Configure a blacklist - Website Protection Settings| Alibaba Cloud Documentation Center

After you add a website to Web Application Firewall (WAF), you can enable the blacklists feature. This feature blocks access requests from specified IP addresses, Classless Inter-Domain Routing (CIDR) blocks, and IP addresses in specified regions. You can specify either an IP address blacklist or a region blacklist based on your requirements.

Prerequisites

A WAF instance is purchased. The instance runs the Pro edition or higher.

Notice WAF instances of the Pro edition support only the IP Address Blacklist feature and do not support the Region Blacklist feature.
To use the Region Blacklist feature, your WAF instance must run the Business edition or higher.

For more information, see Purchase a WAF instance.
Your website is added to WAF.
For more information, see Tutorial.

Background information

WAF supports both IP address and region blacklists.

An IP address blacklist blocks access requests from specified IP addresses and CIDR blocks.
A region blacklist blocks the access requests from administrative regions in China or countries and areas outside China. You can specify a total of 247 entries as blocked regions.
You can use the IP address library of Taobao to query the source region of an IP address. For more information, visit the IP address library of Taobao.

Procedure

Log on to the WAF console.
In the top navigation bar, select the resource group and region to which the WAF instance belongs. The region can be Mainland China or International.
In the left-side navigation pane, choose Protection Settings > Website Protection.
In the upper part of the Website Protection page, select the domain name for which you want to configure a whitelist.
On the Access Control/Throttling tab, find the Blacklists section. Then, turn on Status and click Settings.

Note If you specify an IP address blacklist, all requests destined for your website are checked by this blacklist. You can also configure the whitelist for Access Control/Throttling to allow requests that match rules to bypass the check. For more information, see Configure a whitelist for Access Control/Throttling.
On the Blacklists page, configure Blacklists and Region Blacklist.
- Blacklists: Enter IP addresses that you want to block and click Save in the lower part of the page. Separate multiple IP addresses with commas (,). You can add a maximum of 200 IP addresses.
- Region Blacklist: Select the administrative regions that you want to block from the Inside China tab and countries and areas from the Outside China tab. Then, click Save in the lower part of the page.
After the blacklists feature is enabled, all the access requests from IP addresses and regions in the blacklists are blocked.

References

If you need more precise access control based on blacklists, we recommend that you use a custom protection policy. For more information, see Create a custom protection policy.
If you want to allow access requests from specified IP addresses, we recommend that you configure the whitelist for Access Control/Throttling. For more information, see Configure a whitelist for Access Control/Throttling.