Accelerate multiple HTTPS domains with a single Global Accelerator instance


You can use a single Global Accelerator instance to accelerate access to multiple HTTPS domains by configuring multiple certificates on it.

Use case

This topic uses an example of a company headquartered in the US (Silicon Valley) that has deployed two web services on Alibaba Cloud servers. Each service uses a different domain name. The company's clients are primarily in China (Hong Kong), and its web services face the following challenges:

  • Unstable public network connections cause high latency, jitter, and packet loss.

  • Multiple servers provide services by using different domain names. Accelerating each domain separately results in high costs.

To resolve these issues, the company plans to deploy Global Accelerator and configure an HTTPS listener. An HTTPS listener can accelerate access to multiple HTTPS domains by using the following features:

  • It supports binding multiple certificates to associate multiple domains with a single HTTPS listener.

  • It supports domain-based forwarding rules that route requests for different domains to their corresponding backend servers.

  • It encrypts client requests to ensure data security during transmission.

The following table describes the company's web server details and the request forwarding plan after deploying Global Accelerator.

Item                          | Domain 1 (xxxtest.cloud)  | Domain 2 (xxxtest.fun)
------------------------------|---------------------------|--------------------------
Listener protocol             | HTTPS                     | HTTPS
Listener port                 | 443                       | 443
Corresponding certificate     | default certificate A     | additional certificate B
Corresponding forwarding rule | default forwarding rule   | custom forwarding rule
Corresponding endpoint group  | default endpoint group    | virtual endpoint group
Corresponding server          | Server 1                  | Server 2
Backend service protocol      | HTTP                      | HTTPS
Backend service port          | 80                        | 443
Server public IP address      | 47.XX.XX.62               | 47.XX.XX.34

Note

Certificates configured in Global Accelerator encrypt data sent from clients to the instance. Certificates installed on backend servers encrypt data sent from Global Accelerator to the servers.

Prerequisites

  • You have purchased an SSL certificate and submitted a certificate application. For more information, see Select and purchase a certificate and Submit a certificate application.

  • You have uploaded the certificate file to the backend servers. For more information, see Upload a file to an ECS instance by using Cloud Assistant.

  • Your backend Server 1 and Server 2 provide services over HTTP port 80 and HTTPS port 443, respectively.

  • You have configured DNS resolution for Domain 1 (xxxtest.cloud) and Domain 2 (xxxtest.fun). Specifically, you have configured A records that point the domains to the public IP addresses of the backend servers.

Note

This topic describes how to use Nginx to configure backend services that run on HTTP port 80 and HTTPS port 443, and use Alibaba Cloud DNS to configure DNS records. If you use a different DNS service provider, follow their instructions.

Procedure

Note

This topic uses a standard pay-as-you-go Global Accelerator instance as an example to show you how to configure Global Accelerator to accelerate access to multiple HTTPS domains. Before you create a standard pay-as-you-go Global Accelerator instance, take note of the following information:

  • Pay-as-you-go GA instances use Pay-By-Data-Transfer for bandwidth billing. You do not need to associate a bandwidth package. Cloud Data Transfer (CDT) handles traffic billing.

  • The first time you use a pay-as-you-go GA instance, you must Activate Service.

Step 1: Configure basic information about an instance

  1. Log on to the GA console.

  2. On the Instances page, click Create Standard Pay-as-you-go Instance.

  3. In the Basic Instance Configuration step, configure the parameters based on the following table and click Next.

    Parameter

    Description

    GA Instance Name

    Enter a name for the GA instance.

    Instance Billing Method

    Pay-As-You-Go is selected by default.

    You are charged instance fees, Capacity Unit (CU) fees, and data transfer fees for pay-as-you-go standard Global Accelerator instances.

    Resource Group

    Select the resource group to which the standard Global Accelerator instance belongs.

    The resource group must be created by the current Alibaba Cloud account in Resource Management. For more information, see Create a resource group.

Step 2: Configure an acceleration area

Specify acceleration regions and allocate bandwidth to each acceleration region.

In the Configure Acceleration Area step, configure the parameters based on the following table and click Next.

Parameter

Description

Acceleration Area

Select one or more regions from the drop-down list and click Add.

In this example, the China (Hong Kong) region in the Asia Pacific section is selected.

Assign Bandwidth

Maximum Bandwidth

Specify the maximum bandwidth for the acceleration region. Each acceleration region supports a bandwidth range of 2 to 10,000 Mbit/s.

The maximum bandwidth is used for bandwidth throttling. The data transfer fees are managed by CDT.

In this example, the default value 200 Mbit/s is used.

Important

If you specify a small value for the maximum bandwidth, throttling may occur and packets may be dropped. Specify a maximum bandwidth based on your business requirements.

IP Protocol

Select the IP version that is used to connect to Global Accelerator.

In this example, the default value IPv4 is selected.

ISP Line Type

Select an ISP line type for the Global Accelerator instance.

BGP (Multi-ISP) is selected in this example.

Step 3: Configure a listener

A listener checks for and processes inbound client connections based on the port and protocol you specify. Each listener is associated with an endpoint group. After you associate a listener with an endpoint group for a specific region, Global Accelerator distributes traffic to the optimal endpoint within that group.

On the Configure Listeners page, configure a listener and click Next.

Parameter

Description

Listener Name

Enter a name for the listener.

Routing Type

Select a routing type.

In this example, select Intelligent Routing.

Protocol

Select a protocol for the listener.

In this example, select HTTPS.

Port

Specify the listener port that is used to receive and forward requests to endpoints. The port number must be in the range of 1 to 65499.

In this example, enter 443.

Server certificate

Select the server certificate that you have obtained.

In this example, select Certificate A.

TLS security policy

Select the TLS security policy that you want to use.

A TLS security policy includes the supported TLS protocol versions and cipher suites for HTTPS. For more information, see TLS security policies.

If you do not configure this parameter, the default policy tls_cipher_policy_1_0 is used.

Client Affinity

Specify whether to enable client affinity. If you enable client affinity, all requests from the same client are routed to the same endpoint. This feature is suitable for stateful applications.

In this example, select Source IP Address.

Add HTTP Header

Select the additional HTTP header fields that you require.

In this example, the default configuration is used.

Additional HTTP header fields

  • Use the GA-ID header to retrieve the ID of the Global Accelerator instance.

  • Use the GA-AP header to retrieve information about the acceleration region.

  • Use the GA-X-Forwarded-Proto header to retrieve the listener protocol of the GA instance.

  • Use the GA-X-Forwarded-Port header to retrieve the listener port of the GA instance.

  • Use the X-Real-IP header to retrieve the real IP address of the client.
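The headers above only mean something if the backend trusts them selectively. The following is an added example, not code from the original page or from Alibaba Cloud, of how a backend such as Server 1 (plain HTTP on port 80 behind the HTTPS 443 listener) should read the client IP and the original scheme: the GA headers are honoured only when the TCP peer is the accelerator, so a request that reaches the server's public IP directly cannot spoof them. TRUSTED_PROXY_NETS is an assumption not on the page; the values are RFC 5737 placeholder networks that must be replaced with the accelerator's actual egress ranges.

```python
"""Consume the headers a Global Accelerator HTTPS listener adds, trusting them
only when the request arrived through the accelerator (added example)."""
import ipaddress
from typing import Dict, Optional

# Placeholder (RFC 5737 test network): replace with the accelerator's egress ranges.
TRUSTED_PROXY_NETS = [ipaddress.ip_network("192.0.2.0/24")]


def from_trusted_proxy(peer_ip: str) -> bool:
    """True when the TCP peer is the accelerator rather than an arbitrary host."""
    ip = ipaddress.ip_address(peer_ip)
    return any(ip in net for net in TRUSTED_PROXY_NETS)


def _valid_ip(value: Optional[str]) -> Optional[str]:
    """Normalise a header value to an IP string, or None if it is not one."""
    try:
        return str(ipaddress.ip_address(value.strip())) if value else None
    except ValueError:
        return None


def _port(value: Optional[str], default: int) -> int:
    try:
        return int(value) if value else default
    except ValueError:
        return default


def client_ip(peer_ip: str, headers: Dict[str, str]) -> str:
    """Prefer X-Real-IP, then the first X-Forwarded-For hop, but only when the
    peer is the accelerator. A direct hit on the server's public IP (bypassing
    GA) keeps the socket address, so a forged header cannot spoof the client."""
    if not from_trusted_proxy(peer_ip):
        return peer_ip
    h = {k.lower(): v for k, v in headers.items()}
    real = _valid_ip(h.get("x-real-ip"))
    if real:
        return real
    first_hop = _valid_ip(h.get("x-forwarded-for", "").split(",")[0])
    return first_hop or peer_ip


def request_context(peer_ip: str, headers: Dict[str, str],
                    local_scheme: str = "http", local_port: int = 80) -> dict:
    """Server 1 terminates HTTP behind the listener's HTTPS 443, so secure-cookie
    and redirect decisions must use GA-X-Forwarded-Proto/Port, not the local
    socket. Untrusted peers get the local values and no GA metadata."""
    trusted = from_trusted_proxy(peer_ip)
    h = {k.lower(): v for k, v in headers.items()} if trusted else {}
    return {
        "client_ip": client_ip(peer_ip, headers),
        "via_accelerator": trusted,
        "scheme": h.get("ga-x-forwarded-proto", local_scheme).lower(),
        "port": _port(h.get("ga-x-forwarded-port"), local_port),
        "ga_instance": h.get("ga-id"),
        "acceleration_area": h.get("ga-ap"),
    }
```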

Step 4: Configure an endpoint group and endpoints

  1. On the Configure an Endpoint Group page, configure an endpoint group and endpoints, and then click Next.

    This section describes only the parameters that are highly relevant to this scenario. For more information about how to configure an endpoint, see Add and manage endpoint groups for intelligent routing listeners.

    Parameter

    Description

    Region

    Select the region where the endpoint group is deployed.

    In this example, select US (Silicon Valley).

    Endpoint Configuration

    Endpoints are the destination hosts for client requests. Configure the endpoints based on the following information:

    • Backend Service Type: Select Alibaba Cloud Public IP.

    • Backend Service: Enter the IP address of the backend service that you want to accelerate. In this example, enter the public IP address of Server 1: 47.XX.XX.62.

    • Weight: Enter a weight for the endpoint. The value must be in the range of 0 to 255. Global Accelerator routes traffic to endpoints based on their weights. In this example, the default value 255 is used.

    Warning

    If the weight of an endpoint is set to 0, Global Accelerator stops distributing traffic to that endpoint. Proceed with caution.

    Preserve Client IP

    The preserve client IP feature, enabled by default, allows backend services to retrieve client IP addresses. An HTTP listener reads the client's source IP address from the x-forwarded-for field in the HTTP header. For more information, see Preserve client IP addresses.

    Backend Service Protocol

    Select the service protocol that is used by the backend server.

    The default protocol is HTTP.

    Port Mapping

    If the listener port is different from the service port of your endpoint, you must configure port mapping.

    • Listener Port: This parameter must be set to the port of the current listener. In this example, enter 443.

    • Endpoint Port: The service port of your endpoint. In this example, enter 80.

    Traffic Distribution Ratio

    Specify the percentage of traffic that you want to forward to the endpoint group.

    Valid values: 0 to 100.

    In this example, the default value of 100% is used.

    Health Check

    Enable or disable health checks.

    If you enable this feature, the health status of endpoints can be checked. For more information, see Enable and manage health checks.

    In this example, health checks are disabled by default.

  2. On the Configuration Review page, review the settings and click Submit.

    Note

    Creating a GA instance takes about 3 to 5 minutes.

  3. Optional: After the instance is created, click Go to Instance Details below the task details list. On the instance details page, you can select tabs such as Instance Information, Listeners, and Acceleration Areas to view the instance configuration.

  4. Configure a virtual endpoint group.

    1. On the instance details page, click the Listeners tab.

    2. On the Listener tab, find the listener that you want to manage and click the endpoint group ID in the Default Endpoint Group column.

    3. On the Endpoint Group tab, in the Virtual Endpoint Group section, click Add Virtual Endpoint Group.

    4. On the Add Endpoint Group page, configure the settings based on the following information, and then click Create.

      Except for the parameters listed below, all other parameters are configured in the same way as the default endpoint group.

      • Backend Service Type: Select Alibaba Cloud Public IP.

      • Backend Service: Enter the public IP address of Server 2: 47.XX.XX.34.

      • Backend Service Protocol: Select HTTPS.

      • Port Mapping: No port mapping is required.

        If the listener port is the same as the service port of your endpoint, you do not need to configure port mapping. Global Accelerator automatically forwards access requests to the service port of the endpoint.

Step 5: Bind an additional certificate

You can bind an additional certificate to an HTTPS listener to associate another domain. In combination with domain-based forwarding rules, this allows you to route requests for different domains to different virtual endpoint groups.

The following steps describe how to associate Domain 2 (xxxtest.fun) with the HTTPS listener by binding Certificate B.

  1. On the Listener tab, find the target HTTPS listener and click its ID.

  2. On the listener details page, click the Certificates tab.

  3. On the Certificates tab, in the Additional Certificate section, click Associate Certificate.

  4. In the Associate Certificate dialog box, configure the additional certificate based on the following information, and then click OK.

    • Certificate: Select the certificate that you want to bind. In this example, select Certificate B.

    • Associated Domain Name: Select the domain that is associated with this certificate and that you want to accelerate by using Global Accelerator. In this example, select Domain 2 (xxxtest.fun).

Step 6: Add a forwarding rule

When an HTTPS listener receives a request, it first attempts to match the request against custom forwarding rules. If a rule is matched, the listener forwards the request to the corresponding endpoint group. If no custom forwarding rule is matched, the request is forwarded to the default endpoint group based on the default forwarding rule.

The following steps describe how to create a custom forwarding rule for the virtual endpoint group of Server 2. This rule routes all requests for Domain 2 (xxxtest.fun) to Server 2.

  1. On the Listener tab, find the target HTTPS listener and click its ID.

  2. On the listener details page, click the Forwarding Rule tab.

  3. On the Forwarding Rule tab, click Add Forwarding Rule.

  4. In the Add Forwarding Rule section, configure the forwarding rule based on the following information, and click OK.

    Parameter

    Description

    Name

    Enter a name for the forwarding rule.

    If (Matching All Conditions)

    Configure a forwarding condition.

    In this example, select Domain Name and enter the domain to match: xxxtest.fun.

    Forwarding action

    Select the action type and forwarding target.

    In this example, select Forward to and select the virtual endpoint group that you created in Step 4: Configure an endpoint group and endpoints.

Step 7: Configure a CNAME record

You must point Domain 1 (xxxtest.cloud) and Domain 2 (xxxtest.fun) to the CNAME address of the Global Accelerator instance by using DNS. This ensures that access requests are routed through Global Accelerator.

  1. On the Domains page, find your domain (xxxtest.cloud) and click DNS settings in the Actions column.

    Note

    If your domain is not registered with Alibaba Cloud, you must add the domain to the Alibaba Cloud DNS console before you can configure DNS records.

  2. On the DNS Settings page, find the existing A record and click Edit in the Actions column.

  3. In the Modify record panel, set Record Type to CNAME, change the Record Value to the CNAME address that is assigned to the Global Accelerator instance, and then click Confirm.

    You can find the CNAME address that is assigned to the Global Accelerator instance on the Instances page.

  4. Repeat the preceding steps to change the existing A record for Domain 2 (xxxtest.fun) to a CNAME record.

Note

If you need to return resolution results based on the client's region, make sure that you have upgraded Alibaba Cloud DNS to Enterprise Standard or Enterprise Ultimate Edition. For more information about how to upgrade, see Renew an instance.

After the upgrade, you can change the default DNS line of the existing A record to a specific regional line and add a CNAME record that points to the CNAME address assigned to the Global Accelerator instance.

Step 8: Test the configuration

Test whether clients can access the web services that are deployed in US (Silicon Valley) through the different domains and benefit from accelerated access.

Note

  • This topic uses Alibaba Cloud Linux 3 as an example for testing. Test commands may vary based on the operating system. For specific commands, refer to your operating system's documentation.

  • The acceleration effect of the Global Accelerator service is subject to your actual business tests.

Test website connectivity

  1. Open a command-line window on a computer in the acceleration area. In this example, the acceleration area is China (Hong Kong).

  2. Run the following command for both Domain 1 (xxxtest.cloud) and Domain 2 (xxxtest.fun) to verify that the CNAME configuration has taken effect.

    ping <website_domain>

    If the returned resolution result matches the CNAME of the Global Accelerator instance, the CNAME configuration is in effect.

    [root@iZjxxx ~]# ping xxx_test.cloud
    PING ga-bp1xxx9.com (8.217.xxx.xxx) 56(84) bytes of data.
    64 bytes from 8.217.xxx.xxx (8.217.xxx.xxx): icmp_seq=1 ttl=101 time=1.59 ms
    64 bytes from 8.217.xxx.xxx (8.217.xxx.xxx): icmp_seq=2 ttl=101 time=1.59 ms
    64 bytes from 8.217.xxx.xxx (8.217.xxx.xxx): icmp_seq=3 ttl=101 time=1.60 ms
    ^C
    --- ga-bp1xxx9.com ping statistics ---
    3 packets transmitted, 3 received, 0% packet loss, time 2002ms
    rtt min/avg/max/mdev = 1.593/1.595/1.598/0.002 ms
    [root@iZjxxx ~]# ping xxx_test.fun
    PING ga-bp1xxx.com (8.217.xxx.xxx) 56(84) bytes of data.
    64 bytes from 8.217.xxx.xxx (8.217.xxx.xxx): icmp_seq=1 ttl=96 time=1.58 ms
    64 bytes from 8.217.xxx.xxx (8.217.xxx.xxx): icmp_seq=2 ttl=96 time=1.53 ms
    64 bytes from 8.217.xxx.xxx (8.217.xxx.xxx): icmp_seq=3 ttl=96 time=1.51 ms
    ^C
    --- ga-bp1xxx9.com ping statistics ---
    3 packets transmitted, 3 received, 0% packet loss, time 2002ms
    rtt min/avg/max/mdev = 1.508/1.539/1.576/0.042 ms
  3. Run the following command for Domain 1 (xxxtest.cloud) and Domain 2 (xxxtest.fun) to test website connectivity and verify that the certificate is retrieved.

    curl -v https://<website_domain> --resolve <website_domain>:<listener_port>:<accelerated_IP>

    The following test result for Domain 1 (xxxtest.cloud) is used as an example. If the output includes the corresponding certificate information and a valid response, the website service is working as expected.

    [root@iZxxx]# curl -v https://xxx_test.cloud --resolve xxx_test.cloud:443:8.217.xxx
    * Added xxx_test.cloud:443:8.217.xxx to DNS cache
    * Rebuilt URL to: https://xxx_test.cloud/
    * Hostname xxx_test.cloud was found in DNS cache
    *   Trying 8.217.xxx...
    * TCP_NODELAY set
    * Connected to xxx_test.cloud (8.217.xxx) port 443 (#0)
    * ALPN, offering h2
    * ALPN, offering http/1.1
    * successfully set certificate verify locations:
    *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
      CApath: none
    * TLSv1.3 (OUT), TLS handshake, Client hello (1):
    * TLSv1.3 (IN), TLS handshake, Server hello (2):
    * TLSv1.2 (IN), TLS handshake, Certificate (11):
    * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
    * TLSv1.2 (IN), TLS handshake, Server finished (14):
    * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
    * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
    * TLSv1.2 (OUT), TLS handshake, Finished (20):
    * TLSv1.2 (IN), TLS handshake, Finished (20):
    * SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
    * ALPN, server accepted to use h2
    * Server certificate:
    *  subject: CN=xxx_test.cloud
    *  start date: Mar  1 00:00:00 2024 GMT
    *  expire date: Mar 31 23:59:59 2025 GMT
    *  subjectAltName: host "xxx_test.cloud" matched cert's "xxx_test.cloud"
    *  issuer: C = US; O = DigiCert Inc; CN = DigiCert Global G2 TLS RSA SHA256 2020 CA1
    *  SSL certificate verify ok.
    * Using HTTP2, server supports multi-use
    * Connection state changed (HTTP/2 confirmed)
    * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
    * Using Stream ID: 1 (easy handle 0x55d6e15b76b0)
    > GET / HTTP/2
    > Host: xxx_test.cloud
    > User-Agent: curl/7.61.1
    > Accept: */*
    > 
    * Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
    < HTTP/2 200
    < date: Thu, 14 Sep 2023 09:00:09 GMT
    < content-type: text/html
    < content-length: 299
    < last-modified: Mon, 11 Sep 2023 10:27:09 GMT
    < etag: "64feeb7d-12b"
    < accept-ranges: bytes
    < 
    <!DOCTYPE html>
    <html>
    <head>
    <title>HTTP Server Test Page</title>
    <style>
            body {
                    width: 35em;
                    margin: 0 auto;
                    font-family: Tahoma, Verdana, Arial, sans-serif;
            }
    </style>
    </head>
    <body>
    <h1>Welcome to HTTP Server Test Page!</h1>
    <p>This is ECS01.</p>
    </body>
    </html>
    * Connection #0 to host xxx_test.cloud left intact
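
The curl check above confirms one domain at a time by eye. The following added example, not code from the original page or Alibaba Cloud's tooling, does the same handshake for both domains against the accelerated IP with SNI set to each domain (as curl --resolve does) and reports whether the certificate the listener returned actually covers that domain, how long it remains valid, and which TLS version was negotiated, so a misbound additional certificate (certificate A answering for xxxtest.fun) is reported rather than hidden behind a handshake failure. ACCELERATED_IP is a constructed placeholder; replace it with your instance's accelerated IP.

```python
"""Check which certificate a multi-certificate HTTPS listener serves per SNI."""
import socket
import ssl
import time
from typing import Optional

# Constructed placeholders: the listener's accelerated IP and the domains bound
# to the default certificate (A) and the additional certificate (B).
ACCELERATED_IP = "8.217.0.1"
LISTENER_PORT = 443
DOMAINS = ["xxxtest.cloud", "xxxtest.fun"]


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: exact, or '*' covering exactly one leftmost label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def dns_names(cert: dict) -> list:
    """dNSName SAN entries; fall back to the CN only when the cert has no SAN."""
    sans = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def cert_covers(cert: dict, hostname: str) -> bool:
    return any(hostname_matches(name, hostname) for name in dns_names(cert))


def days_until_expiry(cert: dict, now: Optional[float] = None) -> float:
    # getpeercert() gives notAfter as e.g. 'Mar 31 23:59:59 2025 GMT'
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    return (expires - (time.time() if now is None else now)) / 86400


def check_sni(domain: str, ip: str = ACCELERATED_IP, port: int = LISTENER_PORT) -> dict:
    """Handshake with SNI=domain. The chain is still verified against the system
    trust store; only hostname checking is done by hand so a wrong certificate
    is reported instead of aborting the connection."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # verify_mode stays CERT_REQUIRED
    with socket.create_connection((ip, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=domain) as tls:
            cert = tls.getpeercert()
            return {
                "domain": domain,
                "tls_version": tls.version(),  # compare with the listener's TLS policy
                "served_names": dns_names(cert),
                "covers_domain": cert_covers(cert, domain),
                "days_left": round(days_until_expiry(cert), 1),
            }


if __name__ == "__main__":
    for domain in DOMAINS:
        print(check_sni(domain))
```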

Test the acceleration performance

To test the acceleration performance, see Test the acceleration performance of Global Accelerator.