Address books centrally manage IP addresses (IPv4 and IPv6), ports, and domain names. You can reference them in access control policies to efficiently control network traffic for specific groups of objects. Using address books avoids the need to repeatedly configure the same targets across multiple policies. When you update an address book, all policies that reference it automatically sync the changes. This process eliminates manual adjustments and improves policy responsiveness and management efficiency.
Address book types
Cloud Firewall provides three types of address books to support flexible configurations for diverse business and security needs:
1. IP Address Book
Manages a group of IP addresses and supports both IPv4 and IPv6. It includes the following three subtypes:
Custom IP Address Book: You can manually enter IP addresses. A single address book can contain up to 2,000 IPv4 or IPv6 addresses.
Cloud Asset IP Address Book: Automatically aggregates the public IP addresses of assets in your Alibaba Cloud account based on the selected Asset Type. Manual entry is not required.
Cloud Service IP Address Book: This address book is predefined with the back-to-origin IP addresses of internal Alibaba Cloud services, such as Security Center vulnerability scanners and WAF instance origin URLs. This type of address book is read-only and cannot be modified or customized.
2. Domain Address Book
Manages a group of domain names and includes two subtypes:
Custom Domain Name Address Book: You can manually enter domain names. A single address book can contain up to 2,000 domain names.
Cloud Service Domain Address Book: This address book is predefined with trusted Alibaba Cloud domains and commonly used public documentation websites. This type of address book is read-only and cannot be modified or customized.
3. Port Address Book
Manages a group of ports. You can manually enter port ranges. A single port book can contain up to 2,000 port ranges.
Create an address book
Log on to the Cloud Firewall console.
In the navigation pane on the left, choose .
On the Address Book page, click the tab that corresponds to the type of address book that you want to create.
IP Address Book
Custom IP Address Book
On the tab, click Create Custom IP Address Book. Configure the following parameters:
Configuration item | Description |
Address Book Name and Address Book Description | Set a name and description for the custom address book. Use a meaningful name and describe its applicable scenario to help identify and apply the address book accurately and efficiently. |
IP Type | Select IPv4 or IPv6. |
Custom IP | Enter IPv4 or IPv6 address ranges. Separate multiple addresses with commas (,) or line feeds. Add a description after each address using a space (maximum length: 64). |
Cloud Asset IP Address Book
On the tab, click Create Cloud Asset IP Address Book. Configure the following parameters:
Address Book Name and Address Book Description: Set a name and description for the address book. We recommend that you use a descriptive name and specify the applicable scenario to help you identify and use the address book.
Asset Type: The following three categories are supported.
Public Assets: Automatically aggregates all relevant public IP addresses in your account by asset type. Supported asset types include Elastic IP Addresses (EIPs), public IP addresses of Elastic Compute Service (ECS) instances, Server Load Balancer public IPs, and Bastionhost IPs. If you enable the multi-account management feature, assets from member accounts are also included.
ACK Asset: Adds the IP addresses of Container Service for Kubernetes (ACK) clusters. You must first create an ACK cluster sync node.
ECS Tags: Filters ECS instances that have public IPs based on their tags. This option is suitable if you want to include only specific ECS instances.
Public Assets
Asset Accounts: Select the Alibaba Cloud account to which the target assets belong. To include assets from other accounts, you must first configure the multi-account management feature.
IP Type: Select IPv4 or IPv6.
Public Assets: Select the required asset types from the list of supported assets. After you make a selection, you can click Preview Asset IPs to view the list of IP addresses that will be included.
Note: If you select All Accounts for Asset Accounts, the system automatically syncs public assets from any newly added member accounts.
The sync cycle for a Public Assets address book is the same as the sync cycle for public assets. Until a change to public assets has been synchronized, the address book does not yet contain the new IP addresses, so access control policies that reference it may block traffic from those assets.
After you change public assets, go to and click Synchronize Assets in the upper-right corner of the asset list to update the address book.
ACK Asset
Instance ID/Name of the ACK Cluster Synchronization Node: Select an existing ACK cluster sync node.
ACK Address Book Type:
ACK Cluster Namespace: Syncs all pod IP addresses in the selected namespaces. You can select multiple namespaces.
ACK Cluster Pod Tag: Syncs all pod IP addresses that have the selected labels. You can select multiple labels.
ECS Tags
ECS Tag Filter: New ECS instances that match the specified tags are automatically added to this address book. This feature is enabled by default and cannot be disabled.
ECS Tags: Select the tags and their values for the target ECS instances. To include ECS instances with different tags, click Add ECS Tag to specify multiple tag conditions. After the configuration is complete, the IP addresses of the matching ECS instances are displayed in the area below.
Note: Cloud Firewall automatically updates ECS tag-based address books every 100 minutes and syncs the updates to all access control policies that reference them.
Domain Address Book
On the tab, click Create Custom Domain Name Address Book. Configure the following parameters:
Configuration item | Description |
Address Book Name and Address Book Description | Set a name and description for the custom address book. Use a meaningful name and describe its applicable scenario to help identify and apply the address book accurately and efficiently. |
Domain Name | Enter domain names or wildcard domain names. Separate multiple domain names with commas (,) or line feeds. Add a description after each domain using a space (maximum length: 64). |
Port Address Book
On the Port Address Book tab, click Create Port Address Book. Configure the following parameters:
Configuration item | Description |
Address Book Name and Address Book Description | Set a name and description for the custom address book. Use a meaningful name and describe its applicable scenario to help identify and apply the address book accurately and efficiently. |
Port | Enter port ranges. Port values range from 0 to 65535. Separate multiple port ranges with commas (,) or line feeds. Add a description after each range using a space (maximum length: 8). |
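The three tables above describe the same entry format: items separated by commas or line feeds, an optional description after a space, and per-type limits. The following is an added example, not Alibaba Cloud code, that pre-validates a pasted entry list against those rules before it goes into the console; it assumes wildcard domains use a leading "*." and that port ranges are written as start/end (a bare port is treated as a single-port range), neither of which the page spells out.

```python
import ipaddress
import re

MAX_ENTRIES = 2000                                   # per-book limit from the page
DESC_LIMIT = {"ip": 64, "domain": 64, "port": 8}     # description lengths from the page
# Assumption: a wildcard domain is "*." followed by ordinary DNS labels.
_DOMAIN_RE = re.compile(
    r"^(\*\.)?([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)


def _parse_ip(value, version):
    """Accept one address or CIDR block; it must match the book's IP Type."""
    net = ipaddress.ip_network(value, strict=False)   # raises ValueError if malformed
    if net.version != version:
        raise ValueError(f"{value} is IPv{net.version} but the book is IPv{version}")
    return str(net)


def _parse_domain(value):
    if not _DOMAIN_RE.match(value):
        raise ValueError(f"{value} is not a valid domain or wildcard domain")
    return value.lower()


def _parse_port(value):
    """Assumed syntax: 'start/end' or a single port; both ends within 0-65535."""
    lo, _, hi = value.partition("/")
    lo, hi = int(lo), int(hi or lo)                   # int() raises ValueError if not numeric
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"{value} is outside 0-65535 or has start greater than end")
    return f"{lo}/{hi}"


def validate_book(kind, text, ip_version=4):
    """Return (entries, errors): entries is a list of (normalized value, description)."""
    parsers = {"ip": lambda v: _parse_ip(v, ip_version),
               "domain": _parse_domain, "port": _parse_port}
    entries, errors = [], []
    for item in (i.strip() for i in re.split(r"[,\n]", text) if i.strip()):
        value, _, desc = item.partition(" ")          # description follows the first space
        desc = desc.strip()
        try:
            if len(desc) > DESC_LIMIT[kind]:
                raise ValueError(f"description for {value} exceeds {DESC_LIMIT[kind]} chars")
            entries.append((parsers[kind](value), desc))
        except ValueError as exc:
            errors.append(str(exc))
    if len(entries) > MAX_ENTRIES:
        errors.append(f"{len(entries)} entries exceed the limit of {MAX_ENTRIES}")
    return entries, errors


# Constructed sample for an IPv4 book: two valid rows, one IPv6 row, one malformed row.
SAMPLE_IPV4_BOOK = "10.0.0.0/8 office, 203.0.113.7 scanner\n2001:db8::1 v6\n10.0.0.300"
```

Running `validate_book("ip", SAMPLE_IPV4_BOOK)` keeps the two IPv4 rows and reports the IPv6 and malformed rows as errors instead of silently dropping them.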
After you create an address book, you can view its details, modify it, or delete it from the address book list.
You cannot delete an address book that is referenced by a policy.
After you create an ACK address book, you cannot modify its associated Instance ID/Name of the ACK Cluster Synchronization Node or ACK Address Book Type. To make changes, you must delete the original address book and create a new one.
View cloud service address books
The Cloud Service IP Address Book and Cloud Service Domain Address Book are read-only. You can only view and reference them. You cannot create or modify them.
Log on to the Cloud Firewall console.
In the navigation pane on the left, choose .
Navigate to the target address book.
Cloud Service IP Address Book: Go to the tab.
Cloud Service Domain Address Book: Go to the tab.
Click View in the Actions column for the target address book to view its details.