How to create IP, ASN, and geolocation blocklists with Network Lists
Network Layer Protection allows the creation of Network Lists, to allow (allowlists) or disallow (blocklists) visitors from interacting with edge applications at Azion.
Network Lists can be based on user’s IP addresses, ASN, and geolocation addresses. They can be custom-made, considering the application scope and actual requests, or pre-made and maintained by Azion, such as the Azion IP Tor Exit Nodes Network List.
Go to Network Lists referenceGo to Network Layer Protection reference
To create, manage, and use Network Lists, you must to complete the following steps:
- Create an edge firewall with the Network Layer Protection module activated.
- Create a Network List.
- Associate this Network List within the Edge Firewall Rules Engine tab.
Creating an edge firewall
To create a new edge firewall with the Network Layer Protection module activated:
- Access Azion Console > Edge Firewall.
- Click the + Edge Firewall button.
- Write the edge firewall identification name on the Name placeholder.
- In the Domains section, select the domains where you want the firewall to be active and click the
>button to move them to the Selected field. - Make sure the Network Layer Protection switch is enabled at the Modules section.
- In Status, make sure the Active switch is enabled.
- Click the Save button.
- Access Real-Time Manager (RTM).
- Open the Products menu, represented by three horizontal lines, and select Edge Firewall.
- Click the Add Rule Set button.
- Write the edge firewall identification name on the Edge Firewall Name placeholder.
- Select the domains where you want the firewall to be active and click the
>button to move them to the Chosen Domains field. - Make sure the Network Layer Protection switch is enabled at the Edge Firewall Modules section.
- Make sure the Active switch is enabled.
- Click the Save button.
You can see the created edge firewall from the list.
Activating the Network Layer Protection module
For already created edge firewalls, follow the steps:
- Access Azion Console > Edge Firewall.
- From the edge firewalls list, select the edge firewall you wish to add a Network List.
- In the Main Settings tab, enable the Network Layer Protection switch.
- Click the Save button.
- Access Real-Time Manager (RTM).
- Open the Products menu, represented by three horizontal lines, and select Edge Firewall.
- From the edge firewalls list, select the edge firewall you wish to add a Network List.
- In the Edge Firewall Main Settings tab, enable the Network Layer Protection switch.
- Click the Save button.
Creating a Network List
- Access Real-Time Manager (RTM).
- Open the Products menu, represented by three horizontal lines, and select Network Lists, from the Edge Libraries section.
- When opening the Network Lists page, all lists created by the user and those items automatically provided by Azion will be displayed.
- Click the Add button.
- Fill in the following fields:
| Field | Description |
|---|---|
Add Network List | Identification name of your Network List. This name will appear in the list of options in the Criteria section, within the Edge Firewall Rules Engine configuration |
Type | Type of the network list: Autonomous System Number (ASN) Countries IP/CIDR |
List | Add the items that will make up your list here |
For ASN and IP/CIDR list types, a typing field will be displayed. List items must be separated by line and you must write one address per line. Duplicated items will be deleted. For the Countries type, a selection list will be presented.
- Click the Save button.
IP/CIDR type list example:
123.456.789.1123.456.789.2/3210.1.1.0/16- Access Azion Console > Network Lists, from the Edge Libraries section.
- When opening the Network Lists page, all lists created by the user and those items automatically provided by Azion will be displayed.
- Click the + Network List button.
- Fill in the following fields:
| Field | Description |
|---|---|
Name | Identification name of your Network List. This name will appear in the list of options in the Criteria section, within the Edge Firewall Rules Engine configuration |
Type | Type of the network list: Autonomous System Number (ASN) Countries IP/CIDR |
List | Add the items that will make up your list here |
- For
ASNandIP/CIDRlist types, a typing field will be displayed. List items must be separated by line and you must write one address per line. Duplicated items will be deleted. - For the
Countriestype, a selection list will be presented.
- Click the Save button.
IP/CIDR type list example:
123.456.789.1123.456.789.2/3210.1.1.0/16Associating a Network List with Edge Firewall Rule Set
- Access Azion Console > Edge Firewall.
- Select the edge firewall you created on the first section.
- Select the Rules Engine tab.
- Click the + Rule button.
- Write the name and description for the rule set.
- On the Criteria section, choose the logical operator, variable, comparison operator, and network list name on the dropdown menus to follow this logic:
[If]: [Network] [matches] [Network List identification name]
- On the Behavior section, select
Drop (Close Without Response). - Make sure the Active switch is enabled.
- Click the Save button.
In this example, if the conditions set by the rules are met, a drop will be run for the request without sending any return to the sender.
- Access Real-Time Manager (RTM).
- Open the Products menu, represented by three horizontal lines, and select Edge Firewall.
- Select the Edge Firewall Rule Set you created on the first section.
- Select the Rules Engine tab.
- Click the New Rule button.
- Write the name and description for the rule set.
- On the Criteria section, choose the logical operator, variable, comparison operator, and network list name on the dropdown menus to follow this logic:
[If]: [Network] [matches] [Network List identification name]
- On the Behavior section, select
Drop (Close Without Response). - Make sure the Active switch is enabled.
- Click the Save button.
In this example, if the conditions set by the rules are met, a drop will be run for the request without sending any return to the sender.
Contributors
