                                                            Official documentation<\/td>\nAlibaba Cloud Help Center (ESA docs)<\/td>\nConfiguration, concepts, limits. Verify the exact ESA doc path for your region: https:\/\/www.alibabacloud.com\/help<\/td>\n<\/tr>\n
                                                                                                                                                                                            Official pricing<\/td>\nAlibaba Cloud Pricing<\/td>\nOfficial pricing entry point (select ESA and region): https:\/\/www.alibabacloud.com\/pricing<\/td>\n<\/tr>\n
                                                                                                                                                                                            Pricing calculator<\/td>\nAlibaba Cloud Pricing Calculator<\/td>\nIf available for your account, use it to model bandwidth\/requests: https:\/\/www.alibabacloud.com\/pricing\/calculator (Verify availability)<\/td>\n<\/tr>\n
                                                                                                                                                                                            IAM documentation<\/td>\nResource Access Management (RAM) docs<\/td>\nLeast privilege and policy management: https:\/\/www.alibabacloud.com\/help\/en\/ram<\/td>\n<\/tr>\n
                                                                                                                                                                                            Audit logging<\/td>\nActionTrail docs<\/td>\nTrack ESA configuration changes: https:\/\/www.alibabacloud.com\/help\/en\/actiontrail<\/td>\n<\/tr>\n
                                                                                                                                                                                            Logging platform<\/td>\nLog Service (SLS) docs<\/td>\nIf ESA exports logs to SLS, this is where you manage ingestion\/retention: https:\/\/www.alibabacloud.com\/help\/en\/sls<\/td>\n<\/tr>\n
                                                                                                                                                                                            Monitoring<\/td>\nCloudMonitor docs<\/td>\nAlerts and dashboards for metrics (verify ESA metric integration): https:\/\/www.alibabacloud.com\/help\/en\/cloudmonitor<\/td>\n<\/tr>\n
                                                                                                                                                                                            Certificates<\/td>\nCertificate Management Service (CAS) docs<\/td>\nTLS issuance and management: https:\/\/www.alibabacloud.com\/help\/en\/ssl-certificates<\/td>\n<\/tr>\n
                                                                                                                                                                                            CDN\/Networking context<\/td>\nAlibaba Cloud Networking and CDN product category<\/td>\nHelps position ESA among related services: https:\/\/www.alibabacloud.com\/product\/networking<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n
                                                                                                                                                                                            \n\n\n\n
                                                                                                                                                                                            18. Training and Certification Providers<\/h2>\n\n\n\n
                                                                                                                                                                                            The following training providers may offer Alibaba Cloud, networking, CDN, WAF, and edge security curricula. Verify current course availability and syllabi on each website.<\/strong><\/p>\n\n\n\n
                                                                                                                                                                                            \n\n\n\n\n\n\n\n\n
                                                                                                                                                                                            Institute<\/th>\nSuitable Audience<\/th>\nLikely Learning Focus<\/th>\nMode<\/th>\nWebsite URL<\/th>\n<\/tr>\n<\/thead>\n
                                                                                                                                                                                            DevOpsSchool.com<\/td>\nDevOps\/SRE\/Cloud engineers<\/td>\nCloud operations, DevOps tooling, deployment practices; may include CDN\/WAF\/edge topics<\/td>\nCheck website<\/td>\nhttps:\/\/www.devopsschool.com\/<\/td>\n<\/tr>\n
                                                                                                                                                                                            ScmGalaxy.com<\/td>\nBeginners to intermediate engineers<\/td>\nSCM\/DevOps fundamentals; may include cloud and operations modules<\/td>\nCheck website<\/td>\nhttps:\/\/www.scmgalaxy.com\/<\/td>\n<\/tr>\n
                                                                                                                                                                                            CLoudOpsNow.in<\/td>\nCloud operations teams<\/td>\nCloud ops, monitoring, cost, reliability topics<\/td>\nCheck website<\/td>\nhttps:\/\/www.cloudopsnow.in\/<\/td>\n<\/tr>\n
                                                                                                                                                                                            SreSchool.com<\/td>\nSREs, platform teams<\/td>\nSRE principles, observability, incident response, performance<\/td>\nCheck website<\/td>\nhttps:\/\/www.sreschool.com\/<\/td>\n<\/tr>\n
                                                                                                                                                                                            AiOpsSchool.com<\/td>\nOps and SRE teams<\/td>\nAIOps concepts, monitoring automation, operations analytics<\/td>\nCheck website<\/td>\nhttps:\/\/www.aiopsschool.com\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n
                                                                                                                                                                                            \n\n\n\n
                                                                                                                                                                                            19. Top Trainers<\/h2>\n\n\n\n
                                                                                                                                                                                            These sites are presented as trainer directories or training-resource platforms (verify current offerings directly).<\/p>\n\n\n\n
                                                                                                                                                                                            \n\n\n\n\n\n\n\n
                                                                                                                                                                                            Platform\/Site<\/th>\nLikely Specialization<\/th>\nSuitable Audience<\/th>\nWebsite URL<\/th>\n<\/tr>\n<\/thead>\n
                                                                                                                                                                                            RajeshKumar.xyz<\/td>\nDevOps\/cloud training and guidance (verify scope)<\/td>\nBeginners to intermediate<\/td>\nhttps:\/\/www.rajeshkumar.xyz\/<\/td>\n<\/tr>\n
                                                                                                                                                                                            devopstrainer.in<\/td>\nDevOps tooling and cloud practices<\/td>\nDevOps engineers, SREs<\/td>\nhttps:\/\/www.devopstrainer.in\/<\/td>\n<\/tr>\n
                                                                                                                                                                                            devopsfreelancer.com<\/td>\nFreelance DevOps consulting\/training resources<\/td>\nSmall teams, startups<\/td>\nhttps:\/\/www.devopsfreelancer.com\/<\/td>\n<\/tr>\n
                                                                                                                                                                                            devopssupport.in<\/td>\nDevOps support and training resources<\/td>\nOperations and support teams<\/td>\nhttps:\/\/www.devopssupport.in\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n
                                                                                                                                                                                            \n\n\n\n
                                                                                                                                                                                            20. Top Consulting Companies<\/h2>\n\n\n\n
                                                                                                                                                                                            These organizations may help with architecture, migrations, security hardening, and operations. Confirm capabilities and case studies directly.<\/p>\n\n\n\n
                                                                                                                                                                                            \n\n\n\n\n\n\n
                                                                                                                                                                                            Company<\/th>\nLikely Service Area<\/th>\nWhere They May Help<\/th>\nConsulting Use Case Examples<\/th>\nWebsite URL<\/th>\n<\/tr>\n<\/thead>\n
                                                                                                                                                                                            cotocus.com<\/td>\nCloud\/DevOps consulting (verify specialization)<\/td>\nEdge onboarding, performance tuning, operational runbooks<\/td>\nESA onboarding plan, DNS cutover strategy, baseline edge security policies<\/td>\nhttps:\/\/cotocus.com\/<\/td>\n<\/tr>\n
                                                                                                                                                                                            DevOpsSchool.com<\/td>\nDevOps consulting and training<\/td>\nImplementation support, DevOps\/SRE practices around delivery and observability<\/td>\nRollout playbooks, logging\/monitoring integration approach, rule change governance<\/td>\nhttps:\/\/www.devopsschool.com\/<\/td>\n<\/tr>\n
                                                                                                                                                                                            DEVOPSCONSULTING.IN<\/td>\nDevOps consulting services<\/td>\nPlatform operations, CI\/CD, reliability practices<\/td>\nMigration planning, cost analysis, incident response processes<\/td>\nhttps:\/\/www.devopsconsulting.in\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n
                                                                                                                                                                                            \n\n\n\n
                                                                                                                                                                                            21. Career and Learning Roadmap<\/h2>\n\n\n\n
                                                                                                                                                                                            What to learn before this service<\/h3>\n\n\n\n
                                                                                                                                                                                            To use ESA effectively, build fundamentals in:<\/p>\n\n\n\n
                                                                                                                                                                                              \n
                                                                                                                                                                                            • HTTP\/HTTPS<\/strong>: TLS, certificates, SNI, HSTS, redirects<\/li>\n
                                                                                                                                                                                            • DNS<\/strong>: A\/AAAA\/CNAME records, TTL, authoritative DNS, propagation<\/li>\n
                                                                                                                                                                                            • Caching<\/strong>: Cache-Control, ETag, immutable assets, cache keys<\/li>\n
                                                                                                                                                                                            • Web security basics<\/strong>: OWASP Top 10, rate limiting, bot patterns<\/li>\n
                                                                                                                                                                                            • Load balancing<\/strong>: origins behind ALB\/SLB, health checks<\/li>\n
                                                                                                                                                                                            • Linux\/web servers<\/strong> (if using ECS origins): NGINX basics, logs<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                                              What to learn after this service<\/h3>\n\n\n\n
                                                                                                                                                                                              Once you\u2019ve deployed ESA, expand into:<\/p>\n\n\n\n
                                                                                                                                                                                                \n
                                                                                                                                                                                              • Dedicated Alibaba Cloud WAF<\/strong> (for deeper L7 security) if needed<\/li>\n
                                                                                                                                                                                              • Anti-DDoS<\/strong> planning and incident playbooks<\/li>\n
                                                                                                                                                                                              • Log Service (SLS)<\/strong> pipelines, indexing, dashboards, alerting<\/li>\n
                                                                                                                                                                                              • Threat modeling<\/strong> for edge + origin architectures<\/li>\n
                                                                                                                                                                                              • Performance engineering<\/strong>: RUM, synthetic tests, cache optimization<\/li>\n
                                                                                                                                                                                              • Multi-region DR<\/strong> and failover design<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                                                Job roles that use it<\/h3>\n\n\n\n
                                                                                                                                                                                                  \n
                                                                                                                                                                                                • Cloud\/Platform Engineer<\/li>\n
                                                                                                                                                                                                • DevOps Engineer<\/li>\n
                                                                                                                                                                                                • Site Reliability Engineer (SRE)<\/li>\n
                                                                                                                                                                                                • Security Engineer (AppSec \/ SecOps)<\/li>\n
                                                                                                                                                                                                • Network Engineer (internet edge and DNS)<\/li>\n
                                                                                                                                                                                                • Solutions Architect<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                                                  Certification path (if available)<\/h3>\n\n\n\n
                                                                                                                                                                                                  Alibaba Cloud certification offerings change over time. A practical path is:\n1. Alibaba Cloud fundamentals (associate-level cloud certs)\n2. Networking\/security specialization (if available)\n3. Hands-on project portfolio demonstrating edge delivery and security<\/p>\n\n\n\n
                                                                                                                                                                                                  Verify current Alibaba Cloud certification tracks<\/strong> on the official Alibaba Cloud certification portal (search from https:\/\/www.alibabacloud.com\/).<\/p>\n\n\n\n
                                                                                                                                                                                                  Project ideas for practice<\/h3>\n\n\n\n
                                                                                                                                                                                                    \n
                                                                                                                                                                                                  • Static site acceleration<\/strong>: OSS origin + ESA caching + HTTPS<\/li>\n
                                                                                                                                                                                                  • API protection<\/strong>: rate limit \/auth<\/code>, allowlist partner IPs, strict caching rules<\/li>\n
                                                                                                                                                                                                  • Origin protection<\/strong>: restrict security groups, validate forwarded headers, build a safe bypass<\/li>\n
                                                                                                                                                                                                  • Observability<\/strong>: export ESA logs to SLS and create dashboards for cache hit ratio and top blocked requests<\/li>\n
                                                                                                                                                                                                  • Migration exercise<\/strong>: map rules from an existing CDN\/WAF to ESA with staging validation<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                                                    \n\n\n\n
                                                                                                                                                                                                    22. Glossary<\/h2>\n\n\n\n
                                                                                                                                                                                                      \n
                                                                                                                                                                                                    • Edge PoP (Point of Presence)<\/strong>: A geographically distributed edge location where ESA processes traffic close to users.<\/li>\n
                                                                                                                                                                                                    • Reverse Proxy<\/strong>: A server\/service that sits in front of origins and forwards client requests to them.<\/li>\n
                                                                                                                                                                                                    • Origin<\/strong>: Your backend server(s) hosting the real content (ECS, ALB\/SLB, OSS, third-party).<\/li>\n
                                                                                                                                                                                                    • CNAME<\/strong>: DNS record type that maps one name to another canonical name; commonly used to point subdomains to ESA.<\/li>\n
                                                                                                                                                                                                    • NS Delegation<\/strong>: Changing authoritative name servers so a different provider manages DNS for a domain.<\/li>\n
                                                                                                                                                                                                    • TLS Termination<\/strong>: Handling HTTPS encryption\/decryption at the edge instead of at the origin.<\/li>\n
                                                                                                                                                                                                    • WAF<\/strong>: Web Application Firewall; blocks\/filters malicious HTTP requests.<\/li>\n
                                                                                                                                                                                                    • Rate Limiting<\/strong>: Restricting the number of requests allowed over a time window.<\/li>\n
                                                                                                                                                                                                    • Cache Hit \/ Cache Miss<\/strong>: A hit means the response is served from edge cache; a miss means ESA fetches from origin.<\/li>\n
                                                                                                                                                                                                    • Cache Key<\/strong>: The attributes (URL, query string, headers, cookies) used to decide whether two requests share cached content.<\/li>\n
                                                                                                                                                                                                    • TTL (Time To Live)<\/strong>: How long DNS records or cached content remain valid before refreshing.<\/li>\n
                                                                                                                                                                                                    • ActionTrail<\/strong>: Alibaba Cloud service for auditing API actions and configuration changes.<\/li>\n
                                                                                                                                                                                                    • SLS (Log Service)<\/strong>: Alibaba Cloud\u2019s log ingestion, storage, and analytics platform.<\/li>\n
                                                                                                                                                                                                    • CloudMonitor<\/strong>: Alibaba Cloud monitoring and alerting service.<\/li>\n
                                                                                                                                                                                                    • HSTS<\/strong>: HTTP Strict Transport Security header that forces browsers to use HTTPS.<\/li>\n
                                                                                                                                                                                                    • Credential Stuffing<\/strong>: Automated login attempts using stolen username\/password pairs.<\/li>\n
                                                                                                                                                                                                    • Origin Protection<\/strong>: Measures that prevent direct public access to origins, forcing traffic through ESA.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                                                      \n\n\n\n
                                                                                                                                                                                                      23. Summary<\/h2>\n\n\n\n
                                                                                                                                                                                                      Alibaba Cloud Edge Security Acceleration (ESA)<\/strong> is a Networking and CDN<\/strong> edge service that places a managed reverse-proxy in front of your web applications to provide acceleration (caching and edge delivery)<\/strong> and security controls (WAF-style filtering, rate limiting, and related protections depending on plan)<\/strong>.<\/p>\n\n\n\n
                                                                                                                                                                                                      It matters because it can:\n– Improve performance for global users\n– Reduce origin load and stabilize operations during spikes\n– Block common web attacks and abusive traffic earlier in the request path<\/p>\n\n\n\n
                                                                                                                                                                                                      Key cost and security points:\n– Costs are typically driven by traffic, requests, and log export volume<\/strong>; use the official pricing tools for your region\/edition.\n– Secure deployments require HTTPS<\/strong>, cautious caching, and origin protection<\/strong> to prevent bypass.<\/p>\n\n\n\n
                                                                                                                                                                                                      Use ESA when you want an integrated edge front door for public websites and APIs. If you need deeper specialized protections or guaranteed DDoS capacity, evaluate pairing with dedicated Alibaba Cloud WAF\/Anti-DDoS services.<\/p>\n\n\n\n
                                                                                                                                                                                                      Next step: deploy ESA on a staging subdomain<\/strong>, export logs (if supported) to SLS for visibility, and iteratively tune caching and security rules with a clear rollback plan.<\/p>\n","protected":false},"excerpt":{"rendered":"
                                                                                                                                                                                                      Networking and CDN<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2,8],"tags":[],"class_list":["post-43","post","type-post","status-publish","format-standard","hentry","category-alibaba-cloud","category-networking-and-cdn"],"_links":{"self":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/43","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/comments?post=43"}],"version-history":[{"count":0,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/43\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/media?parent=43"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/categories?post=43"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/tags?post=43"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}