
Cloud Firewall: Manage address books

Last Updated: Mar 06, 2024

You can add multiple IP addresses, including IPv4 addresses and IPv6 addresses, ports, or domain names to an address book. Then, you can reference the address book when you create an access control policy. This can help you control the network traffic of specified groups. You can use address books to simplify the configuration of access control policies. The updates in the address books are automatically synchronized to the related access control policies. This helps improve the response speed of policy adjustment and the overall management efficiency.

Address book types

Cloud Firewall supports custom address books and provides recommended intelligent address books. You can flexibly create custom address books and apply them to meet the diverse security requirements of your workloads.

Custom address book

A custom address book refers to an address book that you create. You can create custom IPv4 address books, IPv6 address books, port address books, and domain address books.

You can create up to 5,000 custom address books. The maximum number of addresses that can be added to an address book is based on the type of address book.

  • IPv4 Address Book: You can add up to 2,000 IPv4 addresses or 500 tags of Elastic Compute Service (ECS) instances to each address book.

  • IPv6 Address Book: You can add up to 2,000 IPv6 addresses to each address book.

  • Port Address Book: You can add up to 50 ports to each address book.

  • Domain Address Book: You can add up to 2,000 domain names to each address book.

Note

An item can be added to multiple address books. For example, an IPv4 address can be added to two different address books.

Recommended intelligent address book

A recommended intelligent address book refers to a built-in address book. You can directly reference a recommended intelligent address book when you configure an access control policy. You cannot modify or delete a recommended intelligent address book. Recommended intelligent address books include cloud service address books and threat intelligence address books.

Note

Recommended intelligent address books are automatically updated on a regular basis, and the updates are automatically synchronized to the related access control policies. The automatic update time varies based on the address book type. The automatic update time of cloud service address books ranges from 10 to 100 minutes, and the automatic update time of threat intelligence address books is 1 day.

  • Cloud service address books contain the back-to-origin addresses of Alibaba Cloud services, such as the server IP addresses of the Security Center vulnerability scanner, the public IP addresses of all ECS instances within your account, the back-to-origin addresses of Anti-DDoS instances, and the back-to-origin addresses of Web Application Firewall (WAF) instances.

    If traffic from a cloud service address book is denied, the normal operation of the related services may be affected. We recommend that you allow the traffic of the IP addresses and domain names in all cloud service address books.

  • Threat intelligence address books include address books of malicious IP addresses or domain names detected by Alibaba Cloud and address books of common websites.

    • In most cases, address books of malicious IP addresses or domain names are compiled and continuously updated by security researchers and automated systems based on the analysis of cyber attacks and malware activity. If the traffic of the IP addresses or domain names in these address books is denied, communication with known malicious sources is intercepted and the security of your system is enhanced. We recommend that you deny the traffic of IP addresses or domain names in all malicious address books.

    • Address books of common websites contain frequently accessed websites, such as common online document websites, social networking websites, and cloud disk websites. Enterprise administrators can configure access control policies to allow or deny access to these websites.

      Address books of common websites can be used when an enterprise wants to manage the network activities of employees. This helps ensure that network bandwidth is preferentially used for business-critical activities and restricts access to specific websites that do not meet compliance and security requirements.

    Note

    Threat intelligence address books are automatically updated every other day.

Create a custom address book

  1. Log on to the Cloud Firewall console.

  2. In the left-side navigation pane, choose Access Control > Address Books.

  3. On the Address Books page, click the Custom Address Book tab and click a tab based on the type of the address book that you want to create.

  4. Click the IPv4 Address Book, IPv6 Address Book, Port Address Book, or Domain Address Book tab, click Create Address Book, and then configure the parameters.

    Create an IPv4 address book

    You can create an IPv4 address book based on the IP address or ECS tag.

    • IP address: Enter an IPv4 address.

    • ECS tag: If you want to add the public IP addresses of multiple ECS instances to the address book and you have added tags to the ECS instances, you can select the ECS tags to add the public IP addresses quickly.

      Note

      Cloud Firewall automatically updates the address books that are created based on ECS tags every 100 minutes, and the updates are automatically synchronized to the access control policies that reference the address books.

    Parameters for an IPv4 address book created based on an IP address:

    • Address Book Name: Enter an informative name for the address book to help you identify the address book.

    • IP Address: Enter one or more IPv4 CIDR blocks. Example: 100.100.XX.XX/32. Separate multiple CIDR blocks with commas (,).

    • Description: Enter information about the address book and scenarios in which you want to use the address book.

    Parameters for an IPv4 address book created based on ECS tags:

    • Address Book Name: Enter an informative name for the address book to help you identify the address book.

    • ECS Tag Update: Specify whether to automatically add the public IP addresses of ECS instances to the address book if the ECS instances match the specified tags. By default, the switch is turned on. The switch cannot be turned off.

    • ECS Tag: Select the ECS tags and the values of the tags. If different tags are added to the required ECS instances, you can click Add ECS Tag to add the public IP addresses of ECS instances with different tags. For more information about ECS tags, see Modify the tags of an instance.

    • Description: Enter information about the address book and scenarios in which you want to use the address book.

    Create an IPv6 address book

    Parameters for an IPv6 address book:

    • Address Book Name: Enter an informative name for the address book to help you identify the address book.

    • IP Address: Enter one or more IPv6 CIDR blocks. Example: 2001:3caf:10f:****:****/56. Separate multiple CIDR blocks with commas (,).

    • Description: Enter information about the address book and scenarios in which you want to use the address book.

    Create a port address book

    Parameters for a port address book:

    • Address Book Name: Enter an informative name for the address book to help you identify the address book.

    • Port: Enter one or more port ranges. Valid values: 0 to 65535. Separate multiple port ranges with commas (,).

      • A port range must be in the Start port/End port format. For example, the value 22/25 indicates ports 22, 23, 24, and 25, and the value 80/80 indicates port 80.

      • The value 0/0 specifies all ports.

    • Description: Enter information about the address book and scenarios in which you want to use the address book.

    Create a domain address book

    Parameters for a domain address book:

    • Address Book Name: Enter an informative name for the address book to help you identify the address book.

    • Description: Enter information about the address book and scenarios in which you want to use the address book.

    • Domain Name: Enter one or more domain names. You can enter wildcard domain names. Separate multiple domain names with commas (,).

    Note

    • If you set Destination Type of an access control policy to Domain Name, the application type supports only HTTP, HTTPS, SSL, SMTP, and SMTPS.

    • If you reference an address book of wildcard domain names when you create an access control policy for a NAT firewall, you can set Domain Name Identification Mode only to FQDN-based Dynamic Resolution (Extract Host and SNI Fields).

  5. Click OK.

    After an address book is created, you can view, modify, or delete the address book in the address book list.

    Note

    You cannot modify the Address Book Type parameter of an address book or delete a custom address book that is being referenced by access control policies.
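As an added example (not Alibaba Cloud code), the following Python checks entries against the formats and per-type limits this procedure describes before an address book is created, for instance from an automation pipeline: comma-separated IPv4/IPv6 CIDR blocks, port ranges in Start port/End port format with 0/0 meaning all ports, and domain names with an optional wildcard. The function names and the domain syntax check are the example's own assumptions.

```python
import ipaddress
import re

# Maximum number of entries per address book type, as documented on the page.
LIMITS = {"ipv4": 2000, "ipv6": 2000, "port": 50, "domain": 2000}

# Assumed domain syntax: DNS labels, optionally with a leading "*." wildcard.
_DOMAIN_RE = re.compile(
    r"^(\*\.)?([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)

def parse_port_range(item: str) -> tuple[int, int]:
    """Parse 'Start port/End port' into ints; reject bad format or order."""
    start, sep, end = item.strip().partition("/")
    if not sep or not start.isdigit() or not end.isdigit():
        raise ValueError(f"port range must be Start port/End port: {item!r}")
    lo, hi = int(start), int(end)
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"port range out of order or outside 0-65535: {item!r}")
    return lo, hi

def validate_entries(book_type: str, value: str) -> list[str]:
    """Split a comma-separated entry string, check each item and the
    per-type limit, and return the normalized items (raises ValueError)."""
    if book_type not in LIMITS:
        raise ValueError(f"unknown address book type: {book_type!r}")
    items = [s.strip() for s in value.split(",") if s.strip()]
    if not items:
        raise ValueError("address book cannot be empty")
    if len(items) > LIMITS[book_type]:
        raise ValueError(f"{book_type} book allows at most {LIMITS[book_type]} entries")
    out = []
    for item in items:
        if book_type in ("ipv4", "ipv6"):
            net = ipaddress.ip_network(item, strict=False)  # raises on garbage
            if net.version != (4 if book_type == "ipv4" else 6):
                raise ValueError(f"{item!r} is not an {book_type} CIDR block")
            out.append(str(net))  # e.g. 192.168.1.5 -> 192.168.1.5/32
        elif book_type == "port":
            lo, hi = parse_port_range(item)
            out.append(f"{lo}/{hi}")
        else:  # domain
            if not _DOMAIN_RE.match(item):
                raise ValueError(f"invalid domain name: {item!r}")
            out.append(item.lower())
    return out

def port_in_book(port: int, ranges: list[str]) -> bool:
    """True if port is covered by a port address book; 0/0 covers all ports."""
    return any(lo <= port <= hi or (lo, hi) == (0, 0)
               for lo, hi in map(parse_port_range, ranges))
```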

View a recommended intelligent address book

You can view a recommended intelligent address book. However, you cannot create or edit a recommended intelligent address book.

  1. Log on to the Cloud Firewall console.

  2. In the left-side navigation pane, choose Access Control > Address Books.

  3. Click the Recommended Intelligent Address Book tab to view the list of recommended intelligent address books.


  4. Click View in the Actions column of an address book to view the details of the address book.