
Edge Security Acceleration: Use Cloud Firewall to automate origin server protection

Last Updated: Dec 01, 2025

Managing dynamic IP addresses is crucial for protecting origin servers. Alibaba Cloud simplifies this process by integrating Cloud Firewall with Edge Security Acceleration (ESA). This solution uses a dynamic address book to automate protection.

Prerequisites

  • You have configured an access control policy in Cloud Firewall for your origin server.

  • Your origin server is deployed on an Alibaba Cloud service.

  • You have enabled origin server protection and auto-applied the latest IP list.

How it works

After enabling Cloud Firewall for your origin server, protect it by referencing the ESA Back-to-origin Address book in your firewall policy. This address book contains the POP IP addresses of ESA. After you add this address book to a Cloud Firewall border policy, Cloud Firewall filters all traffic that does not originate from an ESA POP. When the origin fetch IP addresses of ESA change, the address book automatically updates. This eliminates the need to manually maintain an IP whitelist for ESA POP IP addresses on your origin server.

Reference the ESA address book in Cloud Firewall

  1. Log on to the Cloud Firewall console.

  2. In the left navigation pane, choose Prevention Configuration > Access Control > Internet Border.

  3. On the Inbound tab, select the IP version for the policy. IPv4 is selected by default. Then, click Create Policy.

  4. In the Create Inbound Policy panel, select the Create Policy tab. For Source Type, select Address Book.

    1. Click the icon and select Cloud Service Address Book.

    2. Search for ESA, select ESA Back-to-origin Address from the results, and then click Select in the Action column.

    3. For Destination, enter the IP address or CIDR block of your origin server, such as 1.2.3.4/32.

    4. Select a Protocol Type based on your needs. If you are unsure which protocol to use, select ANY. For Port, enter your service port. For Application, select ANY.

    5. Set Action to Allow, Priority to Highest, and Policy Validity Period to Always. Enable Status. Then, click OK.

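One way to check that the policy is filtering as described is to audit the origin's access log for client addresses outside the ESA back-to-origin ranges. The following is an added example, not Alibaba Cloud code; the CIDR ranges, log lines, log format (client address as the first field), and function name are constructed assumptions.

```python
import ipaddress

# Constructed stand-ins for the ESA Back-to-origin Address book (documentation ranges).
ESA_RANGES = ["203.0.113.0/24", "198.51.100.0/25", "2001:db8:100::/48"]

# Constructed origin access-log lines; the client address is assumed to be the first field.
SAMPLE_LOG = """\
203.0.113.17 - - [01/Dec/2025:10:00:01 +0000] "GET / HTTP/1.1" 200 512
198.51.100.200 - - [01/Dec/2025:10:00:02 +0000] "GET /admin HTTP/1.1" 404 0
2001:db8:100::5 - - [01/Dec/2025:10:00:03 +0000] "GET /api HTTP/1.1" 200 90
192.0.2.44 - - [01/Dec/2025:10:00:04 +0000] "POST /login HTTP/1.1" 200 31
not-an-ip - - [01/Dec/2025:10:00:05 +0000] "GET / HTTP/1.1" 400 0
192.0.2.44 - - [01/Dec/2025:10:00:06 +0000] "GET / HTTP/1.1" 200 512
::ffff:203.0.113.9 - - [01/Dec/2025:10:00:07 +0000] "GET / HTTP/1.1" 200 512
"""


def find_outside_sources(log_text, cidrs):
    """Return ({source_ip: hits} for sources outside cidrs, [unparseable lines])."""
    networks = [ipaddress.ip_network(c) for c in cidrs]
    outside, malformed = {}, []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        first_field = line.split(maxsplit=1)[0]
        try:
            addr = ipaddress.ip_address(first_field)
        except ValueError:
            malformed.append(line)  # keep for manual review instead of dropping
            continue
        # Dual-stack listeners may log IPv4 clients as ::ffff:a.b.c.d.
        if addr.version == 6 and addr.ipv4_mapped is not None:
            addr = addr.ipv4_mapped
        allowed = any(addr.version == n.version and addr in n for n in networks)
        if not allowed:
            outside[str(addr)] = outside.get(str(addr), 0) + 1
    return outside, malformed


if __name__ == "__main__":
    outside, malformed = find_outside_sources(SAMPLE_LOG, ESA_RANGES)
    for ip, hits in sorted(outside.items()):
        print(f"request reached origin from non-ESA source {ip} ({hits} hits)")
    print(f"{len(malformed)} log line(s) could not be parsed")
```

With the policy working as described, the first result should be empty: any source it reports reached the origin without passing through an ESA POP.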
