How to create IP, ASN, and geolocation blocklists with Network Lists

Network Layer Protection allows the creation of Network Lists, to allow (allowlists) or disallow (blocklists) visitors from interacting with edge applications at Azion.

Network Lists can be based on user’s IP addresses, ASN, and geolocation addresses. They can be custom-made, considering the application scope and actual requests, or pre-made and maintained by Azion, such as the Azion IP Tor Exit Nodes Network List.

go to Network Lists reference
go to Network Layer Protection reference

To create, manage, and use Network Lists, you must to complete the following steps:

  1. Create an edge firewall with the Network Layer Protection module activated.
  2. Create a Network List.
  3. Associate this Network List within the Edge Firewall Rules Engine tab.

Creating an edge firewall

To create a new edge firewall with the Network Layer Protection module activated:

  1. Access Azion Console > Edge Firewall.
  2. Click the + Edge Firewall button.
  3. Write the edge firewall identification name on the Name placeholder.
  4. In the Domains section, select the domains where you want the firewall to be active and click the > button to move them to the Selected field.
  5. Make sure the Network Layer Protection switch is enabled at the Modules section.
  6. In Status, make sure the Active switch is enabled.
  7. Click the Save button.

You can see the created edge firewall from the list.

Activating the Network Layer Protection module

For already created edge firewalls, follow the steps:

  1. Access Azion Console > Edge Firewall.
  2. From the edge firewalls list, select the edge firewall you wish to add a Network List.
  3. In the Main Settings tab, enable the Network Layer Protection switch.
  4. Click the Save button.

Creating a Network List

  1. Access Real-Time Manager (RTM).
  2. Open the Products menu, represented by three horizontal lines, and select Network Lists, from the Edge Libraries section.
  • When opening the Network Lists page, all lists created by the user and those items automatically provided by Azion will be displayed.
  1. Click the Add button.
  2. Fill in the following fields:
FieldDescription
Add Network ListIdentification name of your Network List. This name will appear in the list of options in the Criteria section, within the Edge Firewall Rules Engine configuration
TypeType of the network list:
Autonomous System Number (ASN)
Countries
IP/CIDR
ListAdd the items that will make up your list here

For ASN and IP/CIDR list types, a typing field will be displayed. List items must be separated by line and you must write one address per line. Duplicated items will be deleted. For the Countries type, a selection list will be presented.

  1. Click the Save button.

IP/CIDR type list example:

123.456.789.1
123.456.789.2/32
10.1.1.0/16

Associating a Network List with Edge Firewall Rule Set

  1. Access Azion Console > Edge Firewall.
  2. Select the edge firewall you created on the first section.
  3. Select the Rules Engine tab.
  4. Click the + Rule button.
  5. Write the name and description for the rule set.
  6. On the Criteria section, choose the logical operator, variable, comparison operator, and network list name on the dropdown menus to follow this logic:
[If]: [Network] [matches] [Network List identification name]
  1. On the Behavior section, select Drop (Close Without Response).
  2. Make sure the Active switch is enabled.
  3. Click the Save button.

In this example, if the conditions set by the rules are met, a drop will be run for the request without sending any return to the sender.


Contributors