Alibaba Cloud

Alibaba Cloud

GlobalAcceleration
Global Acceleration
User Guide
User Guide

Document Version: 20220627

Document Version: 20220627

Global Accelerat ion User Guide· Legal disclaimer

Legal disclaimer
Alibaba Cloud reminds you t o carefully read and fully underst and t he t erms and condit ions of t his legal
disclaimer before you read or use t his document . If you have read or used t his document , it shall be deemed
as your t ot al accept ance of t his legal disclaimer.

1. You shall download and obt ain t his document from t he Alibaba Cloud websit e or ot her Alibaba Cloud-
aut horized channels, and use t his document for your own legal business act ivit ies only. The cont ent of
t his document is considered confident ial informat ion of Alibaba Cloud. You shall st rict ly abide by t he
confident ialit y obligat ions. No part of t his document shall be disclosed or provided t o any t hird part y for
use wit hout t he prior writ t en consent of Alibaba Cloud.

2. No part of t his document shall be excerpt ed, t ranslat ed, reproduced, t ransmit t ed, or disseminat ed by
any organizat ion, company or individual in any form or by any means wit hout t he prior writ t en consent of
Alibaba Cloud.

3. The cont ent of t his document may be changed because of product version upgrade, adjust ment , or
ot her reasons. Alibaba Cloud reserves t he right t o modify t he cont ent of t his document wit hout not ice
and an updat ed version of t his document will be released t hrough Alibaba Cloud-aut horized channels
from t ime t o t ime. You should pay at t ent ion t o t he version changes of t his document as t hey occur and
download and obt ain t he most up-t o-dat e version of t his document from Alibaba Cloud-aut horized
channels.

4. This document serves only as a reference guide for your use of Alibaba Cloud product s and services.
Alibaba Cloud provides t his document based on t he "st at us quo", "being defect ive", and "exist ing
funct ions" of it s product s and services. Alibaba Cloud makes every effort t o provide relevant operat ional
guidance based on exist ing t echnologies. However, Alibaba Cloud hereby makes a clear st at ement t hat
it in no way guarant ees t he accuracy, int egrit y, applicabilit y, and reliabilit y of t he cont ent of t his
document , eit her explicit ly or implicit ly. Alibaba Cloud shall not t ake legal responsibilit y for any errors or
lost profit s incurred by any organizat ion, company, or individual arising from download, use, or t rust in
t his document . Alibaba Cloud shall not , under any circumst ances, t ake responsibilit y for any indirect ,
consequent ial, punit ive, cont ingent , special, or punit ive damages, including lost profit s arising from t he
use or t rust in t his document (even if Alibaba Cloud has been not ified of t he possibilit y of such a loss).

5. By law, all t he cont ent s in Alibaba Cloud document s, including but not limit ed t o pict ures, archit ect ure
design, page layout , and t ext descript ion, are int ellect ual propert y of Alibaba Cloud and/or it s
affiliat es. This int ellect ual propert y includes, but is not limit ed t o, t rademark right s, pat ent right s,
copyright s, and t rade secret s. No part of t his document shall be used, modified, reproduced, publicly
t ransmit t ed, changed, disseminat ed, dist ribut ed, or published wit hout t he prior writ t en consent of
Alibaba Cloud and/or it s affiliat es. The names owned by Alibaba Cloud shall not be used, published, or
reproduced for market ing, advert ising, promot ion, or ot her purposes wit hout t he prior writ t en consent of
Alibaba Cloud. The names owned by Alibaba Cloud include, but are not limit ed t o, "Alibaba Cloud",
"Aliyun", "HiChina", and ot her brands of Alibaba Cloud and/or it s affiliat es, which appear separat ely or in
combinat ion, as well as t he auxiliary signs and pat t erns of t he preceding brands, or anyt hing similar t o
t he company names, t rade names, t rademarks, product or service names, domain names, pat t erns,
logos, marks, signs, or special descript ions t hat t hird part ies ident ify as Alibaba Cloud and/or it s
affiliat es.

6. Please direct ly cont act Alibaba Cloud for any errors of t his document .

> Document Version: 20220627 I

Global Accelerat ion User Guide· Document convent ions

Document conventions
St yle Descript io n Example

A danger notice indicates a situation that Danger:

Danger will cause major system changes, faults,
Resetting will result in the loss of user
physical injuries, and other adverse
configuration data.
results.

A warning notice indicates a situation
W arning that may cause major system changes,
faults, physical injuries, and other adverse
results.
W arning:
Restarting will cause business
interruption. About 10 minutes are
required to restart an instance.

A caution notice indicates warning No t ice:

No t ice information, supplementary instructions,
If the weight is set to 0, the server no
and other content that the user must
longer receives new requests.
understand.

A note indicates supplemental No t e:

No t e instructions, best practices, tips, and
You can use Ctrl + A to select all files.
other content.

Closing angle brackets are used to Click Set t ings > Net w o rk > Set net w o rk
>
indicate a multi-level menu cascade. t ype .

Bold formatting is used for buttons ,

Bo ld menus, page names, and other UI Click OK .
elements.

Run the cd /d C:/window command to

Courier font Courier font is used for commands
enter the Windows system folder.

bae log list --instanceid

Italic formatting is used for parameters
Italic
and variables.
Instance_ID

T his format is used for an optional value,

[] or [a|b] ipconfig [-all|-t]
where only one item can be selected.

T his format is used for a required value,

{} or {a|b} switch {active|stand}
where only one item can be selected.

> Document Version: 20220627 I

Global Accelerat ion User Guide· Table of Cont ent s

Table of Contents
1.Global Accelerator instances 06

1.1. Overview 06

1.2. Create and manage GA instances 08

2.Basic bandwidth plans 11

2.1. Overview 11

2.2. Purchase and manage basic bandwidth plans 12

3.Acceleration areas 16

3.1. Overview 16

3.2. Add and manage acceleration areas 19

3.3. Modify the bandwidth value of an acceleration area 21

3.4. Delete an acceleration area 21

4.Listeners 23

4.1. Listener overview 23

4.2. Add and manage listeners 25

4.3. Associate and manage certificates 33

4.4. T LS security policies 36

5.Endpoint groups and endpoints 42

5.1. Overview 42

5.2. Distribute traffic across endpoint groups in different scenarios

… 44

5.3. Create and manage endpoint groups 56

5.4. Create and manage forwarding rules 64

5.5. Enable and manage health checks 67

5.6. Examples on how to configure the traffic distribution feature

… for multiple
72 endp

6.Access control 79

7.Log management 84

7.1. Query operations logs 84

> Document Version: 20220627 I

User Guide· Table of Cont ent s Global Accelerat ion

7.2. Work with access logs 84

8.Manage quotas 90

9.Permission management 91

9.1. Service-linked role 91

9.1.1. AliyunServiceRoleForGaVpcEndpoint 91

9.1.2. AliyunServiceRoleForGaFlowlog 94

9.1.3. AliyunServiceRoleForGaAlb 95

9.1.4. AliyunServiceRoleForGaOss 98

9.2. Grant permissions to a RAM user 100

II > Document Version: 20220627

 User Guide· Global Accelerat or inst a
Global Accelerat ion
nces

1.Global Accelerator instances

1.1. Overview
Each Global Accelerat or (GA) inst ance is an accelerat ion service t hat runs on a global scale. GA provides
mult iple inst ance specificat ions. Each inst ance specificat ion provides different accelerat ion capabilit ies
t o meet your requirement s in different scenarios.

When you creat e a GA inst ance, you must select t he t ype of accelerat ed IP address based on t he
access mode t hat is required by your business. T he following t ypes of accelerat ed IP addresses are
support ed: Elast ic IP Address (EIP) and Anycast EIP. Aft er you creat e a GA inst ance, you must purchase a
bandwidt h plan, and add an accelerat ion area and list eners. You must add an accelerat ion area if you
select EIP as t he t ype of accelerat ed IP address.

Client s can connect t o t he nearest access point of t he Alibaba Cloud global t ransmission net work by
sending request s t o t he accelerat ed IP address or t he CNAME. GA t hen aut omat ically select s rout es t o
dist ribut e client request s t o t he opt imal endpoint s. T his helps avoid net work congest ion and reduce
net work lat ency.
You can specify Elast ic Comput e Service (ECS) inst ances, Classic Load Balancer (CLB) inst ances,
Applicat ion Load Balancer (ALB) inst ances, Object St orage Service (OSS) bucket s, Alibaba Cloud public IP
addresses, cust om IP addresses of origin servers, or cust om domain names of origin servers as t he
endpoint s of GA.

Types of GA instances

T ype Scenario

You can use basic GA instances to accelerate content delivery at Layer 3 (IP
protocols). T o implement the acceleration, you need to only specify an
Basic
acceleration area and an endpoint group. For more information, see Use basic GA
instances to accelerate content delivery.

> Document Version: 20220627 6

User Guide· Global Accelerat or inst a
Global Accelerat ion
nces

T ype Scenario

You can use standard GA instances to accelerate content delivery at Layer 4 (T CP

Standard
and UDP protocols) and Layer 7 (HT T P and HT T PS protocols).

Types of accelerate IP addresses

You can select t he t ype of accelerat ed IP address based on t he access mode t hat is required by your
business.

Not e
By default , you cannot specify Anycast EIPs as accelerat ed IP addresses. If you want t o use
Anycast EIPs, submit a t icket .
If you use Anycast EIPs, t he GA inst ances and basic bandwidt h plans must meet t he
following requirement s:
GA inst ances: You must select st andard GA inst ances whose specificat ions are Large
Ⅰ or higher.
Basic bandwidt h plans: You must select pay-by-dat a-t ransfer basic bandwidt h plans
whose bandwidt h t ypes are Premium. By default , you cannot use pay-by-dat a-
t ransfer basic bandwidt h plans. If you want t o use pay-by-dat a-t ransfer basic
bandwidt h plans, submit a t icket .

Specifications of GA instances
GA provides t he following inst ance specificat ions: Small Ⅰ, Small Ⅱ, Small Ⅲ, Medium Ⅰ, Medium Ⅱ,
Medium Ⅲ, Large Ⅰ, Large Ⅱ, Large Ⅲ, Large Ⅳ, Large Ⅴ, Large Ⅵ, Large Ⅶ, Large Ⅷ, Super Large Ⅰ,
and Super Large Ⅱ. GA inst ances of different specificat ions provide different accelerat ion capabilit ies,
as shown in t he following t able.

Not e
T he unit price varies based on GA inst ance specificat ions.T he unit price on t he buy page shall
prevail.
By default , t he Large Ⅲ specificat ion and higher specificat ions are not available. T o use
t hese specificat ions, submit a t icket .

Number of Maximum number

Unit
Specification acceleration Bandwidth limit of concurrent
price(USD/month)
regions connections

Small Ⅰ 1 20 Mbps 5,000 150

Small Ⅱ 2 40 Mbps 10,000 300

Small Ⅲ 3 60 Mbps 15,000 450

Medium Ⅰ 5 100 Mbps 25,000 750

7 > Document Version: 20220627

 User Guide· Global Accelerat or inst a
Global Accelerat ion
nces

Number of Maximum number

Unit
Specification acceleration Bandwidth limit of concurrent
price(USD/month)
regions connections

Medium Ⅱ 8 160 Mbps 40,000 1200

Medium Ⅲ 10 200 Mbps 50,000 1500

Large Ⅰ 400 Mbps 100,000 3000

Large Ⅱ 600 Mbps 150,000 4500

Large Ⅲ All regions 800 Mbps 200,000 6000

For more
Large Ⅳ 1 Gbps 250,000 7500
information about
the acceleration
Large Ⅴ 1.2 Gbps 300,000 9000
areas and Alibaba
Cloud regions that
Large Ⅵ 1.4 Gbps 350,000 10500
are supported by
GA, see
Large Ⅶ 1.6 Gbps 400,000 12000
Acceleration areas
and regions.
Large Ⅷ 1.8 Gbps 450,000 13500

Super Large Ⅰ 2 Gbps 500,000 15000

Super Large Ⅱ 4 Gbps 1,000,000 30000

Specification changes
If you want t o change t he specificat ion of an exist ing GA inst ance, t ake not e of t he following it ems:
You can only upgrade GA inst ances. T he downgrade operat ion is not support ed by default . If you
want t o downgrade GA inst ances, submit a t icket .
You cannot change t he specificat ion of a GA inst ance if t he accelerat ion region or t he region where
t he endpoint group is deployed is a point of presence (PoP) node of Alibaba Cloud. For more
informat ion, see Modify t he specificat ion of a GA inst ance.

1.2. Create and manage GA instances

Global Accelerat ion (GA) is a global net work accelerat ion service t hat feat ures high availabilit y and high
performance. T his t opic describes how t o creat e and manage a GA inst ance.

Create a GA instance
Before you use GA, you must creat e a GA inst ance.

1.
2. On t he Inst ances page, click Creat e Inst ance .
3. On t he buy page, set t he following paramet ers of t he inst ance, click Buy Now , and t hen complet e
t he payment .

> Document Version: 20220627 8

User Guide· Global Accelerat or inst a
Global Accelerat ion
nces

Parameter Description

Select a type of GA instance.

Basic : You can use basic GA instances to accelerate content delivery at Layer 3
(IP protocols). T o implement the acceleration, you need only to specify an
T ype acceleration area and an endpoint group. For more information, see Use basic
GA instances to accelerate content delivery.
St andard : You can use standard GA instances to accelerate content delivery at
Layer 4 (T CP and UDP protocols) and Layer 7 (HT T P and HT T PS protocols).

Select the type of accelerated IP address.

EIP (default): If you select EIP, the custom access mode is used. You can select
an access point based on your business requirements. Each access point
provides a separate EIP.
Anycast EIP : If you select Anycast EIP, the automatic access mode is used. You
Accelerat ed IP do not need to specify an acceleration area. GA provides an Anycast EIP that is
Address T ype shared among multiple regions across the globe.

No t e You can select Anycast EIP only if you set T ype to St andard
and Specif icat io n to Large Ⅰ.

For more information, see Accelerated IP address.

Select a specification for the GA instance. You can select a specification for the GA
instance only if you set T ype to St andard .

GA provides the following instance specifications: Small Ⅰ (Specif icat io ns

Specif icat io n Unit ) , Small Ⅱ, Small Ⅲ, Medium Ⅰ, Medium Ⅱ, Medium Ⅲ, Large Ⅰ, Large
Ⅱ, Large Ⅲ, Large IV , Large V , Large V I, Large V II, Large V III, Super Large
Ⅰ, and Super Large Ⅱ. GA instances of different specifications provide different
acceleration capabilities. For more information, see Specifications of GA instances.

Inst ance By default, Inst ance is selected.

Subscript io n
Select a subscription duration for the GA instance.
Durat io n

Change the specification of a GA instance

You can change t he specificat ions of st andard GA inst ances. You can only upgrade t he specificat ion of
a GA inst ance. T o downgrade a GA inst ance, you must apply for t his feat ure t o be enabled on your
account . T o enable t his feat ure, submit a t icket .

1.
2. On t he Inst ances page, find t he GA inst ance t hat you want t o manage and click Upgrade in t he
Act ions column.
3. In t he Upgrade message, confirm t he informat ion and click OK.

9 > Document Version: 20220627

 User Guide· Global Accelerat or inst a
Global Accelerat ion
nces

Not e New endpoint group IP addresses may be creat ed aft er you change t he
specificat ion of a GA inst ance. T he number of newly creat ed endpoint group IP addresses
depends on t he GA inst ance specificat ion. You can go t o t he console t o view t he act ual
number. Make sure t hat t he newly added endpoint group IP addresses are available.

4. On t he Upgrade/Downgrade page, set t he paramet ers, select global accelerat or T erms of

Service , and t hen click Buy Now t o complet e t he payment .

For more informat ion about t he accelerat ion capabilit ies provided by different specificat ions, see
Specifications of GA instances.

> Document Version: 20220627 10

User Guide· Basic bandwidt h plans Global Accelerat ion

2.Basic bandwidth plans

2.1. Overview
A basic bandwidt h plan provides bandwidt h for dat a t ransfer over t he Int ernet and wit hin int ernal
net works of Alibaba Cloud. However, basic bandwidt h plans are not applicable t o dat a t ransfer
bet ween t he Chinese mainland and areas out side t he Chinese mainland. A basic bandwidt h plan is
required if you want t o accelerat e dat a t ransfer wit hin t he Chinese mainland, or bet ween t he Chinese
mainland and ot her areas.

Bandwidth types
T he following t ypes of basic bandwidt h plans are support ed: basic, enhanced, and premium. T he
following t able shows t hat t he accelerat ion t ype, accelerat ed backend service, and accelerat ion scope
of a basic bandwidt h plan vary based on t he bandwidt h t ype.

Bandwidth
Acceleration type Accelerated backend service Acceleration scope
type

Public IP addresses
provided by Alibaba Cloud
Elastic Compute Service
(ECS) By default, the acceleration
Applications that are region and the region where
Classic Load Balancer (CLB)
Basic deployed on Alibaba the backend service is
(formerly known as SLB)
Cloud deployed are located in the
Application Load Balancer Chinese mainland.
(ALB)
Object Storage Service
(OSS)

Public IP addresses
provided by Alibaba Cloud
Applications that
ECS By default, the acceleration
are deployed on
Alibaba Cloud CLB (formerly known as SLB) region and the region where
Enhanced the backend service is
Applications that ALB
deployed are located in the
are not deployed OSS Chinese mainland.
on Alibaba Cloud
Custom IP addresses
Custom domain names

11 > Document Version: 20220627

Global Accelerat ion User Guide· Basic bandwidt h plans

Bandwidth
Acceleration type Accelerated backend service Acceleration scope
type

Public IP addresses By default, the acceleration

provided by Alibaba Cloud region and the region where
the backend service is
Applications that ECS deployed are located in the
are deployed on
CLB (formerly known as SLB) areas outside the Chinese
Alibaba Cloud
Premium ALB mainland. If you want to
Applications that accelerate data transfer
are not deployed OSS
between the Chinese mainland
on Alibaba Cloud Custom IP addresses and other areas, you must
Custom domain names select China (Hong Kong) as
the acceleration region.

Not e
You can specify ECS, CLB, and ALB inst ances as endpoint s only if your Alibaba Cloud account
is included in t he whit elist . If you want t o specify ECS, CLB, or ALB inst ances as endpoint s for
your GA inst ances, submit a t icket t o upgrade t he GA inst ances.
If you want t o specify ECS inst ances or CLB inst ances as endpoint s, make sure t hat t he
inst ances are deployed in virt ual privat e clouds (VPCs).
T he IP addresses of endpoint groups associat ed wit h each GA inst ance must be globally
unique and not conflict wit h t hose of ot her GA inst ances.

Purchase a basic bandwidth plan

T o purchase a basic bandwidt h plan, go t o t he buy page.

2.2. Purchase and manage basic

bandwidth plans
A basic bandwidt h plan provides bandwidt h for dat a t ransfer over t he Int ernet and wit hin Alibaba
Cloud. T his t opic describes how t o purchase and manage basic bandwidt h plans.

Purchase a basic bandwidth plan

1.
2. On t he Inst ances page, click Purchase Basic Bandwidt h Plan.
3. On t he buy page, set t he following paramet ers, click Buy Now , and t hen complet e t he payment .

Parameter Description

Select a bandwidth type for the basic bandwidth plan.

Bandw idt h
T he following types of basic bandwidth plans are supported: basic, enhanced,
T ype
and premium.

> Document Version: 20220627 12

User Guide· Basic bandwidt h plans Global Accelerat ion

Parameter Description

Peak
Select the bandwidth limit of the basic bandwidth plan.
Bandw idt h

Durat io n Select a subscription duration of the basic bandwidth plan.

Associate a basic bandwidth plan

Aft er you purchase a basic bandwidt h plan, you must associat e t he bandwidt h plan wit h a Global
Accelerat or (GA) inst ance. You can allocat e bandwidt h t o an accelerat ion region only aft er you
associat e t he basic bandwidt h plan wit h a GA inst ance.

Each GA inst ance can be associat ed only wit h one basic bandwidt h plan.

Make sure t hat a GA inst ance and a basic bandwidt h plan are purchased before you associat e t he basic
bandwidt h plan wit h a GA inst ance. For more informat ion, see Create and manage GA instances and
Purchase a basic bandwidt h plan.

1.
2. On t he Inst ances page, find t he GA inst ance t hat you want t o manage and click it s ID.
3. On t he page t hat appears, click t he Bandwidt h Manage t ab.
4. In t he Basic Bandwidt h Plan sect ion, find t he basic bandwidt h plan t hat you want t o manage
and click Bind in t he Act ions column.
Aft er t he basic bandwidt h plan is associat ed wit h t he GA inst ance, t he basic bandwidt h plan
changes t o t he In Use st at e.

Replace a basic bandwidth plan

You can replace a basic bandwidt h plan t hat is associat ed wit h a GA inst ance. T his allows you t o use
t he basic bandwidt h plan t hat meet s your requirement s. T he GA inst ance cont inues t o forward net work
t raffic when you replace t he basic bandwidt h plan.

Aft er you replace t he original basic bandwidt h plan wit h t he required bandwidt h plan, t he original one
is disassociat ed from t he GA inst ance and t he required one is associat ed wit h t he GA inst ance.

Make sure t hat t he required basic bandwidt h plan is purchased. T he bandwidt h provided by t he basic
bandwidt h plan is equal t o or more t han t he t ot al bandwidt h t hat is allocat ed t o t he specified
accelerat ion area. For more informat ion, see Purchase a basic bandwidt h plan.

1.
2. On t he Inst ances page, find t he GA inst ance t hat you want t o manage and click it s ID.
3. On t he page t hat appears, click t he Bandwidt h Manage t ab.
4. In t he Basic Bandwidt h Plan sect ion, find t he basic bandwidt h plan t hat you want t o replace and
click Replace in t he Act ions column.
5. In t he Replace Basic Bandwidt h Plan dialog box, select t he basic bandwidt h plan t hat you want
t o use and click OK.
You can only select a basic bandwidt h plan t hat is in t he Act ive st at e.

Disassociate a basic bandwidth plan

13 > Document Version: 20220627

Global Accelerat ion User Guide· Basic bandwidt h plans

You can disassociat e a basic bandwidt h plan from a GA inst ance. If your GA inst ance is associat ed wit h a
basic bandwidt h plan, you must disassociat e t he bandwidt h plan before you can associat e t he GA
inst ance wit h anot her basic bandwidt h plan.

Make sure t hat no accelerat ion areas and list eners are configured for t he GA inst ance from which you
want t o disassociat e t he basic bandwidt h plan. Before you disassociat e t he basic bandwidt h plan,
delet e all t he accelerat ion areas and list eners t hat are configured. For more informat ion, see Delete an
acceleration area and Delete a listener.

1.
2. On t he Inst ances page, find t he GA inst ance t hat you want t o manage and click it s ID.
3. On t he page t hat appears, click t he Bandwidt h Manage t ab.
4. In t he Basic Bandwidt h Package sect ion, find t he bandwidt h plan, and click Unbind in t he
Act ions column.
5. In t he Unbind Bandwidt h Plan message, click OK.

Change specifications
You can modify t he bandwidt h limit of a basic bandwidt h plan. T he modificat ion immediat ely t akes
effect .

Before you change t he specificat ion of a basic bandwidt h plan, t ake not e of t he following informat ion:

You can only upgrade a basic bandwidt h plan. T o downgrade a basic bandwidt h plan, make sure t hat
your account is included in t he whit elist . T o enable t his feat ure, submit a t icket .
T o downgrade a basic bandwidt h plan, make sure t hat t he t ot al allocat ed bandwidt h across all
accelerat ion regions is no more t han t he bandwidt h limit of t he downgraded plan.
When you upgrade or downgrade a basic bandwidt h plan, make sure t hat t he bandwidt h limit of t he
upgraded or downgraded basic bandwidt h plan does not exceed t he bandwidt h limit t hat is
support ed by t he current GA inst ance. For more informat ion about GA inst ance t ypes, see Overview.

1.
2. On t he Inst ances page, find t he GA inst ance t hat you want t o manage and click it s ID.
3. On t he page t hat appears, click t he Bandwidt h Manage t ab.
4. In t he Basic Bandwidt h Plan sect ion, find t he basic bandwidt h plan t hat you want t o manage
and click Change Conf igurat ions in t he Bandwidt h Limit column.
5. On t he Upgrade/Downgrade page, change t he bandwidt h limit of t he basic bandwidt h plan,
select global accelerat or bandwidt h package T erms of Service , and t hen click Buy Now t o
complet e t he payment .

Not e You can only change t he bandwidt h t ype of a basic bandwidt h plan from basic t o
enhanced. You cannot change t he enhanced bandwidt h t ype and premium bandwidt h t ype t o
ot her bandwidt h t ypes.

References
Creat eBandwidt hPackage: You can call t his operat ion t o creat e a bandwidt h plan.
Bandwidt hPackageAddAccelerat or: You can call t his operat ion t o associat e a bandwidt h plan wit h a
GA inst ance.
ReplaceBandwidt hPackage: You can call t his operat ion t o replace a bandwidt h plan.

> Document Version: 20220627 14

User Guide· Basic bandwidt h plans Global Accelerat ion

Bandwidt hPackageRemoveAccelerat or: You can call t his operat ion t o disassociat e a bandwidt h plan
from a GA inst ance.
Updat eBandwidt hPackage: You can call t his operat ion t o modify t he configurat ions of a bandwidt h
plan.

15 > Document Version: 20220627

Global Accelerat ion User Guide· Accelerat ion areas

3.Acceleration areas
3.1. Overview
An accelerat ion area is t he area t hat requires accelerat ed access t o your service. T he access mode t hat
is required by your business det ermines whet her you need t o specify an accelerat ion area.

An accelerat ion area is a collect ion of Alibaba Cloud regions. Each accelerat ion area cont ains one or
more Alibaba Cloud regions. When you creat e a Global Accelerat or (GA) inst ance, you must select t he
t ype of accelerat ed IP address based on t he access mode t hat is required by your business. T he
following t ypes of accelerat ed IP addresses are support ed: Elast ic IP Address (EIP) and Anycast EIP. T he
t ype of accelerat ed IP address t hat you select det ermines whet her you need t o specify an accelerat ion
area.

Accelerated IP address
Client s can connect t o t he nearest access point of t he Alibaba Cloud global t ransmission net work by
sending request s t o t he accelerat ed IP address.

Types of accelerated IP addresses

Supported
T ype Description Feature Scenario
access point

> Document Version: 20220627 16

User Guide· Accelerat ion areas Global Accelerat ion

Supported
T ype Description Feature Scenario
access point

Advantages: Different
accelerated IP
addresses are provided You can use EIPs
for clients after the to accelerate
For more client requests are applications
T he cust o m access
information resolved by using the whose users are
mo de is used. Y o u Alibaba Cloud DNS
about the located in
must specif y an service.
acceleration specific regions.
accelerat io n area.
areas and Disadvantages: T he T his provides a
You can select an Alibaba Cloud configuration and consistent
EIP
acceleration area and regions that are maintenance are experience for
region based on your supported by complex. You need to users that use
business requirements. GA GA, see specify acceleration the acceleration
allocates a separate EIP to Acceleration areas and allocate service.
each acceleration region. areas and bandwidth based on Example: SaaS
regions. your business applications and
requirements. Static IP live streaming
addresses cannot be applications.
used to provide
services.

T he acceleration Advantages: You do

service is not need to specify
dependent on acceleration areas and
the access regions. Clients can Anycast EIPs are
points that are automatically connect suitable for
supported by to the nearest access applications
Anycast EIP. You point, which greatly that use the
T he aut o mat ic access
can use Anycast reduces O&M same static IP
mo de is used. Y o u do
EIPs to workloads. If you need address to
no t need t o specif y an
accelerate to add or delete provide services
accelerat io n area.
content delivery acceleration regions to and do not have
You do not need to for clients meet business requirements on
specify an acceleration outside the requirements, or if an the regions
Anyc area. GA allocates an Chinese acceleration region is where the
ast Anycast EIP to multiple mainland. T o abnormal, the clients are
EIP regions across the globe. accelerate accelerated IP address located.
Users can connect to the content delivery remains unchanged. Example: online
nearest access point of for clients in the You do not need to multiplayer
the Alibaba Cloud global Chinese modify the business games that use
transmission network by mainland by system. a global server
sending requests to the using Anycast architecture,
Disadvantages: Clients
Anycast EIP. EIPs, you must cross-border e-
can connect only to
specify China commerce
access points that are
(Hong Kong) as applications,
supported by Anycast
the acceleration and web
EIPs. T he quality of
region. For more applications.
acceleration service
information, see
depends on the Internet
Access point
Service Provider (ISP).
locations.

17 > Document Version: 20220627

Global Accelerat ion User Guide· Accelerat ion areas

Not e
By default , you cannot specify Anycast EIPs as accelerat ed IP addresses. If you want t o use
Anycast EIPs, submit a t icket .
If you use Anycast EIPs, t he GA inst ances and basic bandwidt h plans must meet t he
following requirement s:
GA inst ances: You must select st andard GA inst ances whose specificat ions are Large
Ⅰ or higher.
Basic bandwidt h plans: You must select pay-by-dat a-t ransfer basic bandwidt h plans
whose bandwidt h t ypes are Premium. By default , you cannot use pay-by-dat a-
t ransfer basic bandwidt h plans. If you want t o use pay-by-dat a-t ransfer basic
bandwidt h plans, submit a t icket .

IP protocols of accelerated IP addresses

You can specify an accelerat ion area and select t he IP prot ocol of t he accelerat ed IP address only if you
select EIP as t he t ype of accelerat ed IP address. If you select Anycast EIP as t he t ype of accelerat ed IP
address, only IPv4 is support ed.

Aft er you add an accelerat ion area, GA assigns an accelerat ed IP address t o each accelerat ion region in
t he accelerat ion area based on t he IP prot ocol t hat you select . Client s can connect t o t he nearest
access point of t he Alibaba Cloud global t ransmission net work by sending request s t o t he accelerat ed
IP address.

You can select one of t he following IP prot ocols:

IPv4 : assigns an accelerat ed IPv4 address. T he accelerat ed IPv4 address is used t o accelerat e IPv4
services for IPv4 client s.
IPv6 : assigns an accelerat ed IPv6 address. T he accelerat ed IPv6 address is used t o accelerat e IPv4
services for IPv6 client s.

Not e
Only IPv6 client s in t he following regions can connect t o GA: China (Qingdao), China
(Beijing), China (Hangzhou), China (Shanghai), China (Shenzhen), China (Heyuan), China
(Guangzhou), China (Chengdu), China (Hong Kong), Singapore (Singapore), US (Virginia),
and Germany (Frankfurt ).
In t he same accelerat ion region of a GA inst ance, you can select one of t he following IP
address prot ocols: IPv4 or IPv6.

Acceleration areas and regions

Not e By default , t he following accelerat ion regions are unavailable: China (Heyuan), China
(Nanjing), Brazil (Sao Paulo), T hailand (Bangkok), Viet nam (Ho Chi Minh), and UAS (Dubai). If you want
t o specify t he preceding regions, submit a t icket .

3.2. Add and manage acceleration

> Document Version: 20220627 18
User Guide· Accelerat ion areas Global Accelerat ion

3.2. Add and manage acceleration

areas
Aft er you creat e a Global Accelerat or (GA) inst ance, you must add an accelerat ion area. An accelerat ion
area is t he area t hat requires accelerat ed access t o your service.

Background information
If you specify EIP as t he t ype of accelerat ed IP address, you must specify an accelerat ion area for a GA
inst ance. If you specify Anycast EIP as t he t ype of accelerat ed IP address, you do not need t o specify
an accelerat ion area for a GA inst ance.

For more informat ion about t he t ypes of accelerat ed IP addresses, see Accelerat ed IP address.
For more informat ion about how t o add accelerat ion areas for basic GA inst ances, see Use basic GA
inst ances t o accelerat e cont ent delivery.

Prerequisites
A GA inst ance is creat ed. For more informat ion, see Creat e and manage GA inst ances.
A basic bandwidt h plan is purchased and associat ed wit h t he GA inst ance. For more informat ion, see
Purchase and manage basic bandwidt h plans.

Add an acceleration area

1.
2. On t he Inst ances page, find t he GA inst ance t hat you want t o manage and click it s ID.
3. On t he inst ance det ails page, click t he Accelerat ion Areas t ab, select t he area t hat requires
accelerat ion, and t hen click Add Region.
4. In t he Add Accelerat ion Area dialog box, specify t he following accelerat ion area informat ion
and click OK.

Parameter Description

Select the region that requires acceleration. For more information about
Regio n acceleration areas and acceleration regions, see Acceleration areas and
regions.

19 > Document Version: 20220627

Global Accelerat ion User Guide· Accelerat ion areas

Parameter Description

Allocate bandwidth to the region. Unit: Mbit/s.

No t e
You must allocate at least 2 Mbit/s of bandwidth to each
acceleration region.
T he sum of bandwidth for all regions cannot exceed the
bandwidth limit of the basic bandwidth plan that is associated
with the GA instance.

Bandw idt h For example, if the bandwidth limit of your basic bandwidth plan
is 10 Mbit/s and you have allocated 6 Mbit/s to the China
(Qingdao) region, the available bandwidth that you can allocate
is 4 Mbit/s.

If you associate a pay-as-you-go basic bandwidth plan with a GA

instance, you do not need to specify the bandwidth. By default,
the bandwidth allocated to each acceleration region is the same
as the bandwidth limit of the pay-as-you-go basic bandwidth
plan.

Select the Internet protocol that is used by to connect to GA.

IPv4 : assigns an accelerated IPv4 address. T he accelerated IPv4 address is
used to accelerate IPv4 services for IPv4 clients.
IPv6 : assigns an accelerated IPv6 address. T he accelerated IPv6 address is
used to accelerate IPv4 services for IPv6 clients.

No t e
Int ernet Pro t o co l Only IPv6 clients in the following regions can connect to GA:
China (Qingdao), China (Beijing), China (Hangzhou), China
(Shanghai), China (Shenzhen), China (Heyuan), China
(Guangzhou), China (Chengdu), China (Hong Kong), Singapore
(Singapore), US (Virginia), and Germany (Frankfurt).
In the same acceleration region of a GA instance, you can
select one of the following IP address protocols: IPv4 or IPv6.

You can click Add t o add more regions and allocat e bandwidt h.

Not e T he number of regions t hat can be added varies based on t he specificat ion of t he
GA inst ance. For more informat ion about t he number of accelerat ion regions support ed by
each specificat ion , see Overview.

Modify an acceleration area

You can modify t he bandwidt h value of an accelerat ion area.

1.
2. On t he Inst ances page, find t he GA inst ance t hat you want t o manage and click it s ID.

> Document Version: 20220627 20

User Guide· Accelerat ion areas Global Accelerat ion

3. On t he Accelerat ion Areas t ab, click t he t ab of t he accelerat ion area t hat you want t o manage
and click Edit Bandwidt h.
4. In t he Edit Accelerat ion Area dialog box, modify t he bandwidt h value and click OK.

Delete an acceleration area

You can delet e an accelerat ion area. Aft er t he accelerat ion area is delet ed, GA no longer provides
accelerat ion services for t his area.

1.
2. On t he Inst ances page, find t he GA inst ance t hat you want t o manage and click it s ID.
3. On t he Accelerat ion Areas t ab, find t he accelerat ion area t hat you want t o delet e and click
Delet e in t he Act ions column.
4. In t he Delet e Delet e IP Addresses message, click OK.

References
Creat eIpSet s: You can call t his API operat ion t o creat e one or more accelerat ion regions.
Updat eIpSet : You can call t his API operat ion t o modify a specified accelerat ion region in an
accelerat ion area.
Updat eIpSet s: You can call t his API operat ion t o modify mult iple accelerat ion regions in an
accelerat ion area.
Delet eIpSet : You can call t his API operat ion t o delet e an accelerat ion region.
Delet eIpSet s: You can call t his API operat ion t o delet e mult iple accelerat ion regions.

3.3. Modify the bandwidth value of an

acceleration area
T his t opic describes how t o modify t he bandwidt h value of an accelerat ion area.

Procedure
1.
2. On t he Inst ances page, find t he GA inst ance t hat you want t o manage and click it s ID.
3. On t he Accelerat ion Areas t ab, click t he t ab of t he accelerat ion area t hat you want t o manage
and click Edit Bandwidt h.
4. In t he Edit Accelerat ion Area dialog box, modify t he bandwidt h value, and click OK.

Related information
Updat eIpSet
Updat eIpSet s

3.4. Delete an acceleration area

T his t opic describes how t o delet e an accelerat ion area. Aft er t he accelerat ion area is delet ed, Global
Accelerat or (GA) will no longer provide accelerat ion services for t his area.

Procedure

21 > Document Version: 20220627

Global Accelerat ion User Guide· Accelerat ion areas

1.
2. On t he Inst ances page, find t he t arget GA inst ance, and click t he inst ance ID.
3. On t he Accelerat ion Areas t ab, find t he t arget accelerat ion area, and click Delet e in t he Act ions
column.
4. In t he Delet e IP Addresses message, click OK.

Related information
Delet eIpSet
Delet eIpSet s

> Document Version: 20220627 22

User Guide· List eners Global Accelerat ion

4.Listeners
4.1. Listener overview
Aft er you creat e a Global Accelerat or (GA) inst ance, you must configure list eners for t he GA inst ance. A
list ener list ens for connect ion request s and t hen dist ribut es t he request s t o endpoint s based on t he
forwarding rules t hat are defined by a specified scheduling algorit hm.

Listener protocols
You can creat e 10 list eners for each GA inst ance. T he following list ener prot ocols are support ed: T CP,
UDP, HT T P, and HT T PS. You can select a prot ocol based on t he scenario.

Protocol Description Scenario

A connection-oriented protocol that

provides high reliability. A logical
connection must be established
before data can be transmitted.
T CP Session persistence is based on source
IP addresses.
Source IP addresses are visible at the
network layer.
Data is transmitted at a slow rate.
Applicable to scenarios that require
high reliability and data accuracy but
can withstand a low transmission
speed. T hese scenarios include file
transmission, email sending and
receiving, and remote logons.
Web applications that do not have
custom requirements.

A connectionless and unreliable

protocol. T hree-way handshakes are
not required before UDP packets are
UDP transmitted. UDP does not provide
error recovery or data retransmission.
Data is transmitted at a high rate.
Applicable to scenarios where real-time
transmission outweighs reliability, such
as video conferencing and real-time
quote services.

A connection-oriented protocol that Applicable to scenarios where HT T P

provides high reliability. A logical
connection must be established
HT T P before data can be transmitted.
Data is transmitted at a high rate.
Data transmission is not encrypted.
websites need to be accelerated.
Applicable to scenarios where HT T P
websites that contain specified
domain names or paths need to be
accelerated.

23 > Document Version: 20220627

Global Accelerat ion User Guide· List eners

Protocol Description Scenario

A connection-oriented protocol that

provides high reliability. A logical
connection must be established
before data can be transmitted. Applicable to scenarios where HT T P or
HT T PS websites need to be
You can bind SSL certificates to
accelerated. T his also ensures the
servers. T his ensures high reliability of
network security when clients access
data.
HT T PS HT T P or HT T PS websites.
Applicable to scenarios where HT T P or
No t e For more information
HT T PS websites that contain specified
about SSL certificates, see What
domain names or paths need to be
is Certificate Management
accelerated.
Service?.

Data transmission is encrypted.

Listener ports
List ener port s are used t o receive request s and forward t he request s t o endpoint s. List eners consist of
basic list eners and advanced list eners. Advanced list eners can list en on a large number of port s.

Not e If you add list eners t hat use t he same prot ocol t o a GA inst ance, you must configure
different port s for t he list eners.

Basic list eners

T he following t able describes t he number of port s t hat are support ed by list eners t hat use different
prot ocols. For T CP and UDP list eners, you can submit a t icket t o increase t he quot a of
gaplus_quot a_port _per_list ener. For more informat ion, see Manage quotas.

Listener protocol Listener port range Listener port quota

30.
Separate multiple listener ports with commas
(,). Example: 80,90,8080.
T CP 1~65499 If you want to specify port ranges, you can use a
tilde (~). For example, you can enter 80~83 to
specify the ports 80, 81, 82, and 83.

30.
Separate multiple listener ports with commas
(,). Example: 80,90,8080.
UDP 1~65499
If you want to specify port ranges, you can use a
tilde (~). For example, you can enter 80~83 to
specify the ports 80, 81, 82, and 83.

HT T P 1~65499 1.

HT T PS 1~65499 1.

> Document Version: 20220627 24

User Guide· List eners Global Accelerat ion

Advanced list eners

You can specify more t han 300 consecut ive list ener port s for a T CP or UDP list ener. Advanced
list eners are list eners t hat each cont ain more t han 300 consecut ive list ener port s. Advanced list eners
have t he following limit s:

By default , you can creat e advanced list eners only for GA inst ances t hat are creat ed aft er January
8, 2022. If your GA inst ances were creat ed before t his dat e and you want t o creat e advanced
list eners, submit a t icket t o upgrade t he GA inst ances.
You must specify more t han 300 port s for an advanced list ener. T he number of port s t hat you
specify must not exceed 65,499.
You can creat e only one advanced list ener for each GA inst ance.
You can specify only consecut ive port s. For example, you can set t he port range t o 1~350. You
cannot set t he port range t o 1,3~350.
If t he accelerat ion region of a GA inst ance is a point of presence (PoP) node of Alibaba Cloud, you
cannot creat e an advanced list ener for t he GA inst ance.

Not e If you want t o check whet her t he accelerat ion region of a specified GA inst ance is
a PoP node of Alibaba Cloud, refer t o List AvailableBusiRegions.

For example, you want t o creat e t he following list eners for a GA inst ance: a T CP list ener whose list ener
port s are from 1 t o 400, a T CP list ener whose list ener port is 443, a UDP list ener whose list ener port s are
from 200 t o 210, and a UDP list ener port whose list ener port s are from 230 t o 240. T he T CP list ener
whose list ener port s are from 1 t o 400 is an advanced list ener. T he following figure shows t he list eners.

4.2. Add and manage listeners

Aft er you creat e a Global Accelerat or (GA) inst ance, you must configure list eners for t he GA inst ance. A
list ener list ens for connect ion request s and t hen dist ribut es t he request s t o endpoint s based on t he
forwarding rules t hat are defined by a specified scheduling algorit hm.

Prerequisites
A GA inst ance is creat ed. For more informat ion, see Creat e and manage GA inst ances.
If you want t o configure HT T PS list eners, make sure t hat a cert ificat e signing request is submit t ed t o
t he cert ificat e aut horit y (CA) and an SSL cert ificat e is purchased. For more informat ion, see Select
and purchase cert ificat es and Submit a cert ificat e applicat ion.

Add a TCP or UDP listener

1. Configure t he list ener and prot ocol.
i. Log on t o t he GA console.

25 > Document Version: 20220627

Global Accelerat ion User Guide· List eners

i. Log on t o t he GA console.
ii. On t he Inst ances page, find t he GA inst ance t hat you want t o manage and click Conf igure
List eners in t he Act ions column.
iii. On t he List ener t ab, click Add List ener.

Not e If t his is t he first t ime t hat you add a list ener, or t he specified GA inst ance is
not configured wit h a list ener, skip t his st ep.

iv. On t he Conf igure List ener & Prot ocol wizard page, specify t he following list ener
informat ion and click Next .

Parameter Description

Enter a name for the listener.

List ener
T he name must be 2 to 128 characters in length, and can contain letters, digits,
Name
underscores (_), and hyphens (-). T he name must start with a letter.

Select a protocol for the listener. Valid values:

T CP
A connection-oriented protocol that provides high reliability. A logical
connection must be established before data can be transmitted.
Session persistence is based on source IP addresses.

Source IP addresses are visible at the network layer.

Pro t o co l
Data is transmitted at a slow rate.

UDP
A connectionless and unreliable protocol. T hree-way handshakes are not
required before UDP packets are transmitted. UDP does not provide error
recovery or data retransmission.
Data is transmitted at a high rate.

Specify the listener port. T he listener port is used to receive requests and forward
requests to endpoints. Valid values: 1 t o 65499 .

You can specify at most 30 listener ports for each listener. Separate multiple
listener ports with commas (,). Example: 80,90,8080.

If you want to specify a port range, you can use a tilde (~). Example: 80~85.

Po rt
No t e
Number
If you add listeners that use the same protocol to a GA instance, you
must configure different ports for the listeners.
You can specify more than 300 consecutive listener ports for a
listener in specific regions. For more information, see Advanced
listeners.

> Document Version: 20220627 26

User Guide· List eners Global Accelerat ion

Parameter Description

Specify whether to enable client affinity.

If you select So urce IP Address from the drop-down list, client affinity is
enabled. After client affinity is enabled, requests from a specific client IP
Client address are forwarded to the same endpoint.
Af f init y
If you select Disable from the drop-down list, client affinity is disabled. After
client affinity is disabled, requests from a specific client IP address may be
forwarded to different endpoints.

2. Configure endpoint s.
Each list ener is associat ed wit h an endpoint group. You can associat e an endpoint group wit h a
list ener by specifying t he regions t o which you want t o dist ribut e net work t raffic. Aft er you
associat e an endpoint group wit h a list ener, t raffic is dist ribut ed t o t he opt imal endpoint in t he
associat ed endpoint group.

On t he Conf igure Endpoint Group wizard page, set t he following paramet ers and click Next .

For more informat ion about endpoint groups and endpoint s, see Overview .

Parameter Description

Enter a name for the endpoint group.

Endpo int
T he name must be 2 to 128 characters in length, and can contain letters, digits,
Gro up Name
underscores (_), and hyphens (-). T he name must start with a letter.

Regio n Select the region where you want to deploy the endpoint group.

Set the traffic distribution ratio for the endpoint group. Unit: %.

Valid values: 0 to 100.

T raf f ic
Dist ribut io n
Rat io No t e You can set T raf f ic Dist ribut io n Rat io only when you create an
endpoint group for a T CP or UDP listener.

Select the region where you want to deploy backend servers.

Backend Alibaba Clo ud : Backend servers are deployed on Alibaba Cloud.
Service
Of f Alibaba Clo ud : Backend servers are not deployed on Alibaba Cloud.

Specify whether to preserve client IP addresses.

Preserve
After you enable this feature, backend servers can retrieve client IP addresses. For
Client IP
more information, see Preserve client IP addresses.

27 > Document Version: 20220627

Global Accelerat ion User Guide· List eners

Parameter Description

Endpoints are destinations of client requests. T o add an endpoint, specify the

following parameters:
Backend Service T ype : If your backend service is deployed on Alibaba Cloud, you
can select Alibaba Clo ud Public IP Address , ECS , CLB, ALB, or OSS . If your
backend service is not deployed on Alibaba Cloud, you can select Cust o m IP
Address or Cust o m Do main Name .

No t e
You can specify ECS, CLB, and ALB instances as endpoints only if your
Alibaba Cloud account is included in the whitelist. If you want to
specify ECS, CLB, or ALB instances as endpoints for your GA instances,
submit a ticket to upgrade the GA instances.
T he IP addresses of endpoint groups associated with each GA instance
must be globally unique and not conflict with those of other GA
instances.

If no service-linked role exists when you specify ECS instances, CLB

Endpo int instances, ALB instances, or OSS buckets as endpoints, the system
automatically creates the corresponding service-linked role. For more
information, see AliyunServiceRoleForGaVpcEndpoint,
AliyunServiceRoleForGaAlb, and AliyunServiceRoleForGaOss.

Backend Service : Enter the IP address, domain name, or instance ID of the

backend server.
W eight : Set a weight for the endpoint. Valid values: 0 to 255. GA distributes
network traffic to endpoints based on their weights.

No t ice If the weight of an endpoint is set to 0, GA stops distributing

network traffic to the endpoint. Proceed with caution.

You can click + Add Endpo int to add more endpoints. You can create at most four
endpoints in each endpoint group. If you want to add more endpoints, go to the
Quota Management page and increase the quota. For more information, see Manage
quotas.

3. Confirm t he configurat ions.

On t he Conf irm wizard page, confirm t he configurat ions of t he list ener and endpoint , and t hen
click Submit .

If you want t o modify a specific set t ing, click Modif y in t he corresponding sect ion. T hen, you are
redirect ed t o t he configurat ion page.

Not e If t his is t he first t ime you add a list ener, t he list ener t akes effect aft er 3 minut es. If
you modify t he configurat ions of a list ener, t he new configurat ions t ake effect aft er 1 minut e.

Add an HTTP or HTTPS listener

1. Configure t he list ener and prot ocol.
i. Log on t o t he GA console.

> Document Version: 20220627 28

User Guide· List eners Global Accelerat ion

i. Log on t o t he GA console.
ii. On t he Inst ances page, find t he GA inst ance t hat you want t o manage and click Conf igure
List eners in t he Act ions column.
iii. On t he List ener t ab, click Add List ener.

Not e If t his is t he first t ime t hat you add a list ener, or t he specified GA inst ance is
not configured wit h a list ener, skip t his st ep.

iv. On t he Conf igure List ener & Prot ocol wizard page, set t he following paramet ers and click
Next .

Parameter Description

Enter a name for the listener.

List ener
T he name must be 2 to 128 characters in length, and can contain letters, digits,
Name
underscores (_), and hyphens (-). T he name must start with a letter.

Select a network transmission protocol for the listener. Valid values:

HT T PS : HT T PS has the following features:
A connection-oriented protocol that provides high reliability. A logical
connection must be established before data can be transmitted.
You can bind SSL certificates to servers. T his ensures the high reliability of
data.

Pro t o co l Data transmission is encrypted.

HT T P : HT T P has the following features:

A connection-oriented protocol that provides high reliability. A logical
connection must be established before data can be transmitted.
Data is transmitted at a high rate.
Data transmission is not encrypted.

Specify the listener port. T he listener port is used to receive requests and forward
Po rt requests to endpoints. Valid values: 1 t o 65499 .
Number
You can configure only one listener port for each HT T P or HT T PS listener.

Specify whether to enable client affinity.

If you select So urce IP Address from the drop-down list, client affinity is
enabled. After client affinity is enabled, requests from a specific client IP
Client address are forwarded to the same endpoint.
Af f init y
If you select Disable from the drop-down list, client affinity is disabled. After
client affinity is disabled, requests from a specific client IP address may be
forwarded to different endpoints.

29 > Document Version: 20220627

Global Accelerat ion User Guide· List eners

Parameter Description

Click Mo dif y and select Add HT T P Header Fields .

Add the GA-ID header to retrieve the ID of the GA instance.

Use the GA-AP header to retrieve the acceleration region of the GA instance.

Advanced Use the GA-X-Forwarded-Proto header to retrieve the listener protocol of

Set t ings the GA instance.
Use the GA-X-Forwarded-Port header to retrieve the listener port of the
GA instance.
Use the X-Real-IP header to retrieve client IP addresses.

2. Opt ional. Configure t he SSL cert ificat e.

You are required t o configure an SSL cert ificat e only when you add an HT T PS list ener. SSL
cert ificat es ensure t hat dat a t ransmission over GA is encrypt ed.
i. On t he Conf igure SSL Cert if icat e page, select t he SSL cert ificat e t hat you have purchased.
ii. Click Modif y t o t he right of Advanced Set t ings and select a T LS securit y policy from t he T LS
Securit y Policies drop-down list .
For more informat ion about T LS securit y policies, see T LS securit y policies.
iii. Click Next .
3. Configure endpoint s.
Each list ener is associat ed wit h an endpoint group. You can associat e an endpoint group wit h a
list ener by specifying t he regions t o which you want t o dist ribut e net work t raffic. Aft er you
associat e an endpoint group wit h a list ener, t raffic is dist ribut ed t o t he opt imal endpoint in t he
associat ed endpoint group.

On t he Conf igure Endpoint Group wizard page, set t he following paramet ers and click Next .
For more informat ion about endpoint groups and endpoint s, see Overview .

Parameter Description

Enter a name for the endpoint group.

Endpo int
T he name must be 2 to 128 characters in length, and can contain letters, digits,
Gro up Name
underscores (_), and hyphens (-). T he name must start with a letter.

Regio n Select the region where you want to deploy the endpoint group.

Select the region where you want to deploy backend servers.

Backend Alibaba Clo ud : Backend servers are deployed on Alibaba Cloud.
Service
Of f Alibaba Clo ud : Backend servers are not deployed on Alibaba Cloud.

Specify whether to preserve client IP addresses.

Preserve By default, client IP address preservation is enabled for HT T P and HT T PS listeners. GA

Client IP preserves the IP address of a client in the X-Forwarded-For HT T P header. For
more information, see Preserve client IP addresses.

> Document Version: 20220627 30

User Guide· List eners Global Accelerat ion

Parameter Description

Endpoints are destinations of client requests. T o add an endpoint, specify the

following parameters:

Backend Service T ype : If your backend service is deployed on Alibaba Cloud, you
can select Alibaba Clo ud Public IP Address , ECS , CLB, ALB, or OSS . If your
backend service is not deployed on Alibaba Cloud, you can select Cust o m IP
Address or Cust o m Do main Name .

No t e

You can specify ECS, CLB, and ALB instances as endpoints only if your
Alibaba Cloud account is included in the whitelist. If you want to
specify ECS, CLB, or ALB instances as endpoints for your GA instances,
submit a ticket to upgrade the GA instances.
T he IP addresses of endpoint groups associated with each GA instance
must be globally unique and not conflict with those of other GA
instances.
If no service-linked role exists when you specify ECS instances, CLB
instances, ALB instances, or OSS buckets as endpoints, the system
Endpo int
automatically creates the corresponding service-linked role. For more
information, see AliyunServiceRoleForGaVpcEndpoint,
AliyunServiceRoleForGaAlb, and AliyunServiceRoleForGaOss.

Backend Service : Enter the IP address, domain name, or instance ID of the

backend server.

W eight : Set a weight for the endpoint. Valid values: 0 to 255. GA distributes
network traffic to endpoints based on their weights.

No t ice If the weight of an endpoint is set to 0, GA stops distributing

network traffic to the endpoint. Proceed with caution.

You can click + Add Endpo int to add more endpoints. You can create at most four
endpoints in each endpoint group.

Select the protocol that the backend server uses. Valid values:
HT T P : T his is the default value.

HT T PS

Backend
No t e
Service
Pro t o co l If the listener protocol is HT T P, this parameter is set to HT T P by default
and cannot be modified.

You can set Backend Service Pro t o co l only when you configure an
endpoint group for an HT T P or HT T PS listener.

31 > Document Version: 20220627

Global Accelerat ion User Guide· List eners

Parameter Description

If the listener port and the port that the endpoint uses to provide services are not the
same, you must add a mapping between the ports.
List ener Po rt : Enter the listener port.

Endpo int Po rt : Enter the port that the endpoint uses to provide services.

Po rt If the listener port and the port that the endpoint uses to provide services are the
Mapping same, you do not need to add the port mapping. GA automatically distributes client
requests to the listener port of the endpoint.

No t e You can set Po rt Mapping only when you configure an endpoint

group for an HT T P or HT T PS listener.

4. Confirm t he configurat ions.

On t he Conf irm wizard page, confirm t he configurat ions of t he list ener and endpoint , and t hen
click Submit .
If you want t o modify a specific set t ing, click Modif y in t he corresponding sect ion. T hen, you are
redirect ed t o t he configurat ion page.

Not e If t his is t he first t ime you add a list ener, t he list ener t akes effect aft er 3 minut es. If
you modify t he configurat ions of a list ener, t he new configurat ions t ake effect aft er 1 minut e.

Not e Aft er you add an HT T P or HT T PS list ener, you can configure a virt ual endpoint group
and a forwarding rule for t he list ener. T hen, GA can simult aneously accelerat e mult iple domain
names or pat hs t o access your backend HT T P or HT T PS services. For more informat ion, see Creat e
and manage endpoint groups and Creat e and manage forwarding rules.
For more informat ion, see Use one GA instance to accelerate multiple domain names over HT T PS.

What to do next

Operation Description

You can modify a listener to meet your business requirements. T he configurations that
you can modify include the basic settings, protocol, SSL certificate, and endpoint group
of the listener.

1. On the List eners tab, find the listener that you want to modify and click Mo dif y in
the Act io ns column.
Modify a
listener 2. On the Edit List ener page, modify the basic settings, protocol, SSL certificate, or
endpoint group of the listener and then click Next .

For more information about the basic settings, protocol, SSL certificate, and
endpoint group of a listener, see Add a T CP or UDP listener or Add an HT T P or HT T PS
listener.

> Document Version: 20220627 32

User Guide· List eners Global Accelerat ion

Operation Description

You can delete a listener. After a listener is deleted, the endpoint group that is associated
with the listener is also deleted.
Delete a 1. On the List eners tab, find the listener that you want to delete and click Delet e in
listener the Act io ns column.

2. In the Delet e List ener message, click OK .

Related topics
Creat eList ener: You can call t his API operat ion t o creat e a list ener for a GA inst ance.
Updat eList ener: You can call t his API operat ion t o modify a specified list ener of a GA inst ance.
Delet eList ener: You can call t his API operat ion t o delet e a specified list ener of a GA inst ance.

4.3. Associate and manage

certificates
Global Accelerat or (GA) allows you t o associat e mult iple cert ificat es wit h an HT T PS list ener. T his t opic
describes how t o associat e mult iple cert ificat es wit h an HT T PS list ener. T his t opic also describes how t o
use virt ual endpoint groups and forwarding rules t o accelerat e mult iple domain names over HT T PS.

Prerequisites
A GA inst ance and a basic bandwidt h plan are purchased. For more informat ion, see Creat e and
manage GA inst ances and Purchase and manage basic bandwidt h plans.
An accelerat ion area is added. For more informat ion, see Add and manage accelerat ion areas.
An Int ernet Cont ent Provider (ICP) number is obt ained. All websit es must obt ain an ICP number before
t hey are permit t ed t o provide services t o users in t he Chinese mainland. For more informat ion, see
What is an ICP filing?.
Mult iple SSL cert ificat es are issued t o you. For more informat ion, see Select and purchase cert ificat es
and Submit a cert ificat e applicat ion.

Manage certificates that are associated with an HTTPS listener

When you creat e an HT T PS list ener for a GA inst ance, you must configure an SSL cert ificat e for ident it y
aut hent icat ion and encrypt ed dat a t ransmission. You can associat e mult iple cert ificat es wit h an HT T PS
list ener of a GA inst ance. T he following t ypes of cert ificat es are support ed:
Default cert ificat e

T he SSL cert ificat e t hat you configure when you creat e an HT T PS list ener is used as t he default
cert ificat e. You cannot delet e t he default cert ificat e. You can only replace t he default cert ificat e.
Addit ional cert ificat e

You can associat e addit ional cert ificat es wit h an exist ing HT T PS list ener. You can associat e mult iple
domain names wit h an HT T PS list ener by configuring addit ional cert ificat es for t he HT T PS list ener.
T hen, you can creat e domain name-based forwarding rules t o dist ribut e client request s t hat are
dest ined for different domain names t o different endpoint groups.

33 > Document Version: 20220627

Global Accelerat ion User Guide· List eners

Each HT T PS list ener can be associat ed wit h at most t hree addit ional cert ificat es. If you want t o
associat e more addit ional cert ificat es wit h an HT T PS list ener, go t o t he Quot a Management page
and submit a t icket t o increase t he quot a of gaplus_quot a_addit ional_cert s_per_list ener. Aft er
t he quot a is increased, you can associat e at most 10 addit ional cert ificat es wit h an HT T PS list ener.
For more informat ion, see Manage quotas.

Procedure

Step 1: Associate the default certificate with an HTTPS listener

T he SSL cert ificat e t hat you configure when you creat e an HT T PS list ener is used as t he default
cert ificat e. T he endpoint group t hat you creat e is used as t he default endpoint group. For more
informat ion about HT T PS list eners, see Add an HT T P or HT T PS listener.
1. Log on t o t he GA console.
2. On t he Inst ances page, find t he GA inst ance t hat you want t o manage and click Conf igure
List eners in t he Act ions column.
3. On t he List ener t ab, click Add List ener.

Not e If t his is t he first t ime t hat you add a list ener, or t he specified GA inst ance is not
configured wit h a list ener, skip t his st ep.

4. On t he Conf igure List ener & Prot ocol wizard page, set t he required paramet ers, and click Next .
5. On t he Conf igure SSL Cert if icat e wizard page, select an SSL cert ificat e and click Next .
T he cert ificat e t hat you select is used as t he default cert ificat e of t he HT T PS list ener.
You can also select a securit y policy in t he Advanced Set t ings sect ion based on your
requirement s. For more informat ion about T LS securit y policies, see T LS security policies.

6. On t he Conf igure Endpoint Group wizard page, configure t he endpoint group and endpoint s
and click Next .
T he endpoint group t hat you configure is used as t he default endpoint group of t he HT T PS
list ener.

> Document Version: 20220627 34

User Guide· List eners Global Accelerat ion

7. On t he Conf irm wizard page, confirm t he configurat ions and click Submit .

Step 2: Create virtual endpoint groups

Creat e virt ual endpoint groups. Each virt ual endpoint group cont ains one of t he origin servers. For more
informat ion, see Create a virtual endpoint group.

Step 3: Associate additional certificates with the HTTPS listener

1. Log on t o t he GA console.
2. On t he Inst ances page, find t he GA inst ance t hat you want t o manage and click Conf igure
List eners in t he Act ions column.
3. On t he List eners t ab, find t he HT T PS list ener t hat you want t o manage and click t he list ener ID.
4. On t he list ener det ails page, click t he Cert if icat es t ab.
5. On t he Cert if icat es t ab, click Associat e Cert if icat e in t he Addit ional Cert if icat e sect ion.
6. In t he Associat e Cert if icat e dialog box, configure t he addit ional cert ificat e and click OK.
Cert if icat e : Select t he cert ificat e t hat you want t o associat e.
Associat ed Domain Name : Select one or more domain names t hat you want t o accelerat e by
using GA. T he cert ificat e is associat ed wit h t he domain names t hat you select . You can select
mult iple domain names. Each addit ional cert ificat e can be associat ed wit h at most t hree domain
names.

You can click + Add Cert if icat e t o add mult iple addit ional cert ificat es at a t ime. Each HT T PS
list ener can be associat ed wit h at most t hree addit ional cert ificat es. T o associat e more addit ional
cert ificat es wit h an HT T PS list ener, go t o t he Quot a Management page and submit a t icket t o
increase t he quot a of gaplus_quot a_addit ional_cert s_per_list ener. For more informat ion, see
Manage quotas.

Step 4: Create forwarding rules

Creat e a domain name-based forwarding rule for each virt ual endpoint group. For more informat ion,
see Create and manage forwarding rules.

Step 5: Add a CNAME record

Add CNAME records for t he domain names t hat you want t o accelerat e. T o forward request s from
client s t o GA, you must modify t he DNS record t o map t he domain names t hat you want t o accelerat e
t o t he CNAME of t he GA inst ance. For more informat ion, see 配置CNAME.

What to do next

Operation Description

1. On the List eners tab, find the HT T PS listener that you want to manage and click the
listener ID.

Replace the 2. On the listener details page, click the Cert if icat es tab.
default
3. In the Def ault Server Cert if icat e section of the Cert if icat es tab, click Replace in
certificate the Actions column.

4. In the Change Default Server Certificate dialog box, select the certificate that you
want to use and click OK .

35 > Document Version: 20220627

Global Accelerat ion User Guide· List eners

Operation Description

You can only disassociate additional certificates from an HT T PS listener in the GA console.
If you want to delete a certificate, see Delete an SSL certificate.
1. On the List eners tab, find the HT T PS listener that you want to manage and click the
listener ID.
2. On the listener details page, click the Cert if icat es tab.
Disassociate 3. In the Addit io nal Cert if icat e section of the Cert if icat es tab, disassociate one or
an additional more additional certificates based on the following information.
certificate
Disassociate one additional certificate: Find the certificate that you want to
disassociate and click Disasso ciat e in the Act io ns column.
Disassociate multiple additional certificates: Select the additional certificates that
you want to disassociate and click Bat ch Disasso ciat e .

4. In the message that appears, click OK .

References
Associat eAddit ionalCert ificat esWit hList ener: You can call t his API operat ion t o associat e addit ional
cert ificat es wit h an HT T PS list ener.
Dissociat eAddit ionalCert ificat esFromList ener: You can call t his API operat ion t o disassociat e one or
more addit ional cert ificat es from an HT T PS list ener.
List List enerCert ificat es: You can call t his API operat ion t o query t he cert ificat es t hat are associat ed
wit h an HT T PS list ener.

4.4. TLS security policies

You can select a T ransport Layer Securit y (T LS) securit y policy when you creat e an HT T PS list ener for a
Global Accelerat or (GA) inst ance. By default , t he syst em select s t he t ls_cipher_policy_1_0 securit y
policy. If you require higher securit y, you can select a T LS securit y policy of a higher level.

TLS security policies

A T LS securit y policy cont ains T LS prot ocol versions and cipher suit es t hat are available for HT T PS. A
lat er T LS version offers higher securit y but comprises compat ibilit y wit h browsers. T he following t able
describes t he T LS prot ocol versions and cipher suit es t hat are support ed by each T LS securit y policy.

Security policy Supported T LS version Supported cipher suite

> Document Version: 20220627 36

User Guide· List eners Global Accelerat ion

Security policy Supported T LS version Supported cipher suite

ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES256-SHA384
AES128-GCM-SHA256
AES256-GCM-SHA384
t ls_cipher_po licy_1_ T LS 1.0, T LS 1.1, and
AES128-SHA256
0 T LS 1.2
AES256-SHA256
ECDHE-RSA-AES128-SHA
ECDHE-RSA-AES256-SHA
AES128-SHA
AES256-SHA
DES-CBC3-SHA

ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES256-SHA384
AES128-GCM-SHA256
AES256-GCM-SHA384
t ls_cipher_po licy_1_
T LS 1.1 and T LS 1.2 AES128-SHA256
1
AES256-SHA256
ECDHE-RSA-AES128-SHA
ECDHE-RSA-AES256-SHA
AES128-SHA
AES256-SHA
DES-CBC3-SHA

37 > Document Version: 20220627

Global Accelerat ion User Guide· List eners

Security policy Supported T LS version Supported cipher suite

ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES256-SHA384
AES128-GCM-SHA256
AES256-GCM-SHA384
t ls_cipher_po licy_1_
T LSv1.2 AES128-SHA256
2
AES256-SHA256
ECDHE-RSA-AES128-SHA
ECDHE-RSA-AES256-SHA
AES128-SHA
AES256-SHA
DES-CBC3-SHA

ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES256-GCM-SHA384

t ls_cipher_po licy_1_ ECDHE-RSA-AES128-SHA256

T LSv1.2
2_st rict ECDHE-RSA-AES256-SHA384
ECDHE-RSA-AES128-SHA
ECDHE-RSA-AES256-SHA

T LS_AES_128_GCM_SHA256
T LS_AES_256_GCM_SHA384
T LS_CHACHA20_POLY1305_SHA256
T LS_AES_128_CCM_SHA256
T LS_AES_128_CCM_8_SHA256
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES128-SHA256
t ls_cipher_po licy_1_ ECDHE-ECDSA-AES256-SHA384
T LS 1.2 and T LS 1.3
2_st rict _w it h_1_3
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES256-SHA384
ECDHE-ECDSA-AES128-SHA
ECDHE-ECDSA-AES256-SHA
ECDHE-RSA-AES128-SHA
ECDHE-RSA-AES256-SHA

Cipher suites that are supported by TLS security policies

> Document Version: 20220627 38

User Guide· List eners Global Accelerat ion

tls_cipher_p
tls_cipher_p
tls_cipher_p tls_cipher_p tls_cipher_p olicy_1_2_st
Security policy olicy_1_2_st
olicy_1_0 olicy_1_1 olicy_1_2 rict_with_1_
rict
3

1.0, 1.1, and

T LS 1.1 and 1.2 1.2 1.2 1.2 and 1.3
1.2

ECDHE-RSA-AES128-
✔ ✔ ✔ ✔ ✔
GCM-SHA256

ECDHE-RSA-AES256-
✔ ✔ ✔ ✔ ✔
GCM-SHA384

ECDHE-RSA-AES128-
✔ ✔ ✔ ✔ ✔
SHA256

ECDHE-RSA-AES256-
✔ ✔ ✔ ✔ ✔
SHA384

AES128-GCM-
✔ ✔ ✔ - -
SHA256

AES256-GCM-
✔ ✔ ✔ - -
SHA384

AES128-SHA256 ✔ ✔ ✔ - -

AES256-SHA256 ✔ ✔ ✔ - -

ECDHE-RSA-AES128-
✔ ✔ ✔ ✔ ✔
SHA

ECDHE-RSA-AES256-
✔ ✔ ✔ ✔ ✔
SHA

AES128-SHA ✔ ✔ ✔ - -

AES256-SHA ✔ ✔ ✔ - -

DES-CBC3-SHA ✔ ✔ ✔ - -

T LS_AES_128_GCM_
- - - - ✔
SHA256
CIP
T LS_AES_256_GCM_
HER - - - - ✔
SHA384

T LS_CHACHA20_POL
- - - - ✔
Y1305_SHA256

T LS_AES_128_CCM_S
- - - - ✔
HA256

39 > Document Version: 20220627

Global Accelerat ion User Guide· List eners

tls_cipher_p
tls_cipher_p
tls_cipher_p tls_cipher_p tls_cipher_p olicy_1_2_st
Security policy olicy_1_2_st
olicy_1_0 olicy_1_1 olicy_1_2 rict_with_1_
rict
3

T LS_AES_128_CCM_8
- - - - ✔
_SHA256

ECDHE-ECDSA-
AES128-GCM- - - - - ✔
SHA256

ECDHE-ECDSA-
AES256-GCM- - - - - ✔
SHA384

ECDHE-ECDSA-
- - - - ✔
AES128-SHA256

ECDHE-ECDSA-
- - - - ✔
AES256-SHA384

ECDHE-ECDSA-
- - - - ✔
AES128-SHA

ECDHE-ECDSA-
- - - - ✔
AES256-SHA

Not e T he √ sign in t he preceding t able indicat es t hat a cipher suit e is support ed, while t he -
sign indicat es t hat a cipher suit e is not support ed.

Select a TLS security policy

> Document Version: 20220627 40

User Guide· List eners Global Accelerat ion

By default , t he syst em select s t he t ls_cipher_policy_1_0 securit y policy when you creat e or configure an
HT T PS list ener. You can change t he T LS securit y policy in t he advanced set t ings. For more informat ion,
see Add an HT T P or HT T PS listener.

41 > Document Version: 20220627

 User Guide· Endpoint groups and end
Global Accelerat ion
point s

5.Endpoint groups and

endpoints
5.1. Overview
Each list ener is associat ed wit h an endpoint group, and each endpoint group cont ains one or more
endpoint s.

Endpoint groups
Each endpoint group is associat ed wit h a specific region. You can associat e an endpoint group wit h a
list ener by specifying t he region t o which you want t o dist ribut e net work t raffic. Aft er you associat e an
endpoint group wit h a list ener, t he syst em dist ribut es net work t raffic t o t he opt imal endpoint s in t he
endpoint group.

List eners t hat use different prot ocols support different t ypes of endpoint groups:
T CP or UDP list eners

By default , you can creat e t wo default endpoint groups for each T CP or UDP list ener. If you want t o
creat e more default endpoint groups, go t o t he Quot a Management page and increase t he quot a of
gaplus_quot a_epgs_per_list ener. For more informat ion, see Manage quotas.
You must deploy default endpoint groups in different regions. You can set a t raffic dist ribut ion rat io
for each default endpoint group. T he t raffic dist ribut ion rat io specifies t he proport ion of t raffic t hat
is dist ribut ed t o a default endpoint group.
HT T P or HT T PS list eners

By default , you can creat e one default endpoint group and one virt ual endpoint group for each
HT T P or HT T PS list ener. If you want t o creat e mult iple virt ual endpoint groups, go t o t he Quot a
Management page and increase t he quot a of gaplus_quot a_vepg_per_list ener. For more
informat ion, see Manage quotas.

A default endpoint group refers t o t he endpoint group t hat you configure when you creat e an
HT T P or HT T PS list ener.
A virt ual endpoint group refers t o t he endpoint group t hat you can creat e on t he Endpoint
Group page aft er you creat e a list ener.
Aft er you creat e a virt ual endpoint group for an HT T P or HT T PS list ener, you can creat e a
forwarding rule and associat e t he forwarding rule wit h t he virt ual endpoint group. T hen, t he HT T P
or HT T PS list ener forwards request s wit h different dest inat ion domain names or pat hs t o t he
default or virt ual endpoint group based on t he forwarding rule. T his way, you can use one GA
inst ance t o accelerat e mult iple domain names or pat hs. For more informat ion about how t o creat e
a forwarding rule, see Create and manage forwarding rules.

Endpoints
Endpoint s are dest inat ions of client request s. You can add at most four endpoint s t o an endpoint
group. T he following t able describes t he backend service t ypes of endpoint s.

> Document Version: 20220627 42

User Guide· Endpoint groups and end
Global Accelerat ion
point s

Backend Network
Backend service type Backend service
service area type

Elastic IP addresses (EIPs)

Static public IP addresses

Static public IP addresses include the

Alibaba Clo ud public IP public IP addresses of Elastic Compute
Internet
address Service (ECS) instances and the public IP
addresses of Internet-facing Classic Load
Balancer (CLB) instances that are
deployed in classic networks.

Alibaba ECS instances

Clo ud ECS Only ECS instances that are deployed in
virtual private clouds (VPCs) are supported.

CLB instances
VPC
CLB Only CLB instances that are deployed in
VPCs are supported.

ALB Application Load Balancer (ALB) instances

OSS Object Storage Service (OSS) buckets

Out side Cust o m IP addresses Custom IP addresses of origin servers

Alibaba Internet
Clo ud Cust o m do main names Custom domain names of origin servers

Not e
You can specify ECS, CLB, and ALB inst ances as endpoint s only if your Alibaba Cloud account
is included in t he whit elist . If you want t o specify ECS, CLB, or ALB inst ances as endpoint s for
your GA inst ances, submit a t icket t o upgrade t he GA inst ances.
T he IP addresses of endpoint groups associat ed wit h each GA inst ance must be globally
unique and not conflict wit h t hose of ot her GA inst ances.

You can specify a weight for an endpoint . T he weight specifies t he proport ion of t raffic t hat is
forwarded t o t he endpoint . GA calculat es t he sum of all endpoint weight s in an endpoint group. T hen,
t raffic is forwarded t o endpoint s based on t he proport ions of t heir weight s. For more informat ion, see
What to do next .

Health checks
You can enable healt h checks for endpoint groups of a GA inst ance. T his improves service reliabilit y and
availabilit y and prevent s service int errupt ions caused by unhealt hy endpoint s.

Aft er you enable healt h checks for an endpoint group, GA periodically checks whet her t he endpoint s
are healt hy. When GA det ect s an unhealt hy endpoint , GA dist ribut es new request s t o ot her healt hy
endpoint s. When t he unhealt hy endpoint recovers, GA dist ribut es request s t o t he endpoint again. For
more informat ion, see Enable and manage health checks.

43 > Document Version: 20220627

 User Guide· Endpoint groups and end
Global Accelerat ion
point s

References
Creat e and manage endpoint groups
Creat e and manage forwarding rules
Enable and manage healt h checks

5.2. Distribute traffic across endpoint

groups in different scenarios
Global Accelerat or (GA) allows you t o configure mult iple endpoint groups t hat are deployed in
different regions for a T CP list ener or UDP list ener. You can set a t raffic dist ribut ion rat io for an
endpoint group t o cont rol t he percent age of client request s t hat are forwarded t o t he endpoint
group. You can also enable healt h checks t o filt er out unhealt hy endpoint groups.

Distribute traffic across endpoint groups

Introduction to traffic distribution
GA allows you t o set t raffic dist ribut ion rat ios for endpoint groups. You can modify t he percent age of
client request s t hat are forwarded t o each endpoint group based on your business requirement s. T his
helps improve user experience.

T raffic dist ribut ion rat io: specifies t he percent age of client request s t hat are dist ribut ed. Valid
values: 0% t o 100%. Default value: 100%. A value of 0% indicat es t hat t he endpoint group is ignored
and no client request is forwarded t o t he endpoint group. A value of 100% indicat es t hat all client
request s are forwarded t o t he endpoint group.
Endpoint group priorit y: T he client request s t hat are forwarded t o an endpoint group depend on t he
t raffic dist ribut ion rat io t hat you set and t he priorit y of t he endpoint group. GA calculat es t he
priorit y of each endpoint group based on t he net work lat ency. T he net work lat ency varies based on
geographical locat ions and net work hops. In most cases, endpoint groups t hat are closer t o access
point s have fewer net work hops and are assigned higher priorit ies. Client request s are preferably
forwarded t o t he endpoint group whose region is closest t o a specific access point .

Not e Aft er you enable healt h checks for each endpoint group, if t he endpoint group wit h a
higher priorit y fails t he healt h check, all client request s are forwarded t o t he endpoint group wit h a
lower priorit y. T he client request s are forwarded t o t he corresponding endpoint group regardless
of t he t raffic dist ribut ion rat io t hat you set .

Traffic distribution formula

T he following examples show how t raffic dist ribut ion works:

One accelerat ion region wit h mult iple endpoint groups

Client s in t he China (Beijing) region want t o access an applicat ion. T he servers t hat host t he
applicat ion are deployed in t he China (Beijing) and China (Shanghai) regions. You specify China (Beijing)
as t he accelerat ion region and creat e an endpoint group in t he China (Beijing) region and t he China
(Shanghai) region. You want t o forward client request s t hat are sent t o t he China (Beijing) region and
t he China (Shanghai) region based on your requirement s.

> Document Version: 20220627 44

User Guide· Endpoint groups and end
Global Accelerat ion
point s

Set t he t raffic dist ribut ion rat io of each endpoint group t o 100%.

No. Description

Client requests are scheduled to the nearest access point in the China (Beijing) region
①
and then forwarded to the Alibaba Cloud global transmission network.

T he listener of the GA instance checks the connection requests from clients based on
② the protocol and port that are configured and forwards the client requests to
endpoint groups based on their priorities and traffic distribution ratios.

T he priority of the endpoint group in the China (Beijing) region is higher than that of
the endpoint group in the China (Shanghai) region. T he endpoint group in the China
③ (Beijing) region passes the health check and the traffic distribution ratio of the
endpoint group is set to 100%. All client requests are forwarded to the endpoint
group in the China (Beijing) region.

④ Client requests are processed by servers in the China (Beijing) region.

If the endpoint group in the China (Beijing) region fails the health check but the
endpoint group in the China (Shanghai) region passes the health check, the listener
⑤
forwards all client requests to the endpoint group with a lower priority in the China
(Shanghai) region.

⑥ Client requests are processed by servers in the China (Shanghai) region.

45 > Document Version: 20220627

 User Guide· Endpoint groups and end
Global Accelerat ion
point s

Set t he t raffic dist ribut ion rat io t o 50% for t he endpoint group in t he China (Beijing) region and set
t he t raffic dist ribut ion rat io t o 100% for t he endpoint group in t he China (Shanghai) region. You
can change t he t raffic dist ribut ion rat io based on your business requirement s.

T his scenario is similar t o t he scenario in which you set t he t raffic dist ribut ion rat io t o 100% for
bot h endpoint groups. Request s from client s in t he China (Beijing) region are preferably forwarded
t o t he endpoint group in t he China (Beijing) region. Aft er you set t he t raffic dist ribut ion rat io t o
50% for t he endpoint group in t he China (Beijing) region, 50% of client request s are forwarded t o
t he endpoint group in t he China (Beijing) region and t he remaining 50% of client request s are
forwarded t o t he endpoint group in t he China (Shanghai) region. If you set t he t raffic dist ribut ion
rat io t o 30% for t he endpoint group in t he China (Beijing) region, 30% of client request s are
forwarded t o t he endpoint group in t he China (Beijing) region and 70% of client request s are
forwarded t o t he endpoint group in t he China (Shanghai) region.

If you set t he t raffic dist ribut ion rat io t o 100% for t he endpoint group in t he China (Shanghai)
region, all t he remaining client request s are forwarded t o t he endpoint group in t he China
(Shanghai) region. In t he preceding t wo examples, 50% and 70% of client request s are forwarded
t o t he endpoint group in t he China (Shanghai) region.

Set t he t raffic dist ribut ion rat io t o 50% for bot h endpoint groups. You can change t he t raffic
dist ribut ion rat io based on your business requirement s.

> Document Version: 20220627 46

User Guide· Endpoint groups and end
Global Accelerat ion
point s

No. Description

Client requests are scheduled to the nearest access point in the China (Beijing) region
①
and then forwarded to the Alibaba Cloud global transmission network.

T he listener of the GA instance checks the connection requests from clients based on
② the protocol and port that are configured and forwards the client requests to
endpoint groups based on their priorities and traffic distribution ratios.

T he priority of the endpoint group in the China (Beijing) region is higher than that of
the endpoint group in the China (Shanghai) region. T he endpoint group in the China
③ (Beijing) region passes the health check and the traffic distribution ratio of the
endpoint group is set to 50%. 50% of client requests are forwarded to the endpoint
group in the China (Beijing) region.

④ Servers in the China (Beijing) region process 50% of client requests.

T he remaining 50% of client requests are first forwarded to the endpoint group in the
China (Shanghai) region. T he percentage of client requests that are received by the
endpoint group in the China (Shanghai) region is 25% based on the following formula:
50% × 50% = 25%.
⑤
T he endpoint group in the China (Beijing) region receives 50% of client requests and
the endpoint group in the China (Shanghai) region receives 25% of client requests. T he
remaining 25% of client requests are not received.

GA evenly distributes the remaining client requests to each endpoint group.

T he remaining 25% of client requests are evenly distributed to each endpoint group.
⑥
T his indicates that each endpoint group in the China (Beijing) region and the China
(Shanghai) region receives 12.5% of client requests.

⑦ Servers in the China (Beijing) region process 12.5% of client requests.

Servers in the China (Shanghai) region process 37.5% of client requests based on the
⑧
following formula: 25% + 12.5% = 37.5%.

Mult iple accelerat ion regions wit h mult iple endpoint groups
If you specify mult iple accelerat ion regions for client s t hat are locat ed in mult iple regions, t he client s
can connect t o t he nearest access point s of t he Alibaba Cloud global t ransmission net work by
sending request s t o t he accelerat ed IP addresses. T hen, t he client request s are forwarded t o t he
endpoint groups t hat are closest t o t he access point s.
Set t he t raffic dist ribut ion rat io of each endpoint group t o 100%.

47 > Document Version: 20220627

 User Guide· Endpoint groups and end
Global Accelerat ion
point s

No. Description

Requests from clients in the China (Beijing) region are forwarded to the nearest access
point in the China (Beijing) region. Requests from clients in the China (Shanghai) region
①
are forwarded to the nearest access point in the China (Shanghai) region. T hen, the
client requests are forwarded to the Alibaba Cloud global transmission network.

T he listener of the GA instance checks the connection requests from clients based on
② the protocol and port that are configured and forwards the client requests to
endpoint groups based on their priorities and traffic distribution ratios.

GA distributes client requests from different regions based on the traffic distribution
ratio.
Forward client requests from the China (Beijing) region

T he priority of the endpoint group in the China (Beijing) region is higher than that of
the endpoint group in the China (Shanghai) region. T he endpoint group in the China
(Beijing) region passes the health check and the traffic distribution ratio of the
endpoint group is set to 100%. All client requests from the China (Beijing) region
③ are forwarded to the endpoint group in the China (Beijing) region.

Forward client requests from the China (Shanghai) region

T he priority of the endpoint group in the China (Shanghai) region is higher than that
of the endpoint group in the China (Beijing) region. T he endpoint group in the China
(Shanghai) region passes the health check and the traffic distribution ratio of the
endpoint group is set to 100%. All client requests from the China (Shanghai) region
are forwarded to the endpoint group in the China (Shanghai) region.

Servers in the China (Beijing) region and the China (Shanghai) region process the client
④
requests that they receive.

> Document Version: 20220627 48

User Guide· Endpoint groups and end
Global Accelerat ion
point s

Set t he t raffic dist ribut ion rat io t o 50% for t he endpoint group in t he China (Beijing) region and set
t he t raffic dist ribut ion rat io t o 100% for t he endpoint group in t he China (Shanghai) region. You
can change t he t raffic dist ribut ion rat io based on your business requirement s.

T his scenario is similar t o t he scenario in which you set t he t raffic dist ribut ion rat io t o 100% for
bot h endpoint groups. Request s from client s in t he China (Beijing) region are preferably forwarded
t o t he endpoint group in t he China (Beijing) region. Aft er you set t he t raffic dist ribut ion rat io t o
50% for t he endpoint group in t he China (Beijing) region, 50% of client request s are forwarded t o
t he endpoint group in t he China (Beijing) region and t he remaining 50% of client request s are
forwarded t o t he endpoint group in t he China (Shanghai) region. If you set t he t raffic dist ribut ion
rat io t o 30% for t he endpoint group in t he China (Beijing) region, 30% of client request s are
forwarded t o t he endpoint group in t he China (Beijing) region and 70% of client request s are
forwarded t o t he endpoint group in t he China (Shanghai) region.
All request s from client s in t he China (Shanghai) region are forwarded t o t he endpoint group in t he
China (Shanghai) region. T his is because you set t he t raffic dist ribut ion rat io t o 100% for t he
endpoint group in t he China (Shanghai) region.
In t his scenario, t he endpoint group in t he China (Beijing) region receives 50% of request s from
client s in t he China (Beijing) region. T he endpoint group in t he China (Shanghai) receives 100% of
request s from client s in t he China (Shanghai) region and 50% of request s from client s in t he China
(Beijing) region.
Set t he t raffic dist ribut ion rat io t o 50% for bot h endpoint groups. You can change t he t raffic
dist ribut ion rat io based on your business requirement s.

49 > Document Version: 20220627

 User Guide· Endpoint groups and end
Global Accelerat ion
point s

No. Description

Requests from clients in the China (Beijing) region are forwarded to the nearest access
point in the China (Beijing) region. Requests from clients in the China (Shanghai) region
①
are forwarded to the nearest access point in the China (Shanghai) region. T hen, the
client requests are forwarded to the Alibaba Cloud global transmission network.

T he listener of the GA instance checks the connection requests from clients based on
② the protocol and port that are configured and forwards the client requests to
endpoint groups based on their priorities and traffic distribution ratios.

GA distributes client requests from different regions based on the traffic distribution
ratio.
Forward client requests from the China (Beijing) region

T he priority of the endpoint group in the China (Beijing) region is higher than that of
the endpoint group in the China (Shanghai) region. T he endpoint group in the China
(Beijing) region passes the health check and the traffic distribution ratio of the
endpoint group is set to 50%. 50% of client requests are forwarded to the
endpoint group in the China (Beijing) region. T he remaining 50% of client requests
are forwarded to the endpoint group in the China (Shanghai) region. T he
percentage of client requests that are received by the endpoint group in the China
(Shanghai) region is 25% based on the following formula: 50% × 50% = 25%. T he
requests from clients in the China (Beijing) region that are not received is 25%
based on the following formula: 100% - 50% - 25% = 25%.

Forward client requests from the China (Shanghai) region

③
T he priority of the endpoint group in the China (Shanghai) region is higher than that
of the endpoint group in the China (Beijing) region. T he endpoint group in the China
(Shanghai) region passes the health check and the traffic distribution ratio of the
endpoint group is set to 50%. 50% of client requests are forwarded to the
endpoint group in the China (Shanghai) region. T he remaining 50% of client
requests are forwarded to the endpoint group in the China (Beijing) region. T he
percentage of client requests that are received by the endpoint group in the China
(Beijing) region is 25% based on the following formula: 50% × 50% = 25%. T he
percentage of requests from clients in the China (Shanghai) region that are not
received is 25% based on the following formula: 100% - 50% - 25% = 25%.

GA evenly forwards the remaining client requests to each endpoint group.

T he remaining 25% of requests from clients in the China (Beijing) region are evenly
distributed to each endpoint group. T his indicates that each endpoint group in the
④
China (Beijing) region and the China (Shanghai) region receives 12.5% of client
requests. Each endpoint group in the China (Beijing) region and the China (Shanghai)
region receives 12.5% of requests from clients in the China (Shanghai) region.

Servers in the China (Beijing) region and the China (Shanghai) region process the client
⑤
requests that they receive.

> Document Version: 20220627 50

User Guide· Endpoint groups and end
Global Accelerat ion
point s

Scenarios

O verview

Scenario Description

T he servers do not meet the requirements of an application or users in specific

Deploy an application in regions have poor network experience. For example, users in different regions
multiple regions share the same acceleration region or multiple acceleration regions share one
endpoint group. In this case, you can deploy the application in another region.

If you deploy a service in a single region, a large number of client requests may
be sent to the service and the servers that host the service may become
Forward client requests overloaded. T o resolve the issues, you can deploy the service across regions and
across regions add an endpoint group in each region. T hen, you can use the traffic distribution
feature to change the percentage of client requests that are forwarded to each
region to reduce the loads on the servers in a region.

If you have requirements for service continuity and high availability, you can
deploy the service across regions, specify the backend service in different
Cross-region disaster
regions as the endpoint group, and enable health checks for the endpoint
recovery for
groups. If the service in a region cannot be accessed, you can enable GA to
applications
forward client requests to healthy endpoint groups in other regions. T his meets
the requirements of disaster recovery.

You want to adjust your business in a region. For example, if you want to
Unpublish or update a
smoothly unpublish a service that receives low traffic in a region or update a
service based on
service in a region, you can set the traffic distribution ratio for the endpoint
regions
group in the region to migrate the service in a flexible manner.

Deploy an application in multiple regions

If you want t o scale out your business and t he servers do not meet t he requirement s of t he applicat ion
or users in specific regions have poor net work experience, you can deploy t he applicat ion in anot her
region. You can add endpoint groups or accelerat ion regions for t he GA inst ance t o improve user
experience.

Add endpoint groups t o improve t he t raffic processing capabilit ies of t he applicat ion.

51 > Document Version: 20220627

 User Guide· Endpoint groups and end
Global Accelerat ion
point s

T he scenario in t he following figure is used as an example. An applicat ion is deployed on servers in

t he China (Beijing) region. Client s in t he China (Beijing) region connect t o t he access point in t he China
(Beijing) region. Client s in t he China (Shanghai) region connect t o t he access point in t he China
(Shanghai) region. All client request s are processed by t he servers in t he endpoint group in t he China
(Beijing) region. As t he number of client s increases, t he loads on t he servers also increase.

In t his case, you can add an endpoint group in t he China (Shanghai) region and forward request s from
client s in t he China (Shanghai) region t o t he servers in t he endpoint group in t he China (Shanghai)
region. T his improves t he availabilit y of your applicat ion. T o add t he endpoint group, perform t he
following st eps:
i. Deploy servers in t he China (Shanghai) region.
ii. Add an endpoint group in t he China (Shanghai) region for t he list ener of a GA inst ance. For more
informat ion, see Creat e a default endpoint group.

When you add t he endpoint group in t he China (Shanghai) region, you can set t he t raffic
dist ribut ion rat io t o a lower value for t est ing. For example, you can set t he value t o 1%.
iii. Check how request s from client s in t he China (Shanghai) region are dist ribut ed.

Request s from client s in t he China (Beijing) region are processed by t he servers in t he endpoint
group in t he China (Beijing) region and 1% of request s from client s in t he China (Shanghai) region
are processed by t he servers in t he endpoint group in t he China (Shanghai) region. T he remaining
99% of client request s are processed by t he servers in t he endpoint group in t he China (Beijing)
region.
iv. Aft er t he t est ing is complet ed, change t he t raffic dist ribut ion rat io of t he endpoint group in t he
China (Shanghai) region t o 100%.

T his way, all request s from client s in t he China (Shanghai) region are forwarded t o t he servers in
t he endpoint group in t he China (Shanghai) region. T he servers in t he endpoint group in t he China
(Beijing) region do not process request s from client s in t he China (Shanghai) region. For more
informat ion, see Set the traffic distribution ratio for an endpoint group.

Add an accelerat ion region t o improve user experience

> Document Version: 20220627 52

User Guide· Endpoint groups and end
Global Accelerat ion
point s

T he scenario in t he following figure is used as an example. An applicat ion is deployed on servers in

t he China (Beijing) region. Client s in t he China (Beijing) region and t he China (Shanghai) region connect
t o t he Alibaba Cloud global t ransmission net work by sending request s t o t he access point in t he
China (Beijing) region. All client request s are processed by t he servers in t he endpoint group in t he
China (Beijing) region. When client s in t he China (Shanghai) region access t he applicat ion, net work
issues such as net work lat ency and net work jit t er frequent ly occur.

You can deploy t he applicat ion on servers in t he China (Shanghai) region, add China (Shanghai) as t he
accelerat ion region, and creat e an endpoint group in t he China (Shanghai) region for t he GA inst ance.
Request s from client s in t he China (Shanghai) region are forwarded t o t he nearest access point in t he
China (Shanghai) region. T he list ener t hen checks t he connect ion request s and forwards t he request s
t o t he endpoint group t hat is close t o t he access point in t he China (Shanghai) region. T his improves
experience for client s in t he China (Shanghai) region. For more informat ion, see Add and manage
acceleration areas and Create a default endpoint group.

Forward client requests across regions

You can use t he t raffic dist ribut ion feat ure t o forward client request s from a specific accelerat ion
region t o mult iple endpoint groups t hat are deployed in different regions. T his reduces t he loads on
t he servers in t he endpoint group of t he accelerat ion region.

53 > Document Version: 20220627

 User Guide· Endpoint groups and end
Global Accelerat ion
point s

T he scenario in t he following figure is used as an example. An applicat ion is deployed on servers in t he

China (Beijing) region and t he China (Shanghai) region. T he client s are locat ed in t he China (Beijing)
region. You added t he China (Beijing) accelerat ion region, an endpoint group in t he China (Beijing) region,
and an endpoint group in t he China (Shanghai) region in t he GA console. By default , GA forwards all
request s from client s in t he China (Beijing) region t o t he servers in t he endpoint group t hat is deployed
in t he China (Beijing) region. A large number of request s are sent from client s in t he China (Beijing) region.
T his causes t he servers in t he endpoint group t hat is deployed in t he China (Beijing) region t o become
overloaded. Net work lat ency and packet loss occur when client s access t he applicat ion.

You can change t he t raffic dist ribut ion rat ios for t he endpoint groups in t he China (Beijing) region and
t he China (Shanghai) region. For example, you can change t he t raffic dist ribut ion rat io for t he endpoint
group in t he China (Beijing) region from 100% t o 50%. T his way, 50% of request s from client s in t he China
(Beijing) region are processed by t he servers in t he endpoint group in t he China (Beijing) region. T he
remaining 50% of client request s are processed by t he servers in t he endpoint group in t he China
(Shanghai) region. T his way, you can properly allocat e client request s in t he China (Beijing) region and
reduce t he loads on t he servers in t he endpoint group t hat is deployed in t he China (Beijing) region. For
more informat ion about how t o change t he t raffic dist ribut ion rat ios for endpoint groups, see Set the
traffic distribution ratio for an endpoint group.

Cross-region disaster recovery for applications

You can add mult iple endpoint groups t hat are deployed in different regions for a GA inst ance and
enable healt h checks for t he endpoint groups. T his achieves cross-region disast er recovery for
applicat ions.

> Document Version: 20220627 54

User Guide· Endpoint groups and end
Global Accelerat ion
point s

T he scenario in t he following figure is used as an example. An applicat ion is deployed on servers in t he

China (Beijing) region and t he China (Shanghai) region. You added China (Beijing) and China (Shanghai) as
accelerat ion regions and an endpoint group t o each accelerat ion region in t he GA console. In most
cases, request s from client s in t he China (Beijing) region and t he China (Shanghai) region are forwarded
t o t he nearest accelerat ion region. T he list ener t hen checks t he client request s and forwards t he client
request s t o t he corresponding endpoint group based on t he t raffic dist ribut ion rat io and priorit y. T o
ensure t hat t he applicat ion can provide cont inuous and st able services, you must make sure t hat client
request s can be forwarded t o a healt hy accelerat ion region if errors occur on t he applicat ion in one of
t he accelerat ion regions.

You can enable healt h checks for endpoint groups in t he China (Beijing) region and t he China (Shanghai)
regions. If t he endpoint group in t he China (Shanghai) region fails t he healt h check, t he list ener
aut omat ically forwards client request s t o t he healt hy endpoint group in t he China (Beijing) region. If t he
endpoint group in t he China (Shanghai) region passes t he healt h check, t he list ener aut omat ically
forwards request s from client s in t he China (Shanghai) region t o t he endpoint group in t he China
(Shanghai) region. For more informat ion about how t o configure healt h checks, see Enable and manage
health checks.

Unpublish or update a service based on regions

You can use t he t raffic dist ribut ion feat ure t o unpublish or updat e a service based on regions. T his
reduces t he impact on client s.

55 > Document Version: 20220627

 User Guide· Endpoint groups and end
Global Accelerat ion
point s

T he scenario in t he following figure is used as an example. A service is deployed on servers in t he China

(Beijing) region and t he China (Shanghai) region. You added China (Beijing) and China (Shanghai) as
accelerat ion regions and an endpoint group t o each accelerat ion region in t he GA console. You want t o
unpublish t he service t hat is deployed in t he China (Shanghai) region because a small number of client
request s are sent t o t he service. When you unpublish t he service, you must make sure t hat client s in t he
China (Shanghai) region can access t he service as normal.

You can set t he t raffic dist ribut ion rat io t o a lower value, such as 1%, for t he endpoint group in t he
China (Shanghai) region and dist ribut e 99% of client request s t o t he endpoint group in t he China
(Beijing) region. Aft er t he client request s t hat are sent t o t he service in t he China (Shanghai) region are
less t han you expect ed, you can set t he t raffic dist ribut ion rat io t o 0% for t he endpoint group in t he
China (Shanghai) region. T his way, you can unpublish t he service t hat is deployed in t he China (Shanghai)
region.

If you want t o updat e t he service t hat is deployed in t he China (Shanghai) region, you can change t he
t raffic dist ribut ion rat io based on t he preceding informat ion when you unpublish t he service. Aft er you
set t he t raffic dist ribut ion rat io t o 0%, request s from client s in t he China (Shanghai) region are
forwarded t o t he endpoint group in t he China (Beijing) region. Aft er you updat e t he service, set t he
t raffic dist ribut ion rat io t o 100% for t he endpoint group in t he China (Shanghai) region. T his way, all
request s from client s in t he China (Shanghai) region are forwarded t o t he endpoint group in t he China
(Shanghai) region.

5.3. Create and manage endpoint

groups
T o associat e a list ener wit h an endpoint group, you can specify t he region t o which you want t o
dist ribut e net work t raffic. T hen, t he syst em dist ribut es net work t raffic t o t he opt imal endpoint in t he
endpoint group.

Prerequisites
A Global Accelerat or (GA) inst ance is creat ed. For more informat ion, see Creat e and manage GA
inst ances.

Context

> Document Version: 20220627 56

User Guide· Endpoint groups and end
Global Accelerat ion
point s

Each endpoint group is associat ed wit h a specific region. You can associat e an endpoint group wit h a
list ener by specifying t he region t o which you want t o dist ribut e net work t raffic. Aft er you associat e an
endpoint group wit h a list ener, t he syst em dist ribut es net work t raffic t o t he opt imal endpoint s in t he
endpoint group.

List eners t hat use different prot ocols support different t ypes of endpoint groups:

T CP or UDP list eners

By default , you can creat e t wo default endpoint groups for each T CP or UDP list ener. If you want t o
creat e more default endpoint groups, go t o t he Quot a Management page and increase t he quot a of
gaplus_quot a_epgs_per_list ener. For more informat ion, see Manage quotas.
You must deploy default endpoint groups in different regions. You can set a t raffic dist ribut ion rat io
for each default endpoint group. T he t raffic dist ribut ion rat io specifies t he proport ion of t raffic t hat
is dist ribut ed t o a default endpoint group.
HT T P or HT T PS list eners

By default , you can creat e one default endpoint group and one virt ual endpoint group for each
HT T P or HT T PS list ener. If you want t o creat e mult iple virt ual endpoint groups, go t o t he Quot a
Management page and increase t he quot a of gaplus_quot a_vepg_per_list ener. For more
informat ion, see Manage quotas.

A default endpoint group refers t o t he endpoint group t hat you configure when you creat e an
HT T P or HT T PS list ener.
A virt ual endpoint group refers t o t he endpoint group t hat you can creat e on t he Endpoint
Group page aft er you creat e a list ener.

Aft er you creat e a virt ual endpoint group for an HT T P or HT T PS list ener, you can creat e a
forwarding rule and associat e t he forwarding rule wit h t he virt ual endpoint group. T hen, t he HT T P
or HT T PS list ener forwards request s wit h different dest inat ion domain names or pat hs t o t he
default or virt ual endpoint group based on t he forwarding rule. T his way, you can use one GA
inst ance t o accelerat e mult iple domain names or pat hs. For more informat ion about how t o creat e
a forwarding rule, see Create and manage forwarding rules.

Create a default endpoint group

1.
2. On t he Inst ances page, find t he GA inst ance t hat you want t o manage and click Conf igure
List eners in t he Act ions column.
3. On t he List ener t ab, click Add List ener.

Not e If t his is your first t ime you creat e an endpoint group, skip t his st ep.

4. On t he Conf igure List ener & Prot ocol wizard page, set t he required paramet ers, and click Next .
If you want t o creat e an endpoint group for an HT T PS list ener, you must also configure SSL
cert ificat es. For more informat ion, see Add and manage list eners.
5. On t he Conf igure Endpoint Group wizard page, set t he following paramet ers.

Parameter Description

57 > Document Version: 20220627

 User Guide· Endpoint groups and end
Global Accelerat ion
point s

Parameter Description

Enter a name for the endpoint group.

Endpo int
T he name must be 2 to 128 characters in length, and can contain letters, digits,
Gro up Name
underscores (_), and hyphens (-). T he name must start with a letter.

Regio n Select the region where you want to deploy the endpoint group.

Set the traffic distribution ratio for the endpoint group. Unit: %.

Valid values: 0 to 100.

T raf f ic
Dist ribut io n
Rat io No t e You can set T raf f ic Dist ribut io n Rat io only when you create an
endpoint group for a T CP or UDP listener.

Specify whether backend servers are deployed on Alibaba Cloud.

Backend Alibaba Clo ud : Backend servers are deployed on Alibaba Cloud.
Service
Of f Alibaba Clo ud : Backend servers are not deployed on Alibaba Cloud.

Specify whether to preserve client IP addresses.

Preserve
After you enable this feature, backend servers can retrieve client IP addresses. For
Client IP
more information, see Preserve client IP addresses.

> Document Version: 20220627 58

User Guide· Endpoint groups and end
Global Accelerat ion
point s

Parameter Description

Endpoints are destinations of client requests. T o add an endpoint, specify the

following parameters:

Backend Service T ype : If your backend service is deployed on Alibaba Cloud, you
can select Alibaba Clo ud Public IP Address , ECS , CLB, ALB, or OSS . If your
backend service is not deployed on Alibaba Cloud, you can select Cust o m IP
Address or Cust o m Do main Name .

No t e
You can specify ECS, CLB, and ALB instances as endpoints only if your
Alibaba Cloud account is included in the whitelist. If you want to
specify ECS, CLB, or ALB instances as endpoints for your GA instances,
submit a ticket to upgrade the GA instances.
T he IP addresses of endpoint groups associated with each GA instance
must be globally unique and not conflict with those of other GA
instances.

If no service-linked role exists when you specify ECS instances, CLB

instances, ALB instances, or OSS buckets as endpoints, the system
automatically creates the corresponding service-linked role. For more
information, see AliyunServiceRoleForGaVpcEndpoint,
AliyunServiceRoleForGaAlb, and AliyunServiceRoleForGaOss.

Backend Service : Enter the IP address, domain name, or instance ID of the

backend server.
Endpo int W eight : Set a weight for the endpoint. Valid values: 0 to 255. GA distributes
network traffic to endpoints based on their weights.

No t ice If the weight of an endpoint is set to 0, GA stops distributing

network traffic to the endpoint. Proceed with caution.

You can click + Add Endpo int to add more endpoints. You can create at most four
endpoints in each endpoint group. If you want to add more endpoints, go to the
Quota Management page and increase the quota. For more information, see Manage
quotas.

59 > Document Version: 20220627

 User Guide· Endpoint groups and end
Global Accelerat ion
point s

Parameter Description

Select the protocol that is used by the backend service. Valid values:
HT T P (default)

HT T PS

Backend
No t e
Service
Pro t o co l If the listener protocol is HT T P, this parameter is set to HT T P by default
and cannot be modified.
You can set Backend Service Pro t o co l only when you configure an
endpoint group for an HT T P or HT T PS listener.

If the listener port and the port that the endpoint uses to provide services are not the
same, you must add a mapping between the ports.
List ener Po rt : Enter the listener port.
Endpo int Po rt : Enter the port that the endpoint uses to provide services.

Po rt If the listener port and the port that the endpoint uses to provide services are the
Mapping same, you do not need to add the port mapping. GA automatically distributes client
requests to the listener port of the endpoint.

No t e You can set Po rt Mapping only when you configure an endpoint

group for an HT T P or HT T PS listener.

Specify whether to enable or disable the health check feature.

After you enable this feature, you can use health checks to check the status of
endpoints. For more information about the health check feature, see Enable and
manage health checks.
Healt h
Check
No t e If your GA instance uses UDP listeners, you can enable the health
check feature for an endpoint only if the endpoint is associated with a T CP, HT T P,
or HT T PS service. Otherwise, the endpoint is marked as unhealthy.

Select the protocol that you want to use for health checks. Valid values: T CP, HT T P,
and HT T PS.
Healt h A T CP health check probes whether a server port is healthy at the network layer by
Check sending SYN packets to the port.
Pro t o co l
An HT T P health check probes whether an endpoint is healthy by simulating HT T P
GET requests sent from a browser.

Set the port of the endpoint to which probe packets are sent for health checks.
Po rt
Valid values: 1 to 65535.

> Document Version: 20220627 60

User Guide· Endpoint groups and end
Global Accelerat ion
point s

Parameter Description

Healt h Set the interval between two consecutive health checks. Unit: seconds.
Check
Valid values: 1 to 50. Default value: 2.
Int erval

Specify the URI for health checks.

T he URI must be 1 to 80 characters in length and start with a forward slash (/). T he
URI can contain letters, digits, hyphens (-), forward slashes (/), periods (.), percent
signs (%), question marks (?), number signs (# ), and ampersands (&). T he URI can also
contain the following extended characters: _ ; ~ ! ( ) * [ ] @ $ ^ : ' , + .
URI By default, GA sends a GET request to the default homepage of the backend service.
If you do not want to use the default homepage for health checks, you can manually
specify a URI.

No t e T his parameter is supported only for HT T P and HT T PS health checks.

T he number of consecutive health check failures that must occur before a healthy
endpoint is considered unhealthy, or the number of consecutive health check
Healt hy
successes that must occur before an unhealthy endpoint is considered healthy.
T hresho ld
Valid values: 2 to 10. Default value: 3.

6. (Opt ional)Click + Add Endpoint Group t o add mult iple endpoint groups based on t he preceding
informat ion.

Not e
You can add mult iple endpoint groups only for T CP and UDP list eners.
By default , you can add t wo default endpoint groups for a T CP or UDP list ener. If you
want t o add more endpoint groups, go t o t he Quot a Management page and increase
t he quot a of gaplus_quot a_epgs_per_list ener. For more informat ion, see Manage
quot as.

7. Click Next .
8. On t he Conf irm wizard page, check t he configurat ions and click Submit .
T o modify a specific set t ing, click Modif y in t he corresponding sect ion.

Create a virtual endpoint group

Before you creat e a virt ual endpoint group, t ake not e of t he following limit s:

You can creat e a virt ual endpoint group only for an HT T P or HT T PS list ener.
Before you can creat e a virt ual endpoint group, you must creat e a default endpoint group.

1.
2. On t he Inst ances page, find t he GA inst ance t hat you want t o manage and click Conf igure
List eners in t he Act ions column.
3. On t he List eners t ab, click t he endpoint group ID or number in t he Def ault Endpoint Group

61 > Document Version: 20220627

 User Guide· Endpoint groups and end
Global Accelerat ion
point s

ID/Name column.
4. On t he Endpoint Group t ab, click Add Virt ual Endpoint Group in t he Virt ual Endpoint Group
sect ion.
5. In t he Creat e Virt ual Endpoint Group dialog box, set t he paramet ers and click Creat e .
For more informat ion, see Creat e a default endpoint group.

What to do next

Operation Description

1. On the List eners tab, find the listener that you want to manage and click the
endpoint group ID or number in the Def ault Endpo int Gro up ID/Name column.
2. On the Endpo int Gro up tab, find the default endpoint group or virtual endpoint
group that you want to modify and click Mo dif y in the Act io ns column.
3. In the Mo dif y Def ault Endpo int Gro up or Mo dif y V irt ual Endpo int Gro up
Modify an dialog box, modify the name and endpoint configuration, and then click Save .
endpoint
For more information about the configurations of the default endpoint group, see
group
Create a default endpoint group.

No t e You can configure and modify virtual endpoint groups only for HT T P
and HT T PS listeners. For more information about virtual endpoint groups, see
Overview.

You can set the proportion of traffic that is distributed to different endpoint groups.
1. On the List eners tab, find the listener and click Edit Endpo int Gro up in the Actions
column.
Set the traffic 2. On the Co nf igure Endpo int Gro up wizard page, find the endpoint group that you
distribution want to manage, set the traffic distribution ratio, and then click Next .
ratio for an
Valid values of the traffic distribution ratio: 0 to 100. Unit: %.
endpoint
group 3. Confirm the information of the endpoint group and click Submit .

No t e You can set traffic distribution ratios only for T CP and UDP listeners.

> Document Version: 20220627 62

User Guide· Endpoint groups and end
Global Accelerat ion
point s

Operation Description

You can set the weight of an endpoint. T he weight specifies the proportion of traffic that
GA distributes to an endpoint in the endpoint group.

GA calculates the sum of all endpoint weights in an endpoint group. T hen, traffic is
forwarded to endpoints based on the proportions of their weights. For example, if you
want to distribute 1/3 of the network traffic to Endpoint 1 and 2/3 of the network traffic
to Endpoint 2, you can set the weight of Endpoint 1 to 1 and the weight of Endpoint 2 to
2. T o disable GA from distributing network traffic to an endpoint, set the weight of the
endpoint to 0.
Set the weight
1. On the List eners tab, find the listener that you want to manage and click the
of an endpoint
endpoint group ID or number in the Def ault Endpo int Gro up ID/Name column.

2. On the Endpo int Gro up tab, find the endpoint group that contains the endpoint for
which you want to set the weight and click Mo dif y in the Act io ns column.
3. In the Mo dif y Def ault Endpo int Gro up or Mo dif y V irt ual Endpo int Gro up
dialog box, find and set the weight of the endpoint in the Endpo int section and click
Save .

Valid values of the weight: 0 to 255.

You can delete an endpoint group that you no longer need. After you delete an endpoint
group, GA stops forwarding requests to the endpoint group.

1. On the List eners tab, find the listener that you want to manage and click the
endpoint group ID or number in the Def ault Endpo int Gro up ID/Name column.

Delete an 2. On the Endpo int Gro up tab, find the default endpoint group or virtual endpoint
endpoint group that you want to delete and click Delet e in the Act io ns column.
group 3. In the message that appears, click OK .

No t e If a listener is associated with only one endpoint group and you delete
the endpoint group, the listener becomes unavailable.

You can delete an endpoint that you no longer need. After you delete an endpoint, GA
stops forwarding requests to the endpoint. If an endpoint group contains only one
endpoint, you cannot delete the endpoint.
1. On the List eners tab, find the listener that you want to manage and click the
endpoint group ID or number in the Def ault Endpo int Gro up ID/Name column.
Delete an
2. On the Endpo int Gro up tab, find the default endpoint group or virtual endpoint
endpoint
group to which the endpoint that you want to delete belongs and click Mo dif y in the
Act io ns column.
3. In the Mo dif y Def ault Endpo int Gro up or Mo dif y V irt ual Endpo int Gro up
dialog box, find the endpoint in the Endpo int section, click Delet e in the Act io ns
column, and then click Save .

References
Creat eEndpoint Group: You can call t his API operat ion t o creat e an endpoint group.
Creat eEndpoint Groups: You can call t his API operat ion t o creat e mult iple endpoint groups.
Updat eEndpoint Group: You can call t his API operat ion t o modify an endpoint group.

63 > Document Version: 20220627

 User Guide· Endpoint groups and end
Global Accelerat ion
point s

Delet eEndpoint Group: You can call t his API operat ion t o delet e an endpoint group.

5.4. Create and manage forwarding

rules
Only HT T P and HT T PS list eners support domain name-based or pat h-based forwarding rules. Aft er an
HT T P or HT T PS list ener receives a request , t he list ener forwards t he request t o a specific endpoint
group if t he dest inat ion domain name or pat h of t he request mat ches a forwarding rule.

Prerequisites
Only HT T P and HT T PS list eners support forwarding rules. Make sure t hat you have creat ed an HT T P or
HT T PS list ener. For more informat ion, see Add and manage list eners.
A virt ual endpoint group is creat ed. For more informat ion, see Creat e a virt ual endpoint group.

Context
Forwarding rules are classified int o default forwarding rules and cust om forwarding rules:
Default forwarding rules: Aft er you creat e an HT T P or HT T PS list ener, t he syst em aut omat ically
creat es a default forwarding rule and associat es it wit h t he default endpoint group. A list ener
cont ains only one default forwarding rule. You cannot modify or delet e t he default forwarding rule.
Cust om forwarding rules: Aft er you creat e an HT T P or HT T PS list ener, you can creat e cust om
forwarding rules based on your business requirement s. You can creat e mult iple cust om forwarding
rules for a list ener.
Each forwarding rule consist s of t he following component s:

Forwarding condit ions: A request is forwarded t o t he specified endpoint group only if t he request
mat ches a forwarding condit ion. You can configure a forwarding condit ion in t he following ways:
Specify a domain name: You can specify a domain name as t he forwarding condit ion in a
forwarding rule. If a request mat ches t he specified domain name, t he request is forwarded t o t he
specified endpoint group.
Specify pat hs: You can specify mult iple pat hs as t he forwarding condit ion in a forwarding rule. If a
request mat ches one of t he specified pat hs, t he request is forwarded t o t he specified endpoint
group.
Specify a domain name and mult iple pat hs: If a request mat ches t he specified domain name or one
of t he specified pat hs, t he request is forwarded t o t he specified endpoint group.

Forwarding act ion: forwards t he request t hat mat ches t he forwarding condit ion t o a specific
endpoint group. Each forwarding rule can point only t o one endpoint group.

A list ener can cont ain one default forwarding rule and mult iple cust om forwarding rules. T he syst em
at t empt s t o mat ch a request wit h a forwarding rule in t he following ways:

Met hod 1: If t he request cont ains a domain name, t he syst em at t empt s t o mat ch t he request wit h a
forwarding rule based on t he domain name.

> Document Version: 20220627 64

User Guide· Endpoint groups and end
Global Accelerat ion
point s

If t he domain name mat ches a forwarding rule, t he syst em at t empt s t o mat ch t he pat h of t he
request wit h t he forwarding rule.

If t he pat h also mat ches t he forwarding rule, t he request is forwarded t o t he specified endpoint
group. If t he pat h does not mat ch t he forwarding rule, t he request is forwarded based on a
domain name-based forwarding rule. T he domain name of t he request is specified as t he
forwarding condit ion of t he domain name-based forwarding rule and no pat h is specified.
If such a domain name-based forwarding rule is not configured for t he list ener, an HT T P 404 st at us
code is ret urned t o t he client .

If t he domain name of t he request does not mat ch a forwarding rule, t he request is forwarded by
using Met hod 2.

Met hod 2: If a request does not cont ain a domain name or t he list ener does not cont ain a forwarding
rule t hat mat ches t he domain name, t he syst em at t empt s t o mat ch t he request wit h a pat h-based
forwarding rule. Only pat hs are specified as t he forwarding condit ion of t he pat h-based forwarding
rule and no domain name is specified.

If t he syst em mat ches a request by using one of t he preceding met hods, t he request is forwarded t o
t he specified endpoint group. If no forwarding rule mat ches t he request , t he request is mat ched wit h
t he default forwarding rule and forwarded t o t he default endpoint group.

Create a forwarding rule

65 > Document Version: 20220627

 User Guide· Endpoint groups and end
Global Accelerat ion
point s

Aft er you creat e an HT T P or HT T PS list ener, t he syst em aut omat ically creat es a default forwarding rule
and associat es it wit h t he default endpoint group. You can perform t he following st eps t o creat e a
cust om forwarding rule and forward request s t hat mat ch t he cust om forwarding rule t o t he specified
virt ual endpoint group.

1.
2. On t he Inst ances page, find t he Global Accelerat or (GA) inst ance t hat you want t o manage and
click Conf igure List eners in t he Act ions column.
3. On t he List eners t ab, find t he list ener t hat you want t o manage and click t he ID of t he list ener.
4. On t he list ener det ails page, click t he Forwarding Rule t ab.
5. On t he Forwarding Rule t ab, click Add Forwarding Rule , configure t he following paramet ers,
and t hen click OK.

Parameter Description

Configure the forwarding condition.

Do main Name

T he domain name must be 3 to 128 characters in length and can

contain letters, digits, hyphens (-), and periods (.). Supported
wildcard characters are asterisks (*) and question marks (?).

If (Mat ching All Co ndit io ns) Pat h

T he path must be 1 to 128 characters in length and must start

with a forward slash (/). T he path can contain letters, digits,
dollar signs ($), hyphens (-), underscores (_), periods (.), plus
signs (+), forward slashes (/), ampersands (&), tildes (~), at signs
(@), colons (:), and apostrophes ('). Supported wildcard
characters are asterisks (*) and question marks (?).

Fo rw ard t o V irt ual Endpo int Select the virtual endpoint group to which a matched request is
Gro up forwarded.

Modify a forwarding rule

1.
2. On t he Inst ances page, find t he Global Accelerat or (GA) inst ance t hat you want t o manage and
click Conf igure List eners in t he Act ions column.
3. On t he List eners t ab, find t he list ener t hat you want t o manage and click t he ID of t he list ener.
4. On t he list ener det ails page, click t he Forwarding Rule t ab.

5. On t he Forwarding Rule t ab, find t he forwarding rule t hat you want t o modify, click in t he

upper-right corner, modify t he forwarding rule, and t hen click Save .

Delete a forwarding rule

1.
2. On t he Inst ances page, find t he Global Accelerat or (GA) inst ance t hat you want t o manage and
click Conf igure List eners in t he Act ions column.
3. On t he List eners t ab, find t he list ener t hat you want t o manage and click t he ID of t he list ener.

> Document Version: 20220627 66

User Guide· Endpoint groups and end
Global Accelerat ion
point s

4. On t he list ener det ails page, click t he Forwarding Rule t ab.

5. On t he Forwarding Rule t ab, find t he forwarding rule t hat you want t o delet e and click in t he

upper-right corner.
6. In t he message t hat appears, confirm t he ID of t he forwarding rule and click OK.

5.5. Enable and manage health

checks
Global Accelerat or (GA) performs healt h checks t o t est t he st at us of endpoint s. Healt h checks improve
service reliabilit y and availabilit y and prevent service int errupt ions caused by unhealt hy endpoint s.

Introduction to health checks

You can enable healt h checks for endpoint groups of a GA inst ance. Aft er you enable healt h checks, GA
periodically checks whet her t he endpoint s are healt hy. When GA det ect s an unhealt hy endpoint , GA
dist ribut es new request s t o ot her healt hy endpoint s. When t he unhealt hy endpoint recovers, GA
dist ribut es request s t o t he endpoint again.
GA support s healt h checks t hat use t he following prot ocols: T CP, HT T P, and HT T PS.

A T CP healt h check probes whet her a server port is healt hy at t he net work layer by sending SYN packet s
t o t he port . T he following figure shows t he process of T CP healt h checks.

No. Description

A GA instance sends a T CP SYN packet to the IP address and port of an endpoint based on
1
the health check configurations of the T CP listener.

67 > Document Version: 20220627

 User Guide· Endpoint groups and end
Global Accelerat ion
point s

No. Description

T he GA instance verifies the health status of the endpoint based on whether the endpoint
can return an SYN-ACK packet within the specified timeout period.
If the GA instance receives an SYN-ACK packet from the endpoint within the specified
timeout period (3 seconds), the endpoint is considered healthy.
If the GA instance receives an RST packet from the endpoint within the specified
timeout period (3 seconds), the endpoint is considered unhealthy.
If the GA instance does not receive an SYN-ACK packet from the endpoint within the
2 specified timeout period (3 seconds), the GA instance considers that the endpoint
cannot be reached or respond. As a result, the endpoint is considered unhealthy.

No t e T he response timeout period specifies the maximum amount of time to

wait for a health check response. If an endpoint does not respond within the
specified timeout period, the endpoint fails to pass the health check. By default, the
timeout period is set to 3 seconds and cannot be changed.

After the GA instance receives an SYN-ACK packet from the endpoint, the GA instance
3
sends an ACK packet to establish a T CP session.

An HT T P healt h check probes whet her an endpoint is healt hy by simulat ing HT T P GET request s sent
from a browser. T he following figure shows t he process of HT T P healt h checks.

No. Description

A GA instance sends an HT T P GET request to an endpoint based on the health check

1 configurations of the listener. T he HT T P GET request is sent to an address in the following
format: the IP address of the endpoint + health check port + health check path.

> Document Version: 20220627 68

User Guide· Endpoint groups and end
Global Accelerat ion
point s

No. Description

After the endpoint receives the request, the endpoint checks the status of the service and
returns a relevant HT T P status code.
If the GA instance receives the 200 status code from the endpoint within the
specified timeout period (3 seconds), the endpoint is considered healthy.
If the GA instance receives a status code other than the 200 status code from the
endpoint within the specified timeout period (3 seconds), the endpoint is considered
unhealthy.

2 If the GA instance does not receive a status code from the endpoint within the
specified timeout period (3 seconds), the GA instance considers that the endpoint
cannot be reached or respond. As a result, the endpoint is considered unhealthy.

No t e T he response timeout period specifies the maximum amount of time to

wait for a health check response. If an endpoint does not respond within the
specified timeout period, the endpoint fails to pass the health check. By default, the
timeout period is set to 3 seconds and cannot be changed.

Healt h checks improve t he availabilit y of your services. However, frequent failovers caused by unhealt hy
endpoint s may affect syst em availabilit y. Healt h check t ime windows are int roduced t o cont rol
failovers. A failover is performed only if an endpoint consecut ively passes or fails a specific number of
healt h checks wit hin a t ime window. T he healt h check t ime window is det ermined by t he following
fact ors:
Healt h check int erval: t he int erval at which healt h checks are performed.
Response t imeout : t he amount of t ime t o wait for a response.
Healt hy t hreshold: t he number of consecut ive successes or failures of healt h checks.

T he healt h check t ime window is calculat ed based on t he following formula:

T ime window for healt h check failures = Response t imeout × Healt hy t hreshold + Healt h check
int erval × (Healt hy t hreshold - 1)

T he following figure shows an example in which t he response t imeout is 3 seconds, t he healt h check
int erval is 2 seconds, and t he healt hy t hreshold is 3 t imes. T herefore, t he t ime window for healt h
check failures is 13 seconds based on t he formula 3 × 3 + 2 × (3 - 1).

T ime window for healt h check successes = (Response t ime of a successful healt h check × Healt hy
t hreshold) + Heat h check int erval × (Healt hy t hreshold - 1)

69 > Document Version: 20220627

 User Guide· Endpoint groups and end
Global Accelerat ion
point s

T he following figure shows an example in which t he response t ime is 1 second, t he healt h check
int erval is 2 seconds, and t he healt hy t hreshold is 3 t imes. T herefore, t he t ime window for healt h
check successes is 7 seconds based on t he formula 1 × 3 + 2 × (3 - 1).

If your GA inst ance uses UDP list eners, you can enable healt h checks for an endpoint only if t he
endpoint is associat ed wit h a T CP, HT T P, or HT T PS service. Ot herwise, t he endpoint is marked as
abnormal.

TCP health checks

HTTP and HTTPS health checks
Health check time window
Limits

Enable health checks

1.
2. On t he Inst ances page, find t he GA inst ance t hat you want t o manage and click Conf igure
List eners in t he Act ions column.
3. On t he List eners t ab, find t he list ener t hat you want t o manage and click Modif y in t he Act ions
column.
4. On t he Edit List ener page, click Next .
5. In t he Healt h Check sect ion of t he Conf igure Endpoint Group wizard page, enable t he healt h
check feat ure and set t he following paramet ers.

Parameter Description

Select the protocol that you want to use for health checks. Valid values: T CP, HT T P,
and HT T PS.

Healt h A T CP health check probes whether a server port is healthy at the network layer by
Check sending SYN packets to the port.
Pro t o co l An HT T P health check probes whether an endpoint is healthy by simulating HT T P
GET requests sent from a browser.

> Document Version: 20220627 70

User Guide· Endpoint groups and end
Global Accelerat ion
point s

Parameter Description

Set the port of the endpoint to which probe packets are sent for health checks.
Po rt
Valid values: 1 to 65535.

Healt h Set the interval between two consecutive health checks. Unit: seconds.
Check
Valid values: 1 to 50. Default value: 2.
Int erval

Specify the URI for health checks.

T he URI must be 1 to 80 characters in length and start with a forward slash (/). T he
URI can contain letters, digits, hyphens (-), forward slashes (/), periods (.), percent
signs (%), question marks (?), number signs (# ), and ampersands (&). T he URI can also
contain the following extended characters: _ ; ~ ! ( ) * [ ] @ $ ^ : ' , + .

URI By default, GA sends a GET request to the default homepage of the backend service.
If you do not want to use the default homepage for health checks, you can manually
specify a URI.

No t e T his parameter is supported only for HT T P and HT T PS health checks.

T he number of consecutive health check failures that must occur before a healthy
endpoint is considered unhealthy, or the number of consecutive health check
Healt hy successes that must occur before an unhealthy endpoint is considered healthy.
T hresho ld
Valid values: 2 to 10. Default value: 3.

6. Click Next . On t he Conf irm wizard page, confirm t he healt h check configurat ions and click Submit .

What to do next

Operation Description

1. On the List eners tab, find the listener and click Edit Endpo int Gro up in the
Act io ns column.
Modify health 2. In the Healt h Check section of the Co nf igure Endpo int Gro up wizard page,
check modify the health check protocol, port, and health check interval and click Next .
configurations
For more information, see Enable health checks.

3. On the Co nf irm wizard page, click Next .

1. On the List eners tab, find the listener and click Edit Endpo int Gro up in the
Act io ns column.
Disable health
2. In the Healt h Check section of the Co nf igure Endpo int Gro up wizard page,
checks
disable the healt h check feature and click Next .
3. On the Co nf irm wizard page, click Next .

Related topics

71 > Document Version: 20220627

 User Guide· Endpoint groups and end
Global Accelerat ion
point s

Creat eEndpoint Group: Creat es an endpoint group. You can configure healt h checks when you creat e
an endpoint group.
Updat eEndpoint Group: Modifies an endpoint group. You can configure healt h checks when you
modify an endpoint group.
Get Healt hSt at us: Queries healt h check informat ion about an endpoint .

5.6. Examples on how to configure

the traffic distribution feature for
multiple endpoint groups
Dist ribut e t raffic for an applicat ion t hat is deployed across regions

T his t opic describes how t o use t he t raffic dist ribut ion feat ure t o cont rol t he percent age of client
request s t hat are forwarded t o endpoint groups in different regions.

Scenarios
A company deploys a service on servers in t he China (Beijing) and China (Shanghai) regions. T he T CP
prot ocol is used and port 80 is open. T he client s are locat ed in t he China (Beijing) region. T he company
specifies China (Beijing) as t he accelerat ion region and creat es an endpoint group in t he China (Beijing)
and China (Shanghai) regions in t he Global Accelerat or (GA) console. By default , GA forwards all
request s from client s in t he China (Beijing) region t o t he servers in t he endpoint group t hat is deployed
in t he China (Beijing) region. T he endpoint group in t he China (Shanghai) region serves as t he secondary
endpoint group. If t he endpoint group in t he China (Beijing) region is abnormal, client request s are
forwarded t o t he endpoint group in t he China (Shanghai) region. Due t o business development , t he
company want s t o forward request s from client s in t he China (Beijing) region t o t he servers in t he
endpoint group t hat is deployed in t he China (Shanghai) region. T he company also want s t o ensure t hat
client s can access t he service as normal during t he swit chover process.

You can change t he t raffic dist ribut ion rat io for t he endpoint group in t he China (Beijing) region. For
example, you can change t he t raffic dist ribut ion rat io from 100% t o 50%. T his way, 50% of request s
from client s in t he China (Beijing) region are forwarded t o t he servers in t he endpoint group in t he China
(Shanghai) region. If client s can access t he service as normal, change t he t raffic dist ribut ion rat io t o 0%.
T his way, all request s from client s in t he China (Beijing) region are forwarded t o t he servers in t he
endpoint group in t he China (Shanghai) region. T his ensures t he seamless swit chover of t raffic from
client s in t he China (Beijing) region.

> Document Version: 20220627 72

User Guide· Endpoint groups and end
Global Accelerat ion
point s

Prerequisites
A GA inst ance and a basic bandwidt h plan are purchased. For more informat ion, see Select and purchase
GA resources.

Procedure

Step 1: Deploy servers

T he servers in t his example run t he Alibaba Cloud Linux 3.2104 64-bit operat ing syst em. T he command
t hat is used t o run t he t est may vary based on t he operat ing syst em. For more informat ion, refer t o t he
user guide of t he operat ing syst em.
1. Deploy servers in t he China (Beijing) and China (Shanghai) regions, and specify t he T CP prot ocol and
open port 80 for t he servers.
2. Open t he command prompt on a client in t he China (Beijing) region and run t he curl command t o
access t he servers in t he China (Beijing) region and t he China (Shanghai) region.

curl <Origin server IP address>

T he following figures show t he region informat ion t hat is ret urned.

Access a server in t he China (Beijing) region

Access a server in t he China (Shanghai) region

Step 2: Add an acceleration region

1.
2. On t he Inst ances page, find t he GA inst ance t hat you creat ed and click it s ID.
3. Click t he Accelerat ion Areas t ab and t hen click Add Region on t he China Nort h t ab.
4. In t he Add Accelerat ion Area dialog box, set t he following paramet ers and click OK.

Parameter Description

Select the region where the users that require the acceleration service are located.
Regio n
In this example, China (Beijing) is selected.

Allocate bandwidth to the region.

Bandw idt h
In this example, 2 Mbit/s of bandwidth is allocated.

73 > Document Version: 20220627

 User Guide· Endpoint groups and end
Global Accelerat ion
point s

Parameter Description

Select the Internet protocol that is used by the users to connect to GA.
Int ernet
Pro t o co l In this example, IPv4 is selected.

Aft er you add t he region, t he syst em assigns an accelerat ed IP address t o t he region t hat is added
t o t he GA inst ance. T his accelerat ed IP address is used t o accelerat e dat a t ransfer from users in t he
specified region t o t he specified backend servers t hrough GA.

Step 3: Add a listener and an endpoint group

1.
2. On t he Conf igure List ener & Prot ocol wizard page, specify t he following list ener informat ion
and click Next .

Parameter Description

Enter a name for the listener.

List ener
T he name must be 2 to 128 characters in length, and can contain letters, digits,
Name
underscores (_), and hyphens (-). T he name must start with a letter.

> Document Version: 20220627 74

User Guide· Endpoint groups and end
Global Accelerat ion
point s

Parameter Description

Select the protocol of the listener.

Pro t o co l
In this example, T CP is selected.

Specify a listener port. T he port is used to receive and forward requests to endpoints.
Po rt Valid values: 1 t o 65499 .
Number
In this example, the value is set to 80.

Specify whether to enable client affinity. If client affinity is enabled, requests from the
same client are forwarded to the same endpoint when the client connects to a
Client
stateful application.
Af f init y
In this example, Disable is selected.

3. On t he Conf igure Endpoint Group wizard page, set t he following paramet ers for t he endpoint
group t hat is deployed in t he China (Beijing) region.

Parameter Description

Endpo int Gro up

Enter a name for the endpoint group.
Name

Select the region where you want to create the endpoint group. T he server
that the clients want to access must be deployed in the specified region.
Regio n
In this example, China (Beijing) is selected.

75 > Document Version: 20220627

 User Guide· Endpoint groups and end
Global Accelerat ion
point s

Parameter Description

Set the traffic distribution ratio for the endpoint group. Unit: %. Valid values:
0 to 100.

In this example, the default value 100 is used.

T raf f ic Dist ribut io n
Rat io
No t e You can set T raf f ic Dist ribut io n Rat io only if you create
an endpoint group for a T CP or UDP listener.

Specify whether the backend service is deployed on Alibaba Cloud.

Backend Service
In this example, Of f Alibaba Clo ud is selected.

Specify whether to preserve client IP addresses. After you enable this

feature, backend servers can retrieve client IP addresses.
Preserve Client IP
In this example, client IP address preservation is disabled.

Endpoints are destinations of client requests. T o add an endpoint, specify

the following parameters:
Backend Service T ype : In this example, Cust o m IP Address is
selected.
Backend Service : Enter the public IP address of the backend server.
Endpo int W eight : Enter the weight of the endpoint. Valid values: 0 to 255. GA
distributes network traffic to endpoints based on their weights.

No t ice If the weight of an endpoint is set to 0, GA stops

distributing network traffic to the endpoint. Proceed with caution.

Specify whether to enable or disable the health check feature.

After you enable this feature, you can use health checks to check the status
Healt h Check of endpoints. For more information about how to configure health checks,
see Enable and manage health checks.

In this example, the health check feature is enabled.

4. Click + Add Endpoint Group t o add anot her endpoint group in t he China (Shanghai) region,
configure t he endpoint group based on t he paramet er descript ion in Subst ep , and t hen click Next .

> Document Version: 20220627 76

User Guide· Endpoint groups and end
Global Accelerat ion
point s

5.

Step 4: Test the traffic distribution result

In t his example, t he following command is used t o simulat e client request s t o t est t he t raffic
dist ribut ion result .

echo > curl.txt; for ((i=0;i<<Number of requests>;i++)); do curl -s <Accelerated IP address

> >> curl.txt; done; beijing_count=`grep Beijing curl.txt | wc -l`;echo "Beijing count: ${b
eijing_count}";shanghai_count=`grep Shanghai curl.txt | wc -l`;echo "shanghai count: ${shan
ghai_count}";

Paramet er descript ion:

Number of requests : T he number of client request s t hat are simulat ed. For example, if you set N
umber of requests t o 100, 100 request s are sent from t he client .
Accelerated IP address : T he accelerat ed IP address assigned by GA.

Beijing count : T he number of request s processed by t he servers in t he China (Beijing) region.

Shanghai count : T he number of request s processed by t he servers in t he China (Shanghai) region.

1. Check how client request s are scheduled when you set t he t raffic dist ribut ion rat io t o 100% for t he
endpoint group t hat is assigned a higher priorit y in t he China (Beijing) region.
Open t he command prompt on a client in t he China (Beijing) region and send 100 request s. T hen,
check t he number of request s t hat are processed by t he servers in t he China (Beijing) region and t he
number of request s t hat are processed by t he servers in t he China (Shanghai) region.

T he result indicat es t hat all request s from t he client in t he China (Beijing) region are forwarded t o
t he endpoint group in t he China (Beijing) region.

77 > Document Version: 20220627

 User Guide· Endpoint groups and end
Global Accelerat ion
point s

2. Check how client request s are scheduled when you set t he t raffic dist ribut ion rat io t o 50% for t he
endpoint group t hat is assigned a higher priorit y in t he China (Beijing) region.
i. Change t he t raffic dist ribut ion rat io t o 50% for t he endpoint group in t he China (Beijing) region.
For more informat ion, see Set the traffic distribution ratio for an endpoint group.
ii. Send 100 request s from a client in t he China (Beijing) region and check t he number of request s
t hat are processed by t he servers in t he China (Beijing) region and t he number of request s t hat
are processed by t he servers in t he China (Shanghai) region.

T he result indicat es t hat each endpoint group in t he China (Beijing) region and t he China
(Shanghai) region processes 50 request s.

3. Check how client request s are scheduled when you set t he t raffic dist ribut ion rat io t o 0% for t he
endpoint group t hat is assigned a higher priorit y in t he China (Beijing) region.
i. Change t he t raffic dist ribut ion rat io t o 0% for t he endpoint group in t he China (Beijing) region.
For more informat ion, see Set the traffic distribution ratio for an endpoint group.
ii. Send 100 request s from a client in t he China (Beijing) region and check t he number of request s
t hat are processed by t he servers in t he China (Beijing) region and t he number of request s t hat
are processed by t he servers in t he China (Shanghai) region.

T he result indicat es t hat all request s from t he client in t he China (Beijing) region are forwarded
t o and processed by t he servers in t he China (Shanghai) region.

> Document Version: 20220627 78

User Guide· Access cont rol Global Accelerat ion

6.Access control
T his t opic describes how t o configure access cont rol for a list ener. You can configure different access
cont rol modes and access cont rol list s (ACLs) for different list eners of a Global Accelerat or (GA)
inst ance.

Introduction
T he access cont rol feat ure consist s of access cont rol modes and access cont rol list s (ACLs). Access
cont rol modes include t he whit elist mode and blacklist mode. An ACL can cont ain mult iple IP addresses
or CIDR blocks. You can set whit elist s or blacklist s for different list eners:

Whit elist : Only t he request s from t he IP addresses or CIDR blocks in t he specified ACL are forwarded. If
you want t o allow access from specific IP addresses, you can configure a whit elist .
Blacklist : All request s from t he IP addresses or CIDR blocks in t he specified ACL are denied. If you want
t o block access from specific IP addresses, you can configure a blacklist .

Not ice
Risks may arise if t he whit elist is improperly configured. Aft er you configure a whit elist for a
list ener, only request s from t he IP addresses t hat are added t o t he whit elist are forwarded
by t he list ener. If t he whit elist is enabled but no IP addresses are added t o t he ACL, t he
list ener denies all request s.
If t he blacklist is enabled but no IP addresses are added t o t he ACL, t he list ener forwards all
request s.

When you creat e an ACL, you can select IPv4 or IPv6 as t he support ed IP version. When you configure
access cont rol for a list ener, you can select an ACL t hat uses t he same IP version as t he accelerat ed IP
address of t he access point .

Limits
T he t ot al number of IP addresses and CIDR blocks in t he ACLs t hat are associat ed wit h a list ener
cannot exceed 200. Each IP address and CIDR block must be unique.
An ACL can be associat ed wit h up t o 10 list eners.
A list ener can be associat ed wit h at most t wo ACLs. If you associat e t wo ACLs wit h a list ener, one ACL

79 > Document Version: 20220627

Global Accelerat ion User Guide· Access cont rol

must be based on IPv4 and t he ot her must be based on IPv6.

If you associat e an IPv4 ACL and an IPv6 ACL wit h a list ener, only t he ACL t hat mat ches t he IP version
of t he accelerat ed IP address is applied.

Procedure
T he following figure shows how t o configure access cont rol for a list ener.

T o configure an ACL for a list ener, perform t he following st eps:

1. Creat e an ACL: Before you enable access cont rol, you must creat e an ACL.
2. Add IP addresses or CIDR blocks t o t he ACL: You can add mult iple IP addresses or CIDR blocks t o t he
ACL.
3. Enable access cont rol for a list ener.: Enable access cont rol for a list ener. T hen, set t he access
cont rol mode and select an ACL.

Create an ACL
Before you enable access cont rol for a list ener, you must creat e an ACL.

1.
2. In t he left -side navigat ion pane, click Access Cont rol.
3. On t he Access Cont rol page, click Creat e ACL. In t he Creat e ACL dialog box, set ACL Name and
IP Version.
Select IPv4 or IPv6 based on your business requirement s.
If you select IPv4 , t he ACL is applied only in accelerat ion regions t hat use accelerat ed IPv4
addresses.
If you select IPv6 , t he ACL is applied only in accelerat ion regions t hat use accelerat ed IPv6
addresses.
4. Click OK.

Add IP addresses or CIDR blocks to the ACL

Aft er t he ACL is creat ed, you can add mult iple IP addresses or CIDR blocks t o t he ACL. T his way, you can
enable a list ener t o allow or block access from t he specified IP addresses or CIDR blocks.

1.
2.
3. Find t he ACL t hat you want t o manage and click Manage ACL in t he Act ions column.
4. Add IP addresses or CIDR blocks t o t he ACL.
Add one IP address or CIDR block t o t he ACL
On t he ACL Det ails page, click Add Rule . In t he Add ACL Rule dialog box, ent er an IP address or
a CIDR block, ent er remarks, and t hen click OK.

> Document Version: 20220627 80

User Guide· Access cont rol Global Accelerat ion

T he remarks must be 2 t o 256 charact ers in lengt h, and can cont ain let t ers, digit s, hyphens (-),
forward slashes (/), periods (.), underscores (_), commas (,), semicolons (;), and at signs (@).

Add mult iple IP addresses or CIDR blocks at a t ime

On t he ACL Det ails page, click Add Mult iple Rules. In t he Add ACL Rules dialog box, ent er
mult iple IP addresses or CIDR blocks, ent er remarks, and t hen click OK.

T ake not e of t he following it ems:

Ent er one ent ry per line. Press t he Ent er key t o st art a new line.
Separat e an IP address or CIDR block and t he remarks wit h a vert ical bar (|). For example,
47.57.XX.XX|remarks.
T he remarks must be 2 t o 256 charact ers in lengt h, and can cont ain let t ers, digit s, hyphens (-),
forward slashes (/), periods (.), underscores (_), commas (,), semicolons (;), and at signs (@).

Enable access control for a listener.

GA allows you t o configure access cont rol for a list ener. You can configure whit elist s or blacklist s for
different list eners.

81 > Document Version: 20220627

Global Accelerat ion User Guide· Access cont rol

Before you enable access cont rol, make sure t hat a list ener is creat ed. For more informat ion, see Add
and manage listeners.

1.
2. On t he Inst ances page, find t he GA inst ance t hat you want t o manage and click Conf igure
List eners in t he Act ions column.
3. On t he List eners t ab, click t he ID of t he list ener for which you want t o enable access cont rol.
4. On t he List ener Det ails t ab, t urn on Access Cont rol.
5. In t he Enable Access Cont rol dialog box, set t he following paramet ers and click OK.

Parameter Description

Select an access control mode. Valid values:

W hit elist : After you associate an ACL with the listener, the listener
forwards only requests from IP addresses or CIDR blocks that are added to
the ACL.
Blacklist : After you associate an ACL with the listener, the listener denies
requests from IP addresses or CIDR blocks that are added to the ACL.

Access Co nt ro l No t ice
Mo de Risks may arise if the whitelist is improperly configured. After
you configure a whitelist for a listener, only requests from the IP
addresses that are added to the whitelist are forwarded by the
listener. If the whitelist is enabled but no IP addresses are added
to the ACL, the listener denies all requests.
If the blacklist is enabled but no IP addresses are added to the
ACL, the listener forwards all requests.

Select ACL Select an ACL.

Remove IP addresses or CIDR blocks from the ACL

You can remove IP addresses or CIDR blocks from t he ACL.
1.
2.
3. Find t he ACL t hat you want t o manage and click Manage ACL in t he Act ions column.
4. Find t he IP address or CIDR block t hat you want t o remove from t he ACL and click Delet e in t he
Act ions column. T o remove mult iple IP addresses or CIDR blocks at a t ime, select t he IP addresses
or CIDR blocks t hat you want t o remove and click Delet e below t he list .
5. In t he message t hat appears, click OK.

Disable access control

If a list ener no longer requires access cont rol, you can disable access cont rol for t he list ener.

1.
2. On t he Inst ances page, find t he GA inst ance t hat you want t o manage and click Conf igure
List eners in t he Act ions column.

> Document Version: 20220627 82

User Guide· Access cont rol Global Accelerat ion

3. On t he List eners t ab, click t he ID of t he list ener for which you want t o disable access cont rol.
4. On t he List ener Det ails t ab, t urn off Access Cont rol.

83 > Document Version: 20220627

Global Accelerat ion User Guide· Log management

7.Log management
Context
1.

7.1. Query operations logs

All operat ions t hat you perform on a Global Accelerat or (GA) inst ance are recorded in operat ions logs.
You can query and search log informat ion based on t he event t ime, users, and relevant resources. T his
allows you t o keep t rack of a GA inst ance.

Procedure
1.
2. In t he left -side navigat ion pane, choose Log Management > Operat ions Log .

3. On t he Operat ions Log page, select a query condit ion and click .

Service Name : By default , Global Accelerat or(Ga) is select ed.

Select an event t ype: You can select Read/Writ e t ype , Username , and Resource T ype .
Select a t ime range: You can select a default or cust om t ime range.

4. Find t he operat ions log t hat you want t o view and click t o view det ails.

7.2. Work with access logs

Global Accelerat or (GA) can creat e access logs t o record t he t raffic informat ion of endpoint s. You can
analyze t he t raffic informat ion t o verify Access Cont rol List (ACL) rules and t roubleshoot net work errors.

Introduction to access logs

You can configure GA t o creat e access logs for one or more endpoint groups of a GA inst ance. T he
collect ed log dat a is delivered t o t he Logst ores provided by Log Service in t he regions where t he
endpoint groups are deployed. An access log cont ains t he following informat ion: t he source IP address,
source port , dest inat ion IP address, dest inat ion port , and accelerat ion region.

T roubleshoot ing

You can t roubleshoot issues based on t he informat ion in an access log.

> Document Version: 20220627 84

User Guide· Log management Global Accelerat ion

For example, you can check whet her GA ret urns an expect ed response based on t he st at us
paramet er in an access log and t hen locat e t he cause.

Business planning
You can analyze an access log t o make informed business decisions.

For example, you can upgrade bandwidt h plans in advance t o meet your business requirement s
based on t he t raffic t rend in t he accelerat ion region. You can also view t he host s t hat access your
applicat ion wit hin a specified t ime period and prepare for applicat ion upgrades based on t he
ht t p_host paramet er in t he access log.

You are not charged addit ional fees for using t he access log feat ure. You need only t o pay for Log
Service. For more informat ion, see Billing of Log Service.

T he access log feat ure is support ed only in regions where Log Service is available. For more
informat ion, see Support ed regions.
Only st andard GA inst ances support t he access log feat ure. Basic GA inst ances do not support t he
access log feat ure. In t his t opic, a st andard GA inst ance is used as an example.
You cannot collect t he access log of an endpoint group if t he endpoint group is deployed on a point
of presence (PoP) node of Alibaba Cloud.
You cannot query t he domain names of endpoint s.
T he access log feat ure is aut omat ically enabled for GA inst ances t hat are creat ed aft er January 8,
2022. If you want t o enable t he access log feat ure for GA inst ances t hat are creat ed before January
8, 2022, submit a t icket t o upgrade t he GA inst ances.

Click here t o view more informat ion about access logs.

T he following t able describes t he access log informat ion t hat you can query in t he Log Service
console.

Paramet er Descript ion

accelerator_region T he acceleration region.

client_ip T he IP address of the client, which is the source IP address.

client_port T he port of the client, which is the source port.

T he outbound traffic during the time period when traffic information is

egress_bytes
collected.

endpoint_group_id T he ID of the endpoint group.

endpoint_group_region T he region where the endpoint group is deployed.

endpoint_ip T he IP address of the endpoint, which is the destination IP address.

endpoint_port T he port of the endpoint, which is the destination port.

ga_id T he ID of the GA instance.

T he inbound traffic during the time period when traffic information is

ingress_bytes
collected.

85 > Document Version: 20220627

Global Accelerat ion User Guide· Log management

Paramet er Descript ion

listener_id T he ID of the listener.

protocol T he network transmission protocol that is used by the listener.

status T he status of the response packet that is sent by GA.

time T he time when the log entry is generated.

T he duration of the session, which starts from the time when GA receives the
session_time
request and ends at the time when the last byte is sent to the client.

end_time T he time when the session ends.

epg_region T he region where the endpoint group is deployed.

T he following paramet ers are available when HT T P and HT T PS list eners are used.

Paramet er Descript ion

http_host T he Host header of the request.

http_referer T he HT T P referer header of the request.

request_method T he request method.

request_uri T he URI of the request that is received by GA.

Scenarios
Billing
Limits

Create an access log

Before you creat e an access log for a GA inst ance, make sure t hat you have added list eners and
endpoint groups for t he GA inst ance. For more informat ion, see Add and manage listeners.

1.
2. On t he Inst ances page, click t he ID of t he GA inst ance t hat you want t o manage.
3. On t he inst ance det ails page, click t he Access Log t ab.
4. On t he Access Log t ab, click Creat e Access Log . In t he St orage Conf igurat ion dialog box, set
t he following paramet ers and click OK.

> Document Version: 20220627 86

User Guide· Log management Global Accelerat ion

Parameter Description

List ener
Select a listener.
ID/Name
Select So urce
Endpo int Gro up
Select a destination endpoint group.
ID/Name

By default, the region where the endpoint group resides is

Regio n
selected.

Log Service projects are used to isolate and manage

resources.
Pro ject
You can click Select Pro ject and select an existing project.
St o rage You can also click Creat e Pro ject and create a project.
Set t ings

Log Service Logstores are used to collect, store, and query

log data.
Lo gst o re You can click Select Lo gst o re and select an existing
Logstore. You can also click Creat e Lo gst o re and create a
Logstore.

87 > Document Version: 20220627

Global Accelerat ion User Guide· Log management

Not e When you perform t his operat ion, t he syst em checks whet her t he service-linked
role AliyunServiceRoleForGaFlowlog is assigned t o GA.
If t he service-linked role AliyunServiceRoleForGaFlowlog does not exist , t he syst em
aut omat ically creat es t he service-linked role and at t aches t he permission policy
AliyunServiceRolePolicyForGaFlowlog t o t he service-linked role. T his allows GA t o access
Log Service and deliver flow logs t o Log Service.
If t he service-linked role AliyunServiceRoleForGaFlowlog is assigned t o GA, t he syst em
does not creat e it again.

For more informat ion, see AliyunServiceRoleForGaFlowlog.

Aft er you creat e t he access log, you can find it on t he Access Log t ab.

What to do next

Operation Description

1. On the Access Lo g tab, find the access log that you created and click
V iew Lo g in the Act io ns column to go to the Log Service console.
View access logs
2. You can view and analyze the access log. For more information, see
Examples.

1. On the Access Lo g tab, find the access log that you want to delete and
Delete an access log click Delet e in the Act io ns column.
2. In the Delet e Lo g message, click OK .

Aft er Log Service collect s an access log, you can download, deliver, and process t he access log. You
can also creat e alert s for t he access log. For more informat ion, see Common operations on logs of Alibaba
Cloud services.

Examples
On t he Raw Logs t ab of t he Logst ore page, you can view informat ion about raw logs.

> Document Version: 20220627 88

User Guide· Log management Global Accelerat ion

For example, you can click client _ip t o view informat ion about client IP addresses.

On t he Logst ore page, ent er an SQL st at ement in t he Search & Analyze search box t o search for a
specified access log.

For example, you can query t he dist ribut ion of client IP addresses based on t he order in t he following
figure.

No. Description

Enter the following SQL statement to query the heat map of client IP addresses and view
the top 10 regions where the clients are distributed. T his helps you plan your business.

1 * | select ip_to_geo(client_ip) as address, count(1) as count group by

address order by count desc limit 10

2 Select a time range during which access logs are generated and click Search & Analyz e .

On the Graph tab, click the Pro pert ies tab and then click the icon to view the
3
distribution of client IP addresses.

View a raw access log

Q uery a specified access log

89 > Document Version: 20220627

Global Accelerat ion User Guide· Manage quot as

8.Manage quotas
T his t opic describes how t o manage quot as of Global Accelerat or (GA). If t he quot a of a cloud resource
is insufficient , you can apply for a quot a increase.

Procedure
1.
2. In t he left -side navigat ion pane, click Quot a Management .
3. On t he Quot a Management page, view t he quot a usage of GA resources for t he current Alibaba
Cloud account .

4. T o increase a quot a, click Submit Applicat ion in t he Act ions column, set t he following
paramet ers, and t hen click OK.
Request ed Value : Specify t he request ed value. You must ent er a number t hat is great er t han
t he current quot a. For more informat ion about default quot a limit s, see Limit s.
Reason f or Applicat ion: Ent er t he det ailed reason for t he applicat ion, including t he scenarios
and necessit y.
Mobile/Landline Phone Number: Ent er t he mobile or landline phone number of t he applicant .
Email: Ent er t he email address of t he applicant .

Result
Aft er you submit t he applicat ion, you can click Hist ory in t he Act ions column t o view t he applicat ion
st at us.

T he syst em aut omat ically assesses whet her t o approve your applicat ion.

If t he request ed value exceeds t he upper limit , t he syst em aut omat ically reject s t he applicat ion and
t he applicat ion st at us changes t o Reject ed .

If your applicat ion is reject ed, reduce t he request ed value and submit t he applicat ion again.

If t he request ed value falls wit hin t he expect ed range, t he syst em aut omat ically approves t he
applicat ion, t he applicat ion st at us changes t o Approved , and t he request ed value immediat ely
t akes effect .

> Document Version: 20220627 90

User Guide· Permission management Global Accelerat ion

9.Permission management
9.1. Service-linked role
9.1.1. AliyunServiceRoleForGaVpcEndpoint
You can specify an Elast ic Comput e Service (ECS) inst ance or a Classic Load Balancer (CLB) inst ance
(formerly known as an SLB inst ance) as an endpoint for a Global Accelerat or (GA) inst ance. In t his case, if
your GA inst ance does not have t he service-linked role AliyunServiceRoleForGaVpcEndpoint , t he syst em
aut omat ically creat es t he service-linked role.

O verview
AliyunServiceRoleForGaVpcEndpoint is a service-linked role of GA. If you want t o specify an ECS inst ance
or a CLB inst ance as an endpoint , make sure t hat your GA inst ance has t he service-linked role
AliyunServiceRoleForGaVpcEndpoint .

Not e A service-linked role is a Resource Access Management (RAM) role t hat is associat ed
wit h an Alibaba Cloud service. In some cases, t o use a feat ure of a cloud service, you must first
acquire t he permissions t o access ot her cloud services. Service-linked roles simplify t he
aut horizat ion process and avoid user errors. For more informat ion, see Service-linked roles.

Permissions required to create the service-linked role

By default , an Alibaba Cloud account is aut horized t o creat e t he service-linked role
AliyunServiceRoleForGaVpcEndpoint . RAM users must be grant ed t he following permissions t o creat e
t he service-linked role:

{
"Action": "ram:CreateServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "vpcendpoint.ga.aliyuncs.com"
}
}
}

You can aut horize a RAM user t o creat e t he service-linked role by using one of t he following met hods:

At t ach t he administ rat or permission policy AliyunGlobalAccelerat ionFullAccess t o t he RAM user. For
more informat ion, see Grant permissions t o a RAM role.

Not e T he permissions required t o creat e t he service-linked role

AliyunServiceRoleForGaVpcEndpoint are included in t he administ rat or permission policy
AliyunGlobalAccelerat ionFullAccess. You can at t ach t he administ rat or permission policy t o a RAM
user. T his way, t he RAM user can creat e t he service-linked role
AliyunServiceRoleForGaVpcEndpoint .

91 > Document Version: 20220627

Global Accelerat ion User Guide· Permission management

At t ach a cust om permission policy t o a RAM user. T he following code block shows t he cont ent of t he
cust om permission policy:

{
"Action": "ram:CreateServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "vpcendpoint.ga.aliyuncs.com"
}
}
}

For more informat ion, see Create a custom policy and Grant permissions to a RAM role.

Create the service-linked role

When you specify an ECS inst ance or a CLB inst ance as an endpoint for a GA inst ance, t he syst em checks
whet her t he GA inst ance has t he service-linked role AliyunServiceRoleForGaVpcEndpoint . In t his case,
t he following rules apply t o t he GA inst ance:
If t he GA inst ance does not have t he service-linked role AliyunServiceRoleForGaVpcEndpoint , t he
syst em aut omat ically creat es t he service-linked role and at t aches t he permission policy
AliyunServiceRoleForGaVpcEndpoint t o t he service-linked role. T his allows GA t o access ECS and CLB.
T he following code block shows t he cont ent of t he permission policy:

> Document Version: 20220627 92

User Guide· Permission management Global Accelerat ion

{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Resource": "*",
"Action": [
"ecs:CreateNetworkInterface",
"ecs:DeleteNetworkInterface",
"ecs:DescribeNetworkInterfaces",
"ecs:ModifyNetworkInterfaceAttribute",
"ecs:DescribeSecurityGroups",
"ecs:CreateSecurityGroup",
"ecs:AuthorizeSecurityGroup",
"ecs:AuthorizeSecurityGroupEgress",
"ecs:RevokeSecurityGroup",
"ecs:RevokeSecurityGroupEgress",
"ecs:JoinSecurityGroup",
"ecs:LeaveSecurityGroup",
"ecs:DeleteSecurityGroup",
"ecs:DescribeSecurityGroupAttribute",
"ecs:DescribeSecurityGroups",
"ecs:DescribeSecurityGroupReferences",
"ecs:ModifySecurityGroupAttribute",
"ecs:ModifySecurityGroupEgressRule",
"ecs:ModifySecurityGroupPolicy",
"ecs:ModifySecurityGroupRule",
"vpc:DescribeVSwitches"
]
},
{
"Action": "ram:DeleteServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "vpcendpoint.ga.aliyuncs.com"
}
}
}
]
}

If t he GA inst ance has t he service-linked role AliyunServiceRoleForGaVpcEndpoint , t he syst em does

not creat e t he service-linked role again.

Delete the service-linked role

T he syst em does not aut omat ically delet e t he service-linked role AliyunServiceRoleForGaVpcEndpoint .
T o delet e t he service-linked role, you must first delet e t he ECS inst ance or CLB inst ance t hat serves as
an endpoint . For more informat ion, see t he following t opics:

1. Delet e an endpoint
2. Delet e a service-linked role

93 > Document Version: 20220627

Global Accelerat ion User Guide· Permission management

9.1.2. AliyunServiceRoleForGaFlowlog
T his t opic describes t he scenarios of t he service-linked role AliyunServiceRoleForGaFlowlog and how t o
creat e and delet e t he service-linked role.

O verview
AliyunServiceRoleForGaFlowlog is a service-linked role of Global Accelerat or (GA). Aft er you creat e
AliyunServiceRoleForGaFlowlog, GA can access your Log Service and deliver logs t o Log Service.

Not e A service-linked role is a Resource Access Management (RAM) role t hat is associat ed
wit h an Alibaba Cloud service. In some scenarios, t o use a feat ure of a cloud service, you must
obt ain t he permissions t o access ot her cloud services. Service-linked roles simplify t he aut horizat ion
process and avoid risks caused by user errors. For more informat ion, see Service-linked roles.

Permissions required to create AliyunServiceRoleForGaFlowlog

You can use an Alibaba Cloud account t o creat e AliyunServiceRoleForGaFlowlog. If you want t o creat e
AliyunServiceRoleForGaFlowlog as a RAM user, t he RAM user must first obt ain t he following permissions:

{
"Action": "ram:CreateServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "flowlog.ga.aliyuncs.com"
}
}
}

You can grant t he RAM user t he required permissions in one of t he following ways:

At t ach t he administ rat or permission policy AliyunGlobalAccelerat ionFullAccess t o t he RAM user. For
more informat ion, see Grant permissions t o a RAM role.

Not e T he permission t o creat e a service-linked role is included in

AliyunGlobalAccelerat ionFullAccess. T herefore, you can creat e a service-linked role as a RAM user
aft er you at t ach AliyunGlobalAccelerat ionFullAccess t o t he RAM user.

Creat e a cust om permission policy and at t ach it t o t he RAM user. T he following code block shows t he
cont ent of t he cust om permission policy:

> Document Version: 20220627 94

User Guide· Permission management Global Accelerat ion

{
"Action": "ram:CreateServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "flowlog.ga.aliyuncs.com"
}
}
}

For more informat ion, see Create a custom policy and Grant permissions to a RAM role.

Create AliyunServiceRoleForGaFlowlog
Aft er you enable t he log delivery feat ure of flow logs for GA, t he syst em aut omat ically creat es t he
service-linked role AliyunServiceRoleForGaFlowlog, and at t aches a permission policy named
AliyunServiceRolePolicyForGaFlowlog t o it . T he permission policy allows GA t o access flow logs. T he
following code block shows t he cont ent of t he permission policy:

{
"Version": "1",
"Statement": [
{
"Action": [
"log:PostLogStoreLogs"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "ram:DeleteServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "flowlog.ga.aliyuncs.com"
}
}
}
]
}

Delete AliyunServiceRoleForGaFlowlog
T he syst em cannot aut omat ically delet e t he service-linked role AliyunServiceRoleForGaFlowlog of GA.
T o manually delet e AliyunServiceRoleForGaFlowlog, delet e all GA inst ances first . For more informat ion,
see Delete a service-linked role.

9.1.3. AliyunServiceRoleForGaAlb

95 > Document Version: 20220627

Global Accelerat ion User Guide· Permission management

When you specify an Applicat ion Load Balancer (ALB) inst ance as an origin server, your GA inst ance must
assume t he service-linked role AliyunServiceRoleForGaAlb. If your GA inst ance does not assume t he
service-linked role, t he syst em aut omat ically creat es t he role for your GA inst ance.

AliyunServiceRoleForGaAlb
AliyunServiceRoleForGaAlb is a service-linked role of GA. T o specify an ALB inst ance as an origin server,
your GA inst ance must assume t he service-linked role AliyunServiceRoleForGaAlb.

Not e A service-linked role is a Resource Access Management (RAM) role t hat is associat ed
wit h an Alibaba Cloud service. In some cases, t o use a feat ure of a cloud service, you must first
acquire t he permissions t o access ot her cloud services. Service-linked roles simplify t he
aut horizat ion process and avoid user errors. For more informat ion, see Service-linked roles.

Permissions required to create AliyunServiceRoleForGaAlb

By default , an Alibaba Cloud account is aut horized t o creat e t he service-linked role
AliyunServiceRoleForGaAlb. If a RAM user want s t o creat e t he service-linked role, you must first use t he
Alibaba Cloud account t o grant t he following permissions t o t he RAM user:

{
"Action": "ram:CreateServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "alb.ga.aliyuncs.com"
}
}
}

You can grant t he RAM user t he required permissions by using one of t he following met hods:

At t ach t he administ rat or permission policy AliyunGlobalAccelerat ionFullAccess t o t he RAM user. For
more informat ion, see Grant permissions t o a RAM role.

Not e T he permissions required t o creat e t he service-linked role AliyunServiceRoleForGaAlb

are included in t he administ rat or permission policy AliyunGlobalAccelerat ionFullAccess. T herefore,
aft er you at t ach t he administ rat or permission policy t o a RAM user, t he RAM user can creat e t he
service-linked role AliyunServiceRoleForGaAlb.

At t ach a cust om permission policy t o a RAM user. T he following code block shows t he cont ent of t he
cust om permission policy:

> Document Version: 20220627 96

User Guide· Permission management Global Accelerat ion

{
"Action": "ram:CreateServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "alb.ga.aliyuncs.com"
}
}
}

For more informat ion, see Create a custom policy and Grant permissions to a RAM role.

Create the service-linked role AliyunServiceRoleForGaAlb

When you specify an ALB inst ance as an origin server, t he syst em checks whet her your GA inst ance
assumes t he service-linked role AliyunServiceRoleForGaAlb.

If your GA inst ance does not assume t he service-linked role AliyunServiceRoleForGaAlb, t he syst em
aut omat ically creat es t he service-linked role and at t aches t he permission policy
AliyunServiceRoleForGaAlb t o t he service-linked role. T his allows GA t o access ALB. T he following
code block shows t he cont ent of t he permission policy:

{
"Statement": [
{
"Effect": "Allow",
"Action": "alb:GetLoadBalancerAttribute",
"Resource": "*"
},
{
"Action": "ram:DeleteServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "alb.ga.aliyuncs.com"
}
}
}
],
"Version": "1"
}

If your GA inst ance assumes t he service-linked role AliyunServiceRoleForGaAlb, t he syst em does not
creat e t he service-linked role again.

Delete the service-linked role AliyunServiceRoleForGaAlb

T he syst em does not aut omat ically delet e t he service-linked role AliyunServiceRoleForGaAlb. T o delet e
t he service-linked role, you must first disassociat e t he ALB inst ance from your GA inst ance. T hen, you
can delet e t he service-linked role. For more informat ion, see:

1. Delet e an endpoint
2. Delet e a service-linked role

97 > Document Version: 20220627

Global Accelerat ion User Guide· Permission management

9.1.4. AliyunServiceRoleForGaOss
When you specify an Object St orage Service (OSS) inst ance as an origin server, your GA inst ance must
assume t he service-linked role AliyunServiceRoleForGaOss. If your GA inst ance does not assume t he
service-linked role, t he syst em aut omat ically creat es t he role for your GA inst ance.

AliyunServiceRoleForGaO ss
AliyunServiceRoleForGaOss is a service-linked role of GA. T o specify an OSS inst ance as an origin server,
your GA inst ance must assume t he service-linked role AliyunServiceRoleForGaVpcEndpoint .

Not e A service-linked role is a Resource Access Management (RAM) role t hat is associat ed
wit h an Alibaba Cloud service. In some cases, t o use a feat ure of a cloud service, you must first
acquire t he permissions t o access ot her cloud services. Service-linked roles simplify t he
aut horizat ion process and avoid risks caused by user errors. For more informat ion, see Service-linked
roles.

Permissions required to create AliyunServiceRoleForGaO ss

By default , an Alibaba Cloud account is aut horized t o creat e t he service-linked role
AliyunServiceRoleForGaOss. If a RAM user want s t o creat e t he service-linked role, you must first use t he
Alibaba Cloud account t o grant t he following permissions t o t he RAM user:

{
"Action": "ram:CreateServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "oss.ga.aliyuncs.com"
}
}
}

You can grant t he RAM user t he required permissions by using one of t he following met hods:

At t ach t he administ rat or permission policy AliyunGlobalAccelerat ionFullAccess t o t he RAM user. For
more informat ion, see Grant permissions t o a RAM role.

Not e T he permissions required t o creat e t he service-linked role AliyunServiceRoleForGaOss

are included in t he administ rat or permission policy AliyunGlobalAccelerat ionFullAccess. T herefore,
aft er you at t ach t he administ rat or permission policy t o a RAM user, t he RAM user can creat e t he
service-linked role AliyunServiceRoleForGaOss.

At t ach a cust om permission policy t o a RAM user. T he following code block shows t he cont ent of t he
cust om permission policy:

> Document Version: 20220627 98

User Guide· Permission management Global Accelerat ion

{
"Action": "ram:CreateServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "oss.ga.aliyuncs.com"
}
}
}

For more informat ion, see Create a custom policy and Grant permissions to a RAM role.

Create the service-linked role AliyunServiceRoleForGaO ss

When you specify an ALB inst ance as an origin server, t he syst em checks whet her your GA inst ance
assumes t he service-linked role AliyunServiceRoleForGaOss.
If your GA inst ance does not assume t he service-linked role AliyunServiceRoleForGaOss, t he syst em
aut omat ically creat es t he service-linked role and at t aches t he permission policy
AliyunServiceRoleForGaOss t o t he service-linked role. T his allows GA t o access OSS. T he following
code block shows t he cont ent of t he permission policy:

{
"Statement": [
{
"Effect": "Allow",
"Action": "oss:getBucketInfo",
"Resource": "*"
},
{
"Action": "ram:DeleteServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "oss.ga.aliyuncs.com"
}
}
}
],
"Version": "1"
}

If your GA inst ance assumes t he service-linked role AliyunServiceRoleForGaOss, t he syst em does not
creat e t he service-linked role again.

Delete the service-linked role AliyunServiceRoleForGaO ss

T he syst em does not aut omat ically delet e t he service-linked role AliyunServiceRoleForGaOss. T o delet e
t he service-linked role, you must first disassociat e t he OSS inst ance from your GA inst ance. T hen, you
can delet e t he service-linked role. For more informat ion, see:

1. Delet e an endpoint
2. Delet e a service-linked role

99 > Document Version: 20220627

Global Accelerat ion User Guide· Permission management

9.2. Grant permissions to a RAM user

By default , Resource Access Management (RAM) users cannot creat e Global Accelerat or (GA) resources,
or access or manage GA resources creat ed by Alibaba Cloud account s. If you want t o access or manage
GA resources as a RAM user, you must first grant t he required permissions t o t he RAM user.

Prerequisites
A RAM user is creat ed. For more informat ion, see Creat e a RAM user.

Procedure
1. Log on t o t he RAM console wit h your Alibaba Cloud account .
2. In t he left -side navigat ion pane, choose Ident it ies > Users.
3. On t he Users page, find t he RAM user and click Add Permissions in t he Act ions column.
4. In t he Add Permissions panel, set t he following paramet ers and click OK.

Parameter Description

T he authorization scope. Valid values:

Alibaba Clo ud Acco unt : T he authorization takes effect on the current
Aut ho riz ed Alibaba Cloud account.
Sco pe
Specif ic Reso urce Gro up : T he authorization takes effect on a specified
resource group.

Principal T he system automatically specifies the RAM user created in Step as the principal.

Select Syst em Po licy and then select permission policies that you want to attach
to the RAM user.

You can attach the following system policies of GA to a RAM user:

Select Po licy AliyunGlo balAccelerat io nReadOnlyAccess : Grants the RAM user read-only
permissions on GA.
AliyunGlo balAccelerat io nFullAccess : Grants the RAM user full permissions
on GA.

5. Confirm t he aut horizat ion scope and permission policies and click Complet e .

> Document Version: 20220627 100