How to automate Origin Shield

Origin Shield provides the list of Azion Edge Nodes’ IP addresses.


By activating Origin Shield, your application is protected by a network list maintained by Azion. The IP addresses in it change from time to time, but you can use Rules Engine to automate a behavior that guarantees you’re always using the updated list.


To create a rule:

  1. On Azion Console, navigate to Edge Firewall.
  2. Select the edge firewall in which you want to configure the rule.
  3. Click the Rules Engine tab.
  4. Click the New Rule button.
  5. Give your rule a name and, optionally, a description.
  6. In the Criteria section, select the Network variable.
  7. As a comparison operator, select does not match.
  8. As an argument, select the Azion Origin Shield list.
  9. In the Behaviors section, select Drop (Close Without Response) from the behavior list.
  10. Click the Save button.

If your application receives a request generated from an IP that isn’t in the list, the edge firewall will drop the request.


To create the same rule through the Azion API:

  1. Run the following GET request to retrieve the id of the Azion Origin Shield list:

     curl --location 'https://api.azionapi.net/network_lists' \
       --header 'Accept: application/json; version=3' \
       --header 'Authorization: Token [TOKEN VALUE]'

  2. You’ll receive a response similar to this:

     {
       "count": 1,
       "total_pages": 1,
       "schema_version": 3,
       "links": {
         "previous": null,
         "next": null
       },
       "results": [
         {
           "id": 6217,
           "last_editor": "user@email.com",
           "last_modified": "2023-11-14T21:35:39.808175Z",
           "list_type": "ip_cidr",
           "name": "Azion Origin Shield",
           "country_list": [],
           "ip_list": [
             "192.168.0.5"
           ]
         }
       ]
     }

  3. Run the following POST request in your terminal, replacing [TOKEN VALUE] with your personal token, the <edge_firewall_id> variable with your edge firewall ID, and the <network_list_id> value with the Origin Shield list ID:

     curl --location 'https://api.azionapi.net/edge_firewall/<edge_firewall_id>/rules_engine' \
       --header 'Accept: application/json; version=3' \
       --header 'Authorization: Token [TOKEN VALUE]' \
       --header 'Content-Type: application/json' \
       --data '{
         "name": "Automate Origin Shield",
         "is_active": true,
         "behaviors": [
           {
             "name": "drop"
           }
         ],
         "criteria": [
           [
             {
               "variable": "network",
               "operator": "is_not_in_list",
               "conditional": "if",
               "argument": "<network_list_id>"
             }
           ]
         ]
       }'

| Key | Description |
| --- | --- |
| name | Name of the rule |
| behaviors | Array that stores objects that define behaviors |
| criteria | Array that stores objects that define criteria |

See the Azion API documentation to find out more about criteria and behavior objects.

  4. You’ll receive the following response:

     {
       "results": {
         "name": "Automate Origin Shield",
         "is_active": true,
         "behaviors": [
           {
             "name": "drop"
           }
         ],
         "criteria": [
           [
             {
               "variable": "network",
               "operator": "is_not_in_list",
               "conditional": "if",
               "argument": "6217"
             }
           ]
         ],
         "last_modified": "2023-11-29T19:53:56.476161Z",
         "last_editor": "user@email.com",
         "id": 28629,
         "order": 3
       },
       "schema_version": 3
     }

  5. Wait a few minutes for the changes to propagate.

If your application receives a request generated from an IP that isn’t in the list, the edge firewall will drop the request.
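
The list lookup and rule body from the API steps above, as an added Python example that is not part of Azion's documentation: it selects the Origin Shield list by name across all result pages, refuses to continue unless exactly one list matches, and compares the rule echoed by the API with the one that was sent. The function names are this example's own, and the sample data is trimmed from the responses shown above.

```python
LIST_NAME = "Azion Origin Shield"  # name as shown in the page's sample response

def find_list_id(pages, name=LIST_NAME):
    """Return the id of the single ip_cidr list called `name`.

    `pages` is every page of GET /network_lists output; the response is
    paginated (total_pages, links.next), so one page may not be enough.
    """
    matches = [r for page in pages for r in page.get("results", [])
               if r.get("name") == name and r.get("list_type") == "ip_cidr"]
    if len(matches) != 1:
        # Fail closed: a rule pointed at the wrong list drops legitimate
        # edge traffic, or stops filtering direct requests.
        raise LookupError(f"expected one {name!r} list, found {len(matches)}")
    return matches[0]["id"]

def build_rule(list_id):
    """Body for POST /edge_firewall/<edge_firewall_id>/rules_engine."""
    return {
        "name": "Automate Origin Shield",
        "is_active": True,
        "behaviors": [{"name": "drop"}],
        "criteria": [[{"variable": "network", "operator": "is_not_in_list",
                       "conditional": "if", "argument": str(list_id)}]],
    }

def rule_problems(response, list_id):
    """List every field of the echoed rule that differs from what was sent."""
    want, got = build_rule(list_id), response.get("results", {})
    return [f"{key}: expected {want[key]!r}, got {got.get(key)!r}"
            for key in want if got.get(key) != want[key]]

# Sample data trimmed from the responses shown on the page.
SAMPLE_LISTING = {"links": {"previous": None, "next": None}, "results": [
    {"id": 6217, "list_type": "ip_cidr", "name": "Azion Origin Shield",
     "country_list": [], "ip_list": ["192.168.0.5"]}]}
SAMPLE_CREATED = {"schema_version": 3, "results": {
    **build_rule(6217), "id": 28629, "order": 3}}

if __name__ == "__main__":
    list_id = find_list_id([SAMPLE_LISTING])
    print("list id:", list_id)
    print("rule body:", build_rule(list_id))
    print("mismatches:", rule_problems(SAMPLE_CREATED, list_id))
```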



