You can add multiple IP addresses (IPv4 and IPv6), ports, or domain names to an address book and then reference the address book when you create an access control policy. This lets one policy control the traffic of a whole group of addresses and keeps policy configuration simple. Updates to an address book are automatically synchronized to every access control policy that references it, so policy adjustments take effect faster and are easier to manage.
Address book types
Cloud Firewall supports custom address books and provides recommended intelligent address books. You can flexibly create custom address books and apply them to meet the diverse security requirements of your workloads.
Address book type | Description |
Custom address book | Custom address books are address books that you create. You can create custom IPv4 address books, IPv6 address books, port address books, domain address books, and Container Service for Kubernetes (ACK) address books. You can create up to 5,000 custom address books. The maximum number of entries in an address book depends on its type:
IPv4 Address Book: up to 2,000 IPv4 addresses or 500 tags of Elastic Compute Service (ECS) instances.
IPv6 Address Book: up to 2,000 IPv6 addresses.
Port Address Book: up to 50 ports.
Domain Address Book: up to 2,000 domain names.
ACK address book: up to 10 namespaces or labels.
Note An item can be added to multiple address books. For example, an IPv4 address can be added to two different address books. |
Recommended intelligent address book | Recommended intelligent address books are built-in address books: cloud service address books and threat intelligence address books. You can reference a recommended intelligent address book directly when you configure an access control policy, but you cannot modify or delete it.
Note Recommended intelligent address books are updated automatically on a regular basis, and the updates are synchronized to the access control policies that reference them. The update interval depends on the type: cloud service address books are updated every 10 to 100 minutes, and threat intelligence address books are updated once a day.
Cloud Service Address Book: contains the back-to-origin addresses of Alibaba Cloud services, such as the server IP addresses of the Security Center vulnerability scanner, the public IP addresses of all ECS instances within your account, the back-to-origin addresses of Anti-DDoS instances, the back-to-origin addresses of Web Application Firewall (WAF) instances, and the back-to-origin addresses of Edge Security Acceleration (ESA) points of presence (POPs). If traffic from a cloud service address book is denied, the related services may stop working. We recommend that you allow traffic from the IP addresses and domain names in all cloud service address books. Keep in mind that the ECS address book covers every ECS instance in your account, so a policy that allows it trusts all of those instances, not only the ones you intended.
Threat Intelligence Address Book: contains address books of malicious IP addresses or domain names detected by Alibaba Cloud, and address books of common websites. Address books of malicious IP addresses or domain names are compiled and continuously updated by security researchers and automated systems from analysis of cyber attacks and malware activity. Denying traffic to and from the IP addresses or domain names in the malicious address books intercepts communication with known malicious sources and improves the security of your system. We recommend that you deny traffic from all malicious address books.
Address books of common websites contain frequently accessed websites, such as online document services, social networking sites, and cloud storage services. Enterprise administrators can configure access control policies to allow or deny access to these websites, for example to manage the network activity of employees, reserve bandwidth for business-critical traffic, or restrict access to sites that do not meet compliance and security requirements.
|
Create a custom address book
Log on to the Cloud Firewall console.
In the left-side navigation pane, choose .
On the Address Books page, click the Custom Address Book tab. Then click the IPv4 Address Book, IPv6 Address Book, Port Address Book, Domain Address Book, or ACK address book tab based on the type of address book that you want to create, click Create Address Book, and configure the parameters.
Create an IPv4 address book
You can create an IPv4 address book based on the IP address or ECS tag.
IP address: Enter an IPv4 address.
ECS tag: If you want to add the public IP addresses of multiple ECS instances to the address book and those instances carry tags, select the tags to add all of their public IP addresses in one step.
Note Cloud Firewall automatically updates the address books that are created based on ECS tags every 100 minutes, and the updates are automatically synchronized to the access control policies that reference the address books.
Address Book Type | Parameter | Description |
IP Address | Address Book Name | Enter an informative name for the address book to help you identify the address book. |
IP Address | IP Address | Enter one or more IPv4 CIDR blocks. Example: 100.100.XX.XX/32. Separate multiple CIDR blocks with commas (,). |
IP Address | Description | Enter a description for the address book and scenarios in which you want to use the address book. |
ECS Tag | Address Book Name | Enter an informative name for the address book to help you identify the address book. |
ECS Tag | ECS Tag Update | Specify whether to automatically add the public IP addresses of ECS instances to the address book if the ECS instances match the specified tags. By default, the switch is turned on. The switch cannot be turned off. |
ECS Tag | ECS Tag | Select the ECS tags and the values of the tags. If different tags are added to the required ECS instances, you can click Add ECS Tag to add the public IP addresses of ECS instances with different tags. For more information about ECS tags, see Modify the tags of an instance. |
ECS Tag | Description | Enter a description for the address book and scenarios in which you want to use the address book. |
Create an IPv6 address book
Parameter | Description |
Address Book Name | Enter an informative name for the address book to help you identify the address book. |
IP Address | Enter one or more IPv6 CIDR blocks. Example: 2001:3caf:10f:****:****/56. Separate multiple CIDR blocks with commas (,). |
Description | Enter a description for the address book and scenarios in which you want to use the address book. |
Create a port address book
Parameter | Description |
Address Book Name | Enter an informative name for the address book to help you identify the address book. |
Port | Enter one or more port ranges. Valid values: 0 to 65535. Separate multiple port ranges with commas (,). A port range must be in the Start port/End port format: 22/25 indicates ports 22 through 25, 80/80 indicates port 80 only, and 0/0 indicates all ports. |
Description | Enter a description for the address book and scenarios in which you want to use the address book. |
Create a domain address book
Parameter | Description |
Address Book Name | Enter an informative name for the address book to help you identify the address book. |
Description | Enter a description for the address book and scenarios in which you want to use the address book. |
Domain Name | Enter one or more domain names. You can enter wildcard domain names. Separate multiple domain names with commas (,).
Note If you set Destination Type of an access control policy to Domain Name, the application type supports only HTTP, HTTPS, SSL, SMTP, and SMTPS. A wildcard domain name cannot be resolved to a fixed set of IP addresses in advance, so if you reference an address book of wildcard domain names when you create an access control policy for a NAT firewall, you can set Domain Name Identification Mode only to FQDN-based Resolution (Extract Host or SNI Field in Packets). |
Create an ACK address book
Important Before you create an ACK address book, you must first create an ACK cluster synchronization node and obtain the ID or name of the node.
ACK address books are populated by ACK cluster synchronization nodes. After you create an ACK address book, you cannot change the value of Instance ID/name of the ACK cluster synchronization node or ACK address book type. To modify either, delete the address book and create a new one.
Parameter | Description |
Address Book Name | Enter an informative name for the address book to help you identify the address book. |
Description | Enter a description for the address book and scenarios in which you want to use the address book. |
Instance ID/name of the ACK cluster synchronization node | Enter the ID or name of the ACK cluster synchronization node that you want to use. The ACK cluster synchronization node periodically and automatically synchronizes the latest IP addresses of the related pods to the ACK address book. |
ACK address book type | ACK cluster namespace: If you select this option, the IP addresses of all pods in the specified namespaces are synchronized to the ACK address book. ACK Cluster Pod Tag: If you select this option, the IP addresses of all pods with the specified labels are synchronized to the ACK address book. |
Content | Enter a value based on the value that you select for ACK address book type. If you select ACK cluster namespace, specify one or more namespaces. If you select ACK Cluster Pod Tag, specify one or more key-value pairs.
Note The system does not verify the specified namespaces. If a namespace does not exist (for example, because of a typo), no IP addresses are synchronized for it, and a policy that references an address book with no addresses matches no traffic, so a deny policy built on it blocks nothing. Check the address book contents after the first synchronization. A namespace can be up to 63 characters in length. It must start with a letter or a digit and end with a hyphen (-), underscore (_), period (.), letter, or digit. |
Click OK.
After an address book is created, you can view, modify, or delete it in the address book list.
Important You cannot modify Address Book Type or the specified ACK cluster synchronization node of an address book, or delete a custom address book that is being referenced by access control policies.
View a recommended intelligent address book
You can view a recommended intelligent address book. However, you cannot create or edit a recommended intelligent address book.
Log on to the Cloud Firewall console.
In the left-side navigation pane, choose .
Click the Recommended Intelligent Address Book tab to view the list of recommended intelligent address books.
Click View in the Actions column of an address book to view the details of the address book.