Control which source IP addresses can access your Anti-DDoS Proxy instance by adding them to a blacklist (deny) or whitelist (allow). This setting applies to all services associated with the instance.
How it works
Anti-DDoS Proxy maintains two types of IP-based access control lists:
Blacklist: Requests from blacklisted IP addresses are denied.
Whitelist: Requests from whitelisted IP addresses are always allowed.
If the same IP address appears on both lists, the whitelist takes precedence.
Anti-DDoS Proxy supports both IP-address-based and domain-name-based blacklists and whitelists:
IP-address-based (this topic): affects all services added to an instance. Use this when you need instance-wide access control.
Domain-name-based: affects specific domain names only. Use this when you need to restrict access for a subset of domains without affecting the entire instance. See Configure blacklists and whitelists for domain names.
Validity period
| List type | Duration |
|---|---|
| Custom blacklist | Permanent |
| Blacklist issued by the intelligent protection algorithm | 5 minutes to 1 hour. For IP addresses that frequently launch attacks, the blocking period may automatically extend. |
| Custom whitelist | Permanent |
Note: Only custom whitelists are supported. There is no algorithm-generated whitelist.
Limits
You can add up to 2,000 IP addresses or CIDR blocks to the blacklist and another 2,000 to the whitelist, across all Anti-DDoS Proxy instances under the same Alibaba Cloud account.
To move an IP address from the whitelist to the blacklist, first remove it from the whitelist.
IP address format constraints:
IPv4-only instances support IPv4 addresses and CIDR blocks (/8–/32).
IPv6-only instances support IPv6 addresses and CIDR blocks (/32–/128).
The following addresses are not allowed:
0.0.0.0, 255.255.255.255 (IPv4); ::, ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff (IPv6).
Prerequisites
Before you begin, ensure that you have:
An Anti-DDoS Proxy (Chinese Mainland) or Anti-DDoS Proxy (Outside Chinese Mainland) instance. See Purchase an Anti-DDoS Proxy instance.
Configure the IP blacklist or whitelist
Log on to the Anti-DDoS Proxy console.
In the top navigation bar, select the region of your instance:
Chinese Mainland for Anti-DDoS Proxy (Chinese Mainland) instances
Outside Chinese Mainland for Anti-DDoS Proxy (Outside Chinese Mainland) instances
In the left-side navigation pane, choose Mitigation Settings > General Policies.
On the Protection for Infrastructure tab, select your Anti-DDoS Proxy instance from the list. You can search by instance ID or description.
In the Blacklist and Whitelist (IP address-based) section, click Settings.
In the Configure Blacklist and Whitelist panel, select Blacklist or Whitelist, then enter the IP addresses or CIDR blocks to add.
Use commas to separate multiple entries. Both the IP address format and the IP address/subnet mask format are supported. Examples:
| Format | Example | Description |
|---|---|---|
| Single IPv4 address | 203.0.113.42 | Blocks or allows one specific IP address |
| IPv4 CIDR block | 203.0.113.0/24 | Covers the range 203.0.113.0–203.0.113.255 |
| Single IPv6 address | 2001:db8::1 | Blocks or allows one specific IPv6 address |
| IPv6 CIDR block | 2001:db8::/32 | Covers a range of IPv6 addresses |
After saving, you can batch delete, download, or clear the list.
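The format constraints under Limits and the comma-separated input in the last step can be checked locally before entries are pasted into the console. The following Python code is an added example, not Alibaba Cloud code; the function name, the `existing` parameter (entries already on the list), and the handling of host bits and CIDR containment are assumptions.

```python
import ipaddress

# Limits as stated on this page.
PREFIX_RANGE = {4: (8, 32), 6: (32, 128)}   # allowed CIDR prefix lengths
FORBIDDEN = {ipaddress.ip_address(a) for a in (
    "0.0.0.0", "255.255.255.255",
    "::", "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff")}
MAX_ENTRIES = 2000                          # per list, per account


def check_blacklist_input(raw, ip_version, whitelist=(), existing=0):
    """Hypothetical helper: split comma-separated entries and return
    (accepted, rejected), where rejected holds (entry, reason) pairs."""
    allowed = [ipaddress.ip_network(w, strict=False) for w in whitelist]
    accepted, rejected = [], []
    for item in (part.strip() for part in raw.split(",")):
        if not item:
            continue
        try:
            # strict=False normalizes host bits (assumption; the page does
            # not say how the console treats e.g. 203.0.113.42/24).
            net = ipaddress.ip_network(item, strict=False)
        except ValueError:
            rejected.append((item, "not an IP address or CIDR block"))
            continue
        low, high = PREFIX_RANGE[net.version]
        if net.version != ip_version:
            reason = f"instance is IPv{ip_version}-only"
        elif not low <= net.prefixlen <= high:
            reason = f"prefix must be /{low} to /{high}"
        elif net.num_addresses == 1 and net.network_address in FORBIDDEN:
            reason = "address is not allowed"
        elif any(w.version == net.version and net.subnet_of(w) for w in allowed):
            # Assumption: whitelist precedence also applies to CIDR containment.
            reason = "covered by whitelist; remove it there first"
        elif existing + len(accepted) >= MAX_ENTRIES:
            reason = "list limit of 2,000 entries reached"
        else:
            accepted.append(str(net))
            continue
        rejected.append((item, reason))
    return accepted, rejected


# Constructed sample input using documentation address ranges.
SAMPLE = "203.0.113.42, 203.0.113.0/24, 10.0.0.0/4, 0.0.0.0, 2001:db8::1, foo"
if __name__ == "__main__":
    print(check_blacklist_input(SAMPLE, 4, whitelist=["203.0.113.0/30"]))
```

Entries that come back in the rejected list would have no effect or be refused, so resolve them before saving the blacklist.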
Related topics
To restrict access for specific domain names instead of the entire instance, see Configure blacklists and whitelists for domain names.