
Microservices Engine: Configure IP address blacklists and whitelists for cloud-native gateways

Last Updated: Dec 25, 2023

Cloud-native gateways provide the IP address blacklist and whitelist feature for security protection. You can configure a blacklist to deny access from specific IP addresses or configure a whitelist to allow access from specific IP addresses. Cloud-native gateways allow you to configure IP address blacklists or whitelists globally or at the domain name or route level. This helps implement fine-grained access control. This topic describes how to configure an IP address blacklist or an IP address whitelist for a cloud-native gateway.

Configure an IP address blacklist or whitelist

  1. Log on to the MSE console.

  2. In the left-side navigation pane, choose Cloud-native Gateway > Gateways. In the top navigation bar, select a region.

  3. On the Gateways page, click the name of the gateway.

  4. In the left-side navigation pane, choose Security > Black/White List.

  5. Click Create in the upper-left corner. In the Create panel, configure the parameters and click Save.

    Name: The name of the IP address-based access control that you want to create.

    Description: The description of the IP address-based access control.

    Type: The type of the IP address-based access control that you want to create. Valid values:

    • Whitelist (Allow Access from Specific IP Addresses): Only API requests from IP addresses or CIDR blocks in the whitelist are allowed by the gateway.

    • Blacklist (Deny Access from Specific IP Addresses): API requests from IP addresses or CIDR blocks in the blacklist are blocked by the gateway.

    Effective Granularity: The level at which the IP address-based access control takes effect.

    • Gateway: The IP address-based access control takes effect on the whole gateway.

    • Domain Name: The IP address-based access control takes effect on specific domain names.

    • Routes: The IP address-based access control takes effect on specific routes.

      Note

      The IP address-based access control takes effect at the following levels in descending order of priority: Routes > Domain Name > Gateway.

    IP Address/CIDR Block: The IP addresses or CIDR blocks that you want to add to the IP address whitelist or blacklist.
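The following Python model, added here and not part of MSE or its gateway, shows how the list type and the effective granularity described above combine into an allow/deny decision. It assumes CIDR-aware matching and reads the Note on priority as "the most specific configured level decides, and every list at that level must allow the request"; the list names and client addresses are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Routes > Domain Name > Gateway, as the console Note states (lower value = higher priority).
PRIORITY = {"route": 0, "domain": 1, "gateway": 2}

@dataclass
class AccessControl:
    """One Black/White List entry as created in the MSE console."""
    name: str
    kind: str                        # "whitelist" or "blacklist"
    granularity: str                 # "gateway", "domain" or "route"
    entries: List[str]               # IP addresses or CIDR blocks
    targets: Set[str] = field(default_factory=set)  # domain or route names it applies to

    def applies_to(self, domain: str, route: str) -> bool:
        return (self.granularity == "gateway"
                or (self.granularity == "domain" and domain in self.targets)
                or (self.granularity == "route" and route in self.targets))

    def lists(self, client_ip: str) -> bool:
        ip = ipaddress.ip_address(client_ip)
        return any(ip in ipaddress.ip_network(e, strict=False) for e in self.entries)

    def allows(self, client_ip: str) -> bool:
        # Whitelist: only listed sources pass. Blacklist: listed sources are blocked.
        hit = self.lists(client_ip)
        return hit if self.kind == "whitelist" else not hit

def evaluate(controls: List[AccessControl], client_ip: str,
             domain: str, route: str) -> Tuple[int, Optional[str]]:
    """Return (HTTP status, name of the deciding list). Assumption: only the most
    specific applicable level is consulted, and every list at that level must allow."""
    applicable = [c for c in controls if c.applies_to(domain, route)]
    if not applicable:
        return 200, None                       # no list configured: request passes
    level = min(PRIORITY[c.granularity] for c in applicable)
    chosen = [c for c in applicable if PRIORITY[c.granularity] == level]
    for c in chosen:
        if not c.allows(client_ip):
            return 403, c.name                 # the gateway answers "RBAC: access denied"
    return 200, chosen[0].name

# Constructed sample mirroring Step 3 of this topic: the tester's own address is
# blacklisted gateway-wide, then exempted again for the mock route by a route-level whitelist.
CONTROLS = [
    AccessControl("deny-my-pc", "blacklist", "gateway", ["203.0.113.0/24"]),
    AccessControl("mock-allow", "whitelist", "route", ["203.0.113.7"], {"mock"}),
]
```

Calling evaluate(CONTROLS, "203.0.113.7", "*", "mock") returns 200 because the route-level whitelist outranks the gateway-level blacklist, while the same client on any other route gets 403.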

Configuration example

Step 1: Create a mock route

  1. Log on to the MSE console.

  2. In the left-side navigation pane, choose Cloud-native Gateway > Gateways. In the top navigation bar, select a region.

  3. On the Gateways page, click the name of the gateway.

  4. In the left-side navigation pane, choose Routes > Route Settings.

  5. In the upper-left corner of the Route Settings page, click Add Route.

  6. In the Add Route panel, configure the parameters and click Save and Release.

    For more information, see Create a routing rule.

    Route Name: The name of the route that you want to create.

    Domain Name: Select *.

    Match Rule:

    • Path: The Path parameter that is used to match HTTP requests with a route. For example, you can select Exact Match and enter /user in the field to match all HTTP requests for the /user path.

    • Method: The Method parameter that is used to match HTTP requests with a route. If you do not specify this parameter, requests with any Method value can match the route. You can specify multiple Method values in the matching condition to match more requests with a route.

    • Header: The Header parameter that is used to match HTTP requests with a route. If multiple routes have the same matching conditions aside from the number of specified Header parameters, the route with more Header parameters has the higher priority. Click + Request Header to add a Header parameter to the routing rule.

    • Query Parameters: The Query parameter that is used to match HTTP requests with a route. If multiple routes have the same matching conditions aside from the number of Query parameters, the route with more Query parameters has the higher priority. Click + Request Parameters to add a Query parameter to the routing rule.

    Destination Service: Select Mock, then specify the Status Code and Response Content parameters.

Step 2: Test the mock route

Run the following command to access the mock route:

curl 47.100.xx.xx/mock

In the following returned result, the HTTP status code 200 indicates that the request is successful.

{
  "code": 200,
  "data": {
    "message": "ok"
  },
  "HttpStatusCode": 200,
  "successResponse": 200
}

Step 3: Configure an IP address blacklist

  1. Obtain the IP address of your on-premises machine.

  2. Log on to the MSE console. Add the IP address of your on-premises machine to the IP address whitelist or blacklist to allow or deny requests from your on-premises machine to the MSE cloud-native gateway. In this example, the IP address of your on-premises machine is added to the IP address blacklist.

    For more information, see Configure an IP address blacklist or whitelist in this topic.

  3. Run the following command to perform a test:

    curl -v 47.100.xx.xx/mock

    The following result is returned:

    *   Trying 47.100.xx.xx...
    * TCP_NODELAY set
    * Connected to 47.100.xx.128 (47.100.xx.xx) port 80 (#0)
    > GET /mock HTTP/1.1
    > Host: 47.100.xx.xx
    > User-Agent: curl/7.64.1
    > Accept: */*
    >
    < HTTP/1.1 403 Forbidden
    < content-length: 19
    < content-type: text/plain
    < date: Thu, 25 Aug 2022 09:43:43 GMT
    < server: istio-envoy
    <
    * Connection #0 to host 47.100.xx.xx left intact
    RBAC: access denied* Closing connection 0