Anti-DDoS Proxy lets you configure per-domain blacklists and whitelists to block or allow specific IP addresses without applying protection policies.
- Whitelist: Allows trusted IP addresses (office networks, API callers, or other verified IPs) to bypass all protection policies.
- Blacklist: Blocks access requests from specific IP addresses.
If an IP address appears on both the blacklist and the whitelist, the whitelist takes precedence.
Two types of blacklists and whitelists are available:
- IP-address-based: Applies to all services on an instance, including port services. See Configure blacklists and whitelists for IP addresses.
- Domain-name-based: Applies to specific domain names only. Described below.
Prerequisites
A website has been added to Anti-DDoS Proxy. See Add websites.
Configure a blacklist or whitelist for a domain name
- Log on to the Anti-DDoS Proxy console.
- In the top navigation bar, select the region of your instance.
  - Anti-DDoS Proxy (Chinese Mainland): Choose the Chinese Mainland region.
  - Anti-DDoS Proxy (Outside Chinese Mainland): Choose the Outside Chinese Mainland region.
- In the left-side navigation pane, choose .
- On the General Policies page, select the Protection for Website Services tab, and then select a domain name from the left panel.
- In the Blacklist and Whitelist section, click Settings.
- In the Configure Blacklist and Whitelist dialog box, enter IP addresses or CIDR blocks for the blacklist and whitelist, and then click OK. Separate multiple entries with commas. Both IP address and CIDR block formats are supported.
- In the Blacklist and Whitelist section, turn on the Status switch.
Verify the configuration
After enabling the policy, verify the settings:
- Send a request from a blacklisted IP. Verify it is blocked.
- Send a request from a whitelisted IP. Verify it is allowed.
Validity period
The policy is permanent. Once enabled, settings apply to all instances associated with the domain names and take effect immediately.
In some cases, policies take effect only after the instance processes inbound traffic. If settings do not apply immediately, send a few requests to the domain name to trigger activation.
Limits
Entry limits by plan
| Plan | Blacklist entries | Whitelist entries | Scope |
|---|---|---|---|
| Standard | 200 | 200 | All domain names under the same Alibaba Cloud account |
| Enhanced | 2,000 | 2,000 | All domain names under the same Alibaba Cloud account |
IP address and CIDR block restrictions
| Restriction | IPv4 | IPv6 |
|---|---|---|
| Supported formats | IPv4 addresses and CIDR blocks | IPv6 addresses and CIDR blocks |
| Instance requirement | IPv4-only instances | IPv6-only instances |
| CIDR prefix length (blacklist) | /8 to /32 | /32 to /128 |
| CIDR prefix length (whitelist) | /9 to /32 | /32 to /128 |
| Forbidden addresses | 0.0.0.0, 255.255.255.255 | ::, ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff |
CIDR blocks with a subnet mask of /0 to /8 cannot be added to the whitelist.
CIDR block examples:
| Notation | Description |
|---|---|
| 192.168.1.1 or 192.168.1.1/32 | Single IPv4 address |
| 192.168.1.0/24 | IPv4 range: 192.168.1.0 to 192.168.1.255 (256 addresses) |
| 10.0.0.0/8 | IPv4 range: 10.0.0.0 to 10.255.255.255 (blacklist only) |
| 2001:db8::1/128 | Single IPv6 address |
| 2001:db8::/32 | IPv6 range starting at 2001:db8:: |
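A pre-check for entry strings before they are pasted into the Configure Blacklist and Whitelist dialog box, added here as an example (not Alibaba Cloud code). It applies the prefix-length, forbidden-address, IP-version and per-plan limits from the tables above and lists blacklist entries that a whitelist entry would override. The function names, parameters and the rejection of CIDR blocks with host bits set are assumptions of this example.

```python
import ipaddress

# Limits taken from the tables on this page; all names below are this example's own.
PREFIX_RANGE = {("blacklist", 4): (8, 32), ("whitelist", 4): (9, 32),
                ("blacklist", 6): (32, 128), ("whitelist", 6): (32, 128)}
FORBIDDEN = {ipaddress.ip_address(a) for a in
             ("0.0.0.0", "255.255.255.255", "::",
              "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff")}
ENTRY_LIMIT = {"standard": 200, "enhanced": 2000}


def check_entries(raw, list_type, plan="standard", ip_version=4):
    """Split a comma-separated entry string into (accepted networks, rejections)."""
    accepted, rejected = [], []
    for item in (p.strip() for p in raw.split(",")):
        if not item:
            continue
        try:
            # strict=True also rejects host bits (192.168.1.7/24): this example's
            # choice so the intended range is explicit, not a documented rule.
            net = ipaddress.ip_network(item, strict=True)
        except ValueError:
            rejected.append((item, "not an address or aligned CIDR block"))
            continue
        low, high = PREFIX_RANGE[(list_type, net.version)]
        if net.version != ip_version:
            rejected.append((item, f"instance is IPv{ip_version}-only"))
        elif not low <= net.prefixlen <= high:
            rejected.append((item, f"prefix must be /{low} to /{high}"))
        elif net.num_addresses == 1 and net.network_address in FORBIDDEN:
            rejected.append((item, "forbidden address"))
        elif len(accepted) >= ENTRY_LIMIT[plan]:
            # The plan limit spans all domain names in the account, so entries
            # already configured elsewhere count too; this checks one input only.
            rejected.append((item, f"over the {plan} plan entry limit"))
        else:
            accepted.append(net)
    return accepted, rejected


def shadowed_by_whitelist(blacklist, whitelist):
    """Blacklist networks that overlap a whitelist network (whitelist wins)."""
    return [b for b in blacklist
            if any(b.version == w.version and b.overlaps(w) for w in whitelist)]
```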
References
To identify attack source IPs, check the Attack Analysis page and consider blacklisting suspicious addresses. See View information on the Attack Analysis page.