Alibaba Cloud Service Mesh:Configure a blacklist or whitelist for an ingress gateway

Last Updated:Jun 05, 2023

Service Mesh (ASM) allows you to configure a blacklist or whitelist for an ingress gateway to reject or allow requests from a specific IP address, HTTP domain, or port. This topic describes how to configure a blacklist or whitelist for an ingress gateway to reject or allow requests from a specific IP address. This ensures the security of applications in the mesh.

Prerequisites

An application is deployed in the Container Service for Kubernetes (ACK) cluster that is added to your ASM instance. For more information, see Deploy an application in an ASM instance.

Matching rule description

  • For a blacklist or whitelist to take effect on a request, the request must match one of the rules, and it must match all the criteria in that rule.

  • After you turn off Enable Black/White List on the Black/White List Matching Rules page, the corresponding authorization rules are automatically cleared.

  • HTTP domain names, or host names, support exact match, prefix match, and suffix match. Examples:

    • Exact match: aliyun.com

    • Prefix match: aliyun*

    • Suffix match: *aliyun.com

Preparations

The following steps show how to obtain the source IP address of a client from the access logs of the ingress gateway.

Note

For north-south traffic, a client request is first sent to the load balancer, forwarded to the ingress gateway, and then to the backend service. Because the ingress gateway is involved, the complexity to obtain the source IP address of the client increases. For more information about how to preserve source IP addresses for north-south traffic, see Preserve the source IP address of a client when the client accesses services in ASM.

  1. Open a browser and enter http://{IP address of the ingress gateway}/productpage in the address bar to access the productpage service. Access logs are generated.

  2. Run the following command to obtain the access logs of the ingress gateway and the source IP address of the client by using the kubeconfig file of the cluster on the data plane:

    kubectl -n istio-system logs ${Name of the pod to which the ingress gateway belongs} -c istio-proxy | grep "/productpage" | tail -n 1

    Sample output:

    {"method":"GET","authority":"47.99.XXX.XXX","response_flags":"-","start_time":"XXXXXX","requested_server_name":null,"request_id":"*****","upstream_local_address":null,"duration":0,"downstream_local_address":"10.34.0.25:80","user_agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.X.X Safari/537.36","upstream_host":null,"bytes_received":0,"istio_policy_status":null,"protocol":"HTTP/1.1","bytes_sent":19,"downstream_remote_address":"XXXXXXX","response_code":403,"x_forwarded_for":"112.124.XXX.XX","upstream_cluster":"outbound|9080||productpage.default.svc.cluster.local","trace_id":null,"path":"/productpage","upstream_transport_failure_reason":null,"upstream_service_time":null,"route_name":null}

    The value of downstream_remote_address in the sample output is the source IP address of the client.

Configure a blacklist for the ingress gateway to reject requests from the source IP address of the client

  1. Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.
  2. On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose ASM Gateways > Ingress Gateway.
  3. On the Ingress Gateway page, click the name of the ingress gateway. In the left-side navigation pane on the Gateway overview page, choose Gateway Security > Black/White List.

  4. In the Black/White List Matching Rules step of the configuration wizard, turn on Enable Black/White List, select Blacklist for Match Mode, turn on IPBlock, enter the source IP address of the client, and then click Submit.

    For more information about how to obtain the source IP address of the client, see Preparations.

    Note

    If you want to configure multiple matching rules, click Add Request Matching Rule. Multiple matching rules allow you to block or allow requests from multiple sources.

    If the Gateway Black/White List created successfully message appears, the blacklist is created and takes effect. You can click View YAML next to AuthorizationPolicy to view the AuthorizationPolicy resource that implements the blacklist.
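    The following is an added example of the kind of Istio AuthorizationPolicy that such a blacklist (DENY) and whitelist (ALLOW) translate to; it is not the YAML generated by the ASM console, the selector label `istio: ingressgateway` is assumed to match the ingress gateway pods in istio-system, and all IP addresses are constructed sample values. It also shows the host suffix match described under Matching rule description.

```yaml
# Added example, not console output. Selector label and IP addresses are assumed.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ingressgateway-blacklist
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway   # assumed label of the ingress gateway pods
  action: DENY
  rules:
  # A request is denied when it matches ALL criteria of ANY single rule,
  # which is the "match one rule, all criteria in the rule" semantics.
  - from:
    - source:
        # Constructed client address: the downstream_remote_address value
        # read from the access log in Preparations.
        ipBlocks:
        - 203.0.113.10/32
    to:
    - operation:
        # Suffix match on the HTTP host, as in the "*aliyun.com" example.
        hosts:
        - "*aliyun.com"
        ports:
        - "80"
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ingressgateway-whitelist
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway   # assumed label of the ingress gateway pods
  action: ALLOW
  rules:
  - from:
    - source:
        # remoteIpBlocks matches the client IP carried in X-Forwarded-For
        # (the x_forwarded_for field of the access log). Use it instead of
        # ipBlocks when the load balancer rewrites the TCP source address,
        # otherwise the rule matches the load balancer, not the client.
        remoteIpBlocks:
        - 203.0.113.0/24      # constructed allowed client range
```

    Once an ALLOW policy is attached to the gateway workload, every request that matches none of its rules is rejected, which is what makes it a whitelist. remoteIpBlocks only works when the gateway is configured to trust the forwarded client address, as described in the source IP preservation topic referenced in the Note above.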

  5. Open a browser and enter http://{IP address of the ingress gateway}/productpage in the address bar to access the productpage service.

    If the request is rejected and an error message is displayed instead of the product page, the blacklist rules take effect.

Configure a whitelist for the ingress gateway to allow only requests from the source IP address of the client

The method of configuring a whitelist is similar to that of configuring a blacklist, except that match modes are different.

  1. On the Ingress Gateway page, click the name of the ingress gateway. In the left-side navigation pane on the Gateway overview page, choose Gateway Security > Black/White List.

  2. In the Black/White List Matching Rules step of the configuration wizard, select Whitelist for Match Mode and click Submit.

  3. Access the productpage service.

    1. Enter http://{IP address of the ingress gateway}/productpage in the address box of your browser.

      You can access the productpage service.

    2. Enter http://{IP address of another ingress gateway}/productpage in the address box of your browser.

      If the request is rejected and an error message is displayed instead of the product page, the whitelist rules take effect: requests from client IP addresses that are not in the whitelist are blocked.