Cloud-native gateways provide the IP address blacklist and whitelist feature for security protection. You can configure a blacklist to deny access from specific IP addresses or configure a whitelist to allow access from specific IP addresses. Cloud-native gateways allow you to configure IP address blacklists or whitelists globally or at the domain name or route level. This helps implement fine-grained access control. This topic describes how to configure an IP address blacklist or an IP address whitelist for a cloud-native gateway.
Configure an IP address blacklist or whitelist
Log on to the MSE console.
In the left-side navigation pane, choose Cloud-native Gateway > Gateways. In the top navigation bar, select a region.
On the Gateways page, click the name of the gateway.
In the left-side navigation pane, choose Security Management > Black/White List.
Click Create in the upper-left corner. In the Create panel, configure the parameters and click Save.
Parameter
Description
Name
The name of the IP address-based access control that you want to create.
Description
The description about the IP address-based access control.
Type
The type of the IP address-based access control that you want to create. Valid values:
Whitelist (Allow Access from Specific IP Addresses): Only the API requests from IP addresses or CIDR blocks in the whitelist are allowed by gateways.
Blacklist (Deny Access from Specific IP Addresses): The API requests from IP addresses or CIDR blocks in the blacklist are blocked by gateways.
Effective Granularity
The level at which the IP address-based access control takes effect.
Gateway: The IP address-based access control takes effect on the gateway.
Domain Name: The IP address-based access control takes effect on specific domains.
Routes: The IP address-based access control takes effect on specific routes.
NoteThe IP address-based access control takes effect at the following levels in descending order of priority: Routes > Domain Name > Gateway.
IP Address/CIDR Block
The IP addresses or CIDR blocks that you want to add to the IP address whitelist or blacklist.
Configuration example
Step 1: Create a mock route
Log on to the MSE console.
In the left-side navigation pane, choose Cloud-native Gateway > Gateways. In the top navigation bar, select a region.
On the Gateways page, click the name of the gateway.
In the left-side navigation pane, click Routes, and click the Routes tab.
On the Routes tab, click Add Route. On the Add Route page, configure the parameters and click Save and Release.
Step 2: Test the mock route
Run the following command to access the mock route:
curl 47.100.xx.xx/mockIn the following returned result, the HTTP status code 200 indicates that the request is successful.
{
"code": 200,
"data": {
"message": "ok"
},
"HttpStatusCode": 200,
"successResponse": 200
}Step 3: Configure an IP address blacklist
Obtain the IP address of your on-premises machine.
Log on to the MSE console. Add the IP address of your on-premises machine to the IP address whitelist or blacklist to allow or deny requests from your on-premises machine to the MSE cloud-native gateway. In this example, the IP address of your on-premises machine is added to the IP address blacklist.
For more information, see Configure an IP address blacklist or whitelist in this topic.
Run the following command to perform a test:
curl -v 47.100.xx.xx/mockThe following result is returned:
* Trying 47.100.xx.xx... * TCP_NODELAY set * Connected to 47.100.xx.128 (47.100.xx.xx) port 80 (#0) > GET /mock HTTP/1.1 > Host: 47.100.xx.xx > User-Agent: curl/7.64.1 > Accept: */* > < HTTP/1.1 403 Forbidden < content-length: 19 < content-type: text/plain < date: Thu, 25 Aug 2022 09:43:43 GMT < server: istio-envoy < * Connection #0 to host 47.100.xx.xx left intact RBAC: access denied* Closing connection 0