How to automate Origin Shield
Origin Shield provides the list of Azion Edge Nodes’ IP addresses.
By activating Origin Shield, your application is protected using a network list maintained by Azion. The IP addresses in it change from time to time, but you can automate a behavior using Rules Engine to guarantee you’re always using the updated list.
Creating a rule
- On Azion Console, navigate to Edge Firewall.
- Select the edge firewall in which you want to configure the rule.
- Click the Rules Engine tab.
- Click the + Rules Engine button.
- Give your rule a name and, optionally, a description.
- In the Criteria section, select the Network variable.
- As a comparison operator, select does not match.
- As an argument, select the Azion Origin Shield list.
- In the Behaviors section, select Drop (Close Without Response) from the behavior list.
- Click the Save button.
- On Real-Time Manager (RTM), navigate to Edge Firewall.
- Select the edge firewall in which you want to configure the rule.
- Click the Rules Engine tab.
- Click the New Rule button.
- Give your rule a name and, optionally, a description.
- In the Criteria section, select the Network variable.
- As a comparison operator, select does not match.
- As an argument, select the Azion Origin Shield list.
- In the Behaviors section, select Drop (Close Without Response) from the behavior list.
- Click the Save button.
- Run the following GET request to retrieve the id of the Azion Origin Shield list:

```bash
curl --location 'https://api.azionapi.net/network_lists' \
--header 'Accept: application/json; version=3' \
--header 'Authorization: Token [TOKEN VALUE]'
```
- You’ll receive a response similar to this:
```json
{
  "count": 1,
  "total_pages": 1,
  "schema_version": 3,
  "links": { "previous": null, "next": null },
  "results": [
    {
      "id": 6217,
      "last_editor": "user@email.com",
      "last_modified": "2023-11-14T21:35:39.808175Z",
      "list_type": "ip_cidr",
      "name": "Azion Origin Shield",
      "country_list": [],
      "ip_list": [ "192.168.0.5" ]
    }
  ]
}
```
- Run the following POST request in your terminal, replacing [TOKEN VALUE] with your personal token, the <edge_firewall_id> variable with your edge firewall ID, and the <network_list_id> value with the Origin Shield list ID:

```bash
curl --location 'https://api.azionapi.net/edge_firewall/<edge_firewall_id>/rules_engine' \
--header 'Accept: application/json; version=3' \
--header 'Authorization: Token [TOKEN VALUE]' \
--header 'Content-Type: application/json' \
--data '{
  "name": "Automate Origin Shield",
  "is_active": true,
  "behaviors": [ { "name": "drop" } ],
  "criteria": [ [ {
    "variable": "network",
    "operator": "is_not_in_list",
    "conditional": "if",
    "argument": "<network_list_id>"
  } ] ]
}'
```
Key | Description |
---|---|
name | Name of the rule |
behaviors | Array that stores objects that define behaviors |
criteria | Array that stores objects that define criteria |
See the Azion API documentation to find out more about criteria and behavior objects.
- You’ll receive the following response:
```json
{
  "results": {
    "name": "Automate Origin Shield",
    "is_active": true,
    "behaviors": [ { "name": "drop" } ],
    "criteria": [ [ {
      "variable": "network",
      "operator": "is_not_in_list",
      "conditional": "if",
      "argument": "6217"
    } ] ],
    "last_modified": "2023-11-29T19:53:56.476161Z",
    "last_editor": "user@email.com",
    "id": 28629,
    "order": 3
  },
  "schema_version": 3
}
```
- Wait a few minutes for the changes to propagate.
If your application receives a request generated from an IP that isn’t in the list, the edge firewall will drop the request.
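The two API steps above chained into one script, as an added example that is not Azion's own code: it looks up the Azion Origin Shield list by name and refuses to create the drop rule if the list is missing or ambiguous. The environment variable names `AZION_TOKEN` and `EDGE_FIREWALL_ID`, and the use of `links.next` as the URL of the next result page, are assumptions.

```python
import json
import os
import urllib.request

API = "https://api.azionapi.net"
LIST_NAME = "Azion Origin Shield"

def call(method, url, token, body=None):
    """Send one request with the headers used by the curl commands on this page."""
    req = urllib.request.Request(
        url, method=method,
        data=json.dumps(body).encode() if body is not None else None,
        headers={"Accept": "application/json; version=3",
                 "Authorization": f"Token {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def find_list_id(page, name=LIST_NAME):
    """Return the id of the single ip_cidr list called `name` in this page, or None."""
    hits = [r["id"] for r in page.get("results", [])
            if r.get("name") == name and r.get("list_type") == "ip_cidr"]
    if len(hits) > 1:
        raise ValueError(f"{len(hits)} lists named {name!r}; refusing to guess")
    return hits[0] if hits else None

def build_rule(list_id):
    """Rule body from the POST step: drop when the source is not in the list."""
    return {"name": "Automate Origin Shield", "is_active": True,
            "behaviors": [{"name": "drop"}],
            "criteria": [[{"variable": "network", "operator": "is_not_in_list",
                           "conditional": "if", "argument": str(list_id)}]]}

def main():
    token = os.environ["AZION_TOKEN"]             # assumed variable name
    firewall_id = os.environ["EDGE_FIREWALL_ID"]  # assumed variable name
    url, list_id = f"{API}/network_lists", None
    while url and list_id is None:
        page = call("GET", url, token)
        list_id = find_list_id(page)
        url = (page.get("links") or {}).get("next")  # assumption: next page URL
    if list_id is None:
        raise SystemExit(f"{LIST_NAME!r} list not found; not creating a drop rule")
    created = call("POST", f"{API}/edge_firewall/{firewall_id}/rules_engine",
                   token, build_rule(list_id))
    print("created rule", created["results"]["id"])

if __name__ == "__main__":
    main()
```

Reading the token from the environment keeps it out of shell history and process listings, which the inline `[TOKEN VALUE]` form of the curl commands does not.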