Configure IP blacklists - Web Application Firewall - Alibaba Cloud Documentation Center

After you add a website to Web Application Firewall (WAF), you can use IP blocklists. This feature blocks access requests from specific IP addresses, IP address ranges, and geographic locations. This topic shows how to configure standard and region IP blocklists.

Background information

WAF provides standard and region IP blacklists.

Standard IP blacklist: Blocks access requests from specific IP addresses and IP address ranges.
Region IP blacklist: Blocks access requests from IP addresses within or outside China.

Prerequisites

You have subscribed to a WAF instance, and the instance is a Pro, Enterprise, Ultimate, or Exclusive edition.
Important
Pro and Enterprise Edition instances support only IP blacklists (for specified IP addresses). They do not support region-level IP blacklists (for all IP addresses in a specified region).
To use a region IP blacklist, the instance must be Ultimate or Exclusive.
You have added your website to WAF. For more information, see Quick start.

Procedure

Log on to the WAF console. In the top navigation bar, select the resource group and the region (Chinese Mainland or Outside Chinese Mainland) of the WAF instance.
In the left navigation pane, choose Protection Configurations > Website Protection.
In the upper part of the Website Protection page, select your target domain name from the Switch Domain Name drop-down list.
Click the Access Control/Throttling tab, find the Blacklists card, turn on the Status switch, and then click Settings.
Note
After the IP blacklist is enabled, all requests to your website are checked against the IP blacklist by default. You can configure a whitelist for Access Control/Throttling to allow requests that meet specific conditions to bypass the IP blacklist check. For more information, see Configure a whitelist for Access Control/Throttling.
On the Blacklists page, configure the Blacklists and the Region Blacklist.
- Blacklists: Enter the IP addresses to block and click Save at the bottom of the page. Separate multiple IP addresses with commas (,). You can add up to 200 IP addresses.
- Region Blacklist: On the Inside China and Outside China tabs, select the regions to block. Then click Save at the bottom of the page.
After you enable the IP blacklist, it takes effect immediately. WAF blocks all access requests from IP addresses in the blacklist.

More operations

To configure more fine-grained access control rules based on IP addresses, create a custom protection policy. For more information, see Configure custom mitigation policies.
To allow traffic from specific IP addresses, configure an Access Control/Throttling allowlist. For more information, see Configure a whitelist for Access Control/Throttling.