Global Accelerator FAQ

If your backend service is deployed on Alibaba Cloud by using an Alibaba Cloud account that is different from the one that you use to activate GA, you can still use GA. When you configure GA, note the following:

• The account used for GA must have an active enhanced or premium acceleration bandwidth plan.

• When you configure the endpoint group, specify that the backend service is not deployed on Alibaba Cloud.

If a web service uses the GA IPv6 Translation Service, you can run the curl command on an IPv6 client to access the backend IPv4 web service and verify that the IPv6 Translation Service works. The following steps describe how to perform the test:

1. In the GA acceleration area, open the command-line interface (CLI) of the IPv6 client.

2. Run the following command to test whether the IPv6 client can access the backend IPv4 web service.

   curl -6 -g http://[<Accelerated IP address assigned by GA>]

   The test result indicates that the IPv6 client can access the backend IPv4 web service through the accelerated IP address.

The GA IPv6 Translation Service may fail for several reasons. Check the following:

• Check whether the Global Accelerator configuration is complete.

  A complete configuration must include an acceleration area, a listener (for standard GA instances), an endpoint group, and an endpoint.

• Check whether the client supports IPv6 access over the internet.

  You can run the ping command to test the accelerated IP address over IPv6. If the command fails, enable IPv6 on the client and make sure it has internet access.

• If you provide services by using a domain name, check whether DNS resolution is configured for the domain name.

  You can run a command such as dig to check the DNS resolution information. Check whether an AAAA record or a CNAME record is added. An AAAA record specifies an IPv6 accelerated IP address. A CNAME record specifies a CNAME for acceleration. For more information, see Configure DNS settings.

• If you add a CNAME record for DNS resolution, check whether the client region is included in the acceleration area.

  The CNAME of a GA instance is region-specific and affected by the acceleration area configuration. Cross-region access may fail. For example, if the acceleration area includes only regions in the Chinese mainland, the CNAME cannot be resolved from outside the Chinese mainland. We recommend that you add an acceleration area outside the Chinese mainland or switch to an AAAA record.

• Check whether security policies or firewalls are configured for your website.

  If security policies are configured on your origin server, they must allow traffic from the public IP address that the endpoint uses for origin-to-destination traffic.

• Due to varying DNS synchronization times and detection mechanisms, some third-party IPv6 detection websites may fail. In this case, you can access the website from an IPv6 client to check whether IPv6 works as expected.

If your application cannot connect to a backend service through GA after configuration, check the following:

• Check whether the backend service is working as expected.

  Access your backend service directly. If you cannot access the backend service, troubleshoot the origin server.

• If you use a CNAME record for DNS resolution, check whether the client region is added as a GA acceleration area.

  The CNAME of a GA instance is region-specific and depends on the acceleration area configuration. Cross-region access may fail.

  For example, if the acceleration area includes only regions outside the Chinese mainland (excluding Hong Kong (China)), the CNAME record cannot take effect in the Chinese mainland, which causes access failures for clients in the Chinese mainland. You can use one of the following solutions:

  • Solution 1: Configure intelligent DNS resolution based on client locations. Resolve traffic from outside the Chinese mainland to the GA CNAME, and resolve traffic from the Chinese mainland directly to the origin server.

    In this case, traffic from outside the Chinese mainland enters GA through the accelerated IP address of the acceleration area outside the Chinese mainland. Traffic from the Chinese mainland connects directly to the origin server, which may cause latency and packet loss due to ISP and international link limitations.

  • Solution 2: Add an acceleration area in the Chinese mainland to the GA instance, and use the default DNS line to resolve requests to the GA CNAME.

    GA automatically allocates an accelerated IP address based on the region from which a request is initiated. Traffic from outside the Chinese mainland is routed to GA through accelerated IP addresses in acceleration areas outside the Chinese mainland, and traffic from the Chinese mainland is routed to GA through accelerated IP addresses in the Chinese mainland.

    Note: If the acceleration area includes the Chinese mainland and your service traffic is HTTP or HTTPS, you must obtain an ICP filing for your domain name. Otherwise, acceleration will fail.

• Check whether the backend server has security policies.

  Check whether traffic is allowed from the origin-to-destination public IP address of the endpoint. You can view this IP address on the Listener Details tab. If your origin server is protected by a third-party security device, such as a Sangfor SSL VPN or a firewall, you must add the GA endpoint's origin-to-destination public IP address to the device's allowlist. Otherwise, a connection timeout may occur.

• Check whether the required service port is added to the GA listener.

  For example, a web application uses both port 80 and port 443. You must add both ports to the GA listener. Otherwise, if you use a port that is not in the listener to access the GA instance, access will fail.

• If your origin server is not deployed on Alibaba Cloud, check whether the Preserve Client IP feature is enabled.

  The Preserve Client IP feature requires the origin server to support the Proxy Protocol. Otherwise, access will fail. We recommend that you disable the Preserve Client IP feature and try to access the service again.

• Check whether the traffic exceeds the bandwidth peak of the acceleration area.

  • You can go to the Monitoring Chart tab to view the number of connections and bandwidth usage. Traffic spikes may indicate DDoS attacks. To view instance metrics, see View instance metrics.

  • You can modify the bandwidth peak of an acceleration area. For more information, see Modify an acceleration area.

• Check whether an access control list (ACL) is enabled for the GA instance and whether the client IP address is in the ACL's allowlist.

• Check whether the DNS resolution of the domain name is correctly configured to resolve to the GA CNAME or accelerated IP address.

  You can use a command such as dig to check. For more information about how to configure a CNAME record, see Configure a CNAME record.

• Check whether the health check port is consistent with the backend service's listening port.

  If GA routes requests to the backend service through a load balancer such as CLB, the health check port must be the same as the actual listening port of the backend service. In port mapping scenarios, the actual backend listening port may be different from the GA listener port. In this case, you must configure health checks based on the actual backend listening port. Otherwise, health checks will fail, the backend server will be considered unavailable, which causes access failures.