{"id":50,"date":"2026-04-12T15:57:07","date_gmt":"2026-04-12T15:57:07","guid":{"rendered":"https:\/\/www.devopsschool.com\/tutorials\/alibaba-cloud-anti-ddos-origin-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-security\/"},"modified":"2026-04-12T15:57:07","modified_gmt":"2026-04-12T15:57:07","slug":"alibaba-cloud-anti-ddos-origin-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-security","status":"publish","type":"post","link":"https:\/\/www.devopsschool.com\/tutorials\/alibaba-cloud-anti-ddos-origin-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-security\/","title":{"rendered":"Alibaba Cloud Anti-DDoS Origin Tutorial: Architecture, Pricing, Use Cases, and Hands-On Guide for Security"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">Category<\/h2>\n\n\n\n<p>Security<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">1. Introduction<\/h2>\n\n\n\n<p>Alibaba Cloud <strong>Anti-DDoS Origin<\/strong> is a managed Security service that helps protect internet-facing IP resources (such as public IPs on cloud workloads) from Distributed Denial of Service (DDoS) attacks. It is designed to keep services reachable by detecting abnormal traffic patterns and applying scrubbing\/mitigation before malicious traffic overwhelms your origin.<\/p>\n\n\n\n<p>In simple terms: <strong>you attach Anti-DDoS Origin to the public IPs that matter<\/strong>, and Alibaba Cloud provides upstream DDoS detection and mitigation capacity so your applications can continue serving legitimate users during attacks.<\/p>\n\n\n\n<p>Technically, Anti-DDoS Origin works at the network edge (primarily <strong>Layer 3\/Layer 4<\/strong>) to counter volumetric and protocol-based DDoS attacks. It monitors inbound traffic to protected IP assets, identifies attack signatures and anomalous rates, and applies mitigation policies in Alibaba Cloud\u2019s DDoS protection infrastructure. The goal is to reduce or eliminate malicious traffic while allowing legitimate traffic to reach your origin.<\/p>\n\n\n\n<p><strong>The problem it solves:<\/strong> DDoS attacks can saturate bandwidth, exhaust connection tables, and destabilize network stacks and load balancers. Without upstream mitigation, even well-architected applications can become unreachable. Anti-DDoS Origin addresses this by providing cloud-scale capacity and managed mitigation closer to the source of the attack traffic.<\/p>\n\n\n\n<blockquote>\n<p>Note on naming and product family: Alibaba Cloud has multiple DDoS-related products (for example, Anti-DDoS Basic and Anti-DDoS Proxy). This tutorial is specifically about <strong>Anti-DDoS Origin<\/strong> in Alibaba Cloud Security. Always verify the latest naming\/editions in the official console and documentation because Alibaba Cloud periodically updates packaging and console navigation.<\/p>\n<\/blockquote>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">2. What is Anti-DDoS Origin?<\/h2>\n\n\n\n<p><strong>Official purpose (in practical terms):<\/strong> Anti-DDoS Origin is intended to protect <strong>origin IP assets<\/strong> (public-facing IP addresses and certain Alibaba Cloud public endpoints) against DDoS attacks by providing managed, upstream DDoS detection and mitigation.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Core capabilities (what it generally does)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>DDoS detection<\/strong> for abnormal inbound traffic patterns.<\/li>\n<li><strong>Mitigation\/scrubbing<\/strong> for volumetric and protocol attacks (commonly L3\/L4).<\/li>\n<li><strong>Visibility<\/strong> into attack events and traffic trends (attack reports, metrics).<\/li>\n<li><strong>Operational controls<\/strong> to manage protected assets and response behavior (exact knobs vary by edition\u2014verify in official docs).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Major components (conceptual model)<\/h3>\n\n\n\n<p>While the exact UI and object model can vary by region\/edition, Anti-DDoS Origin commonly involves:\n&#8211; <strong>Protected asset<\/strong>: the IP or cloud resource endpoint you want to protect (for example, an EIP or public IP).\n&#8211; <strong>Mitigation capacity<\/strong>: the level of protection capacity you purchase (often expressed as mitigation\/cleaning bandwidth and\/or QPS\/pps constraints\u2014verify exact dimensions).\n&#8211; <strong>Attack event center<\/strong>: event history, attack details, and mitigation status.\n&#8211; <strong>Monitoring and alerting<\/strong>: integration with Alibaba Cloud monitoring\/notifications (verify supported integrations).<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Service type<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Managed cloud Security service<\/strong> (DDoS protection at\/near Alibaba Cloud\u2019s network edge).<\/li>\n<li>Typically <strong>subscription-based<\/strong> product packaging for higher protection tiers (verify supported billing modes in your region).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Scope (how it\u2019s scoped in Alibaba Cloud)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Generally <strong>account-scoped<\/strong> for purchasing\/instance management.<\/li>\n<li>Protected objects are typically <strong>region-associated<\/strong> because IP resources (EIP, SLB, etc.) are region-specific.<\/li>\n<li>Protection effectiveness can be <strong>global in practice<\/strong> (internet attacks originate anywhere), but configuration and resource binding are usually <strong>regional<\/strong>.<br\/>\n<strong>Verify<\/strong> the scope model for your specific asset types and region in the official documentation.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">How it fits into the Alibaba Cloud ecosystem<\/h3>\n\n\n\n<p>Anti-DDoS Origin is usually positioned as:\n&#8211; The <strong>DDoS foundation<\/strong> for public-facing cloud workloads (ECS, load balancers, public IP assets).\n&#8211; Complementary to:\n  &#8211; <strong>Web Application Firewall (WAF)<\/strong> for Layer 7 threats (SQLi, XSS, bot rules).\n  &#8211; <strong>Cloud Firewall<\/strong> for network access control\/policy.\n  &#8211; <strong>Security Center<\/strong> for host-based threat detection and posture.\n  &#8211; <strong>ActionTrail<\/strong> for audit logs of administrative actions.\n  &#8211; <strong>CloudMonitor<\/strong> for metrics\/alarms.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">3. Why use Anti-DDoS Origin?<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Business reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Reduced downtime risk:<\/strong> DDoS outages directly impact revenue and brand trust.<\/li>\n<li><strong>Lower incident cost:<\/strong> mitigations handled by a managed platform reduce time-to-recover and on-call fatigue.<\/li>\n<li><strong>Predictable protection strategy:<\/strong> capacity planning for \u201cwhat if we get attacked\u201d becomes part of a documented architecture.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Technical reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Upstream mitigation:<\/strong> stopping traffic before it overwhelms origin bandwidth and connection state is more effective than only origin-side filtering.<\/li>\n<li><strong>Cloud-scale scrubbing capacity:<\/strong> difficult and expensive to replicate on-prem or self-managed.<\/li>\n<li><strong>Better survivability for public endpoints:<\/strong> especially for TCP SYN floods, UDP floods, amplification attacks, and other L3\/L4 patterns.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Operational reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Centralized control<\/strong> for protecting multiple IP assets.<\/li>\n<li><strong>Attack visibility<\/strong> (event timelines, top sources\/ports\/protocols depending on edition).<\/li>\n<li><strong>Alerting workflows<\/strong> so operations teams can correlate with application symptoms and autoscaling events.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Security \/ compliance reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Defense-in-depth:<\/strong> DDoS controls complement WAF, IAM, patching, and network policy.<\/li>\n<li><strong>Auditability:<\/strong> administrative actions can be logged (for example via ActionTrail\u2014verify integration details).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Scalability \/ performance reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Mitigation at scale<\/strong> reduces the probability that backend load balancers, NAT devices, or stateful firewalls become bottlenecks under attack.<\/li>\n<li>Helps maintain <strong>availability<\/strong> (a key pillar of Security).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">When teams should choose it<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>You run <strong>internet-facing services<\/strong> (APIs, websites, game servers, SaaS endpoints).<\/li>\n<li>You have <strong>public IP exposure<\/strong> where volumetric attacks are a real risk.<\/li>\n<li>You need <strong>managed DDoS mitigation<\/strong> without building a scrubbing center.<\/li>\n<li>Your availability SLOs require a <strong>formal DDoS protection layer<\/strong>.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">When teams should <em>not<\/em> choose it<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Your workload is <strong>not publicly reachable<\/strong> (private VPC-only services).<\/li>\n<li>You only need <strong>application-layer protection<\/strong> (then WAF\/bot protection may be the primary tool; DDoS protection can still be valuable, but it\u2019s not the whole answer).<\/li>\n<li>You require <strong>full control of mitigation logic<\/strong> (custom appliances, bespoke routing) and accept higher cost\/complexity.<\/li>\n<li>You\u2019re protecting assets <strong>outside<\/strong> Alibaba Cloud where a different topology (such as proxy-based DDoS services) may fit better\u2014verify cross-cloud protection options.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">4. Where is Anti-DDoS Origin used?<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Industries<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>E-commerce and retail<\/strong> (checkout and product API availability)<\/li>\n<li><strong>FinTech and payments<\/strong> (API uptime and transaction processing)<\/li>\n<li><strong>Gaming<\/strong> (UDP\/TCP floods targeting game servers)<\/li>\n<li><strong>Media and streaming<\/strong> (bandwidth-heavy targets)<\/li>\n<li><strong>EdTech<\/strong> (traffic spikes and abuse during exams\/events)<\/li>\n<li><strong>SaaS and B2B platforms<\/strong> (API endpoints and customer portals)<\/li>\n<li><strong>Public sector<\/strong> (high-visibility services that are frequent targets)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Team types<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Platform engineering teams managing shared ingress<\/li>\n<li>SRE\/operations teams owning uptime<\/li>\n<li>Security engineering teams owning threat models and Security controls<\/li>\n<li>DevOps teams owning production networking and release reliability<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Workloads and architectures<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Public-facing <strong>ECS<\/strong> workloads with EIP<\/li>\n<li><strong>Load balancer<\/strong> frontends for web\/apps (ALB\/CLB\/NLB\u2014names vary; verify which types are supported)<\/li>\n<li>Internet-facing <strong>API endpoints<\/strong><\/li>\n<li>Game services needing low latency but high attack resistance<\/li>\n<li>Hybrid architectures where the public ingress is on Alibaba Cloud but backend is mixed<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Real-world deployment contexts<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Production:<\/strong> primary use case; DDoS protection is most important for customer-facing availability.<\/li>\n<li><strong>Dev\/test:<\/strong> commonly limited, because attacks are usually targeted at production; however, teams may test configuration, alerting, and runbooks in staging (without generating real DDoS traffic).<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">5. Top Use Cases and Scenarios<\/h2>\n\n\n\n<p>Below are realistic scenarios where Anti-DDoS Origin is commonly a fit. For each: problem \u2192 why this service \u2192 example.<\/p>\n\n\n\n<p>1) <strong>Protect a public API endpoint on ECS<\/strong>\n&#8211; <strong>Problem:<\/strong> API becomes unreachable during TCP SYN floods or UDP floods that exhaust connection tracking.\n&#8211; <strong>Why Anti-DDoS Origin fits:<\/strong> Upstream L3\/L4 mitigation reduces malicious traffic reaching the ECS public IP\/EIP.\n&#8211; <strong>Example:<\/strong> A mobile app API on <code>api.example.com<\/code> backed by ECS instances and a public IP needs availability during promotion days.<\/p>\n\n\n\n<p>2) <strong>Reduce blackhole risk for critical IPs<\/strong>\n&#8211; <strong>Problem:<\/strong> During large attacks, upstream networks may blackhole traffic to protect infrastructure, causing downtime.\n&#8211; <strong>Why it fits:<\/strong> Higher protection capacity can reduce the likelihood of blackholing (exact behavior depends on provider\/region\u2014verify).\n&#8211; <strong>Example:<\/strong> A payment callback IP must remain reachable to complete transactions.<\/p>\n\n\n\n<p>3) <strong>Protect game servers (UDP-heavy traffic)<\/strong>\n&#8211; <strong>Problem:<\/strong> Attackers send UDP floods that saturate bandwidth and disrupt sessions.\n&#8211; <strong>Why it fits:<\/strong> DDoS mitigation targets volumetric UDP floods more effectively than host-based filters.\n&#8211; <strong>Example:<\/strong> A multiplayer game with regional servers experiences recurring attacks after competitive events.<\/p>\n\n\n\n<p>4) <strong>Protect a public load balancer frontend<\/strong>\n&#8211; <strong>Problem:<\/strong> Load balancer listeners face bursts of malicious connections that degrade service.\n&#8211; <strong>Why it fits:<\/strong> Anti-DDoS Origin protection on the public-facing address reduces attack traffic before it hits the listener.\n&#8211; <strong>Example:<\/strong> A web platform uses a load balancer to distribute traffic to multiple ECS instances.<\/p>\n\n\n\n<p>5) <strong>Protect B2B webhook receivers<\/strong>\n&#8211; <strong>Problem:<\/strong> Public webhook endpoints are a stable target (always-on, predictable).\n&#8211; <strong>Why it fits:<\/strong> Keeps webhook ingestion reachable even under volumetric abuse.\n&#8211; <strong>Example:<\/strong> An ERP integration endpoint receives supplier notifications and must remain available.<\/p>\n\n\n\n<p>6) <strong>Protect login and authentication endpoints from volumetric floods<\/strong>\n&#8211; <strong>Problem:<\/strong> Attackers flood authentication endpoints, impacting all users.\n&#8211; <strong>Why it fits:<\/strong> While credential abuse is L7, volumetric floods are L3\/L4 and can be mitigated upstream.\n&#8211; <strong>Example:<\/strong> SSO gateway sees periodic L4 floods during high-profile campaigns.<\/p>\n\n\n\n<p>7) <strong>Improve resilience for marketing campaign landing pages<\/strong>\n&#8211; <strong>Problem:<\/strong> DDoS during a product launch causes reputational damage.\n&#8211; <strong>Why it fits:<\/strong> Adds DDoS capacity at the edge; complements CDN\/WAF strategies.\n&#8211; <strong>Example:<\/strong> A brand launch page is fronted by a load balancer and must stay up.<\/p>\n\n\n\n<p>8) <strong>Protect \u201csingle IP\u201d legacy services you can\u2019t easily redesign<\/strong>\n&#8211; <strong>Problem:<\/strong> Legacy systems are bound to one IP and one port; redesign is slow.\n&#8211; <strong>Why it fits:<\/strong> You can attach DDoS protection to the existing IP rather than refactor architecture.\n&#8211; <strong>Example:<\/strong> A manufacturing control portal runs on a fixed IP with strict partner allowlists.<\/p>\n\n\n\n<p>9) <strong>Protect public endpoints used by IoT devices<\/strong>\n&#8211; <strong>Problem:<\/strong> IoT ingestion endpoints are attacked or abused; device connectivity suffers.\n&#8211; <strong>Why it fits:<\/strong> Stabilizes ingress against volumetric floods and malformed traffic spikes.\n&#8211; <strong>Example:<\/strong> Telemetry ingestion over TCP is targeted by random internet scanning and floods.<\/p>\n\n\n\n<p>10) <strong>Meet contractual uptime commitments<\/strong>\n&#8211; <strong>Problem:<\/strong> Customer SLAs require documented DDoS protection and incident processes.\n&#8211; <strong>Why it fits:<\/strong> Provides an explicit Security control that can be referenced in architecture reviews.\n&#8211; <strong>Example:<\/strong> A SaaS vendor includes DDoS protection as part of its security addendum.<\/p>\n\n\n\n<p>11) <strong>Reduce operational noise during attacks<\/strong>\n&#8211; <strong>Problem:<\/strong> Attacks trigger cascading alerts (CPU, connection errors, timeouts), overwhelming responders.\n&#8211; <strong>Why it fits:<\/strong> Upstream mitigation reduces symptom amplification and helps maintain stable baselines.\n&#8211; <strong>Example:<\/strong> An SRE team wants fewer false-positive incident pages during internet turbulence.<\/p>\n\n\n\n<p>12) <strong>Protect multi-tenant platforms with shared ingress<\/strong>\n&#8211; <strong>Problem:<\/strong> One tenant is targeted; shared infrastructure suffers.\n&#8211; <strong>Why it fits:<\/strong> Strengthens shared ingress and reduces blast radius from volumetric events.\n&#8211; <strong>Example:<\/strong> Multi-tenant API gateway and shared load balancer for multiple customers.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">6. Core Features<\/h2>\n\n\n\n<blockquote>\n<p>Feature availability can vary by edition\/region. Where specific knobs or dashboards differ, <strong>verify in official docs<\/strong> and in the Anti-DDoS console for your account\/region.<\/p>\n<\/blockquote>\n\n\n\n<h3 class=\"wp-block-heading\">6.1 Protected asset management (bind IP resources)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Lets you add\/select public IP assets to protect under Anti-DDoS Origin.<\/li>\n<li><strong>Why it matters:<\/strong> DDoS protection is only effective for the assets actually covered.<\/li>\n<li><strong>Practical benefit:<\/strong> Consistent onboarding process for new public endpoints.<\/li>\n<li><strong>Caveats:<\/strong> Supported asset types can be limited (for example, EIP vs other public endpoints). Verify supported resources and regions.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6.2 DDoS detection and mitigation (L3\/L4)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Detects DDoS patterns and applies mitigation measures in upstream infrastructure.<\/li>\n<li><strong>Why it matters:<\/strong> L3\/L4 floods can overwhelm bandwidth and connection state before application defenses can react.<\/li>\n<li><strong>Practical benefit:<\/strong> Service availability under volumetric\/protocol attacks.<\/li>\n<li><strong>Caveats:<\/strong> No DDoS solution can guarantee 100% availability for every conceivable attack size; mitigation capacity and upstream conditions matter.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6.3 Attack event visibility and reporting<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Provides event records and dashboards (attack time window, traffic peaks, vectors).<\/li>\n<li><strong>Why it matters:<\/strong> You need evidence for postmortems, tuning, and communicating with stakeholders.<\/li>\n<li><strong>Practical benefit:<\/strong> Faster diagnosis and better incident reports.<\/li>\n<li><strong>Caveats:<\/strong> Granularity of reports varies by edition; some deep analytics may require additional services or logs (verify).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6.4 Traffic and baseline monitoring<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Shows normal traffic baselines vs suspicious spikes for protected assets.<\/li>\n<li><strong>Why it matters:<\/strong> Baselines help you pick thresholds and detect anomalies early.<\/li>\n<li><strong>Practical benefit:<\/strong> Better tuning and earlier detection of slow-ramp attacks.<\/li>\n<li><strong>Caveats:<\/strong> Metrics can lag; treat dashboards as operational aids, not the sole source of truth.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6.5 Alerting and notifications (operations integration)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Notifies when attacks start\/stop or thresholds are exceeded (often via Alibaba Cloud alerting channels).<\/li>\n<li><strong>Why it matters:<\/strong> DDoS incidents are time-sensitive; responders need prompt signals.<\/li>\n<li><strong>Practical benefit:<\/strong> Reduced MTTA (mean time to acknowledge).<\/li>\n<li><strong>Caveats:<\/strong> Confirm which channels are supported (SMS\/email\/webhook) and whether they require additional configuration.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6.6 Mitigation policy controls (thresholds \/ modes)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Depending on edition, may allow configuration of mitigation sensitivity, thresholds, or response modes.<\/li>\n<li><strong>Why it matters:<\/strong> Overly aggressive settings can block legitimate traffic; overly lax settings can allow attacks through.<\/li>\n<li><strong>Practical benefit:<\/strong> Tailor protection to workload patterns (APIs vs gaming vs streaming).<\/li>\n<li><strong>Caveats:<\/strong> Exact parameters differ by edition; always test in a safe environment and follow official guidance.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6.7 Blackhole management behavior (service continuity)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Helps manage how traffic is handled when attacks exceed certain capacities (conceptually: minimize time in blackhole).<\/li>\n<li><strong>Why it matters:<\/strong> Blackhole filtering is effectively downtime.<\/li>\n<li><strong>Practical benefit:<\/strong> Better survivability at higher attack volumes.<\/li>\n<li><strong>Caveats:<\/strong> Blackhole policies are influenced by upstream carriers and regional infrastructure\u2014verify behaviors for your region and asset type.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6.8 Multi-IP \/ multi-asset coverage (edition dependent)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Allows protecting multiple IP assets under one purchased Anti-DDoS Origin instance\/plan.<\/li>\n<li><strong>Why it matters:<\/strong> Platforms often have multiple public endpoints.<\/li>\n<li><strong>Practical benefit:<\/strong> Standardized protection across a fleet.<\/li>\n<li><strong>Caveats:<\/strong> There may be a maximum number of protected assets per instance\/plan (verify).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6.9 Integrations with Alibaba Cloud governance\/security tooling<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Works alongside RAM (access control), ActionTrail (auditing), CloudMonitor (metrics\/alerts), and other Security services.<\/li>\n<li><strong>Why it matters:<\/strong> DDoS protection must be operable and auditable.<\/li>\n<li><strong>Practical benefit:<\/strong> Fits enterprise Security and operations requirements.<\/li>\n<li><strong>Caveats:<\/strong> Not all integrations are automatic; some require manual setup.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">7. Architecture and How It Works<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">7.1 High-level architecture<\/h3>\n\n\n\n<p>At a high level, Anti-DDoS Origin places Alibaba Cloud\u2019s DDoS mitigation capability in front of (or upstream of) your public IP assets. Legitimate traffic is forwarded to the origin, while attack traffic is filtered\/scrubbed.<\/p>\n\n\n\n<p>Unlike proxy-based DDoS products (where you typically change DNS to point to a proxy IP), origin-based protection is generally <strong>bound to the IP asset itself<\/strong> (exact mechanics depend on product\/region\u2014verify).<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">7.2 Request \/ data \/ control flows<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\n<p><strong>Data plane (traffic):<\/strong>\n  1. Internet clients send traffic to your public IP (EIP \/ public endpoint).\n  2. Anti-DDoS Origin detects anomalies and applies mitigation upstream.\n  3. Cleaned\/allowed traffic reaches your protected asset and then your workload.<\/p>\n<\/li>\n<li>\n<p><strong>Control plane (configuration):<\/strong>\n  1. Admins configure Anti-DDoS Origin in the console\/API.\n  2. Policies and protected asset bindings are applied to Alibaba Cloud\u2019s mitigation infrastructure.\n  3. Events and metrics are published for monitoring and incident response.<\/p>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">7.3 Integrations with related services (common patterns)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>ECS + EIP:<\/strong> Protect public IPs used by ECS workloads.<\/li>\n<li><strong>Load balancers:<\/strong> Protect public-facing listener endpoints.<\/li>\n<li><strong>WAF:<\/strong> Use WAF for Layer 7 attacks; keep Anti-DDoS Origin for volumetric\/protocol attacks.<\/li>\n<li><strong>Cloud Firewall \/ Security Groups:<\/strong> Continue enforcing least privilege; DDoS protection doesn\u2019t replace network policy.<\/li>\n<li><strong>CloudMonitor:<\/strong> Alarms on attack events\/traffic spikes (verify metric names).<\/li>\n<li><strong>ActionTrail:<\/strong> Audit who changed protection settings (verify event sources).<\/li>\n<li><strong>Simple Log Service (SLS):<\/strong> Some teams centralize Security events into logs\/SIEM (verify native export options for Anti-DDoS).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">7.4 Dependency services (what it relies on)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Alibaba Cloud\u2019s DDoS mitigation network and scrubbing capacity.<\/li>\n<li>Your protected public IP resources (EIP\/load balancer\/public endpoints).<\/li>\n<li>Optional: monitoring\/auditing services for alerting and compliance evidence.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">7.5 Security \/ authentication model<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Access is controlled by <strong>RAM<\/strong> (Resource Access Management) policies.<\/li>\n<li>Prefer:<\/li>\n<li>Dedicated RAM roles\/users for Security administration.<\/li>\n<li>Least privilege policies (start from read-only for observers).<\/li>\n<li>MFA and strong password policies for privileged accounts.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">7.6 Networking model<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Anti-DDoS Origin is designed for <strong>internet ingress<\/strong> to protected IPs.<\/li>\n<li>It is not a substitute for:<\/li>\n<li>Private network isolation (VPC design)<\/li>\n<li>East-west microsegmentation<\/li>\n<li>Application-layer protection (WAF\/bot management)<\/li>\n<li>Keep your public endpoints minimal: use load balancers, limit direct-to-ECS exposure when possible.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">7.7 Monitoring \/ logging \/ governance considerations<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Define:<\/li>\n<li>\u201cAttack detected\u201d = incident? or just an alert?<\/li>\n<li>Severity thresholds (bps\/pps, duration, affected endpoints).<\/li>\n<li>Build dashboards:<\/li>\n<li>Attack events over time<\/li>\n<li>Peak inbound bps\/pps<\/li>\n<li>Error rates at application level (APM)<\/li>\n<li>Governance:<\/li>\n<li>Tag Anti-DDoS instances and protected assets (env, owner, app, cost center).<\/li>\n<li>Document runbooks: \u201cWhat do we do when Anti-DDoS triggers?\u201d<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">7.8 Simple architecture diagram (Mermaid)<\/h3>\n\n\n\n<pre><code class=\"language-mermaid\">flowchart LR\n  U[Internet Users \/ Attack Traffic] --&gt; P[Protected Public IP Asset]\n  P --&gt; A[Anti-DDoS Origin Mitigation]\n  A --&gt; O[Origin Workload\\n(ECS \/ Load Balancer)]\n  O --&gt; APP[Application]\n<\/code><\/pre>\n\n\n\n<blockquote>\n<p>Conceptual note: actual traffic path representation depends on how Alibaba Cloud applies mitigation for your asset type\/region. Use this as a mental model, and verify the exact flow in official docs.<\/p>\n<\/blockquote>\n\n\n\n<h3 class=\"wp-block-heading\">7.9 Production-style architecture diagram (Mermaid)<\/h3>\n\n\n\n<pre><code class=\"language-mermaid\">flowchart TB\n  subgraph Internet\n    Legit[Legitimate Clients]\n    Bad[Attack Sources \/ Botnets]\n  end\n\n  Legit --&gt; Edge[Alibaba Cloud Network Edge]\n  Bad --&gt; Edge\n\n  subgraph DDoSProtection[Anti-DDoS Origin]\n    Detect[Detection &amp; Fingerprinting]\n    Scrub[Mitigation \/ Scrubbing]\n    Events[Attack Events &amp; Metrics]\n  end\n\n  Edge --&gt; Detect --&gt; Scrub --&gt; PubIP[Protected Public Endpoint\\n(EIP \/ LB Public IP)]\n  PubIP --&gt; LB[Load Balancer]\n  LB --&gt; ASG[ECS Fleet \/ Auto Scaling]\n  ASG --&gt; App[App Services]\n  App --&gt; DB[ApsaraDB \/ Data Stores]\n\n  Events --&gt; Mon[CloudMonitor Alarms]\n  Events --&gt; SOC[SecOps \/ SIEM\\n(Verify export options)]\n  Admin[RAM Admins] --&gt;|Config| DDoSProtection\n  Admin --&gt;|Audit| Trail[ActionTrail]\n<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">8. Prerequisites<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Account and billing<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>An <strong>Alibaba Cloud account<\/strong> with billing enabled.<\/li>\n<li>Ability to purchase Security services (some editions may require real-name verification and\/or enterprise verification\u2014verify in your region).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Permissions \/ IAM (RAM)<\/h3>\n\n\n\n<p>You need RAM permissions to:\n&#8211; Manage Anti-DDoS Origin instances and protected assets.\n&#8211; View\/modify relevant resources (EIP, ECS, Load Balancer) you intend to protect.\n&#8211; Configure alerts\/notifications (if using CloudMonitor).<\/p>\n\n\n\n<p><strong>Practical recommendation<\/strong>\n&#8211; Create:\n  &#8211; A <strong>SecurityAdmin<\/strong> RAM role\/user with Anti-DDoS administrative permissions.\n  &#8211; A <strong>SecurityObserver<\/strong> RAM role\/user with read-only permissions.\n&#8211; Policy names can differ; <strong>verify the exact managed policy names<\/strong> in the RAM console (search for Anti-DDoS-related policies).<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Regions and availability<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Anti-DDoS Origin availability varies by region and by protected asset type.<\/li>\n<li>Confirm:<\/li>\n<li>Your target region supports Anti-DDoS Origin.<\/li>\n<li>Your specific IP asset type (EIP vs LB vs other) is supported.<\/li>\n<li>Official docs are the source of truth (see resources section).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Tools<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Alibaba Cloud console access (web).<\/li>\n<li>Optional:<\/li>\n<li>Alibaba Cloud CLI (<code>aliyun<\/code>) if you plan to automate provisioning (verify that Anti-DDoS Origin APIs are exposed in your region\/account).<\/li>\n<li>SSH client for ECS (OpenSSH, PuTTY).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Quotas \/ limits<\/h3>\n\n\n\n<p>Common limits to check (varies by edition\/region):\n&#8211; Number of protected IPs per instance\/plan.\n&#8211; Maximum mitigation capacity purchased.\n&#8211; Limits on configuration changes (rate limits).\n&#8211; Alert quotas (SMS\/notifications).<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Prerequisite services for the lab<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>ECS<\/strong> instance (or an existing public endpoint).<\/li>\n<li><strong>EIP<\/strong> (Elastic IP Address) associated to ECS (recommended for a clear \u201cpublic IP asset\u201d example).<\/li>\n<li>Security Group rules for inbound HTTP\/SSH to validate reachability.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">9. Pricing \/ Cost<\/h2>\n\n\n\n<p>Anti-DDoS Origin pricing can be <strong>edition-based<\/strong> and <strong>capacity-based<\/strong>, and it can vary by region. Alibaba Cloud frequently offers multiple tiers for DDoS protection across its product family, so treat the points below as a cost model guide and <strong>verify exact SKUs and prices<\/strong> in official pricing pages.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">9.1 Pricing dimensions (typical)<\/h3>\n\n\n\n<p>Common dimensions you should expect (verify exact terms):\n&#8211; <strong>Edition \/ plan tier<\/strong> (different mitigation capability and features).\n&#8211; <strong>Protection capacity<\/strong> (often in Gbps and\/or packets per second; sometimes \u201cmitigation capacity\u201d vs \u201cclean bandwidth\u201d).\n&#8211; <strong>Number of protected assets\/IPs<\/strong> included.\n&#8211; <strong>Subscription duration<\/strong> (monthly\/annual) and region.\n&#8211; <strong>Add-ons<\/strong> (advanced reporting, extended logs, additional IP slots\u2014if offered).<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">9.2 Free tier \/ baseline protection<\/h3>\n\n\n\n<p>Alibaba Cloud commonly provides <strong>baseline DDoS protection<\/strong> for certain public IP resources (often referred to as <strong>Anti-DDoS Basic<\/strong>). Anti-DDoS Origin is typically chosen when baseline protection is insufficient.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Do not assume<\/strong> baseline protection levels; they vary by product, region, and time.<\/li>\n<li>Confirm your current baseline DDoS coverage in the console and official docs.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">9.3 Cost drivers (what makes it more expensive)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Higher mitigation\/cleaning capacity<\/li>\n<li>More protected IP assets<\/li>\n<li>Higher-tier editions with richer analytics and controls<\/li>\n<li>More regions or more public endpoints<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">9.4 Hidden or indirect costs<\/h3>\n\n\n\n<p>Even if Anti-DDoS Origin itself is a predictable subscription:\n&#8211; <strong>Bandwidth costs on your origin<\/strong> (legitimate traffic still reaches you).\n&#8211; <strong>Load balancer costs<\/strong> and scaling costs under flash crowds (not DDoS).\n&#8211; <strong>Logging\/monitoring costs<\/strong> if you export events or keep long retention.\n&#8211; <strong>Operational costs<\/strong>: on-call rotations, incident tooling.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">9.5 Network \/ data transfer implications<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>DDoS mitigation aims to reduce malicious traffic reaching your assets, but:<\/li>\n<li>Some attack traffic may still reach your origin depending on attack type and mitigation behavior.<\/li>\n<li>Your legitimate traffic is unaffected in intent, but latency can vary during mitigation events.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">9.6 How to optimize cost<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Protect only <strong>critical ingress IPs<\/strong> (avoid \u201cprotect everything\u201d without prioritization).<\/li>\n<li>Use <strong>load balancers<\/strong> and reduce direct-to-ECS exposure to minimize the number of public IPs.<\/li>\n<li>Use <strong>CDN + WAF<\/strong> for web apps to offload and reduce exposure (DDoS and L7 controls are complementary).<\/li>\n<li>Right-size mitigation capacity based on:<\/li>\n<li>Historical attacks<\/li>\n<li>Industry norms<\/li>\n<li>Business impact analysis<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">9.7 Example low-cost starter estimate (non-numeric)<\/h3>\n\n\n\n<p>A minimal starter footprint usually looks like:\n&#8211; 1 region\n&#8211; 1 protected IP (EIP or LB public IP)\n&#8211; A lower-tier Anti-DDoS Origin plan sufficient for small services<\/p>\n\n\n\n<p>Because prices vary by region\/edition and may be promotional or contract-based, <strong>verify the exact monthly cost<\/strong> on the official pricing page for your region.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">9.8 Example production cost considerations (non-numeric)<\/h3>\n\n\n\n<p>For production, cost planning should include:\n&#8211; Multiple protected endpoints (API, web, webhook, admin)\n&#8211; Higher mitigation capacity aligned to your risk profile\n&#8211; Redundancy via multi-zone application design (Anti-DDoS doesn\u2019t replace HA)\n&#8211; Monitoring\/alerting integrations and log retention<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">9.9 Official pricing references<\/h3>\n\n\n\n<p>Use official Alibaba Cloud sources to confirm:\n&#8211; Product packaging and editions\n&#8211; Regional price differences\n&#8211; Contract\/enterprise pricing options<\/p>\n\n\n\n<p>Start here (verify the exact Anti-DDoS Origin pricing page for your region):\n&#8211; Alibaba Cloud Anti-DDoS product entry: https:\/\/www.alibabacloud.com\/product\/anti-ddos<br\/>\n&#8211; Alibaba Cloud Pricing (general): https:\/\/www.alibabacloud.com\/pricing<br\/>\n&#8211; Alibaba Cloud Pricing Calculator: https:\/\/www.alibabacloud.com\/pricing\/calculator  <\/p>\n\n\n\n<p>If the Anti-DDoS Origin pricing link in your region differs, use the console \u201cBuy\u201d flow to view the authoritative SKU list.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">10. Step-by-Step Hands-On Tutorial<\/h2>\n\n\n\n<p>This lab focuses on a realistic, safe workflow: protect a simple public endpoint (ECS + EIP) with Anti-DDoS Origin, verify protection attachment and monitoring, and prepare incident-ready alerting. It does <strong>not<\/strong> attempt to generate real DDoS traffic (unsafe and often a policy violation).<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Objective<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Create a small internet-facing service on ECS.<\/li>\n<li>Associate an EIP and confirm reachability.<\/li>\n<li>Purchase\/enable <strong>Anti-DDoS Origin<\/strong>.<\/li>\n<li>Add the EIP as a protected asset.<\/li>\n<li>Configure basic alerting and validate visibility.<\/li>\n<li>Document a minimal runbook and clean up resources.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Lab Overview<\/h3>\n\n\n\n<p>You will:\n1. Provision an ECS instance and EIP, deploy a simple web server.\n2. Confirm normal traffic works (curl).\n3. Enable Anti-DDoS Origin and bind the EIP.\n4. Confirm the protection status and review dashboards.\n5. Configure monitoring\/notifications for attack events (where supported).\n6. Clean up to avoid ongoing charges.<\/p>\n\n\n\n<blockquote>\n<p>Cost note: ECS, EIP, and Anti-DDoS Origin may all generate costs. Choose the smallest ECS size and shortest Anti-DDoS subscription available in your region, and delete resources after the lab.<\/p>\n<\/blockquote>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 1: Create a small ECS instance (public endpoint)<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>In the Alibaba Cloud console, go to <strong>Elastic Compute Service (ECS)<\/strong>.<\/li>\n<li>Click <strong>Create Instance<\/strong>.<\/li>\n<li>Choose:\n   &#8211; Region close to you (and where Anti-DDoS Origin is available).\n   &#8211; A low-cost instance type.\n   &#8211; An OS you are comfortable with (e.g., Alibaba Cloud Linux \/ CentOS \/ Ubuntu).<\/li>\n<li>Configure networking:\n   &#8211; Place the instance in a VPC.\n   &#8211; Do <strong>not<\/strong> assign a public IP during creation (we will attach an EIP for clarity).<\/li>\n<li>Configure Security Group rules:\n   &#8211; Allow inbound <strong>TCP 22<\/strong> from your IP (SSH).\n   &#8211; Allow inbound <strong>TCP 80<\/strong> from <code>0.0.0.0\/0<\/code> (HTTP) for a simple test server.<\/li>\n<li>Create and start the instance.<\/li>\n<\/ol>\n\n\n\n<p><strong>Expected outcome<\/strong>\n&#8211; An ECS instance is running and reachable via private IP within the VPC.\n&#8211; Security Group allows SSH and HTTP as configured.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 2: Allocate and associate an Elastic IP (EIP)<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Go to <strong>Elastic IP Address (EIP)<\/strong> in the console.<\/li>\n<li>Click <strong>Create EIP<\/strong>.<\/li>\n<li>Select:\n   &#8211; The same region as ECS.\n   &#8211; Bandwidth billing model appropriate for your region (often pay-by-traffic or pay-by-bandwidth\u2014verify).<\/li>\n<li>After allocation, click the EIP and choose <strong>Associate<\/strong>.<\/li>\n<li>Associate it with your ECS instance.<\/li>\n<\/ol>\n\n\n\n<p><strong>Expected outcome<\/strong>\n&#8211; Your ECS instance now has a stable public IP (the EIP).<\/p>\n\n\n\n<p><strong>Verify<\/strong>\n&#8211; From your local machine:<\/p>\n\n\n\n<pre><code class=\"language-bash\">ping -c 3 &lt;YOUR_EIP&gt;\n<\/code><\/pre>\n\n\n\n<p>Ping may be blocked by Security Group\/ICMP settings; HTTP will be your primary validation.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 3: Install a simple web server on ECS<\/h3>\n\n\n\n<p>SSH into the instance:<\/p>\n\n\n\n<pre><code class=\"language-bash\">ssh root@&lt;YOUR_EIP&gt;\n<\/code><\/pre>\n\n\n\n<p>Install NGINX (commands vary by OS; below are common examples\u2014use the correct one for your distribution).<\/p>\n\n\n\n<p><strong>Ubuntu\/Debian:<\/strong><\/p>\n\n\n\n<pre><code class=\"language-bash\">apt update\napt -y install nginx\nsystemctl enable --now nginx\n<\/code><\/pre>\n\n\n\n<p><strong>RHEL\/CentOS\/Alibaba Cloud Linux (may vary):<\/strong><\/p>\n\n\n\n<pre><code class=\"language-bash\">yum -y install nginx\nsystemctl enable --now nginx\n<\/code><\/pre>\n\n\n\n<p>Create a simple landing page:<\/p>\n\n\n\n<pre><code class=\"language-bash\">cat &gt;\/usr\/share\/nginx\/html\/index.html &lt;&lt;'EOF'\n&lt;h1&gt;Anti-DDoS Origin Lab&lt;\/h1&gt;\n&lt;p&gt;If you can read this, HTTP reachability is working.&lt;\/p&gt;\nEOF\n<\/code><\/pre>\n\n\n\n<p><strong>Expected outcome<\/strong>\n&#8211; NGINX is running and serving HTTP.<\/p>\n\n\n\n<p><strong>Verify from your local machine<\/strong><\/p>\n\n\n\n<pre><code class=\"language-bash\">curl -i http:\/\/&lt;YOUR_EIP&gt;\/\n<\/code><\/pre>\n\n\n\n<p>You should see <code>HTTP\/1.1 200 OK<\/code>.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 4: Purchase\/enable Anti-DDoS Origin<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>In the Alibaba Cloud console, search for <strong>Anti-DDoS<\/strong> and open the <strong>Anti-DDoS<\/strong> service console.<\/li>\n<li>Locate <strong>Anti-DDoS Origin<\/strong>.<\/li>\n<li>Click <strong>Buy<\/strong> (or <strong>Upgrade\/Enable<\/strong>) and choose:\n   &#8211; Region (same as your EIP).\n   &#8211; Edition\/tier.\n   &#8211; Protection capacity and number of protected assets (start minimal).\n   &#8211; Subscription term (choose short term for the lab if possible).<\/li>\n<\/ol>\n\n\n\n<p><strong>Expected outcome<\/strong>\n&#8211; An Anti-DDoS Origin instance\/plan is active in your account.<\/p>\n\n\n\n<p><strong>Important<\/strong>\n&#8211; If the console offers multiple products (e.g., Anti-DDoS Proxy vs Origin), ensure you choose <strong>Origin<\/strong> as required.\n&#8211; If you do not see Anti-DDoS Origin in your region, <strong>verify regional availability<\/strong> and try a supported region.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 5: Add the EIP as a protected asset<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>In the <strong>Anti-DDoS Origin<\/strong> console, find the section for <strong>Protected Assets<\/strong> (name may vary).<\/li>\n<li>Click <strong>Add<\/strong> or <strong>Bind Asset<\/strong>.<\/li>\n<li>Select your <strong>EIP<\/strong> (or enter the public IP if required).<\/li>\n<li>Confirm and apply.<\/li>\n<\/ol>\n\n\n\n<p><strong>Expected outcome<\/strong>\n&#8211; The EIP appears in the protected asset list with a protection status such as \u201cProtected\/Enabled\u201d (wording varies).<\/p>\n\n\n\n<p><strong>Verify<\/strong>\n&#8211; Re-run:<\/p>\n\n\n\n<pre><code class=\"language-bash\">curl -i http:\/\/&lt;YOUR_EIP&gt;\/\n<\/code><\/pre>\n\n\n\n<p>Your website should still respond normally.<\/p>\n\n\n\n<p><strong>What you\u2019re validating here<\/strong>\n&#8211; Anti-DDoS Origin is not breaking legitimate traffic.\n&#8211; The protected asset binding is active.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 6: Review attack visibility dashboards (baseline)<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>In Anti-DDoS Origin console, open:\n   &#8211; <strong>Overview<\/strong>\n   &#8211; <strong>Traffic\/Monitoring<\/strong>\n   &#8211; <strong>Attack Events\/Reports<\/strong><\/li>\n<li>Confirm your protected IP is listed.<\/li>\n<li>Note baseline inbound traffic and current status.<\/li>\n<\/ol>\n\n\n\n<p><strong>Expected outcome<\/strong>\n&#8211; You can view baseline traffic metrics for the protected EIP.\n&#8211; No active attack events (assuming normal conditions).<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 7: Configure alerting for attack events (recommended)<\/h3>\n\n\n\n<p>Alerting configuration differs by Alibaba Cloud region and account setup. Commonly, you will use:\n&#8211; Built-in Anti-DDoS notifications, and\/or\n&#8211; <strong>CloudMonitor<\/strong> alarms, and\/or\n&#8211; Notification contacts\/channels.<\/p>\n\n\n\n<p>Proceed as follows:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>In Anti-DDoS Origin console, look for <strong>Notifications\/Alerts<\/strong> settings.<\/li>\n<li>Add at least one notification recipient (email\/SMS) if supported.<\/li>\n<li>In <strong>CloudMonitor<\/strong>, look for Anti-DDoS-related metrics\/events and create an alarm rule (metric names vary\u2014verify).<\/li>\n<li>Set a practical alarm policy:\n   &#8211; Attack detected (event-based)\n   &#8211; Inbound traffic exceeds baseline by X (metric-based; choose cautiously to avoid false positives)<\/li>\n<\/ol>\n\n\n\n<p><strong>Expected outcome<\/strong>\n&#8211; Alerts are configured so your team is notified when an attack event occurs.<\/p>\n\n\n\n<p><strong>Verification<\/strong>\n&#8211; If the console provides a \u201cSend test notification\u201d option, use it.\n&#8211; Otherwise, confirm alarm rule is created and in \u201cEnabled\u201d state.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Validation<\/h3>\n\n\n\n<p>Use this checklist:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Service reachability<\/strong>\n   &#8211; <code>curl http:\/\/&lt;YOUR_EIP&gt;\/<\/code> returns 200 OK.<\/li>\n<li><strong>Protected asset status<\/strong>\n   &#8211; The EIP shows as protected in Anti-DDoS Origin console.<\/li>\n<li><strong>Visibility<\/strong>\n   &#8211; Traffic metrics are visible for the EIP in Anti-DDoS Origin.<\/li>\n<li><strong>Operational readiness<\/strong>\n   &#8211; Alerts are configured and enabled.\n   &#8211; You documented:<ul>\n<li>Asset list<\/li>\n<li>Owner\/on-call contact<\/li>\n<li>What constitutes an incident<\/li>\n<li>Where to check attack reports<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Troubleshooting<\/h3>\n\n\n\n<p><strong>Issue: I can\u2019t find Anti-DDoS Origin in the console<\/strong>\n&#8211; Confirm you are in the correct <strong>region<\/strong>.\n&#8211; Confirm your account has permission to view\/purchase Security products.\n&#8211; Check the Anti-DDoS product page for region support.\n&#8211; If your organization uses a reseller\/enterprise contract, confirm product enablement with your account team.<\/p>\n\n\n\n<p><strong>Issue: EIP doesn\u2019t appear in protected asset selection<\/strong>\n&#8211; Ensure the EIP is:\n  &#8211; In the same region as Anti-DDoS Origin instance\/plan\n  &#8211; In a supported state (allocated\/associated as required)\n&#8211; Verify supported asset types for Anti-DDoS Origin.<\/p>\n\n\n\n<p><strong>Issue: Website stopped working after enabling protection<\/strong>\n&#8211; Re-check:\n  &#8211; Security Group inbound rules (TCP 80)\n  &#8211; NGINX status on ECS (<code>systemctl status nginx<\/code>)\n  &#8211; Whether you accidentally protected the wrong IP\n&#8211; If Anti-DDoS Origin has policy knobs (threshold\/mode), revert to default and verify.<\/p>\n\n\n\n<p><strong>Issue: CloudMonitor doesn\u2019t show Anti-DDoS metrics<\/strong>\n&#8211; Metric availability varies. Verify in official docs:\n  &#8211; Whether Anti-DDoS Origin publishes CloudMonitor metrics in your edition\/region\n  &#8211; Whether you need to enable a setting to export metrics\/events<\/p>\n\n\n\n<p><strong>Issue: SSH is blocked<\/strong>\n&#8211; Ensure Security Group allows TCP 22 from your public IP.\n&#8211; Verify you are using the correct username for your OS image.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Cleanup<\/h3>\n\n\n\n<p>To avoid charges, clean up in reverse order:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Remove protected asset binding<\/strong> (optional but tidy):\n   &#8211; In Anti-DDoS Origin console, remove the EIP from protected assets if your workflow requires explicit unbinding.<\/li>\n<li><strong>Cancel\/disable Anti-DDoS Origin subscription<\/strong>\n   &#8211; Follow the console billing\/subscription cancellation flow (note: refunds and early termination policies vary\u2014verify).<\/li>\n<li><strong>Release EIP<\/strong>\n   &#8211; Disassociate the EIP from ECS, then release it.<\/li>\n<li><strong>Delete ECS instance<\/strong>\n   &#8211; Ensure disk snapshots or additional disks are handled according to your needs.<\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">11. Best Practices<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Architecture best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Prefer load balancers<\/strong> for public ingress, not direct-to-ECS exposure.<\/li>\n<li><strong>Minimize public IP footprint<\/strong>: fewer exposed IPs means fewer assets to protect and less configuration drift.<\/li>\n<li>Use <strong>multi-zone<\/strong> application design (load balancers, multiple ECS instances, managed databases). DDoS protection is not a substitute for HA.<\/li>\n<li>Combine <strong>Anti-DDoS Origin (L3\/L4)<\/strong> with <strong>WAF (L7)<\/strong> for web applications.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">IAM \/ Security best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Enforce <strong>least privilege<\/strong> with RAM:<\/li>\n<li>Separate admin and observer roles.<\/li>\n<li>Use MFA for privileged users.<\/li>\n<li>Use <strong>ActionTrail<\/strong> to audit configuration changes.<\/li>\n<li>Require change management for:<\/li>\n<li>Adding\/removing protected assets<\/li>\n<li>Changing mitigation settings<\/li>\n<li>Altering alerting recipients<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Cost best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Protect <strong>critical<\/strong> endpoints first (payment, login, API gateway).<\/li>\n<li>Consolidate ingress behind a <strong>small set of public IPs<\/strong> (load balancer + domain routing).<\/li>\n<li>Regularly review protected asset inventory for stale IPs.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Performance best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Keep application and infrastructure scalable:<\/li>\n<li>Autoscaling where applicable<\/li>\n<li>Connection limits tuned<\/li>\n<li>Health checks and timeouts set appropriately<\/li>\n<li>Ensure your monitoring distinguishes between:<\/li>\n<li>Flash crowd (legitimate surge)<\/li>\n<li>DDoS (malicious surge)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Reliability best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Maintain a DDoS runbook:<\/li>\n<li>Where to check attack events<\/li>\n<li>Who to contact internally<\/li>\n<li>How to communicate to customers<\/li>\n<li>Define incident severity based on:<\/li>\n<li>Duration<\/li>\n<li>Impacted endpoints<\/li>\n<li>Error budgets\/SLOs<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Operations best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use tags: <code>env=prod<\/code>, <code>app=api<\/code>, <code>owner=platform<\/code>, <code>costcenter=1234<\/code>.<\/li>\n<li>Create dashboards that correlate:<\/li>\n<li>Anti-DDoS events<\/li>\n<li>Load balancer metrics<\/li>\n<li>ECS metrics<\/li>\n<li>Application error rate<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Governance \/ naming best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Naming convention example:<\/li>\n<li><code>addos-origin-prod-core-ingress<\/code><\/li>\n<li><code>addos-origin-staging-api<\/code><\/li>\n<li>Track protected assets in a CMDB or IaC code repository.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">12. Security Considerations<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Identity and access model<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Controlled by <strong>RAM<\/strong>.<\/li>\n<li>Recommended controls:<\/li>\n<li>Dedicated Security admin role<\/li>\n<li>Read-only role for auditors and on-call engineers<\/li>\n<li>MFA on privileged accounts<\/li>\n<li>No shared accounts; individual identities only<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Encryption<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Anti-DDoS Origin primarily addresses network-layer availability. Encryption considerations typically apply to:<\/li>\n<li>Your application traffic (TLS termination on LB or NGINX)<\/li>\n<li>Logs and exports (SLS\/SIEM)<\/li>\n<li>Ensure TLS is configured end-to-end as appropriate. Anti-DDoS does not replace TLS.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Network exposure<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>DDoS protection reduces risk of availability loss, but you must still:<\/li>\n<li>Restrict inbound ports to only what you need<\/li>\n<li>Use Security Groups and Cloud Firewall policies<\/li>\n<li>Avoid exposing SSH\/RDP broadly to the internet<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Secrets handling<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Keep secrets out of user data scripts and public repos.<\/li>\n<li>Use Alibaba Cloud secret management approaches where available (service choice depends on your stack\u2014verify current offerings).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Audit \/ logging<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Enable <strong>ActionTrail<\/strong> for audit logging of configuration changes.<\/li>\n<li>Keep logs long enough for:<\/li>\n<li>Compliance requirements<\/li>\n<li>Post-incident analysis<\/li>\n<li>Ensure alert recipients are maintained and reviewed (on-call rotation changes).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Compliance considerations<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Availability is commonly part of Security frameworks (CIA triad).<\/li>\n<li>For regulated workloads, document:<\/li>\n<li>DDoS control ownership<\/li>\n<li>Monitoring procedures<\/li>\n<li>Incident response plan<\/li>\n<li>Use official Alibaba Cloud compliance documentation for your region (verify applicable certifications and scope).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Common security mistakes<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Assuming DDoS protection replaces <strong>WAF<\/strong> or <strong>Firewall<\/strong> rules.<\/li>\n<li>Leaving <strong>direct-to-ECS<\/strong> services exposed unnecessarily.<\/li>\n<li>No alerting configured; relying only on \u201csomeone will notice\u201d.<\/li>\n<li>Overprotecting non-critical IPs while underprotecting core ingress.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Secure deployment recommendations<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Front web workloads with:<\/li>\n<li>Load balancer + WAF (for L7) + Anti-DDoS Origin (for L3\/L4)<\/li>\n<li>Restrict management access:<\/li>\n<li>SSH only from bastion\/VPN\/IP allowlist<\/li>\n<li>Maintain tested incident playbooks.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">13. Limitations and Gotchas<\/h2>\n\n\n\n<blockquote>\n<p>These are common constraints and operational surprises. Always validate your exact constraints in official docs and in your region.<\/p>\n<\/blockquote>\n\n\n\n<h3 class=\"wp-block-heading\">Known limitations \/ constraints (typical)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Region and asset-type support<\/strong>: not every region or resource type may be supported.<\/li>\n<li><strong>Primarily L3\/L4 focus<\/strong>: application-layer attacks often require WAF\/bot controls.<\/li>\n<li><strong>Capacity matters<\/strong>: if attack volume exceeds purchased mitigation capacity (or upstream constraints), service impact can still occur.<\/li>\n<li><strong>Visibility granularity varies<\/strong>: deep packet\/forensics data may not be available in all tiers.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Quotas (examples to verify)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Maximum number of protected IPs per plan\/instance.<\/li>\n<li>Maximum mitigation capacity you can purchase.<\/li>\n<li>Rate limits on API\/console changes.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Regional constraints<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Product availability and editions differ by region.<\/li>\n<li>Blackhole policies and thresholds can differ due to upstream carriers and infrastructure\u2014verify.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Pricing surprises<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Subscription auto-renewal if enabled.<\/li>\n<li>EIP and bandwidth charges independent of Anti-DDoS Origin.<\/li>\n<li>Additional costs for monitoring\/log retention.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Compatibility issues<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>If your architecture depends on third-party DDoS\/CDN services, confirm how they interact with your Alibaba Cloud ingress.<\/li>\n<li>Some traffic engineering patterns (Anycast, multi-CDN, complex DNS failover) require careful design\u2014verify compatibility.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Operational gotchas<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Not updating alert recipients after team changes.<\/li>\n<li>Not documenting which IPs are protected and why.<\/li>\n<li>Treating every attack alert as a Sev-1 incident (alert fatigue).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Migration challenges<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Moving from direct public IPs to load balancers changes the set of protected assets and may require reconfiguration.<\/li>\n<li>If you reassign EIPs, confirm protection bindings follow the correct IP.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Vendor-specific nuances<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Alibaba Cloud\u2019s DDoS product family includes multiple offerings (Basic, Origin, Proxy). Selecting the wrong one leads to mismatched expectations (proxy vs origin binding).<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">14. Comparison with Alternatives<\/h2>\n\n\n\n<p>Anti-DDoS Origin is one tool in a broader availability and Security strategy. Compare it with nearby Alibaba Cloud services and similar services in other clouds.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Comparison table<\/h3>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Option<\/th>\n<th>Best For<\/th>\n<th>Strengths<\/th>\n<th>Weaknesses<\/th>\n<th>When to Choose<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><strong>Alibaba Cloud Anti-DDoS Origin<\/strong><\/td>\n<td>Protecting Alibaba Cloud public IP assets at L3\/L4<\/td>\n<td>Managed upstream mitigation; binds to origin assets; operational visibility<\/td>\n<td>Not a full L7 security solution; edition\/region constraints<\/td>\n<td>You need DDoS protection for public IPs on Alibaba Cloud workloads<\/td>\n<\/tr>\n<tr>\n<td><strong>Alibaba Cloud Anti-DDoS Basic<\/strong><\/td>\n<td>Baseline protection for many public resources<\/td>\n<td>Often enabled by default; no extra setup (varies)<\/td>\n<td>Lower protection capability; limited controls\/visibility<\/td>\n<td>Small workloads and low-risk endpoints; as baseline for all workloads<\/td>\n<\/tr>\n<tr>\n<td><strong>Alibaba Cloud Anti-DDoS Proxy<\/strong><\/td>\n<td>Proxy-based protection (often for websites\/services where traffic can be routed through proxy)<\/td>\n<td>Can protect via proxying; may add L7 protections depending on offering<\/td>\n<td>Requires traffic redirection (DNS\/IP changes); architectural impact<\/td>\n<td>You need proxy-based scrubbing and can route traffic through proxy endpoints<\/td>\n<\/tr>\n<tr>\n<td><strong>Alibaba Cloud WAF<\/strong><\/td>\n<td>Application-layer security (HTTP\/HTTPS)<\/td>\n<td>L7 protections (OWASP, bots\/rules); virtual patching<\/td>\n<td>Doesn\u2019t replace upstream L3\/L4 DDoS mitigation<\/td>\n<td>You need L7 protection; use with Anti-DDoS Origin for defense-in-depth<\/td>\n<\/tr>\n<tr>\n<td><strong>Alibaba Cloud Cloud Firewall<\/strong><\/td>\n<td>Centralized network access control<\/td>\n<td>Unified policy, segmentation, visibility<\/td>\n<td>Not a DDoS scrubbing service<\/td>\n<td>You need network governance and filtering, not DDoS mitigation<\/td>\n<\/tr>\n<tr>\n<td><strong>AWS Shield (Standard\/Advanced)<\/strong><\/td>\n<td>DDoS protection on AWS<\/td>\n<td>Strong integration with AWS edge and services<\/td>\n<td>AWS-only; pricing differs<\/td>\n<td>Your workloads are on AWS<\/td>\n<\/tr>\n<tr>\n<td><strong>Azure DDoS Protection<\/strong><\/td>\n<td>DDoS protection on Azure VNets<\/td>\n<td>Native Azure integration<\/td>\n<td>Azure-only<\/td>\n<td>Your workloads are on Azure<\/td>\n<\/tr>\n<tr>\n<td><strong>Google Cloud Armor<\/strong><\/td>\n<td>Edge security and WAF + some DDoS defenses<\/td>\n<td>Integrates with Google edge<\/td>\n<td>GCP-only<\/td>\n<td>Your workloads are on GCP<\/td>\n<\/tr>\n<tr>\n<td><strong>Self-managed appliances \/ iptables<\/strong><\/td>\n<td>Small-scale filtering, custom control<\/td>\n<td>Full control; can block some patterns<\/td>\n<td>Not effective for large volumetric attacks; costly to scale<\/td>\n<td>You only need minor filtering or have upstream scrubbing elsewhere<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">15. Real-World Example<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">15.1 Enterprise example (regulated SaaS platform)<\/h3>\n\n\n\n<p><strong>Problem<\/strong>\nA multi-tenant B2B SaaS platform hosts customer portals and APIs on Alibaba Cloud. The platform experienced repeated L4 floods against public API endpoints, causing intermittent timeouts and forcing emergency scaling.<\/p>\n\n\n\n<p><strong>Proposed architecture<\/strong>\n&#8211; Public ingress via a load balancer (single\/few public IPs).\n&#8211; <strong>Anti-DDoS Origin<\/strong> enabled for the load balancer public endpoint (and any other critical public IPs).\n&#8211; WAF in front of web portals (for L7 threats).\n&#8211; CloudMonitor alarms for attack events + SRE dashboards correlating:\n  &#8211; Anti-DDoS events\n  &#8211; LB connections\n  &#8211; API error rates\n&#8211; ActionTrail enabled for audit and change control.<\/p>\n\n\n\n<p><strong>Why Anti-DDoS Origin was chosen<\/strong>\n&#8211; Native alignment with Alibaba Cloud public IP assets.\n&#8211; Upstream L3\/L4 mitigation to reduce impact before the load balancer and ECS fleet.\n&#8211; Centralized visibility suitable for incident postmortems and compliance reporting.<\/p>\n\n\n\n<p><strong>Expected outcomes<\/strong>\n&#8211; Reduced outage frequency during volumetric attacks.\n&#8211; Lower operational overhead during attacks due to clearer event telemetry.\n&#8211; Improved compliance posture by documenting availability controls and auditability.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">15.2 Startup \/ small-team example (gaming backend)<\/h3>\n\n\n\n<p><strong>Problem<\/strong>\nA small game studio runs regional game servers on ECS with EIPs. After release, attackers repeatedly targeted UDP ports to disrupt matches.<\/p>\n\n\n\n<p><strong>Proposed architecture<\/strong>\n&#8211; Keep ECS game servers but reduce exposure:\n  &#8211; Only required UDP\/TCP ports open.\n  &#8211; Add <strong>Anti-DDoS Origin<\/strong> for the EIPs used by game servers (or consolidate behind a front door where feasible).\n&#8211; Establish on-call alerts and a simple runbook.\n&#8211; Add rate limiting and protocol hardening at the application level (not a DDoS solution, but reduces resource exhaustion).<\/p>\n\n\n\n<p><strong>Why Anti-DDoS Origin was chosen<\/strong>\n&#8211; Faster than redesigning to a proxy-based architecture.\n&#8211; Provides upstream mitigation without building custom scrubbing.\n&#8211; Small team benefits from managed Security controls.<\/p>\n\n\n\n<p><strong>Expected outcomes<\/strong>\n&#8211; Higher match availability during floods.\n&#8211; Faster triage using attack event dashboards.\n&#8211; More predictable incident response without deep network expertise.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">16. FAQ<\/h2>\n\n\n\n<p>1) <strong>What does Anti-DDoS Origin protect?<\/strong><br\/>\nIt protects eligible <strong>public IP assets<\/strong> (such as EIPs or public endpoints of supported Alibaba Cloud resources) against DDoS attacks, primarily at Layer 3\/Layer 4. Verify supported asset types and regions in official docs.<\/p>\n\n\n\n<p>2) <strong>Is Anti-DDoS Origin the same as Anti-DDoS Proxy?<\/strong><br\/>\nNo. Anti-DDoS Origin is generally bound to origin IP assets. Anti-DDoS Proxy typically involves routing traffic through proxy addresses (often requiring DNS changes). Choose based on your architecture and requirements.<\/p>\n\n\n\n<p>3) <strong>Does Anti-DDoS Origin stop all DDoS attacks?<\/strong><br\/>\nNo service can guarantee stopping all attacks under all conditions. Effectiveness depends on attack type, scale, purchased capacity, and upstream conditions. Use defense-in-depth.<\/p>\n\n\n\n<p>4) <strong>Will Anti-DDoS Origin protect against application-layer attacks (HTTP floods)?<\/strong><br\/>\nAnti-DDoS Origin is mainly for L3\/L4. Some editions may include additional protections, but for HTTP-layer threats you typically use <strong>WAF<\/strong> and bot mitigation. Verify feature scope by edition.<\/p>\n\n\n\n<p>5) <strong>Do I need to change DNS to use Anti-DDoS Origin?<\/strong><br\/>\nOften, origin-bound protection does not require DNS changes because it protects the IP itself. However, exact onboarding depends on resource type and product mechanics\u2014verify in your region.<\/p>\n\n\n\n<p>6) <strong>Can I protect multiple IPs with one Anti-DDoS Origin plan?<\/strong><br\/>\nMany offerings allow multiple protected assets, but limits vary by plan\/edition. Check your SKU details.<\/p>\n\n\n\n<p>7) <strong>Does Anti-DDoS Origin add latency?<\/strong><br\/>\nAny mitigation system can add some latency during attack conditions. Under normal traffic, impact is typically minimal, but you should measure and set expectations.<\/p>\n\n\n\n<p>8) <strong>How do I know it\u2019s working if I\u2019m not under attack?<\/strong><br\/>\nYou validate configuration (protected asset status), ensure normal traffic works, and verify metrics\/alerts are active. You generally should not simulate real DDoS.<\/p>\n\n\n\n<p>9) <strong>What happens if an attack exceeds my protection capacity?<\/strong><br\/>\nService degradation or blackhole filtering can occur depending on upstream policies and thresholds. Plan capacity based on risk and consider architectural mitigations (CDN, multi-region, etc.).<\/p>\n\n\n\n<p>10) <strong>Does Anti-DDoS Origin replace Security Groups or Cloud Firewall?<\/strong><br\/>\nNo. DDoS protection addresses availability under attack traffic. Security Groups\/Cloud Firewall enforce access policies and segmentation.<\/p>\n\n\n\n<p>11) <strong>How do I grant a SOC team read-only access?<\/strong><br\/>\nCreate a RAM role\/user with read-only permissions for Anti-DDoS and relevant monitoring services. Verify the correct managed policies or create a custom least-privilege policy.<\/p>\n\n\n\n<p>12) <strong>Can I automate Anti-DDoS Origin configuration with IaC?<\/strong><br\/>\nPossibly, depending on available APIs and Terraform provider support. Verify current API support and official provider documentation.<\/p>\n\n\n\n<p>13) <strong>Is Anti-DDoS Origin regional or global?<\/strong><br\/>\nConfiguration is usually regional because IP assets are regional, but protection operates against global internet threats. Always confirm regional support for your assets.<\/p>\n\n\n\n<p>14) <strong>How does Anti-DDoS Origin interact with CDN?<\/strong><br\/>\nCDN can absorb and distribute traffic for web content, while Anti-DDoS Origin protects the underlying public endpoints. For web apps, CDN + WAF + DDoS protection is a common layered approach.<\/p>\n\n\n\n<p>15) <strong>What should I monitor during an attack?<\/strong><br\/>\nMonitor:\n&#8211; Anti-DDoS attack events (start\/stop, peak rates)\n&#8211; Load balancer connection metrics\n&#8211; Application error rate and latency\n&#8211; Backend resource saturation<br\/>\nCorrelate to avoid scaling in response to malicious traffic alone.<\/p>\n\n\n\n<p>16) <strong>Can I use Anti-DDoS Origin for on-prem servers?<\/strong><br\/>\nAnti-DDoS Origin is designed for Alibaba Cloud origin assets. For non-Alibaba assets, proxy-based solutions or third-party scrubbing may be required\u2014verify options.<\/p>\n\n\n\n<p>17) <strong>How quickly can I enable it in an incident?<\/strong><br\/>\nTime-to-enable depends on procurement and binding steps. For critical services, enable it proactively rather than waiting for an incident.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">17. Top Online Resources to Learn Anti-DDoS Origin<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Resource Type<\/th>\n<th>Name<\/th>\n<th>Why It Is Useful<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>Official product page<\/td>\n<td>Alibaba Cloud Anti-DDoS<\/td>\n<td>High-level overview and entry point to documentation: https:\/\/www.alibabacloud.com\/product\/anti-ddos<\/td>\n<\/tr>\n<tr>\n<td>Official documentation<\/td>\n<td>Alibaba Cloud Help Center (Anti-DDoS)<\/td>\n<td>Primary source for capabilities, supported assets, regions, and guides (navigate to Anti-DDoS Origin within): https:\/\/www.alibabacloud.com\/help<\/td>\n<\/tr>\n<tr>\n<td>Official pricing<\/td>\n<td>Alibaba Cloud Pricing<\/td>\n<td>Canonical place to confirm pricing model and SKU differences: https:\/\/www.alibabacloud.com\/pricing<\/td>\n<\/tr>\n<tr>\n<td>Pricing calculator<\/td>\n<td>Alibaba Cloud Pricing Calculator<\/td>\n<td>Estimate total cost including dependent services: https:\/\/www.alibabacloud.com\/pricing\/calculator<\/td>\n<\/tr>\n<tr>\n<td>Console<\/td>\n<td>Alibaba Cloud Console<\/td>\n<td>Validate actual region availability, editions, and configuration workflow: https:\/\/home.console.alibabacloud.com\/<\/td>\n<\/tr>\n<tr>\n<td>Governance<\/td>\n<td>ActionTrail documentation<\/td>\n<td>Audit who changed Anti-DDoS configurations (verify service event coverage): https:\/\/www.alibabacloud.com\/help\/en\/actiontrail<\/td>\n<\/tr>\n<tr>\n<td>Monitoring<\/td>\n<td>CloudMonitor documentation<\/td>\n<td>Alarm setup and operational monitoring patterns: https:\/\/www.alibabacloud.com\/help\/en\/cloudmonitor<\/td>\n<\/tr>\n<tr>\n<td>Application security<\/td>\n<td>WAF documentation<\/td>\n<td>L7 protection to complement Anti-DDoS Origin: https:\/\/www.alibabacloud.com\/help\/en\/web-application-firewall<\/td>\n<\/tr>\n<tr>\n<td>Network policy<\/td>\n<td>Cloud Firewall documentation<\/td>\n<td>Central network policy management: https:\/\/www.alibabacloud.com\/help\/en\/cloud-firewall<\/td>\n<\/tr>\n<tr>\n<td>Community learning<\/td>\n<td>Alibaba Cloud Tech Community<\/td>\n<td>Practical posts and operational tips (validate against official docs): https:\/\/www.alibabacloud.com\/blog<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">18. Training and Certification Providers<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Institute<\/th>\n<th>Suitable Audience<\/th>\n<th>Likely Learning Focus<\/th>\n<th>Mode<\/th>\n<th>Website URL<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>DevOpsSchool.com<\/td>\n<td>DevOps, SRE, Cloud engineers, Security practitioners<\/td>\n<td>Cloud operations, DevSecOps practices, platform labs (verify course catalog)<\/td>\n<td>Check website<\/td>\n<td>https:\/\/www.devopsschool.com\/<\/td>\n<\/tr>\n<tr>\n<td>ScmGalaxy.com<\/td>\n<td>Beginners to intermediate engineers<\/td>\n<td>DevOps fundamentals, tooling, process, and practical labs<\/td>\n<td>Check website<\/td>\n<td>https:\/\/www.scmgalaxy.com\/<\/td>\n<\/tr>\n<tr>\n<td>CLoudOpsNow.in<\/td>\n<td>Cloud operations teams<\/td>\n<td>CloudOps\/SRE operations practices and automation<\/td>\n<td>Check website<\/td>\n<td>https:\/\/www.cloudopsnow.in\/<\/td>\n<\/tr>\n<tr>\n<td>SreSchool.com<\/td>\n<td>SREs, platform engineers<\/td>\n<td>Reliability engineering, monitoring, incident response<\/td>\n<td>Check website<\/td>\n<td>https:\/\/www.sreschool.com\/<\/td>\n<\/tr>\n<tr>\n<td>AiOpsSchool.com<\/td>\n<td>Ops teams adopting AIOps<\/td>\n<td>AIOps concepts, monitoring automation, incident analytics<\/td>\n<td>Check website<\/td>\n<td>https:\/\/www.aiopsschool.com\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">19. Top Trainers<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Platform\/Site<\/th>\n<th>Likely Specialization<\/th>\n<th>Suitable Audience<\/th>\n<th>Website URL<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>RajeshKumar.xyz<\/td>\n<td>DevOps\/cloud training content (verify current offerings)<\/td>\n<td>Engineers looking for practical guidance<\/td>\n<td>https:\/\/rajeshkumar.xyz\/<\/td>\n<\/tr>\n<tr>\n<td>devopstrainer.in<\/td>\n<td>DevOps training programs<\/td>\n<td>Beginners to working professionals<\/td>\n<td>https:\/\/www.devopstrainer.in\/<\/td>\n<\/tr>\n<tr>\n<td>devopsfreelancer.com<\/td>\n<td>Freelance DevOps enablement and training resources<\/td>\n<td>Small teams and startups<\/td>\n<td>https:\/\/www.devopsfreelancer.com\/<\/td>\n<\/tr>\n<tr>\n<td>devopssupport.in<\/td>\n<td>DevOps support\/training resources<\/td>\n<td>Ops\/DevOps teams needing hands-on assistance<\/td>\n<td>https:\/\/www.devopssupport.in\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">20. Top Consulting Companies<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Company<\/th>\n<th>Likely Service Area<\/th>\n<th>Where They May Help<\/th>\n<th>Consulting Use Case Examples<\/th>\n<th>Website URL<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>cotocus.com<\/td>\n<td>Cloud\/DevOps consulting (verify service lines)<\/td>\n<td>Architecture reviews, operations improvements, automation<\/td>\n<td>DDoS readiness assessment, monitoring\/runbook implementation, cloud migration planning<\/td>\n<td>https:\/\/cotocus.com\/<\/td>\n<\/tr>\n<tr>\n<td>DevOpsSchool.com<\/td>\n<td>DevOps and cloud consulting\/training<\/td>\n<td>DevSecOps pipelines, SRE practices, platform enablement<\/td>\n<td>Security controls integration, incident response runbooks, observability rollout<\/td>\n<td>https:\/\/www.devopsschool.com\/<\/td>\n<\/tr>\n<tr>\n<td>DEVOPSCONSULTING.IN<\/td>\n<td>DevOps consulting services<\/td>\n<td>Delivery automation, infrastructure operations<\/td>\n<td>IaC implementation, CI\/CD hardening, production reliability improvements<\/td>\n<td>https:\/\/www.devopsconsulting.in\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">21. Career and Learning Roadmap<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">What to learn before Anti-DDoS Origin<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Networking fundamentals:<\/li>\n<li>IP addressing, TCP\/UDP, ports, NAT<\/li>\n<li>L3 vs L4 vs L7 concepts<\/li>\n<li>DDoS basics:<\/li>\n<li>Volumetric attacks (UDP floods, amplification)<\/li>\n<li>Protocol attacks (SYN floods)<\/li>\n<li>Application-layer floods (HTTP)<\/li>\n<li>Alibaba Cloud essentials:<\/li>\n<li>ECS, VPC, EIP<\/li>\n<li>Load balancers<\/li>\n<li>Security Groups and RAM<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">What to learn after Anti-DDoS Origin<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>WAF<\/strong> tuning (rules, bot mitigation, rate limiting)<\/li>\n<li><strong>Cloud Firewall<\/strong> policy management and segmentation<\/li>\n<li>Observability:<\/li>\n<li>CloudMonitor dashboards and alarms<\/li>\n<li>Central logging and incident workflows<\/li>\n<li>Resilient architectures:<\/li>\n<li>Multi-zone deployments<\/li>\n<li>Disaster recovery planning<\/li>\n<li>Incident management (postmortems, error budgets)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Job roles that use it<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Cloud Security Engineer<\/li>\n<li>SRE \/ Site Reliability Engineer<\/li>\n<li>Cloud\/Platform Engineer<\/li>\n<li>DevOps Engineer<\/li>\n<li>Solutions Architect<\/li>\n<li>Security Operations (SecOps) Analyst (visibility and response)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Certification path (if available)<\/h3>\n\n\n\n<p>Alibaba Cloud certification tracks and names change over time. If you are pursuing Alibaba Cloud certifications:\n&#8211; Start with foundational cloud certifications.\n&#8211; Add Security-focused learning modules that include network Security, WAF, and DDoS fundamentals.<br\/>\n<strong>Verify current Alibaba Cloud certification paths<\/strong> on official Alibaba Cloud training\/certification pages.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Project ideas for practice<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Build a \u201cpublic API reference architecture\u201d:<\/li>\n<li>LB + ECS + WAF + Anti-DDoS Origin + CloudMonitor + ActionTrail<\/li>\n<li>Create an incident runbook repository:<\/li>\n<li>Alert definitions<\/li>\n<li>Triage steps<\/li>\n<li>Communication templates<\/li>\n<li>Implement least-privilege RAM roles for:<\/li>\n<li>Security admin<\/li>\n<li>Operator<\/li>\n<li>Auditor<\/li>\n<li>Cost governance:<\/li>\n<li>Tagging policy and monthly protected asset review<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">22. Glossary<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>DDoS (Distributed Denial of Service):<\/strong> An attack where many sources overwhelm a target with traffic, causing service unavailability.<\/li>\n<li><strong>L3 (Layer 3):<\/strong> Network layer (IP routing).<\/li>\n<li><strong>L4 (Layer 4):<\/strong> Transport layer (TCP\/UDP). Many volumetric and protocol attacks occur here.<\/li>\n<li><strong>L7 (Layer 7):<\/strong> Application layer (HTTP\/HTTPS). Typically handled by WAF and bot controls.<\/li>\n<li><strong>ECS:<\/strong> Elastic Compute Service (Alibaba Cloud virtual machines).<\/li>\n<li><strong>EIP:<\/strong> Elastic IP Address (public IP that can be associated to cloud resources).<\/li>\n<li><strong>Security Group:<\/strong> Virtual firewall rules attached to ECS\/network interfaces controlling inbound\/outbound traffic.<\/li>\n<li><strong>Mitigation\/Scrubbing:<\/strong> Filtering and cleaning malicious traffic so legitimate traffic can pass.<\/li>\n<li><strong>Blackhole filtering:<\/strong> Dropping traffic to an IP entirely when attack volume exceeds certain thresholds, effectively causing downtime.<\/li>\n<li><strong>RAM:<\/strong> Resource Access Management (Alibaba Cloud IAM).<\/li>\n<li><strong>ActionTrail:<\/strong> Service that records API calls and account activity for auditing.<\/li>\n<li><strong>CloudMonitor:<\/strong> Alibaba Cloud monitoring and alerting service.<\/li>\n<li><strong>WAF:<\/strong> Web Application Firewall; protects web applications from L7 threats.<\/li>\n<li><strong>SLO\/SLA:<\/strong> Service Level Objective\/Agreement; uptime and performance targets\/commitments.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">23. Summary<\/h2>\n\n\n\n<p>Alibaba Cloud <strong>Anti-DDoS Origin<\/strong> is a Security service designed to protect <strong>public-facing origin IP assets<\/strong> from DDoS attacks, primarily at <strong>Layer 3\/Layer 4<\/strong>. It matters because DDoS is fundamentally an availability threat, and upstream mitigation is often the difference between a degraded service and a full outage.<\/p>\n\n\n\n<p>In Alibaba Cloud architectures, Anti-DDoS Origin typically sits alongside <strong>Security Groups\/Cloud Firewall<\/strong> (access control) and <strong>WAF<\/strong> (application-layer protection) to form defense-in-depth for internet-facing workloads. Cost is usually driven by <strong>edition<\/strong> and <strong>protection capacity<\/strong> plus the number of <strong>protected assets<\/strong>, and you should always validate region\/SKU pricing in the official pricing pages and console.<\/p>\n\n\n\n<p>Use Anti-DDoS Origin when you run critical public endpoints and need managed DDoS mitigation without redesigning traffic to a proxy. Next, strengthen your overall posture by integrating monitoring (CloudMonitor), auditability (ActionTrail), and layered protections (WAF, firewall policy), and by practicing incident runbooks in staging.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Security<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2,10],"tags":[],"class_list":["post-50","post","type-post","status-publish","format-standard","hentry","category-alibaba-cloud","category-security"],"_links":{"self":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/50","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/comments?post=50"}],"version-history":[{"count":0,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/50\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/media?parent=50"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/categories?post=50"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/tags?post=50"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}