
Microservices Engine: Configure a public IP address whitelist

Last Updated: Jan 30, 2024

You can configure a public IP address whitelist for a Microservices Engine (MSE) Nacos instance so that the instance can be accessed only from the IP addresses or CIDR blocks that you specify. To configure the whitelist, you must first obtain the public IP address of the device that initiates access to the Nacos instance. After the whitelist is configured, that device can access the Nacos instance over the Internet. This improves security without affecting the use of the Nacos instance.

Usage notes

Limits

  • MSE instances do not support private IP address whitelists.

  • Public IP addresses may change. You must periodically check and update the IP addresses in the whitelist to ensure that authorized devices can still access the Nacos instance.

Procedure

  1. Log on to the MSE console and select a region in the top navigation bar.

  2. In the left-side navigation pane, choose Microservices Registry > Instances.

  3. On the Instances page, click the name of the instance.

  4. On the Basic Information page, click the edit icon next to Public IP Address Whitelist.

  5. In the Public IP Address Whitelist dialog box, enter the public IP addresses or CIDR blocks that are allowed to access the instance, and click OK.

    • If you do not add public IP addresses or CIDR blocks to the whitelist, all public IP addresses can be used to access the instance.

      Important

      If access authentication is not enabled for the Nacos instance in this case, sensitive data may be leaked. Proceed with caution when you clear the whitelist configuration. We recommend that you enable access authentication before you clear the whitelist configuration. For more information about how to enable access authentication, see Access authentication by the Nacos client.

    • If you add IP addresses or CIDR blocks to the whitelist, only the IP addresses or CIDR blocks in the whitelist can access the instance.

      CIDR blocks must be in the X.X.X.X/X format. The X that follows the forward slash (/) indicates the subnet mask. If you add the CIDR block 127.0.0.1/32 to the whitelist, no public IP address is allowed to access the instance.

      You can configure multiple public IP addresses or CIDR blocks in the whitelist. Separate public IP addresses or CIDR blocks with commas (,). Each subnet mask ranges from 1 to 32. The host IDs of IP addresses in the whitelist must be 0.

Commands for querying public IP addresses

  • curl ipinfo.io

  • curl ip.cn

  • curl cip.cc

  • curl ifconfig.me

  • curl myip.ipip.net

Configuration example

Query the public IP address by running the curl cip.cc command, as shown in the following figure.

[Figure: Query result showing the public IP address.]

You can add the public IP address that you queried to the IP address whitelist of the MSE instance.

After the whitelist is configured, you can access the instance by using the public IP address.
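The following Python sketch is an added example, not part of the original documentation or an MSE tool. It checks a whitelist string against the format rules in step 5 and, given a public IP address obtained with one of the query commands, reports whether that address is still covered, which supports the periodic check that the Limits section calls for. The function name check_whitelist, the treatment of a bare address as a single host, and the sample addresses (documentation ranges) are assumptions.

```python
import ipaddress

def check_whitelist(value, current_ip=None):
    """Check a comma-separated whitelist string against the rules on this page.

    Returns (networks, problems): the accepted entries and a list of findings.
    """
    networks, problems = [], []
    entries = [e.strip() for e in value.split(",") if e.strip()]
    if not entries:
        problems.append("empty whitelist: every public IP address can access the instance")
    for entry in entries:
        addr, slash, mask = entry.partition("/")
        try:
            ip = ipaddress.IPv4Address(addr)
        except ValueError:
            problems.append(f"{entry}: not in X.X.X.X or X.X.X.X/X format")
            continue
        if slash and not (mask.isascii() and mask.isdigit() and 1 <= int(mask) <= 32):
            problems.append(f"{entry}: subnet mask must be 1 to 32")
            continue
        # Assumption: a bare address (no "/") is treated as a single host.
        prefix = int(mask) if slash else 32
        net = ipaddress.IPv4Network(f"{ip}/{prefix}", strict=False)
        if net.network_address != ip:
            problems.append(f"{entry}: host bits must be 0, use {net}")
            continue
        if net.is_loopback:
            problems.append(f"{entry}: loopback entry matches no public IP address")
        networks.append(net)
    if current_ip is not None and networks:
        ip = ipaddress.IPv4Address(current_ip)
        if not any(ip in net for net in networks):
            problems.append(f"{current_ip}: current public IP is not covered by the whitelist")
    return networks, problems

if __name__ == "__main__":
    # Constructed sample values; replace with your whitelist and queried public IP.
    sample = "203.0.113.45/24, 198.51.100.7"
    nets, issues = check_whitelist(sample, current_ip="192.0.2.10")
    print("accepted:", [str(n) for n in nets])
    for issue in issues:
        print("problem:", issue)
```

Run it on a schedule with the address returned by a query command as current_ip, and update the whitelist in the console when it reports that the address is no longer covered.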