Configure a blacklist - Web Application Firewall - Alibaba Cloud Documentation Center

After you add a website to Web Application Firewall (WAF), you can enable the blacklists feature. This feature blocks access requests from specified IP addresses, Classless Inter-Domain Routing (CIDR) blocks, and IP addresses in specified regions. You can specify either an IP address blacklist or a region blacklist based on your requirements.

Background information

WAF supports both IP address and region blacklists.

An IP address blacklist blocks access requests from specified IP addresses and CIDR blocks.
A region blacklist blocks the access requests from administrative regions in China or countries and areas outside China.

Prerequisites

A WAF instance is purchased. The instance runs the Pro, Business, Enterprise or Exclusive.
Important WAF instances of the Pro and Business edition support only the IP Address Blacklist feature and do not support the Region Blacklist feature.
To use the Region Blacklist feature, your WAF instance must run the Enterprise or Exclusive edition.
Your website is added to WAF. For more information, see Tutorials.

Procedure

Log on to the WAF console.
In the top navigation bar, select the resource group and the region to which the WAF instance belongs. The region can be Chinese Mainland or Outside Chinese Mainland.
In the left-side navigation pane, choose Protection Settings > Website Protection.
In the upper part of the Website Protection page, select the domain name for which you want to configure a whitelist.
On the Access Control/Throttling tab, find the Blacklists section. Then, turn on Status and click Settings.
Note If you specify an IP address blacklist, all requests destined for your website are checked by this blacklist. You can also configure the whitelist for Access Control/Throttling to allow requests that match rules to bypass the check. For more information, see Configure a whitelist for Access Control/Throttling.
On the Blacklists page, configure Blacklists and Region Blacklist.
- Blacklists: Enter IP addresses that you want to block and click Save in the lower part of the page. Separate multiple IP addresses with commas (,). You can add a maximum of 200 IP addresses.
- Region Blacklist: Select the administrative regions that you want to block from the Inside China tab and countries and areas from the Outside China tab. Then, click Save in the lower part of the page.
After the blacklists feature is enabled, all the access requests from IP addresses and regions in the blacklists are blocked.

References

If you need more precise access control based on blacklists, we recommend that you use a custom protection policy. For more information, see Create a custom protection policy.
If you want to allow access requests from specified IP addresses, we recommend that you configure the whitelist for Access Control/Throttling. For more information, see Configure a whitelist for Access Control/Throttling.