You can configure an IP blacklist or whitelist to filter user requests. This lets you block or allow access from specific IP addresses to restrict access sources and prevent issues such as malicious IP scraping and attacks.
Usage notes
This feature is disabled by default. You can configure either an IP blacklist or an IP whitelist, but not both at the same time.
You can add up to approximately 700 IPv6 addresses or 2,000 IPv4 addresses.
After you configure an IP blacklist, requests from the blocked IP addresses can still reach CDN points of presence (POPs). However, the POPs reject the requests and return a 403 status code. The requests from the blocked IP addresses are still recorded in the logs of the accelerated domain name.
The IP blacklist and whitelist feature uses Layer 7 HTTP IP detection. When a CDN POP blocks a malicious request, you still incur a small amount of traffic fees. If the client uses the HTTPS protocol, you also incur fees for the HTTPS requests. This is because blocking malicious IP addresses consumes the processing resources of CDN POPs.
A few Internet Service Providers (ISPs) may assign private IP addresses to end users in certain regions. As a result, POPs receive the user's private IP address.
Note: Private IP addresses are:
Class A: 10.0.0.0 to 10.255.255.255. CIDR block: 10.0.0.0/8.
Class B: 172.16.0.0 to 172.31.255.255. CIDR block: 172.16.0.0/12.
Class C: 192.168.0.0 to 192.168.255.255. CIDR block: 192.168.0.0/16.
Procedure
Log on to the ApsaraVideo VOD console.
In the left-side navigation pane, choose Configuration Management > CDN Configuration > Domain Names.
On the Domain Names page, find the domain name that you want to manage and click Configure in the Actions column.
In the navigation pane on the left, click Resource Access Control.
On the IP Blacklist/Whitelist tab, click Modify.
Follow the prompts to configure an IP Blacklist or IP Whitelist.
Parameters
Type
Select Blacklist or Whitelist.
Blacklist: Requests from IP addresses in the list are denied, and a 403 status code is returned.
Whitelist: Only requests from IP addresses in the list are allowed. All other requests are denied.
Rules
Rule format requirements
You can enter IP addresses or CIDR blocks.
To enter multiple IP addresses or CIDR blocks, separate them with line feeds.
IPv4 addresses and CIDR blocks are supported:
Example of an IPv4 address: 192.168.0.1
Example of an IPv4 CIDR block: 192.168.0.0/24
The wildcard address 0.0.0.0/0 is not supported. To represent all IPv4 addresses, use the following two subnets: 0.0.0.0/1 and 128.0.0.0/1.
IPv6 addresses and CIDR blocks are supported:
Example of an IPv6 address: FC00:AA3:0:23:3:300:300A:1234
Example of an IPv6 CIDR block: FC00:0AA3:0000:0000:0000:0000:0000:0000/48
The letters in the addresses are not case-sensitive. You can use uppercase, lowercase, or a mix of both. For example: FC00:AA3:0:23:3:300:300A:1234 or fc00:0aa3:0000:0023:0003:0300:300a:1234.
The compressed format (::) is not supported. For example, FC00:0AA3::0023:0003:0300:300A:1234 is not supported.
The wildcard address 0000:0000:0000:0000:0000:0000:0000:0000/0 is not supported. To represent all IPv6 addresses, use the following two subnets: 0000:0000:0000:0000:0000:0000:0000:0000/1 and 8000:0000:0000:0000:0000:0000:0000:0000/1.
Rule length limit
The value of Rules can be up to 30 KB in size. You can enter up to about 700 IPv6 addresses/CIDR blocks or 2,000 IPv4 addresses/CIDR blocks in this field based on the average size of IP addresses and CIDR blocks. To block more IP addresses, enable the ESA security protection feature. This feature supports blocking many IP addresses and geo-blocking. For more information, see Feature comparison among CDN, DCDN, and ESA and Configure IP access rules.
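The format and size rules above are easy to get wrong when a list is pasted in bulk (a stray :: compression or a 0.0.0.0/0 line rejects the whole field). The following is an added example, not code from the page or from ApsaraVideo VOD, that pre-checks a Rules value against exactly the constraints stated here before it is submitted: one entry per line, IPv4 or uncompressed IPv6, no wildcard /0 blocks, 30 KB limit, and the approximate entry counts. The sample rule list is constructed; the helper names are hypothetical. It tolerates host bits set in a CIDR block (192.168.0.1/24), which is an assumption since the page does not say how the console treats them.

```python
import ipaddress
import re

# Limits stated on the page: the Rules field is at most 30 KB, holding
# roughly 2,000 IPv4 or 700 IPv6 entries.
MAX_RULES_BYTES = 30 * 1024
APPROX_MAX_IPV4 = 2000
APPROX_MAX_IPV6 = 700

# Wildcards the page says are rejected, and the documented substitutes.
IPV4_WILDCARD = "0.0.0.0/0"
IPV6_WILDCARD = "0000:0000:0000:0000:0000:0000:0000:0000/0"
IPV4_ALL = ["0.0.0.0/1", "128.0.0.0/1"]
IPV6_ALL = ["0000:0000:0000:0000:0000:0000:0000:0000/1",
            "8000:0000:0000:0000:0000:0000:0000:0000/1"]

HEX_GROUP = r"[0-9A-Fa-f]{1,4}"
# Uncompressed IPv6: exactly eight hex groups, optional /prefix, any case.
IPV6_UNCOMPRESSED = re.compile(rf"^{HEX_GROUP}(?::{HEX_GROUP}){{7}}(?:/\d{{1,3}})?$")
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?$")


def check_rule(rule):
    """Return None if one rule is acceptable, otherwise a reason string."""
    if rule == IPV4_WILDCARD:
        return f"0.0.0.0/0 is not supported; use {' and '.join(IPV4_ALL)}"
    if "::" in rule:
        return "compressed IPv6 (::) is not supported; write all eight groups"
    if rule.upper() == IPV6_WILDCARD:
        return f"IPv6 /0 is not supported; use {' and '.join(IPV6_ALL)}"
    if IPV4.match(rule) or IPV6_UNCOMPRESSED.match(rule):
        try:
            # strict=False tolerates host bits in a CIDR block (assumption).
            ipaddress.ip_network(rule, strict=False)
        except ValueError as exc:
            return f"invalid address or block: {exc}"
        return None
    return "not an IPv4/IPv6 address or CIDR block in the accepted format"


def validate_rules(text):
    """Validate a whole Rules value. Returns (ok, problems, counts)."""
    problems = []
    size = len(text.encode("utf-8"))
    if size > MAX_RULES_BYTES:
        problems.append(f"rules field is {size} bytes; limit is {MAX_RULES_BYTES}")
    counts = {"ipv4": 0, "ipv6": 0}
    # Entries are separated by line feeds; blank lines are ignored here.
    for lineno, raw in enumerate(text.splitlines(), 1):
        rule = raw.strip()
        if not rule:
            continue
        reason = check_rule(rule)
        if reason:
            problems.append(f"line {lineno}: {rule!r}: {reason}")
        elif ":" in rule:
            counts["ipv6"] += 1
        else:
            counts["ipv4"] += 1
    if counts["ipv4"] > APPROX_MAX_IPV4 or counts["ipv6"] > APPROX_MAX_IPV6:
        problems.append("entry count exceeds the page's approximate limits")
    return (not problems, problems, counts)


# Constructed sample: two good IPv4 lines, two good IPv6 lines, three bad lines.
SAMPLE_RULES = """\
192.168.0.1
192.168.0.0/24
0.0.0.0/0
FC00:AA3:0:23:3:300:300A:1234
fc00:0aa3:0000:0000:0000:0000:0000:0000/48
FC00:0AA3::0023:0003:0300:300A:1234
203.0.113.300
"""

if __name__ == "__main__":
    ok, problems, counts = validate_rules(SAMPLE_RULES)
    print("ok:", ok, "counts:", counts)
    for p in problems:
        print(" -", p)
```

Run this over the text you intend to paste into the Rules field; each reported line maps back to the line feed-separated entry that the console would reject.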
IP Rules
You can select one of the following three rules:
Use the X-Forwarded-For header of the user request for verification (default rule)
This rule is recommended when all clients access through trusted proxies that correctly set the X-Forwarded-For header.
Use the actual connection IP address for verification
This rule is recommended when clients connect directly to CDN without an intermediate proxy server, or when you want to control access based on the proxy server's IP address.
Use both the X-Forwarded-For header and the actual connection IP address for verification
This rule is recommended for mixed network environments where some users connect directly and others access through a proxy.
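The choice between the three IP Rules decides which address the POP compares with the list, and therefore which requests a blacklist actually stops. The following is an added example, not code from the page or from ApsaraVideo VOD, that models the three modes against a constructed blacklist for three constructed requests: a client connecting directly, a client behind a trusted proxy that sets X-Forwarded-For, and a direct client that sets its own X-Forwarded-For header. Two details are assumptions because the page does not state them: in header mode every address in the header chain is checked and the connection IP is used when the header is absent, and in whitelist mode every evaluated address must be listed.

```python
import ipaddress

# Constructed blacklist for the example (documentation example ranges, not page values).
BLACKLIST = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7")]


def in_list(ip, networks):
    """True if ip falls inside any network in the list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def evaluated_ips(mode, connection_ip, xff_header=None):
    """Addresses the POP compares with the list under each of the three IP Rules.

    mode: "xff" (X-Forwarded-For header, the default rule),
          "connection" (actual connection IP address), or "both".
    Assumption: in "xff" mode every address in the header chain is checked,
    and the connection IP is used when the header is absent.
    """
    chain = [p.strip() for p in (xff_header or "").split(",") if p.strip()]
    if mode == "xff":
        return chain or [connection_ip]
    if mode == "connection":
        return [connection_ip]
    if mode == "both":
        return [connection_ip] + chain
    raise ValueError(f"unknown mode {mode!r}")


def decide(mode, connection_ip, xff_header=None, list_type="blacklist", rules=BLACKLIST):
    """Return "allow" or "deny"; a deny is the 403 the POP returns (and still logs)."""
    ips = evaluated_ips(mode, connection_ip, xff_header)
    listed = [in_list(ip, rules) for ip in ips]
    if list_type == "blacklist":
        return "deny" if any(listed) else "allow"
    # Whitelist: assumption that every evaluated address must be on the list.
    return "allow" if all(listed) else "deny"


# Constructed requests: (connection IP seen by the POP, X-Forwarded-For value).
SCENARIOS = {
    "direct client": ("203.0.113.5", None),
    "client behind trusted proxy": ("192.0.2.10", "203.0.113.5"),
    "direct client setting its own header": ("203.0.113.5", "198.51.100.200"),
}


def decision_table():
    """Decision for every scenario under every IP Rule, for the blacklist above."""
    return {name: {mode: decide(mode, conn, xff) for mode in ("xff", "connection", "both")}
            for name, (conn, xff) in SCENARIOS.items()}


if __name__ == "__main__":
    for name, row in decision_table().items():
        print(f"{name:40s} {row}")
```

The table makes the recommendations above concrete: the connection-IP rule cannot see a listed client behind a proxy (it only sees the proxy), the header rule trusts whatever the header says and so only holds when every client arrives through a trusted proxy, and the combined rule denies in all three cases, which is why it suits mixed environments.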
Rule Condition
Rule conditions identify various parameters in a user request to determine whether a configuration applies to the request.
Do not use: Do not use rule conditions.
To add or edit rule conditions, manage them in the Rules Engine.
Click OK to complete the configuration.
FAQ
Related API operations
BatchSetVodDomainConfigs: Configures multiple domain names in a batch. Set the ip_black_list_set and ip_allow_list_set parameters to specify an IP blacklist and an IP whitelist, respectively.