Network Lists
Network Lists is a feature of the Network Layer Protection Edge Firewall module. With Network Lists, you can create and manage allowlists, blocklists, and even greylists, based on the user’s network, IP address, geolocation (countries), or Autonomous System Number (ASN). With this feature, it’s possible to prevent different types of attacks on your network, as well as prevent users with malicious behavior from accessing your applications.
Use blocklists to monitor suspicious behavior, create intelligent rules, and apply restrictions on malicious activity by blocking or limiting access and giving protection to your applications’ incoming and outgoing traffic in the network layer on the edge. You can also create allowlists in case of internal access, tests, and false positives being blocked.
Network Lists are used in the business rules of the Rules Engine for Edge Firewall through restriction rules by IP, Autonomous System Number (ASN), or geolocation, mitigating security risks and optimizing the performance of your resources. Whenever a network list is associated with a rule, it’s compared with the IP address of the client performing the HTTP request, taking into account the comparison operators configured in the Rules Engine rule.
Learn more about Edge Firewall modules, Network Layer Protection, and the Rules Engine for Edge Firewall.
Implementation
Scope | Source |
---|---|
Network Lists | How to create IP, ASN, and geolocation block/allow lists with Network Lists |
How Network Lists works
The Network Layer Protection service uses a series of lists maintained by the user themselves or by Azion, which can be updated manually or via the Azion API. When a request reaches an Azion Edge Node, it’s assessed and, if it meets the criteria set in the Rule Set for that node, the configured lists are queried, thereby filtering out known offenders even before the request reaches the client’s infrastructure.
When activating the module within an Edge Firewall, the Network criteria and the Deny, Drop, and Set Rate Limit Behaviors become available in the Rules Engine settings of the selected Rule Set. This allows the client to define under what conditions (criteria) the lists will be queried and what behaviors should be executed.
Prerequisites
To create and manage Network Lists, you need to have an Edge Firewall configuration with the Network Layer Protection module activated.
Types of Network Lists
Type | Description |
---|---|
IP/CIDR | A list of IP addresses or CIDR blocks, with one address per line. If you prefer, also enter the subnet mask of the IP addresses. |
ASN | Autonomous System Number (ASN), which corresponds to a group of IP address networks managed by one or more network operators that have a clear and unique routing policy. For example, according to the ASN Whois service for LACNIC, Azion’s ASN is AS52580. Choose the ASN type to represent a list of AS groups, filling in one entry per line, with only the number without the prefix. |
Countries | A list of countries. To include countries in the list, select the items in the Available Countries tab and move them to the Chosen Countries tab. |
After creating a Network List, associate it with one or more Edge Firewall Rule Sets that have the Network Layer Protection module activated.
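The following pre-upload check applies the entry formats from the table above (one IP or CIDR per line, ASNs as bare numbers) and reports blocklist entries that would also cover allowlisted addresses. It is an added example, not Azion code: the function names and sample lists are constructed, and rejecting a /0 entry is an assumption about what you want to catch, not an Azion rule.

```python
import ipaddress

# Constructed sample list bodies (documentation address ranges), one entry per line.
SAMPLE_BLOCKLIST = "203.0.113.0/24\n198.51.100.77\n192.0.2.130/25\n0.0.0.0/0\nnot-an-ip\n"
SAMPLE_ALLOWLIST = "192.0.2.200\n"
SAMPLE_ASNS = "52580\nAS64500\n"

def _entries(text):
    """Yield (line number, stripped entry) for every non-empty line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        if raw.strip():
            yield lineno, raw.strip()

def parse_ip_list(text):
    """Parse an IP/CIDR list into (networks, errors)."""
    networks, errors = [], []
    for lineno, entry in _entries(text):
        try:
            # strict=False normalizes host bits: 192.0.2.130/25 -> 192.0.2.128/25
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            errors.append((lineno, entry, "not an IP address or CIDR"))
            continue
        if net.prefixlen == 0:  # assumption: a /0 entry is a mistake, it matches everyone
            errors.append((lineno, entry, "matches every address"))
        else:
            networks.append(net)
    return networks, errors

def parse_asn_list(text):
    """Parse an ASN list into (asns, errors): number only, no 'AS' prefix."""
    asns, errors = [], []
    for lineno, entry in _entries(text):
        if entry.isascii() and entry.isdigit() and 0 < int(entry) < 2**32:
            asns.append(int(entry))
        else:
            errors.append((lineno, entry, "expected the number without prefix"))
    return asns, errors

def allowlist_conflicts(blocklist, allowlist):
    """Return (allowed, blocking) pairs where a blocklist network covers allowlisted space."""
    return [(a, b) for a in allowlist for b in blocklist
            if a.version == b.version and a.overlaps(b)]

if __name__ == "__main__":
    block, block_errors = parse_ip_list(SAMPLE_BLOCKLIST)
    allow, _ = parse_ip_list(SAMPLE_ALLOWLIST)
    print(block_errors, parse_asn_list(SAMPLE_ASNS), allowlist_conflicts(block, allow))
```

A non-empty result from `allowlist_conflicts` means a Deny or Drop rule using the blocklist could cut off addresses you intended to let through, so resolve it before associating the list with a Rule Set.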
To provide even more agility to your processes, Azion provides and maintains Network Lists that are updated automatically and ready to use. One of them is the Azion IP Tor Exit Nodes Network List, which contains the IP addresses of the Tor network that can be used in one or more Rules through the condition (criteria) Network according to your business needs.
The content of the Network Lists provided by Azion is created by the specialized team and can’t be modified.