{"id":49,"date":"2026-04-12T15:52:15","date_gmt":"2026-04-12T15:52:15","guid":{"rendered":"https:\/\/www.devopsschool.com\/tutorials\/alibaba-cloud-anti-ddos-proxy-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-security\/"},"modified":"2026-04-12T15:52:15","modified_gmt":"2026-04-12T15:52:15","slug":"alibaba-cloud-anti-ddos-proxy-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-security","status":"publish","type":"post","link":"https:\/\/www.devopsschool.com\/tutorials\/alibaba-cloud-anti-ddos-proxy-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-security\/","title":{"rendered":"Alibaba Cloud Anti-DDoS Proxy Tutorial: Architecture, Pricing, Use Cases, and Hands-On Guide for Security"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">Category<\/h2>\n\n\n\n<p>Security<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">1. Introduction<\/h2>\n\n\n\n<p>Alibaba Cloud <strong>Anti-DDoS Proxy<\/strong> is a managed DDoS mitigation service that helps keep Internet-facing applications online during volumetric and protocol\/application-layer distributed denial-of-service (DDoS) attacks by <strong>advertising protected IPs, ingesting attack traffic, scrubbing malicious packets\/requests, and forwarding clean traffic to your origin<\/strong>.<\/p>\n\n\n\n<p>In simple terms: you place Anti-DDoS Proxy <strong>in front of<\/strong> your public service (websites, APIs, game servers, TCP\/UDP services). Users connect to an Anti-DDoS Proxy address, and the service relays legitimate traffic to your real servers while absorbing attacks.<\/p>\n\n\n\n<p>Technically, Anti-DDoS Proxy works as a combination of <strong>traffic diversion + scrubbing + proxy\/forwarding<\/strong>. You bind your asset (IP\/port and sometimes domain) to an Anti-DDoS Proxy instance. When attacks occur, Alibaba Cloud\u2019s mitigation network identifies malicious patterns at L3\/L4 and (where supported) L7, applies filtering and rate controls, and forwards only validated traffic to your origin via configured forwarding rules.<\/p>\n\n\n\n<p><strong>The problem it solves:<\/strong> DDoS attacks can saturate bandwidth, exhaust connection tables, overwhelm load balancers, or burn CPU with floods of requests\u2014taking services offline. Anti-DDoS Proxy provides <strong>specialized capacity and defense logic<\/strong> so you don\u2019t have to build and operate scrubbing infrastructure yourself.<\/p>\n\n\n\n<blockquote>\n<p>Naming note (verify in official docs): Alibaba Cloud has historically offered DDoS protection under multiple product\/edition names (for example \u201cAnti-DDoS Pro\u201d and \u201cAnti-DDoS Premium\u201d). In many regions and documentation sets, these capabilities are now organized under <strong>Anti-DDoS Proxy<\/strong>. Always confirm the exact edition names and feature matrix in the current Alibaba Cloud documentation for your region.<\/p>\n<\/blockquote>\n\n\n\n<h2 class=\"wp-block-heading\">2. What is Anti-DDoS Proxy?<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Official purpose<\/h3>\n\n\n\n<p>Anti-DDoS Proxy is an Alibaba Cloud Security service designed to <strong>protect public-facing services<\/strong> from DDoS attacks by providing <strong>dedicated mitigation resources<\/strong> and proxy-based forwarding so that your origin IPs can remain stable (and, ideally, less exposed).<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Core capabilities (high-level)<\/h3>\n\n\n\n<p>Anti-DDoS Proxy typically provides:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>DDoS traffic scrubbing<\/strong> for common L3\/L4 flood types (for example SYN\/ACK floods, UDP floods, ICMP floods) and certain application-layer floods depending on configuration and edition.<\/li>\n<li><strong>Proxy\/forwarding<\/strong> so clients connect to <strong>protected\/proxy IPs<\/strong> (or domain-based routing) and clean traffic is forwarded to your origin server(s).<\/li>\n<li><strong>Configurable forwarding rules<\/strong> for TCP\/UDP and (where supported) HTTP\/HTTPS.<\/li>\n<li><strong>Monitoring, alerts, and attack reports<\/strong> to understand attack events and mitigation effectiveness.<\/li>\n<li><strong>API\/automation<\/strong> (OpenAPI) for some lifecycle and configuration operations (verify the exact API coverage for Anti-DDoS Proxy in your region).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Major components (conceptual)<\/h3>\n\n\n\n<p>While UI names vary slightly by edition\/region, Anti-DDoS Proxy deployments usually involve:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>\n<p><strong>Anti-DDoS Proxy instance<\/strong><br\/>\n   The subscribed resource container with a defined mitigation capacity\/edition.<\/p>\n<\/li>\n<li>\n<p><strong>Protected asset \/ protected object<\/strong><br\/>\n   The IP address(es) and\/or domain(s) you want to protect.<\/p>\n<\/li>\n<li>\n<p><strong>Proxy (protected) IP \/ CNAME<\/strong><br\/>\n   The public entry point users connect to. You update DNS (or client configuration) to point to this.<\/p>\n<\/li>\n<li>\n<p><strong>Forwarding rule(s)<\/strong><br\/>\n   Port\/protocol mapping (and sometimes domain mapping) that defines where clean traffic goes (origin IP, origin port, load balancer, etc.).<\/p>\n<\/li>\n<li>\n<p><strong>Origin<\/strong><br\/>\n   Your actual service endpoints: ECS public IP\/EIP, Server Load Balancer, or non-Alibaba Cloud public IP (depending on supported origin types).<\/p>\n<\/li>\n<li>\n<p><strong>Observability &amp; control plane<\/strong><br\/>\n   Console dashboards, attack events, metrics, and configuration APIs.<\/p>\n<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\">Service type<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Managed security service<\/strong> (DDoS mitigation + proxy forwarding).<\/li>\n<li>Typically <strong>subscription-based<\/strong> with edition\/capacity SKUs (verify current billing methods available in your region).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Scope (regional\/global\/account)<\/h3>\n\n\n\n<p>This varies by product edition and region. Commonly:\n&#8211; The <strong>instance is purchased in a region<\/strong> and managed under your Alibaba Cloud account.\n&#8211; Scrubbing capacity may be delivered through Alibaba Cloud\u2019s mitigation network with multiple scrubbing nodes (implementation detail; verify).\n&#8211; You manage configuration (protected assets, forwarding rules) within the scope of the instance.<\/p>\n\n\n\n<blockquote>\n<p>Verify in official docs: Whether Anti-DDoS Proxy in your region is best described as regional, global, or \u201cglobal access with regional purchase,\u201d and what constraints exist around protected IP geographies.<\/p>\n<\/blockquote>\n\n\n\n<h3 class=\"wp-block-heading\">How it fits into the Alibaba Cloud ecosystem<\/h3>\n\n\n\n<p>Anti-DDoS Proxy is often deployed alongside:\n&#8211; <strong>ECS<\/strong> (Elastic Compute Service) or <strong>ACK<\/strong> (Container Service for Kubernetes) as the origin compute\n&#8211; <strong>Server Load Balancer<\/strong> (Classic\/ALB\/NLB depending on workload)\n&#8211; <strong>WAF<\/strong> (Web Application Firewall) for OWASP protections and bot management (Anti-DDoS Proxy is not a full WAF)\n&#8211; <strong>CloudMonitor<\/strong> for alarms\/metrics\n&#8211; <strong>ActionTrail<\/strong> for audit logs\n&#8211; <strong>Log Service (SLS)<\/strong> if supported for event\/log shipping (verify exact integration)<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">3. Why use Anti-DDoS Proxy?<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Business reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Reduce downtime risk<\/strong> from DDoS incidents that can cause lost revenue, SLA penalties, and reputational damage.<\/li>\n<li><strong>Predictable preparedness<\/strong>: a subscribed mitigation service is often easier to justify than emergency response during an outage.<\/li>\n<li><strong>Faster incident response<\/strong> with centralized attack visibility and standard mitigation workflows.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Technical reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>DDoS attacks can exceed the capacity of:<\/li>\n<li>Your upstream ISP links<\/li>\n<li>A single load balancer<\/li>\n<li>Instance connection limits<\/li>\n<li>NAT tables \/ stateful firewalls<\/li>\n<li>Anti-DDoS Proxy provides <strong>specialized filtering<\/strong> and <strong>high-capacity mitigation<\/strong> upstream before traffic reaches your origins.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Operational reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Avoids building and maintaining:<\/li>\n<li>Anycast\/BGP diversion<\/li>\n<li>Scrubbing clusters<\/li>\n<li>DDoS playbooks and tuning at packet scale<\/li>\n<li>Provides <strong>consistent controls<\/strong> for forwarding rules, protected objects, and reporting.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Security and compliance reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Helps meet organizational requirements for <strong>availability controls<\/strong> and <strong>resilience<\/strong>.<\/li>\n<li>Provides centralized security telemetry that can support audit narratives (exact compliance attestations vary\u2014verify current Alibaba Cloud compliance documentation).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Scalability and performance reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Preserves origin capacity for legitimate users.<\/li>\n<li>Can reduce blast radius by <strong>hiding origin IPs<\/strong> (if you restrict origin access to Anti-DDoS Proxy back-to-origin addresses).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">When teams should choose Anti-DDoS Proxy<\/h3>\n\n\n\n<p>Choose it when:\n&#8211; You run <strong>public Internet services<\/strong> with meaningful uptime requirements.\n&#8211; You have experienced DDoS attacks or operate in a high-risk industry (gaming, fintech, e-commerce, crypto, media, public sector).\n&#8211; You need protection for <strong>TCP\/UDP services<\/strong> (non-HTTP) as well as web workloads.\n&#8211; You want a managed mitigation service integrated with Alibaba Cloud networking and Security tooling.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">When teams should not choose it<\/h3>\n\n\n\n<p>Consider alternatives when:\n&#8211; Your workload is <strong>private\/internal-only<\/strong> (no Internet exposure).\n&#8211; You only need <strong>basic<\/strong> DDoS defense and can rely on Alibaba Cloud\u2019s baseline protections for certain resources (for example, basic DDoS protection for some public IP services\u2014verify).\n&#8211; Your primary risk is <strong>application-layer vulnerabilities<\/strong> (SQL injection, XSS, account takeover). You likely need <strong>WAF<\/strong>, bot management, and secure coding; Anti-DDoS Proxy is not a complete application security solution.\n&#8211; Your architecture is best served by <strong>CDN edge caching + WAF<\/strong> (for static-heavy web) rather than generic proxying\u2014often you\u2019ll use both, depending on traffic patterns.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">4. Where is Anti-DDoS Proxy used?<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Industries<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Gaming and esports (UDP\/TCP game servers, matchmaking)<\/li>\n<li>Financial services and payment gateways<\/li>\n<li>E-commerce and flash sales<\/li>\n<li>Media streaming platforms and ticketing<\/li>\n<li>SaaS platforms and public APIs<\/li>\n<li>Education and online exam platforms<\/li>\n<li>Government\/public services portals<\/li>\n<li>Crypto exchanges and wallets (high DDoS frequency)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Team types<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Security engineering \/ SOC<\/li>\n<li>SRE and platform engineering<\/li>\n<li>DevOps teams managing Internet ingress<\/li>\n<li>Network engineering teams<\/li>\n<li>Operations teams responsible for uptime\/SLA<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Workloads<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Public REST\/GraphQL APIs<\/li>\n<li>Web frontends (HTTP\/HTTPS)<\/li>\n<li>Login\/payment flows<\/li>\n<li>TCP services (custom protocols, MQTT over TCP)<\/li>\n<li>UDP services (games, streaming control planes)<\/li>\n<li>DNS-dependent services that can repoint quickly<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Architectures<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Single-region origin protected by Anti-DDoS Proxy<\/li>\n<li>Multi-region active\/active with DNS-based failover<\/li>\n<li>Anti-DDoS Proxy in front of load balancers (ALB\/NLB\/Classic SLB)<\/li>\n<li>Hybrid: on-prem origin protected via Anti-DDoS Proxy forwarding (if supported)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Production vs dev\/test usage<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Production:<\/strong> common and recommended where uptime matters.<\/li>\n<li><strong>Dev\/test:<\/strong> less common due to subscription cost and because DDoS is not typically tested in dev. However, it can be valuable to validate:<\/li>\n<li>DNS cutover procedure<\/li>\n<li>Back-to-origin allowlisting<\/li>\n<li>TLS\/certificate behavior<\/li>\n<li>Observability and alerting<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">5. Top Use Cases and Scenarios<\/h2>\n\n\n\n<p>Below are realistic scenarios where Anti-DDoS Proxy is a strong fit.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">1) Protect a public API endpoint (HTTP\/HTTPS)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> API is targeted by request floods, causing 5xx errors and timeouts.<\/li>\n<li><strong>Why it fits:<\/strong> Anti-DDoS Proxy provides upstream mitigation and forwarding, keeping origin stable.<\/li>\n<li><strong>Example:<\/strong> A mobile app backend <code>api.example.com<\/code> routes through Anti-DDoS Proxy, with origin behind an Alibaba Cloud load balancer.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">2) Protect a TCP-based service (custom protocol)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Attackers flood TCP connections to exhaust server resources.<\/li>\n<li><strong>Why it fits:<\/strong> Anti-DDoS Proxy can protect TCP services via port forwarding rules.<\/li>\n<li><strong>Example:<\/strong> A chat service on TCP\/5222 is fronted by Anti-DDoS Proxy IPs and forwarded to an origin NLB.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">3) Protect UDP game servers<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> UDP floods saturate bandwidth and disrupt gameplay.<\/li>\n<li><strong>Why it fits:<\/strong> Anti-DDoS Proxy is commonly used for UDP forwarding (verify UDP feature availability in your edition).<\/li>\n<li><strong>Example:<\/strong> A multiplayer game uses Anti-DDoS Proxy for UDP\/27015 traffic into a fleet of ECS servers.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">4) Hide origin IPs to reduce direct attack surface<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Attackers target origin IPs directly after discovering them.<\/li>\n<li><strong>Why it fits:<\/strong> With Anti-DDoS Proxy, you can restrict origin access to only the proxy back-to-origin IP ranges.<\/li>\n<li><strong>Example:<\/strong> Security group rules allow only Anti-DDoS Proxy egress ranges to reach the origin ALB.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">5) Protect a login page during high-traffic events<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Credential-stuffing bots plus DDoS-like floods cause instability.<\/li>\n<li><strong>Why it fits:<\/strong> Anti-DDoS Proxy helps with volumetric floods; combine with WAF\/bot control for credential abuse.<\/li>\n<li><strong>Example:<\/strong> <code>login.example.com<\/code> is protected; WAF handles L7 rules, Anti-DDoS Proxy handles volumetric events.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6) DDoS resilience for a payment callback endpoint<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Downtime breaks payments and reconciliation.<\/li>\n<li><strong>Why it fits:<\/strong> Keeps callback endpoints reachable even during attacks.<\/li>\n<li><strong>Example:<\/strong> Payment provider callback URL is routed through Anti-DDoS Proxy with strict forwarding rules.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">7) Reduce emergency mitigation actions during attacks<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> During attacks, teams scramble to change DNS, block IPs, or scale up.<\/li>\n<li><strong>Why it fits:<\/strong> Pre-configured protection reduces manual intervention.<\/li>\n<li><strong>Example:<\/strong> An operations team uses predefined alarms and dashboards to confirm mitigation is active.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">8) Protect a multi-tenant SaaS ingress<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> One tenant\u2019s attack traffic impacts everyone on shared ingress.<\/li>\n<li><strong>Why it fits:<\/strong> Anti-DDoS Proxy increases ingress headroom and stability; can be paired with per-tenant rate controls at L7\/WAF.<\/li>\n<li><strong>Example:<\/strong> <code>app.example.com<\/code> is protected, origin is an ALB with path-based routing.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">9) Protect hybrid origins (on-prem\/public IP) during migration<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> On-prem service is DDoS targeted; migration to cloud is phased.<\/li>\n<li><strong>Why it fits:<\/strong> Anti-DDoS Proxy can forward to non-cloud public IPs if supported (verify origin type support).<\/li>\n<li><strong>Example:<\/strong> A legacy service stays on-prem but uses Alibaba Cloud Anti-DDoS Proxy as a protective front door.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">10) Protect marketing campaign landing pages<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Ad campaigns attract both real traffic and malicious floods.<\/li>\n<li><strong>Why it fits:<\/strong> Anti-DDoS Proxy stabilizes availability; you can still use CDN for caching where appropriate.<\/li>\n<li><strong>Example:<\/strong> A landing page uses Anti-DDoS Proxy + CDN; origin is a static site on OSS behind an origin server.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">11) Keep B2B partner integrations alive (IP allowlists)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Partner integrations break during DDoS; IP allowlists complicate changes.<\/li>\n<li><strong>Why it fits:<\/strong> Anti-DDoS Proxy provides stable endpoints; you can coordinate allowlisting to proxy IPs.<\/li>\n<li><strong>Example:<\/strong> Partners allowlist the Anti-DDoS Proxy IPs rather than your origin EIPs.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">12) Improve attack visibility and reporting<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Lack of evidence post-incident (what happened, how big, how long).<\/li>\n<li><strong>Why it fits:<\/strong> Attack event reporting, metrics, and alerts centralize data.<\/li>\n<li><strong>Example:<\/strong> Security team exports attack reports into incident tickets.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">6. Core Features<\/h2>\n\n\n\n<blockquote>\n<p>Feature availability can differ by <strong>edition<\/strong>, <strong>region<\/strong>, and <strong>protocol type<\/strong>. Confirm the exact capabilities for your Anti-DDoS Proxy instance in the official Alibaba Cloud documentation.<\/p>\n<\/blockquote>\n\n\n\n<h3 class=\"wp-block-heading\">1) DDoS mitigation (scrubbing)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Detects and filters malicious traffic patterns upstream.<\/li>\n<li><strong>Why it matters:<\/strong> Prevents bandwidth saturation and state exhaustion at the origin.<\/li>\n<li><strong>Practical benefit:<\/strong> Services remain reachable during large attacks.<\/li>\n<li><strong>Caveats:<\/strong> Mitigation capacity is tied to purchased edition\/capacity; exceeding capacity can still impact availability.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">2) Protected IPs \/ proxy access points<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Provides public endpoints clients connect to instead of your origin.<\/li>\n<li><strong>Why it matters:<\/strong> Enables traffic scrubbing and can obscure origin IPs.<\/li>\n<li><strong>Practical benefit:<\/strong> Simplifies DNS cutover and reduces direct-origin exposure.<\/li>\n<li><strong>Caveats:<\/strong> You must update DNS or client configuration; propagation time matters.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">3) Forwarding rules (protocol\/port mapping)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Maps inbound traffic on a proxy IP + port to origin IP + port.<\/li>\n<li><strong>Why it matters:<\/strong> Enables protection for non-HTTP services and custom ports.<\/li>\n<li><strong>Practical benefit:<\/strong> Protects TCP\/UDP services without changing application logic.<\/li>\n<li><strong>Caveats:<\/strong> Port\/protocol limits and supported ranges depend on edition; verify.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">4) Website\/domain-based forwarding (where supported)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Allows HTTP\/HTTPS protection using domain routing.<\/li>\n<li><strong>Why it matters:<\/strong> Web traffic is a common DDoS target (HTTP floods, CC attacks).<\/li>\n<li><strong>Practical benefit:<\/strong> Can protect multiple domains and simplify TLS handling (depending on features).<\/li>\n<li><strong>Caveats:<\/strong> Not a full WAF; for OWASP protections and bot management, integrate Alibaba Cloud WAF.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">5) Back-to-origin protection via allowlisting<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Lets you restrict origin access so only Anti-DDoS Proxy can reach it (using documented back-to-origin IP ranges).<\/li>\n<li><strong>Why it matters:<\/strong> Prevents attackers from bypassing the proxy and hitting your origin directly.<\/li>\n<li><strong>Practical benefit:<\/strong> Strong security hardening with minimal cost.<\/li>\n<li><strong>Caveats:<\/strong> You must maintain allowlists accurately; changes to egress IP ranges require updates (follow official announcements\/docs).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6) Health checks \/ origin availability logic (where supported)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Detects origin reachability to avoid forwarding to dead endpoints (feature name varies).<\/li>\n<li><strong>Why it matters:<\/strong> Reduces false positives where \u201cprotection is up but origin is down.\u201d<\/li>\n<li><strong>Practical benefit:<\/strong> Faster detection of origin misconfigurations.<\/li>\n<li><strong>Caveats:<\/strong> Health check behavior differs by protocol; verify supported checks and intervals.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">7) Attack event dashboards and reports<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Shows attack times, types, and mitigation actions.<\/li>\n<li><strong>Why it matters:<\/strong> Supports incident response and capacity planning.<\/li>\n<li><strong>Practical benefit:<\/strong> Faster triage and better postmortems.<\/li>\n<li><strong>Caveats:<\/strong> Data retention and granularity vary; verify.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">8) Alerts and notifications<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Sends notifications when attacks occur or thresholds are crossed.<\/li>\n<li><strong>Why it matters:<\/strong> Reduces mean time to detect (MTTD).<\/li>\n<li><strong>Practical benefit:<\/strong> On-call teams get actionable signals.<\/li>\n<li><strong>Caveats:<\/strong> Integrations (SMS\/email\/webhook) depend on account settings and region.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">9) API and automation (OpenAPI)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Enables programmatic management of certain configurations.<\/li>\n<li><strong>Why it matters:<\/strong> Infrastructure-as-code and repeatable deployments.<\/li>\n<li><strong>Practical benefit:<\/strong> Standardize protection onboarding across many services.<\/li>\n<li><strong>Caveats:<\/strong> API coverage may not match console 1:1; verify Anti-DDoS Proxy OpenAPI docs.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">10) Multi-origin \/ layered ingress (architectural pattern)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Supports forwarding to load balancers, which then distribute to multiple origins.<\/li>\n<li><strong>Why it matters:<\/strong> Adds resilience and elasticity behind the protected entry point.<\/li>\n<li><strong>Practical benefit:<\/strong> Rolling deployments and scaling without changing Anti-DDoS Proxy config.<\/li>\n<li><strong>Caveats:<\/strong> Your load balancer and origins must be sized for clean traffic peaks.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">7. Architecture and How It Works<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">High-level service architecture<\/h3>\n\n\n\n<p>Anti-DDoS Proxy sits at the edge of your Internet ingress:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Clients connect to a <strong>protected\/proxy IP<\/strong> (or domain pointing to it).<\/li>\n<li>Traffic enters Alibaba Cloud\u2019s mitigation network.<\/li>\n<li>Malicious traffic is <strong>detected and scrubbed<\/strong> (filtered, rate-limited, challenged depending on attack type and features).<\/li>\n<li>Clean traffic is <strong>proxied\/forwarded<\/strong> to the configured origin endpoint(s).<\/li>\n<li>Metrics and events are surfaced to console\/APIs for monitoring and operations.<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\">Request\/data\/control flow<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Data plane:<\/strong><\/li>\n<li>Client \u2192 Anti-DDoS Proxy protected endpoint \u2192 scrubbing \u2192 forwarding \u2192 origin<\/li>\n<li>Origin responses return through the proxy to the client (typical proxy pattern).<\/li>\n<li><strong>Control plane:<\/strong><\/li>\n<li>Admin uses Alibaba Cloud Console\/OpenAPI to create instances, bind protected assets, create forwarding rules, and view events\/metrics.<\/li>\n<li>IAM (RAM) controls who can perform these operations.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Integrations with related services<\/h3>\n\n\n\n<p>Common integration points:\n&#8211; <strong>ECS \/ ACK<\/strong> as origins\n&#8211; <strong>Server Load Balancer (SLB\/ALB\/NLB)<\/strong> as origin to distribute traffic\n&#8211; <strong>WAF<\/strong> for application-layer security (SQLi\/XSS\/bots)\n&#8211; <strong>CloudMonitor<\/strong> for alarms and dashboards\n&#8211; <strong>ActionTrail<\/strong> for auditing configuration changes\n&#8211; <strong>Log Service (SLS)<\/strong> if Anti-DDoS logs can be delivered (verify)<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Dependency services<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>DNS<\/strong> is central: you usually repoint A\/AAAA (or CNAME) records to Anti-DDoS Proxy endpoints.<\/li>\n<li><strong>Networking and security groups<\/strong>: to restrict origin access and allow proxy back-to-origin traffic.<\/li>\n<li><strong>Certificates<\/strong> (for HTTPS) if L7\/TLS termination is used (verify exact TLS handling model for your edition).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Security\/authentication model<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Controlled by <strong>Alibaba Cloud RAM<\/strong>:<\/li>\n<li>Users\/roles need permissions to manage Anti-DDoS Proxy instances and configurations.<\/li>\n<li>Admin actions should be audited via <strong>ActionTrail<\/strong> (and optionally exported to SLS).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Networking model<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Public ingress through protected endpoints.<\/li>\n<li>Forwarding to origin uses public routing; you typically secure the origin by:<\/li>\n<li>Allowlisting proxy egress ranges<\/li>\n<li>Using a load balancer with restricted listener ACLs (if available)<\/li>\n<li>Avoiding direct exposure of origin IPs in DNS or public configs<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Monitoring\/logging\/governance considerations<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Monitor:<\/li>\n<li>Attack events and peak Mbps\/pps (as shown in Anti-DDoS Proxy console)<\/li>\n<li>Origin health and response codes (through application monitoring)<\/li>\n<li>DNS status and TTL<\/li>\n<li>Governance:<\/li>\n<li>Use tags and naming conventions for instances and protected assets.<\/li>\n<li>Use least privilege RAM policies.<\/li>\n<li>Centralize alert routing (email\/SMS\/IM integrations as supported).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Simple architecture diagram<\/h3>\n\n\n\n<pre><code class=\"language-mermaid\">flowchart LR\n  U[Internet Users] --&gt; DNS[DNS: app.example.com]\n  DNS --&gt; P[Anti-DDoS Proxy Protected IP\/CNAME]\n  P --&gt; S[Scrubbing &amp; Filtering]\n  S --&gt; F[Forwarding Rule]\n  F --&gt; O[Origin Service\\n(ECS\/SLB\/Public IP)]\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Production-style architecture diagram<\/h3>\n\n\n\n<pre><code class=\"language-mermaid\">flowchart TB\n  subgraph Internet[\"Internet\"]\n    Users[Users\/Bots]\n  end\n\n  subgraph AlibabaCloud[\"Alibaba Cloud\"]\n    DNS[Alibaba Cloud DNS \/ External DNS]\n    ADP[Anti-DDoS Proxy\\n(Protected IPs \/ Domains)]\n    WAF[Web Application Firewall (optional)]\n    ALB[Load Balancer (ALB\/NLB\/SLB)]\n    APP[App Tier\\n(ECS\/ACK)]\n    DB[(Database)]\n    CM[CloudMonitor]\n    AT[ActionTrail]\n    SLS[Log Service (SLS)\\n(optional\/verify)]\n  end\n\n  Users --&gt; DNS\n  DNS --&gt; ADP\n  ADP --&gt;|Clean traffic| WAF\n  WAF --&gt; ALB\n  ALB --&gt; APP\n  APP --&gt; DB\n\n  ADP --&gt; CM\n  WAF --&gt; CM\n  ALB --&gt; CM\n  AT --&gt; SLS\n  ADP -.-&gt;|events\/logs (verify)| SLS\n<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">8. Prerequisites<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Account and billing<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>An active <strong>Alibaba Cloud account<\/strong> with a valid payment method.<\/li>\n<li>Ability to purchase <strong>Anti-DDoS Proxy<\/strong> (subscription\/edition availability varies).<\/li>\n<li>If you will create origin infrastructure for the lab: budget for <strong>ECS<\/strong>, <strong>public IP\/EIP<\/strong>, and bandwidth.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Permissions \/ IAM (RAM)<\/h3>\n\n\n\n<p>You need permissions to:\n&#8211; Purchase and manage Anti-DDoS Proxy instances\n&#8211; Configure protected objects and forwarding rules\n&#8211; View monitoring\/attack events<\/p>\n\n\n\n<p>Practical guidance:\n&#8211; Use a <strong>RAM user\/role<\/strong> for day-to-day operations.\n&#8211; Keep purchasing and billing permissions restricted.<\/p>\n\n\n\n<blockquote>\n<p>Verify in official docs: The exact RAM actions for Anti-DDoS Proxy (service namespace and API actions), as they can differ across Alibaba Cloud products.<\/p>\n<\/blockquote>\n\n\n\n<h3 class=\"wp-block-heading\">Tools<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A terminal with:<\/li>\n<li><code>curl<\/code><\/li>\n<li><code>dig<\/code> or <code>nslookup<\/code><\/li>\n<li>Optional:<\/li>\n<li>Alibaba Cloud CLI (if you plan to use APIs; verify Anti-DDoS Proxy CLI coverage)<\/li>\n<li><code>hey<\/code> or <code>ab<\/code> for light load testing (do not generate abusive traffic)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Region availability<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Anti-DDoS Proxy availability is <strong>region-dependent<\/strong>.<\/li>\n<li>Confirm supported regions and editions in official docs\/product pages.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Quotas\/limits (examples to verify)<\/h3>\n\n\n\n<p>Common limits you should confirm:\n&#8211; Number of protected IPs per instance\n&#8211; Number of forwarding rules\n&#8211; Supported protocols\/ports\n&#8211; Maximum number of protected domains (for website protection)\n&#8211; TLS\/certificate limits (if applicable)<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Prerequisite services<\/h3>\n\n\n\n<p>For the hands-on tutorial you\u2019ll need:\n&#8211; An origin service reachable on the Internet (ECS with a public IP, or a load balancer)\n&#8211; A domain name you control (recommended for realistic testing)<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">9. Pricing \/ Cost<\/h2>\n\n\n\n<blockquote>\n<p>Anti-DDoS Proxy pricing can be <strong>edition-based, capacity-based, and region-specific<\/strong>, and some customers may use negotiated enterprise pricing. Do not rely on third-party price lists; always confirm in official Alibaba Cloud pricing pages.<\/p>\n<\/blockquote>\n\n\n\n<h3 class=\"wp-block-heading\">Pricing dimensions (typical model)<\/h3>\n\n\n\n<p>Anti-DDoS Proxy is commonly priced based on some combination of:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Edition \/ instance type<\/strong> (feature set and mitigation level)<\/li>\n<li><strong>Mitigation capacity<\/strong> (e.g., protected bandwidth\/clean traffic capacity, depending on SKU)<\/li>\n<li><strong>Number of protected IPs<\/strong> and\/or <strong>protected domains<\/strong><\/li>\n<li><strong>Forwarding specifications<\/strong> (ports\/rules; sometimes included up to limits)<\/li>\n<li><strong>Additional value-added features<\/strong> (where offered)<\/li>\n<\/ul>\n\n\n\n<blockquote>\n<p>Verify in official docs: Whether \u201cclean traffic\u201d (legitimate traffic) is metered separately for your edition, and how burst scenarios are billed.<\/p>\n<\/blockquote>\n\n\n\n<h3 class=\"wp-block-heading\">Free tier<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Typically <strong>no universal free tier<\/strong> for dedicated DDoS proxy services, but Alibaba Cloud may offer <strong>trials<\/strong> or promotions in some regions.<br\/>\n<strong>Verify in official promotions\/free trial pages<\/strong>.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Main cost drivers<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Choosing higher mitigation capacity than needed (or underbuying and suffering downtime).<\/li>\n<li>Number of protected assets (IPs\/domains) onboarded.<\/li>\n<li>Origin infrastructure costs (ALB\/NLB, ECS scaling, bandwidth).<\/li>\n<li>Data transfer charges on the origin side:<\/li>\n<li>Ingress\/egress bandwidth for ECS or load balancers<\/li>\n<li>Inter-region traffic if origins are cross-region<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Hidden\/indirect costs<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Origin bandwidth<\/strong>: even scrubbed traffic must reach the origin; during legitimate traffic surges, origin egress\/ingress costs can rise.<\/li>\n<li><strong>TLS certificates and management<\/strong> (if you terminate TLS at the proxy or WAF; depends on architecture).<\/li>\n<li><strong>Operational tooling<\/strong>: log storage in SLS, alerting tools, and incident response time.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Network\/data transfer implications<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Client-to-proxy traffic is handled at the Anti-DDoS layer.<\/li>\n<li>Proxy-to-origin traffic still traverses networks and is subject to origin-side billing rules.<\/li>\n<li>If your origin is outside Alibaba Cloud, public Internet egress costs and latency can apply.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">How to optimize cost<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Right-size mitigation capacity based on:<\/li>\n<li>Historical traffic peaks<\/li>\n<li>Known attack sizes in your industry<\/li>\n<li>Business impact of downtime<\/li>\n<li>Put a <strong>load balancer<\/strong> behind Anti-DDoS Proxy to avoid frequent rule edits and allow elastic scaling.<\/li>\n<li>Use <strong>CDN caching<\/strong> for static-heavy sites to reduce origin load (CDN is not a replacement for DDoS protection but can reduce origin pressure).<\/li>\n<li>Minimize number of protected assets by consolidating entry points (when appropriate).<\/li>\n<li>Keep DNS TTL reasonably low for failover planning, but not so low that it causes operational overhead.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Example low-cost starter estimate (no fabricated numbers)<\/h3>\n\n\n\n<p>A realistic starter environment often includes:\n&#8211; 1 Anti-DDoS Proxy instance (entry-level edition\/capacity)\n&#8211; 1 origin ECS instance with a public IP (or 1 load balancer + small ECS pool)\n&#8211; DNS hosted zone (could be Alibaba Cloud DNS or external)<\/p>\n\n\n\n<p>Because SKUs and unit prices vary by region and edition, <strong>calculate using the official pricing page and\/or calculator<\/strong> for:\n&#8211; Anti-DDoS Proxy instance subscription\n&#8211; ECS instance (compute + system disk)\n&#8211; Public bandwidth package \/ pay-by-traffic<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Example production cost considerations<\/h3>\n\n\n\n<p>In production, budget for:\n&#8211; Higher mitigation capacity instance(s)\n&#8211; Multi-origin\/load-balanced architecture\n&#8211; WAF (if handling web applications)\n&#8211; Monitoring\/logging retention (SLS)\n&#8211; Additional IPs\/domains as your services expand\n&#8211; Incident response and operational readiness (runbooks, drills)<\/p>\n\n\n\n<p><strong>Official pricing resources (start here; verify latest URLs and region context):<\/strong>\n&#8211; Alibaba Cloud product pages and pricing entry points:<br\/>\n  https:\/\/www.alibabacloud.com\/products<br\/>\n&#8211; Alibaba Cloud pricing (general):<br\/>\n  https:\/\/www.alibabacloud.com\/pricing<br\/>\n&#8211; Anti-DDoS documentation hub (use it to find \u201cBilling\u201d for Anti-DDoS Proxy):<br\/>\n  https:\/\/www.alibabacloud.com\/help\/en\/anti-ddos-proxy  <\/p>\n\n\n\n<h2 class=\"wp-block-heading\">10. Step-by-Step Hands-On Tutorial<\/h2>\n\n\n\n<p>This lab walks you through placing a simple HTTP service behind <strong>Alibaba Cloud Anti-DDoS Proxy<\/strong> and validating that DNS now routes through the protected endpoint.<\/p>\n\n\n\n<p>Because generating DDoS traffic is unsafe and can violate policies, this tutorial focuses on <strong>correct onboarding, verification, and safe functional testing<\/strong>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Objective<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Deploy a basic origin web server (Nginx) on ECS.<\/li>\n<li>Purchase\/configure Anti-DDoS Proxy.<\/li>\n<li>Create a forwarding rule to the origin.<\/li>\n<li>Update DNS to route user traffic through Anti-DDoS Proxy.<\/li>\n<li>Validate traffic flow and lock down the origin to accept traffic only from Anti-DDoS Proxy (where possible).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Lab Overview<\/h3>\n\n\n\n<p>You will build:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Origin:<\/strong> ECS + Nginx on port 80<\/li>\n<li><strong>Protection:<\/strong> Anti-DDoS Proxy protected IP\/domain<\/li>\n<li><strong>Routing:<\/strong> DNS A record points your domain to the Anti-DDoS Proxy endpoint<\/li>\n<li><strong>Security hardening:<\/strong> Origin security group restricts inbound to Anti-DDoS Proxy back-to-origin IP ranges (verify ranges in official docs\/console)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Step 1: Create an origin ECS web server (Nginx)<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>In the Alibaba Cloud console, create an <strong>ECS instance<\/strong> in a region where Anti-DDoS Proxy is available.<\/li>\n<li>Assign a <strong>public IPv4 address<\/strong> (or attach an EIP) so the instance can be reached for initial testing.<\/li>\n<li>Configure the ECS <strong>security group<\/strong> to allow inbound TCP\/80 temporarily from your IP (or 0.0.0.0\/0 for short lab purposes, then restrict later).<\/li>\n<\/ol>\n\n\n\n<p>On the ECS instance, install and start Nginx (Ubuntu\/Debian example):<\/p>\n\n\n\n<pre><code class=\"language-bash\">sudo apt-get update\nsudo apt-get install -y nginx\nsudo systemctl enable nginx\nsudo systemctl start nginx\n<\/code><\/pre>\n\n\n\n<p>Create a simple page:<\/p>\n\n\n\n<pre><code class=\"language-bash\">echo \"origin: $(hostname) - $(date -Is)\" | sudo tee \/var\/www\/html\/index.html\n<\/code><\/pre>\n\n\n\n<p><strong>Expected outcome<\/strong>\n&#8211; Visiting <code>http:\/\/&lt;your-ecs-public-ip&gt;\/<\/code> returns a page containing <code>origin:<\/code>.<\/p>\n\n\n\n<p>Verify from your laptop:<\/p>\n\n\n\n<pre><code class=\"language-bash\">curl -i http:\/\/&lt;your-ecs-public-ip&gt;\/\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Step 2: Purchase an Anti-DDoS Proxy instance<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>In Alibaba Cloud console, navigate to <strong>Security<\/strong> products and locate <strong>Anti-DDoS Proxy<\/strong>.<\/li>\n<li>Purchase an instance:\n   &#8211; Select the region (if applicable).\n   &#8211; Select an edition\/capacity aligned with your needs (for lab, choose the smallest available).\n   &#8211; Confirm included quotas (protected IP count, forwarding rules, domains).<\/li>\n<\/ol>\n\n\n\n<p><strong>Expected outcome<\/strong>\n&#8211; An Anti-DDoS Proxy instance appears in the console with a status indicating it is active\/available.<\/p>\n\n\n\n<blockquote>\n<p>If you cannot find Anti-DDoS Proxy in your console, verify:\n&#8211; Your account region settings\n&#8211; Product availability in your country\/region\n&#8211; Whether the service is listed under a related Anti-DDoS product name in that region (verify in official docs)<\/p>\n<\/blockquote>\n\n\n\n<h3 class=\"wp-block-heading\">Step 3: Add a protected asset and create a forwarding rule<\/h3>\n\n\n\n<p>Anti-DDoS Proxy onboarding typically requires:\n&#8211; A <strong>proxy\/protected endpoint<\/strong> (IP or domain-based)\n&#8211; A <strong>forwarding rule<\/strong> mapping inbound to origin<\/p>\n\n\n\n<p>In the Anti-DDoS Proxy console:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Find your instance and choose <strong>Protected Objects\/Assets<\/strong> (name varies).<\/li>\n<li>Add an asset:\n   &#8211; <strong>Protocol:<\/strong> HTTP (TCP\/80) for this lab\n   &#8211; <strong>Public IP \/ origin address:<\/strong> your ECS public IP (or your load balancer IP)<\/li>\n<li>Create a <strong>forwarding rule<\/strong>:\n   &#8211; Inbound: proxy IP + port 80\n   &#8211; Outbound: origin IP + port 80<\/li>\n<\/ol>\n\n\n\n<p><strong>Expected outcome<\/strong>\n&#8211; The console shows:\n  &#8211; A created protected object\n  &#8211; A proxy\/protected IP assigned (or a domain access method)\n  &#8211; A forwarding rule in \u201cenabled\u201d state<\/p>\n\n\n\n<blockquote>\n<p>If the console provides a <strong>CNAME<\/strong> instead of an IP (common in some web protection models), note it\u2014you\u2019ll use it in DNS in Step 4.<\/p>\n<\/blockquote>\n\n\n\n<h3 class=\"wp-block-heading\">Step 4: Update DNS to route traffic through Anti-DDoS Proxy<\/h3>\n\n\n\n<p>You need a domain name you control (e.g., <code>lab-ddos.example.com<\/code>).<\/p>\n\n\n\n<p>Depending on the onboarding model you see:<\/p>\n\n\n\n<p><strong>Case A: You are given a protected IPv4 address<\/strong>\n&#8211; Create\/modify an <strong>A record<\/strong>:\n  &#8211; <code>lab-ddos.example.com<\/code> \u2192 <code>&lt;Anti-DDoS Proxy protected IPv4&gt;<\/code><\/p>\n\n\n\n<p><strong>Case B: You are given a CNAME target<\/strong>\n&#8211; Create\/modify a <strong>CNAME record<\/strong>:\n  &#8211; <code>lab-ddos.example.com<\/code> \u2192 <code>&lt;Anti-DDoS Proxy CNAME&gt;<\/code><\/p>\n\n\n\n<p>Set a low TTL for lab testing (for example 60\u2013300 seconds) if your DNS provider supports it.<\/p>\n\n\n\n<p><strong>Expected outcome<\/strong>\n&#8211; DNS resolves <code>lab-ddos.example.com<\/code> to the Anti-DDoS Proxy endpoint, not the origin IP.<\/p>\n\n\n\n<p>Verify:<\/p>\n\n\n\n<pre><code class=\"language-bash\">dig +short lab-ddos.example.com\n<\/code><\/pre>\n\n\n\n<p>or<\/p>\n\n\n\n<pre><code class=\"language-bash\">nslookup lab-ddos.example.com\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Step 5: Validate end-to-end traffic through Anti-DDoS Proxy<\/h3>\n\n\n\n<p>From your laptop, request the domain:<\/p>\n\n\n\n<pre><code class=\"language-bash\">curl -i http:\/\/lab-ddos.example.com\/\n<\/code><\/pre>\n\n\n\n<p><strong>Expected outcome<\/strong>\n&#8211; You get HTTP 200 (or expected status) and the content from your origin (<code>origin: ...<\/code>).\n&#8211; In the Anti-DDoS Proxy console, you should see traffic metrics increment (may take a short delay).<\/p>\n\n\n\n<p>Optional: confirm origin logs show requests arriving (Nginx access log):<\/p>\n\n\n\n<pre><code class=\"language-bash\">sudo tail -n 50 \/var\/log\/nginx\/access.log\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Step 6: Lock down the origin (recommended hardening)<\/h3>\n\n\n\n<p>After confirming functionality, reduce the risk of origin bypass.<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>\n<p>Identify the <strong>back-to-origin IP ranges<\/strong> used by Anti-DDoS Proxy for your region\/edition.\n   &#8211; These ranges are usually documented in Anti-DDoS Proxy docs or shown in console guidance.\n   &#8211; <strong>Do not guess<\/strong> IP ranges; use official sources.<\/p>\n<\/li>\n<li>\n<p>Update the ECS security group inbound rules:\n   &#8211; Allow TCP\/80 <strong>only<\/strong> from the Anti-DDoS Proxy back-to-origin IP ranges.\n   &#8211; Remove broad <code>0.0.0.0\/0<\/code> rules.<\/p>\n<\/li>\n<li>\n<p>(Optional) If you use a load balancer as origin, apply similar restrictions:\n   &#8211; Listener ACLs (if supported)\n   &#8211; Security group rules on ALB\/NLB backends<\/p>\n<\/li>\n<\/ol>\n\n\n\n<p><strong>Expected outcome<\/strong>\n&#8211; Direct access to <code>http:\/\/&lt;ecs-public-ip&gt;\/<\/code> from your laptop should now be blocked (timeout\/refused).\n&#8211; Access to <code>http:\/\/lab-ddos.example.com\/<\/code> should still work (traffic comes through Anti-DDoS Proxy).<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Validation<\/h3>\n\n\n\n<p>Use this checklist:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>\n<p><strong>DNS points to Anti-DDoS Proxy<\/strong>\n   &#8211; <code>dig +short lab-ddos.example.com<\/code> returns proxy IP or CNAME resolution chain.<\/p>\n<\/li>\n<li>\n<p><strong>HTTP works through the proxy<\/strong>\n   &#8211; <code>curl -i http:\/\/lab-ddos.example.com\/<\/code> returns expected content.<\/p>\n<\/li>\n<li>\n<p><strong>Origin is not directly exposed (after hardening)<\/strong>\n   &#8211; <code>curl -i http:\/\/&lt;origin-public-ip&gt;\/<\/code> fails (expected)<br\/>\n   &#8211; <code>curl -i http:\/\/lab-ddos.example.com\/<\/code> succeeds (expected)<\/p>\n<\/li>\n<li>\n<p><strong>Console visibility<\/strong>\n   &#8211; Anti-DDoS Proxy dashboard shows traffic\/requests and no obvious configuration errors.<\/p>\n<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\">Troubleshooting<\/h3>\n\n\n\n<p>Common issues and fixes:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>\n<p><strong>DNS updated but traffic still goes to old endpoint<\/strong>\n   &#8211; Cause: DNS caching\/TTL.\n   &#8211; Fix: wait TTL duration; flush local resolver cache; check authoritative DNS.<\/p>\n<\/li>\n<li>\n<p><strong>502\/504 or connection failures through Anti-DDoS Proxy<\/strong>\n   &#8211; Cause: wrong origin IP\/port in forwarding rule; origin firewall blocks proxy; origin service not running.\n   &#8211; Fix: verify origin service: <code>curl http:\/\/&lt;origin-ip&gt;\/<\/code> from a network that is allowed; confirm Nginx is listening: <code>sudo ss -lntp | grep :80<\/code>.<\/p>\n<\/li>\n<li>\n<p><strong>Access works directly to origin but not via Anti-DDoS Proxy<\/strong>\n   &#8211; Cause: forwarding rule not enabled, wrong protocol, wrong port mapping.\n   &#8211; Fix: re-check forwarding rule configuration; verify protocol (TCP vs HTTP model) matches the service.<\/p>\n<\/li>\n<li>\n<p><strong>After locking down origin, everything breaks<\/strong>\n   &#8211; Cause: incorrect back-to-origin allowlist ranges.\n   &#8211; Fix: revert temporarily, fetch correct ranges from official docs\/console, then re-apply.<\/p>\n<\/li>\n<li>\n<p><strong>HTTPS issues (certificate mismatch, TLS handshake failures)<\/strong>\n   &#8211; Cause: certificate not configured in the layer terminating TLS.\n   &#8211; Fix: determine whether TLS terminates at Anti-DDoS Proxy, WAF, or origin; configure certificates accordingly (verify your edition\u2019s TLS model).<\/p>\n<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\">Cleanup<\/h3>\n\n\n\n<p>To avoid ongoing charges:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Revert DNS record (<code>lab-ddos.example.com<\/code>) back to the origin or remove it.<\/li>\n<li>Delete Anti-DDoS Proxy forwarding rules and protected objects (if required before release).<\/li>\n<li>Release\/unsubscribe the Anti-DDoS Proxy instance (billing rules vary\u2014verify refund\/cycle behavior).<\/li>\n<li>Terminate the ECS instance and release public IP\/EIP.<\/li>\n<li>Remove security group rules created for the lab.<\/li>\n<\/ol>\n\n\n\n<h2 class=\"wp-block-heading\">11. Best Practices<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Architecture best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Put a <strong>load balancer<\/strong> (ALB\/NLB\/SLB) behind Anti-DDoS Proxy:<\/li>\n<li>Makes scaling and blue\/green deployments easier<\/li>\n<li>Reduces frequent Anti-DDoS rule updates<\/li>\n<li>Use <strong>multi-zone<\/strong> origins where possible; Anti-DDoS Proxy protects ingress, but your origin must still be resilient.<\/li>\n<li>Consider <strong>multi-region DR<\/strong> with DNS failover for business-critical services (Anti-DDoS is not a DR substitute).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">IAM\/security best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use <strong>least privilege<\/strong> RAM policies for:<\/li>\n<li>Security operations (manage Anti-DDoS config)<\/li>\n<li>Read-only monitoring<\/li>\n<li>Require <strong>MFA<\/strong> for privileged users.<\/li>\n<li>Separate duties: purchasing\/billing vs security operations.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Cost best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Right-size capacity using:<\/li>\n<li>Baseline legitimate traffic peaks<\/li>\n<li>Expected attack profile<\/li>\n<li>Consolidate protected entry points where possible.<\/li>\n<li>Use caching\/CDN to reduce origin cost (especially for static content).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Performance best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Keep origin response times low; scrubbing helps availability, not application latency.<\/li>\n<li>Use keep-alive and connection tuning on origins\/load balancers.<\/li>\n<li>Ensure DNS TTL strategy matches your failover goals.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Reliability best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Maintain runbooks for:<\/li>\n<li>DNS cutover and rollback<\/li>\n<li>Origin allowlisting updates<\/li>\n<li>Incident communication and escalation<\/li>\n<li>Test configuration changes in a staging environment where feasible.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Operations best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Set alerts for:<\/li>\n<li>Attack detection events<\/li>\n<li>Unusual traffic spikes<\/li>\n<li>Origin error rate increase (via application monitoring)<\/li>\n<li>Track config drift:<\/li>\n<li>Use ActionTrail for auditing<\/li>\n<li>Document protected assets and owners<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Governance\/tagging\/naming best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Tag resources with:<\/li>\n<li><code>env<\/code> (prod\/stage\/dev)<\/li>\n<li><code>app<\/code><\/li>\n<li><code>owner<\/code><\/li>\n<li><code>cost-center<\/code><\/li>\n<li>Use consistent naming:<\/li>\n<li><code>adp-prod-api-gateway<\/code><\/li>\n<li><code>adp-prod-game-udp<\/code><\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">12. Security Considerations<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Identity and access model<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Managed with <strong>Alibaba Cloud RAM<\/strong>.<\/li>\n<li>Recommendations:<\/li>\n<li>Create a dedicated <strong>RAM role<\/strong> for automation (CI\/CD) if you manage config via API.<\/li>\n<li>Use read-only roles for dashboards and reports.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Encryption<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>In transit:<\/li>\n<li>For HTTPS, ensure TLS is terminated in the correct layer (Anti-DDoS Proxy vs WAF vs origin) based on your chosen architecture and supported features.<\/li>\n<li>At rest:<\/li>\n<li>Configuration metadata is managed by Alibaba Cloud; verify what encryption and compliance statements apply in official docs.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Network exposure<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The most common security mistake is leaving the <strong>origin publicly reachable<\/strong> even after onboarding to Anti-DDoS Proxy.<\/li>\n<li>Use:<\/li>\n<li>Security groups and ACLs<\/li>\n<li>Back-to-origin IP allowlists (from official docs)<\/li>\n<li>Private networking patterns where applicable (for internal components)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Secrets handling<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>If TLS certificates\/keys are uploaded to a managed layer:<\/li>\n<li>Restrict access to certificate management<\/li>\n<li>Track certificate rotation dates<\/li>\n<li>Prefer centralized certificate management if available (verify Alibaba Cloud certificate service options)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Audit\/logging<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Enable and review:<\/li>\n<li><strong>ActionTrail<\/strong> for configuration changes<\/li>\n<li>Anti-DDoS Proxy attack events and reports<\/li>\n<li>If log export to <strong>SLS<\/strong> is supported, enable it and set retention policies (verify).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Compliance considerations<\/h3>\n\n\n\n<p>Anti-DDoS Proxy can support availability and resilience controls, but compliance depends on:\n&#8211; Region\n&#8211; Data handling requirements\n&#8211; Service attestations and certifications<\/p>\n\n\n\n<p>Always validate against Alibaba Cloud compliance documentation for your region and your internal policies.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Common security mistakes<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Not restricting origin access after onboarding.<\/li>\n<li>Forgetting to update DNS for all relevant subdomains\/ports.<\/li>\n<li>Treating Anti-DDoS Proxy as a full WAF and skipping application-layer protections.<\/li>\n<li>Over-permissioning RAM users who can change forwarding rules (risk of misrouting traffic).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Secure deployment recommendations<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Place <strong>WAF<\/strong> behind Anti-DDoS Proxy for web apps needing OWASP protection.<\/li>\n<li>Use <strong>origin allowlisting<\/strong> and eliminate direct-origin DNS records.<\/li>\n<li>Keep a documented and rehearsed <strong>rollback plan<\/strong> for DNS changes.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">13. Limitations and Gotchas<\/h2>\n\n\n\n<blockquote>\n<p>Confirm the exact limits for your edition\/region in official docs. The items below are common in DDoS proxy designs.<\/p>\n<\/blockquote>\n\n\n\n<h3 class=\"wp-block-heading\">Known limitations (typical)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Edition-specific features:<\/strong> Some protocols, L7 features, or advanced controls may only exist in higher editions.<\/li>\n<li><strong>Protocol constraints:<\/strong> Certain combinations of TCP\/UDP ports, health checks, or forwarding modes may be restricted.<\/li>\n<li><strong>TLS handling differences:<\/strong> Whether TLS is terminated at the proxy, passed through, or requires additional configuration depends on product features.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Quotas<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Maximum number of protected IPs\/domains per instance<\/li>\n<li>Maximum number of forwarding rules\/ports<\/li>\n<li>Maximum bandwidth\/pps mitigation as per purchased capacity<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Regional constraints<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Not all regions offer the same Anti-DDoS Proxy editions.<\/li>\n<li>Latency to origin increases if your origin is far from scrubbing\/proxy entry nodes (depends on routing).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Pricing surprises<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Underestimating origin bandwidth costs during legitimate spikes.<\/li>\n<li>Buying multiple instances for separate apps when a shared design could work (trade off against blast radius).<\/li>\n<li>Subscription commitment terms (monthly\/annual) affecting cancellation\/refunds (verify).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Compatibility issues<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Some applications embed origin IPs in responses or use strict IP allowlists, complicating proxying.<\/li>\n<li>Protocols sensitive to source IP changes may require application adjustments (depending on whether original client IP is preserved via headers or proxy protocol\u2014verify support).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Operational gotchas<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>DNS propagation delays during cutovers.<\/li>\n<li>Origin allowlisting must stay updated with the correct Anti-DDoS back-to-origin ranges.<\/li>\n<li>If you rotate origins (autoscaling), ensure forwarding still targets stable entry points (load balancer recommended).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Migration challenges<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Migrating from direct-to-origin to proxy can break:<\/li>\n<li>Webhooks and partner allowlists (need proxy IP allowlisting)<\/li>\n<li>Certificate management (where TLS terminates changes)<\/li>\n<li>Logging (client IP visibility changes)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Vendor-specific nuances<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Alibaba Cloud product naming and console navigation can differ by locale\/region. Use the official docs for your region\u2019s UI paths.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">14. Comparison with Alternatives<\/h2>\n\n\n\n<p>Anti-DDoS Proxy is one part of a broader DDoS and application protection toolkit.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">In Alibaba Cloud<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Basic DDoS protection<\/strong> (often included for certain public IP services): good baseline, but not enough for serious attacks.<\/li>\n<li><strong>Other Anti-DDoS offerings<\/strong> (naming varies): some services protect EIPs\/SLB directly rather than proxy-based onboarding.<\/li>\n<li><strong>WAF<\/strong>: application-layer security (OWASP, bot control) rather than volumetric mitigation.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">In other clouds<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>AWS Shield Standard\/Advanced<\/strong>: DDoS protection tightly integrated with CloudFront, Route 53, ALB\/NLB, and AWS edge.<\/li>\n<li><strong>Azure DDoS Protection<\/strong>: for resources in Azure VNets, focused on protecting public IPs.<\/li>\n<li><strong>Google Cloud Armor<\/strong>: DDoS + WAF-like policies integrated with Google\u2019s edge.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Open-source\/self-managed alternatives<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Self-managed DDoS defense is usually limited to:<\/li>\n<li>Rate limiting (nginx\/Envoy)<\/li>\n<li>Firewall rules (iptables\/nftables)<\/li>\n<li>Anycast requires deep networking expertise and contracts<\/li>\n<li>These do not replace a large-scale scrubbing network.<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">Comparison table<\/h4>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Option<\/th>\n<th>Best For<\/th>\n<th>Strengths<\/th>\n<th>Weaknesses<\/th>\n<th>When to Choose<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><strong>Alibaba Cloud Anti-DDoS Proxy<\/strong><\/td>\n<td>Internet-facing apps\/services needing dedicated DDoS mitigation with proxy forwarding<\/td>\n<td>Managed scrubbing + forwarding; integrates with Alibaba Cloud ecosystem<\/td>\n<td>Subscription cost; DNS\/proxy migration complexity; feature matrix varies by edition<\/td>\n<td>You need strong DDoS resilience for web\/TCP\/UDP services on or reachable from Alibaba Cloud<\/td>\n<\/tr>\n<tr>\n<td>Alibaba Cloud baseline\/basic DDoS protections<\/td>\n<td>Low-risk workloads, small sites<\/td>\n<td>Included\/low cost; minimal setup<\/td>\n<td>Limited capacity and controls<\/td>\n<td>Small workloads where downtime impact is low<\/td>\n<\/tr>\n<tr>\n<td>Alibaba Cloud WAF<\/td>\n<td>Web apps needing OWASP protections and bot controls<\/td>\n<td>Strong L7 security controls (WAF scope)<\/td>\n<td>Not designed to absorb very large volumetric floods alone<\/td>\n<td>Pair with Anti-DDoS Proxy when L7 threats and DDoS both matter<\/td>\n<\/tr>\n<tr>\n<td>AWS Shield Advanced<\/td>\n<td>Workloads on AWS edge stack<\/td>\n<td>Deep AWS integration; DRT support (plan-dependent)<\/td>\n<td>Best value when heavily invested in AWS edge<\/td>\n<td>You\u2019re on AWS and need advanced DDoS protection<\/td>\n<\/tr>\n<tr>\n<td>Azure DDoS Protection<\/td>\n<td>Azure public IP resources<\/td>\n<td>Native protection for Azure networking<\/td>\n<td>Azure-centric; less relevant cross-cloud<\/td>\n<td>Your origins are in Azure VNets<\/td>\n<\/tr>\n<tr>\n<td>Cloudflare (DDoS\/WAF)<\/td>\n<td>Internet-facing web apps needing edge protection and caching<\/td>\n<td>Global edge; WAF\/bot; CDN<\/td>\n<td>TCP\/UDP support depends on plan; vendor dependency<\/td>\n<td>You want a unified edge platform and can route traffic via Cloudflare<\/td>\n<\/tr>\n<tr>\n<td>Self-managed rate limiting (nginx\/iptables)<\/td>\n<td>Very small services, internal labs<\/td>\n<td>Low direct cost<\/td>\n<td>Not effective for large volumetric attacks; ops burden<\/td>\n<td>Only for basic protection and learning\u2014not for serious DDoS risk<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">15. Real-World Example<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Enterprise example: Fintech API and login protection<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> A fintech company experiences repeated DDoS attacks targeting <code>api.company.com<\/code> and <code>login.company.com<\/code>, causing intermittent outages and failed transactions.<\/li>\n<li><strong>Proposed architecture:<\/strong><\/li>\n<li>DNS \u2192 Anti-DDoS Proxy \u2192 (optional) WAF \u2192 ALB \u2192 ECS\/ACK microservices<\/li>\n<li>Strict origin allowlisting to Anti-DDoS Proxy back-to-origin IP ranges<\/li>\n<li>CloudMonitor alarms for attack events and origin error rate<\/li>\n<li>ActionTrail auditing for configuration changes<\/li>\n<li><strong>Why Anti-DDoS Proxy was chosen:<\/strong><\/li>\n<li>Dedicated mitigation capacity required by risk assessments<\/li>\n<li>Needs protection not only for web pages but also for API endpoints with predictable routing<\/li>\n<li><strong>Expected outcomes:<\/strong><\/li>\n<li>Reduced downtime during volumetric floods<\/li>\n<li>Clearer attack visibility for incident reports<\/li>\n<li>Improved security posture by hiding origin IPs<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Startup\/small-team example: Game backend (UDP\/TCP)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> A small game studio is targeted by UDP floods during tournaments, taking match servers offline.<\/li>\n<li><strong>Proposed architecture:<\/strong><\/li>\n<li>DNS\/Client config \u2192 Anti-DDoS Proxy (UDP\/TCP forwarding) \u2192 NLB \u2192 ECS game server fleet<\/li>\n<li>Autoscaling for legitimate spikes; runbooks for fast tournament changes<\/li>\n<li><strong>Why Anti-DDoS Proxy was chosen:<\/strong><\/li>\n<li>Managed DDoS mitigation without building custom network defenses<\/li>\n<li>Supports non-HTTP services (key requirement)<\/li>\n<li><strong>Expected outcomes:<\/strong><\/li>\n<li>Better tournament uptime<\/li>\n<li>Reduced operational firefighting<\/li>\n<li>More predictable capacity planning<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">16. FAQ<\/h2>\n\n\n\n<ol class=\"wp-block-list\">\n<li>\n<p><strong>Is Anti-DDoS Proxy the same as a WAF?<\/strong><br\/>\n   No. Anti-DDoS Proxy focuses on DDoS mitigation and proxy forwarding. A WAF focuses on application-layer protections (OWASP attacks, bot management). Many production setups use both.<\/p>\n<\/li>\n<li>\n<p><strong>Do I have to change my application code to use Anti-DDoS Proxy?<\/strong><br\/>\n   Usually no. Most changes are at DNS\/routing and network policy (security group allowlists). Some applications may require adjustments for client IP handling (verify headers\/proxy protocol support).<\/p>\n<\/li>\n<li>\n<p><strong>How do users reach my service after enabling Anti-DDoS Proxy?<\/strong><br\/>\n   Typically by DNS pointing your domain to the Anti-DDoS Proxy protected IP or CNAME. For non-HTTP services, clients may connect directly to the protected IP\/port.<\/p>\n<\/li>\n<li>\n<p><strong>Can Anti-DDoS Proxy protect TCP and UDP services?<\/strong><br\/>\n   It is commonly used for TCP\/UDP forwarding, but exact protocol support depends on edition\/region\u2014verify in official docs.<\/p>\n<\/li>\n<li>\n<p><strong>Can I protect an origin outside Alibaba Cloud?<\/strong><br\/>\n   Some DDoS proxy products support forwarding to any public IP. Verify whether Anti-DDoS Proxy supports non-Alibaba Cloud origins in your region and what latency\/cost implications apply.<\/p>\n<\/li>\n<li>\n<p><strong>Will Anti-DDoS Proxy hide my origin IP?<\/strong><br\/>\n   It can, but only if you avoid exposing origin IPs elsewhere and restrict origin access to Anti-DDoS Proxy back-to-origin IP ranges.<\/p>\n<\/li>\n<li>\n<p><strong>Does it support HTTPS?<\/strong><br\/>\n   Many deployments protect HTTPS, but TLS termination\/management varies by product model. Verify how your edition handles certificates and whether TLS is terminated at the proxy, WAF, or origin.<\/p>\n<\/li>\n<li>\n<p><strong>How do I restrict origin access safely?<\/strong><br\/>\n   Use ECS security groups or load balancer ACLs to allow inbound only from Anti-DDoS Proxy back-to-origin IP ranges published by Alibaba Cloud (do not guess; use official sources).<\/p>\n<\/li>\n<li>\n<p><strong>What happens if an attack exceeds my purchased mitigation capacity?<\/strong><br\/>\n   Behavior depends on the service\/edition. It may degrade, trigger blackhole routing, or require emergency scaling. Confirm SLA and overflow behavior in official docs and consider sizing with margin.<\/p>\n<\/li>\n<li>\n<p><strong>Can I use Anti-DDoS Proxy with a load balancer?<\/strong><br\/>\n   Yes, this is a common best practice: Anti-DDoS Proxy \u2192 ALB\/NLB\/SLB \u2192 origins.<\/p>\n<\/li>\n<li>\n<p><strong>How quickly can I onboard a new domain\/service?<\/strong><br\/>\n   Technically minutes, but DNS propagation can take longer depending on TTL and caching. Plan migrations with rollback steps.<\/p>\n<\/li>\n<li>\n<p><strong>Does Anti-DDoS Proxy preserve the original client IP?<\/strong><br\/>\n   Often proxies add headers (for HTTP) or use proxy protocol (for TCP) to pass client IP, but this is edition\/protocol dependent\u2014verify and update application logging accordingly.<\/p>\n<\/li>\n<li>\n<p><strong>What monitoring should I set up?<\/strong><br\/>\n   Use Anti-DDoS Proxy dashboards\/alerts for attack events and CloudMonitor (and your APM) for origin latency, error rates, and saturation signals.<\/p>\n<\/li>\n<li>\n<p><strong>Can I test DDoS protection safely?<\/strong><br\/>\n   You can validate routing, health, and basic rate limiting in a controlled manner. Do not run high-volume floods. For formal testing, follow Alibaba Cloud guidance and get approval.<\/p>\n<\/li>\n<li>\n<p><strong>How do I roll back if something breaks?<\/strong><br\/>\n   Revert DNS to the origin (or previous front door), restore origin security group rules if you restricted them, and disable\/remove forwarding rules as needed.<\/p>\n<\/li>\n<li>\n<p><strong>Is Anti-DDoS Proxy suitable for dev\/test environments?<\/strong><br\/>\n   Usually not necessary, but it can be useful for staging rehearsals of DNS cutover, certificate flow, and origin allowlisting.<\/p>\n<\/li>\n<li>\n<p><strong>Does Anti-DDoS Proxy replace CDN?<\/strong><br\/>\n   No. CDN is for caching and accelerating content; Anti-DDoS Proxy is for DDoS mitigation and proxy forwarding. They can be complementary.<\/p>\n<\/li>\n<\/ol>\n\n\n\n<h2 class=\"wp-block-heading\">17. Top Online Resources to Learn Anti-DDoS Proxy<\/h2>\n\n\n\n<blockquote>\n<p>URLs can change over time. If a link redirects, navigate via the Alibaba Cloud Help Center and search for \u201cAnti-DDoS Proxy\u201d.<\/p>\n<\/blockquote>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Resource Type<\/th>\n<th>Name<\/th>\n<th>Why It Is Useful<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>Official documentation<\/td>\n<td>Alibaba Cloud Help Center \u2013 Anti-DDoS Proxy<\/td>\n<td>Primary source for concepts, configuration steps, limits, and best practices: https:\/\/www.alibabacloud.com\/help\/en\/anti-ddos-proxy<\/td>\n<\/tr>\n<tr>\n<td>Official product catalog<\/td>\n<td>Alibaba Cloud Products<\/td>\n<td>Entry point to find the Anti-DDoS Proxy product page and related services: https:\/\/www.alibabacloud.com\/products<\/td>\n<\/tr>\n<tr>\n<td>Official pricing<\/td>\n<td>Alibaba Cloud Pricing<\/td>\n<td>Starting point to locate Anti-DDoS pricing and calculators (region-dependent): https:\/\/www.alibabacloud.com\/pricing<\/td>\n<\/tr>\n<tr>\n<td>Official security docs<\/td>\n<td>Alibaba Cloud Security products docs<\/td>\n<td>Helps you connect Anti-DDoS Proxy with WAF, Cloud Firewall, and monitoring: https:\/\/www.alibabacloud.com\/help\/en\/security<\/td>\n<\/tr>\n<tr>\n<td>Official audit logging<\/td>\n<td>ActionTrail documentation<\/td>\n<td>Audit changes to Anti-DDoS configurations and user actions: https:\/\/www.alibabacloud.com\/help\/en\/actiontrail<\/td>\n<\/tr>\n<tr>\n<td>Official monitoring<\/td>\n<td>CloudMonitor documentation<\/td>\n<td>Set alarms and integrate monitoring signals: https:\/\/www.alibabacloud.com\/help\/en\/cloudmonitor<\/td>\n<\/tr>\n<tr>\n<td>Official DNS<\/td>\n<td>Alibaba Cloud DNS documentation<\/td>\n<td>DNS cutover and record management guidance: https:\/\/www.alibabacloud.com\/help\/en\/alibaba-cloud-dns<\/td>\n<\/tr>\n<tr>\n<td>Official load balancing<\/td>\n<td>Server Load Balancer documentation<\/td>\n<td>Best practices for placing a load balancer behind Anti-DDoS Proxy: https:\/\/www.alibabacloud.com\/help\/en\/server-load-balancer<\/td>\n<\/tr>\n<tr>\n<td>Official API reference<\/td>\n<td>Alibaba Cloud OpenAPI portal<\/td>\n<td>Find Anti-DDoS-related APIs (verify product\/namespace for Anti-DDoS Proxy): https:\/\/api.alibabacloud.com\/<\/td>\n<\/tr>\n<tr>\n<td>Community learning<\/td>\n<td>Alibaba Cloud Blog (search: Anti-DDoS Proxy)<\/td>\n<td>Practical articles and announcements; validate against docs: https:\/\/www.alibabacloud.com\/blog<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">18. Training and Certification Providers<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Institute<\/th>\n<th>Suitable Audience<\/th>\n<th>Likely Learning Focus<\/th>\n<th>Mode<\/th>\n<th>Website URL<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>DevOpsSchool.com<\/td>\n<td>DevOps engineers, SREs, cloud engineers<\/td>\n<td>Cloud security basics, DDoS\/WAF patterns, operational labs<\/td>\n<td>Check website<\/td>\n<td>https:\/\/www.devopsschool.com\/<\/td>\n<\/tr>\n<tr>\n<td>ScmGalaxy.com<\/td>\n<td>Beginners to intermediate engineers<\/td>\n<td>DevOps\/cloud fundamentals and tooling around deployments<\/td>\n<td>Check website<\/td>\n<td>https:\/\/www.scmgalaxy.com\/<\/td>\n<\/tr>\n<tr>\n<td>CLoudOpsNow.in<\/td>\n<td>Cloud operations teams<\/td>\n<td>Cloud ops practices, monitoring, reliability and incident response<\/td>\n<td>Check website<\/td>\n<td>https:\/\/www.cloudopsnow.in\/<\/td>\n<\/tr>\n<tr>\n<td>SreSchool.com<\/td>\n<td>SREs, platform teams<\/td>\n<td>Reliability engineering, SLIs\/SLOs, incident management<\/td>\n<td>Check website<\/td>\n<td>https:\/\/www.sreschool.com\/<\/td>\n<\/tr>\n<tr>\n<td>AiOpsSchool.com<\/td>\n<td>Ops\/SRE teams exploring automation<\/td>\n<td>AIOps concepts, monitoring automation, event correlation<\/td>\n<td>Check website<\/td>\n<td>https:\/\/www.aiopsschool.com\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">19. Top Trainers<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Platform\/Site<\/th>\n<th>Likely Specialization<\/th>\n<th>Suitable Audience<\/th>\n<th>Website URL<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>RajeshKumar.xyz<\/td>\n<td>DevOps\/cloud training and guidance (verify offerings)<\/td>\n<td>Engineers seeking practical coaching<\/td>\n<td>https:\/\/rajeshkumar.xyz\/<\/td>\n<\/tr>\n<tr>\n<td>devopstrainer.in<\/td>\n<td>DevOps training platform (verify course catalog)<\/td>\n<td>Beginners to intermediate DevOps engineers<\/td>\n<td>https:\/\/www.devopstrainer.in\/<\/td>\n<\/tr>\n<tr>\n<td>devopsfreelancer.com<\/td>\n<td>Freelance DevOps support\/training (verify services)<\/td>\n<td>Teams needing short-term help and enablement<\/td>\n<td>https:\/\/www.devopsfreelancer.com\/<\/td>\n<\/tr>\n<tr>\n<td>devopssupport.in<\/td>\n<td>DevOps support and learning resources (verify scope)<\/td>\n<td>Ops teams needing troubleshooting and operational support<\/td>\n<td>https:\/\/www.devopssupport.in\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">20. Top Consulting Companies<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Company<\/th>\n<th>Likely Service Area<\/th>\n<th>Where They May Help<\/th>\n<th>Consulting Use Case Examples<\/th>\n<th>Website URL<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>cotocus.com<\/td>\n<td>Cloud\/DevOps consulting (verify portfolio)<\/td>\n<td>Architecture, migration, operational readiness<\/td>\n<td>Designing secure Internet ingress; implementing monitoring and runbooks<\/td>\n<td>https:\/\/cotocus.com\/<\/td>\n<\/tr>\n<tr>\n<td>DevOpsSchool.com<\/td>\n<td>DevOps and cloud consulting\/training<\/td>\n<td>Enablement, pipeline engineering, operational practices<\/td>\n<td>Security-focused DevOps practices; incident response process setup<\/td>\n<td>https:\/\/www.devopsschool.com\/<\/td>\n<\/tr>\n<tr>\n<td>DEVOPSCONSULTING.IN<\/td>\n<td>DevOps consulting (verify offerings)<\/td>\n<td>DevOps implementation and support<\/td>\n<td>CI\/CD modernization; infrastructure automation; operational best practices<\/td>\n<td>https:\/\/www.devopsconsulting.in\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">21. Career and Learning Roadmap<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">What to learn before Anti-DDoS Proxy<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Networking fundamentals:<\/li>\n<li>TCP\/UDP, ports, DNS, TLS<\/li>\n<li>Load balancing concepts<\/li>\n<li>Alibaba Cloud basics:<\/li>\n<li>ECS, VPC (even if the origin is public-facing), security groups<\/li>\n<li>RAM (users, roles, policies)<\/li>\n<li>Security fundamentals:<\/li>\n<li>Threat modeling for Internet-facing services<\/li>\n<li>Basic incident response and logging<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">What to learn after Anti-DDoS Proxy<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Alibaba Cloud <strong>WAF<\/strong> for application security<\/li>\n<li>Observability:<\/li>\n<li>CloudMonitor dashboards and alarms<\/li>\n<li>Log Service (SLS) pipelines and retention<\/li>\n<li>Resilience engineering:<\/li>\n<li>Multi-zone and multi-region patterns<\/li>\n<li>Disaster recovery planning and DNS failover<\/li>\n<li>Automation:<\/li>\n<li>OpenAPI, Terraform (if supported by provider), CI\/CD for security configs<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Job roles that use it<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Cloud Security Engineer<\/li>\n<li>SRE \/ Reliability Engineer<\/li>\n<li>Cloud Network Engineer<\/li>\n<li>DevOps Engineer (Internet ingress ownership)<\/li>\n<li>Security Operations (SOC) Analyst (monitoring\/response)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Certification path (if available)<\/h3>\n\n\n\n<p>Alibaba Cloud certifications evolve. For a practical path:\n&#8211; Start with Alibaba Cloud foundational certifications (cloud fundamentals).\n&#8211; Move to security and architecture tracks that cover network security, WAF, and resilience.<\/p>\n\n\n\n<blockquote>\n<p>Verify in official Alibaba Cloud certification pages for current certification names and objectives.<\/p>\n<\/blockquote>\n\n\n\n<h3 class=\"wp-block-heading\">Project ideas for practice<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Build a \u201cprotected ingress\u201d reference architecture: Anti-DDoS Proxy \u2192 WAF \u2192 ALB \u2192 ECS.<\/li>\n<li>Implement DNS cutover\/rollback runbooks with controlled TTL and monitoring.<\/li>\n<li>Create a least-privilege RAM policy for Anti-DDoS operations and validate with ActionTrail audits.<\/li>\n<li>Build dashboards correlating Anti-DDoS events with application error rates.<\/li>\n<li>Simulate safe traffic surges (not DDoS) and confirm scaling behind the proxy.<\/li>\n<\/ol>\n\n\n\n<h2 class=\"wp-block-heading\">22. Glossary<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>DDoS (Distributed Denial of Service):<\/strong> An attack that floods a target with traffic from many sources to degrade or stop service.<\/li>\n<li><strong>L3\/L4 attack:<\/strong> Network\/transport-layer attacks such as SYN floods, UDP floods, ICMP floods.<\/li>\n<li><strong>L7 attack:<\/strong> Application-layer attacks such as HTTP request floods (sometimes called CC attacks).<\/li>\n<li><strong>Scrubbing:<\/strong> Filtering malicious traffic and allowing clean traffic through.<\/li>\n<li><strong>Protected IP \/ Proxy IP:<\/strong> The public endpoint exposed by Anti-DDoS Proxy that clients connect to.<\/li>\n<li><strong>Origin:<\/strong> The real backend service receiving clean traffic (ECS, SLB\/ALB\/NLB, or public IP).<\/li>\n<li><strong>Forwarding rule:<\/strong> A mapping of inbound proxy protocol\/port (or domain) to the origin protocol\/port.<\/li>\n<li><strong>DNS TTL:<\/strong> Time-to-live; how long resolvers cache DNS answers, affecting cutover speed.<\/li>\n<li><strong>Allowlisting:<\/strong> Restricting inbound access to only approved IP ranges (for example, proxy back-to-origin addresses).<\/li>\n<li><strong>RAM:<\/strong> Resource Access Management; Alibaba Cloud IAM service.<\/li>\n<li><strong>ActionTrail:<\/strong> Alibaba Cloud service to audit account activity and API calls.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">23. Summary<\/h2>\n\n\n\n<p>Alibaba Cloud <strong>Anti-DDoS Proxy<\/strong> is a managed <strong>Security<\/strong> service that protects Internet-facing applications by <strong>absorbing and scrubbing DDoS traffic<\/strong> and <strong>forwarding clean traffic<\/strong> to your origin through configurable rules. It fits best as a front door for public web, API, and TCP\/UDP services that need higher availability under attack than baseline protections can provide.<\/p>\n\n\n\n<p>Cost is primarily driven by <strong>edition\/capacity selection<\/strong> and the number of protected assets, while indirect costs often come from <strong>origin bandwidth and scaling<\/strong>. Security success depends on correct operations: <strong>DNS cutover<\/strong>, <strong>forwarding rule accuracy<\/strong>, and especially <strong>locking down the origin<\/strong> to prevent bypass.<\/p>\n\n\n\n<p>Use Anti-DDoS Proxy when you need dedicated DDoS resilience for critical services; pair it with <strong>WAF<\/strong> for application-layer protection and with robust monitoring for operational readiness. Next, deepen your skills by implementing a production ingress pattern (Anti-DDoS Proxy \u2192 WAF \u2192 Load Balancer \u2192 App) and validating auditing\/alerting with CloudMonitor and ActionTrail.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Security<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2,10],"tags":[],"class_list":["post-49","post","type-post","status-publish","format-standard","hentry","category-alibaba-cloud","category-security"],"_links":{"self":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/49","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/comments?post=49"}],"version-history":[{"count":0,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/49\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/media?parent=49"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/categories?post=49"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/tags?post=49"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}