An address book contains a number of IP addresses, port numbers, or domain names. You can configure address books in the Cloud Firewall console to simplify the configuration of access control policies. You can add trusted or untrusted addresses to the same address book. This topic describes how to create, view, modify, and export an address book.

Background information

The threat intelligence feature of Cloud Firewall synchronizes malicious IP addresses and domain names that are detected across Alibaba Cloud to cloud address books. Cloud Firewall also adds the back-to-origin CIDR blocks of your Anti-DDoS Pro or Anti-DDoS Premium instances and Web Application Firewall (WAF) instances to cloud address books. You can configure fine-grained access control policies based on these cloud address books.

When you configure access control policies, you can perform the following operations:
  • Allow traffic of IP addresses and domain names in address books.
  • Deny traffic of IP addresses and domain names in address books.
Note
  • One IP address or port number can be added to multiple address books.
  • Cloud Firewall provides built-in global address books. You cannot modify or delete the global address books.
  • You cannot modify or delete cloud address books.
  • If you change the IP addresses, domain names, or port numbers in an address book, the changes are automatically updated in the access control policies that reference the address book.

Procedure

  1. Log on to the Cloud Firewall console.
  2. In the left-side navigation pane, choose Access Control > Access Control.
  3. On the Access Control page, click the Internet Firewall tab. Then, click Address Books above the policy list.
    Manage address books
  4. In the dialog box that appears, manage address books.
    You can perform the following operations:
    • Create address books

      You can add trusted or untrusted addresses to an address book based on the configuration requirements of an access control policy. You can create the following types of address books: IPv4 address books, IPv6 address books, port address books, and domain address books. For more information, see Create an address book.

    • View and modify an address book

      Click the IPv4 Address Books, IPv6 Address Books, Port Address Books, or Domain Address Books tab based on your business requirements. On the tab that appears, find the required address book. Then, click Modify in the Actions column to view and modify the address book.

      Note You cannot change the type or name of an address book.
    • View a cloud address book

      On the Cloud Address Books tab, view the name, type, number of references, and description of a cloud address book. You can also view the IP address or domain name in a cloud address book.

      Cloud Address Books

      Find the required cloud address book and click View in the Actions column to view the configurations of the cloud address book.

      Configurations of a cloud address book
    • Delete an address book

      Click the IPv4 Address Books, IPv6 Address Books, Port Address Books, or Domain Address Books tab based on your business requirements. On the tab that appears, find the address book that you want to delete. Then, click Delete in the Actions column. In the message that appears, click OK to delete the address book.

      Note You cannot delete an address book that is being referenced by access control policies.
    • Export an address book

      In the upper-right corner of an address book list, click the Download icon to export the address book.

      Export an address book

Create an address book

  1. Click the IPv4 Address Books, IPv6 Address Books, Port Address Books, or Domain Address Books tab based on your business requirements. In the upper-right corner of the tab that appears, click Create Address Book.
  2. In the dialog box that appears, configure the parameters. The following table describes the parameters.
    The parameters differ by address book type (IPv4, IPv6, port, or domain address book). The following list describes the parameters for each type.

    IPv4 address book
      Address Book Type: Select the type of the IP address book. Valid values:
        • IP Addresses
        • ECS Tags
      IP Address: Enter one or more CIDR blocks.
        Note If you set Address Book Type to IP Addresses, this parameter is required. Separate multiple CIDR blocks with commas (,).
      Add ECS of Specified Tags: Specifies whether to automatically add the public IP addresses of Elastic Compute Service (ECS) instances to the address book if the ECS instances match the specified tags. By default, the switch is turned on. The switch cannot be turned off.
        Note If you set Address Book Type to ECS Tags, this parameter is required.
      ECS Tags: Select the tags and the values of the tags. The tags must be created within your Alibaba Cloud account and attached to ECS instances. Cloud Firewall automatically adds the public IP addresses of the ECS instances that match the specified tags to the address book.
        If you want to select more tags, click Add Tag.
        After you select a tag, the information about the ECS instances that match the tag appears. The information includes the name of the virtual private cloud (VPC) and the IP address.

    IPv6 address book
      IPv6 Address: Enter one or more IPv6 CIDR blocks. Separate multiple IPv6 CIDR blocks with commas (,).

    Port address book
      Ports: Enter one or more port numbers. Separate multiple port numbers with commas (,).

    Domain address book
      Domain: Enter one or more domain names. Separate multiple domain names with commas (,). Each domain name must be unique.

    Common parameters
      Address Book Name: Enter an informative name for the address book to help you identify it.
      Description: Enter information about the address book and the scenarios in which you use it.
  3. Click Submit.
    The address book is displayed in the address book list. You can view the name, number of references, and description of the address book. You can also delete or modify the address book.
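The console applies the input rules described above (comma-separated CIDR blocks, port numbers, unique domain names) when you click Submit. The following pre-submission check is an added example, not Alibaba Cloud code: it normalises a comma-separated entry list for each address book type and reports the entries the console would be expected to reject, so that a large list can be cleaned before it is pasted into the dialog box. The type names, the 1 to 65535 port range and the domain label rule are assumptions, not values taken from the console.

```python
import ipaddress
import re

# Assumed domain label rule: dot-separated labels of letters, digits and hyphens,
# no leading or trailing hyphen; the console's exact rule is not documented here.
_DOMAIN_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+$"
)

# Assumed type names for the four address book types on the page.
BOOK_TYPES = ("ipv4", "ipv6", "port", "domain")


def _split(raw):
    """Split the comma-separated console input and drop blank items."""
    return [item.strip() for item in raw.split(",") if item.strip()]


def _normalise(book_type, item):
    """Return the canonical form of one entry, or raise ValueError."""
    if book_type in ("ipv4", "ipv6"):
        # strict=False accepts a host address or a block with host bits set and
        # returns the covering block; a bare address becomes a /32 or /128.
        net = ipaddress.ip_network(item, strict=False)
        expected = 4 if book_type == "ipv4" else 6
        if net.version != expected:
            raise ValueError(f"not an IPv{expected} block")
        return str(net)
    if book_type == "port":
        port = int(item)
        if not 1 <= port <= 65535:
            raise ValueError("port out of range")
        return str(port)
    if not _DOMAIN_RE.match(item):
        raise ValueError("invalid domain name")
    return item.lower()  # domain names are compared case-insensitively


def validate_entries(book_type, raw):
    """Return (valid, errors): normalised entries and 'item: reason' strings."""
    if book_type not in BOOK_TYPES:
        raise ValueError(f"unknown address book type {book_type!r}")
    valid, errors, seen = [], [], set()
    for item in _split(raw):
        try:
            norm = _normalise(book_type, item)
        except ValueError as exc:
            errors.append(f"{item}: {exc}")
            continue
        if norm in seen:  # the page requires unique domain names; duplicates of
            errors.append(f"{item}: duplicate entry")  # any type are reported
            continue
        seen.add(norm)
        valid.append(norm)
    return valid, errors


if __name__ == "__main__":
    # Constructed sample input using documentation address ranges.
    print(validate_entries("ipv4", "10.0.0.0/8, 192.0.2.7, 2001:db8::/32"))
    print(validate_entries("domain", "example.com, EXAMPLE.com, bad_host"))
```

The valid list is the comma-joined text to paste into the IP Address, IPv6 Address, Ports or Domain field; the error list names the entries to fix first.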
