
Alibaba Cloud Service Mesh:Configure a blacklist or whitelist for an ingress gateway

Last Updated:Mar 14, 2024

Service Mesh (ASM) allows you to configure a blacklist or whitelist for an ingress gateway to control access to applications in an ASM instance based on source IP addresses, domain names in HTTP requests, ports, and remote IP blocks. You can use this feature to ensure the security of applications in an ASM instance. This topic describes how to configure a blacklist or whitelist for an ingress gateway to reject or allow requests from a specific source IP address.

Prerequisites

An application is deployed in the Container Service for Kubernetes (ACK) cluster that is added to your ASM instance. For more information, see Deploy an application in an ASM instance.

Matching rule description

  • A blacklist or whitelist consists of one or more rules. A request is matched by the list if it matches at least one rule, and it matches a rule only if it satisfies all the criteria in that rule.

  • Once the blacklist or whitelist feature is disabled, the corresponding authorization rules are automatically cleared.

  • Domain names in HTTP requests, or host names, support exact match, prefix match, and suffix match. Examples:

    • Exact match: aliyun.com

    • Prefix match: aliyun*

    • Suffix match: *aliyun.com

Obtain the source IP address of a specific client by using ingress gateway logs

Note

For north-south traffic, a client request is first sent to the load balancer, forwarded to the ingress gateway, and then to the backend service. Because the ingress gateway is involved, it becomes complicated to obtain the source IP address of the client. For more information about how to preserve source IP addresses for north-south traffic, see Scenario 2: North-south traffic.

  1. Open a browser and enter http://{IP address of your ingress gateway}/productpage in the address bar to access the productpage service. Then, access logs are generated.

    For more information about how to obtain the IP address of your ingress gateway, see Obtain the IP address of the ingress gateway.

  2. Run the following command to obtain the access logs of the ingress gateway by using the kubeconfig file of the cluster on the data plane:

    kubectl -n istio-system logs ${Name of the pod to which the ingress gateway belongs} -c istio-proxy | grep "/productpage" | tail -n 1

    Sample output:

    {"method":"GET","authority":"47.99.XXX.XXX","response_flags":"-","start_time":"XXXXXX","requested_server_name":null,"request_id":"*****","upstream_local_address":null,"duration":0,"downstream_local_address":"10.34.0.25:80","user_agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.X.X Safari/537.36","upstream_host":null,"bytes_received":0,"istio_policy_status":null,"protocol":"HTTP/1.1","bytes_sent":19,"downstream_remote_address":"XXXXXXX","response_code":403,"x_forwarded_for":"112.124.XXX.XX","upstream_cluster":"outbound|9080||productpage.default.svc.cluster.local","trace_id":null,"path":"/productpage","upstream_transport_failure_reason":null,"upstream_service_time":null,"route_name":null}

    The value of downstream_remote_address in the sample output is the source IP address of the client.

Configure a blacklist for the ingress gateway to reject requests from the source IP address of the specific client

  1. Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.

  2. On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose ASM Gateways > Ingress Gateway.

  3. On the Ingress Gateway page, click the name of the desired ingress gateway. In the left-side navigation pane on the Gateway overview page, choose Gateway Security > Black/White List.

  4. In the Black/White List Matching Rules step of the configuration wizard, turn on Enable Black/White List, select Black List for Match Mode, turn on IPBlock, enter the source IP address of the client, and then click Submit.

    Note

    If you want to configure multiple matching rules, click Add Request Matching Rule and complete configurations. Multiple matching rules allow you to block requests from more sources.

    If the Gateway Black/White List created successfully message appears, the blacklist is created and takes effect. You can click YAML on the right side of AuthorizationPolicy to view the AuthorizationPolicy that is generated for the blacklist.

  5. Enter http://{IP address of your ingress gateway}/productpage in the address bar of your browser to access the productpage service.

    If the following message appears, it indicates that the blacklist takes effect.

    The blacklist rule takes effect.

Configure a whitelist for the ingress gateway to allow only requests from the source IP address of the specific client

The method of configuring a whitelist is similar to that of configuring a blacklist, except that the match mode is different.

  1. On the Ingress Gateway page, click the name of the ingress gateway. In the left-side navigation pane on the Gateway overview page, choose Gateway Security > Black/White List.

  2. In the Black/White List Matching Rules step of the configuration wizard, select White list for Match Mode and click Submit.

  3. Access the productpage service.

    1. Enter http://{IP address of your ingress gateway}/productpage in the address bar of your browser.

      You can access the productpage service.

    2. Use other clients with different IP addresses and enter http://{IP address of your ingress gateway}/productpage in the address bar of your browser.

      If the following message appears, the requests from other IP addresses are rejected, which indicates that the whitelist takes effect.

      The whitelist rule takes effect.
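The following is an added example, not YAML taken from the ASM console, that shows what the blacklist and whitelist described in the two procedures above look like as Istio AuthorizationPolicy resources. The policy names, the gateway label, the host, the port, and the IP block 203.0.113.0/24 are assumptions for illustration.

```yaml
# Blacklist: DENY requests that match any rule. Within a rule, every criterion
# (source IP block, host, port) must hold; across rules, matching any one rule
# is enough. Names, labels and the IP block below are assumed values.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ingressgateway-blacklist     # assumed name
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway          # assumed label of the ingress gateway pods
  action: DENY
  rules:
  - from:
    - source:
        # Matched against downstream_remote_address, the address the gateway sees.
        ipBlocks: ["203.0.113.0/24"]  # constructed sample IP block
    to:
    - operation:
        hosts: ["*aliyun.com"]       # suffix match, as in the matching rule description
        ports: ["80"]
---
# Whitelist: ALLOW only requests that match a rule; everything else is rejected.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ingressgateway-whitelist     # assumed name
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  action: ALLOW
  rules:
  - from:
    - source:
        ipBlocks: ["203.0.113.0/24"]  # same constructed sample IP block
```

If the load balancer in front of the gateway does not preserve the client address, ipBlocks is evaluated against the address of the last hop rather than the client; in that case the client address has to be recovered from X-Forwarded-For, as described in Scenario 2: North-south traffic, and matched with remoteIpBlocks instead.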

References

ASM allows you to collect access logs of ingress gateways. For more information, see Configure the features of generating and collecting the access logs of an ASM gateway.