Network Layer Protection

Network Layer Protection is an Edge Firewall module that allows you to create lists based on the network IP/CIDR, user location (countries), Autonomous System Number (ASN), or use automatic lists maintained and updated by Azion, such as the Azion IP Tor Exit Nodes list.

With Network Layer Protection, you can monitor and block suspicious behavior or apply restrictions, such as access limits.

Network Layer Protection has a programmable security perimeter, where you configure Network Layer Protection, at the edge, from all inbound and outbound traffic.

Advantages of using Azion’s Network Layer Protection:

  • Easy to integrate with SIEM and other security tools in your infrastructure using blocklist maintenance APIs.
  • Processing on the edge in real time, enabling the origin infrastructure to maintain its level of performance.
  • The option to run business rules on the edge.


Create network listHow to create IP, ASN, and geolocation block/allow lists with Network Lists
Block Tor addressesHow to block Tor exit node IP addresses

How Network Layer Protection works

When activating the Network Layer Protection module in the Main Settings of an Edge Firewall Rule Set, the conditions (criteria) and commands (behavior) will be enabled in the Rules Engine tab of the edge firewall.

The criteria available with the activation of the Network Layer Protection module are:

  • Hostname
  • Network
  • Request URI
  • Scheme

And the behaviors are:

  • Deny (403 forbidden)
  • Drop (close without response)
  • Set Rate Limit

Network Layer Protection configuration is done in the Edge Firewall Rules Engine tab. There, you can use the Network criteria, to create rules with Network Lists, based on the network, user location, or ASN, or use ready-to-use lists that are kept up-to-date by Azion itself. You can also monitor and block suspicious behavior, or even apply restrictions according to the chosen behavior.

Activate other modules in the edge firewall to get numerous combinations of conditions and behavior in the Rules Engine.

Criteria and behavior logic example using Network Layer Protection and Web Application Firewall:

Criteria: [If] [Network] [matches] [My-Country-BlockList] [and] [Header User Agent] [does not match] [Googlebot].

Behavior: [Then] [Deny (403 Forbidden)].

In this example, requests originating from countries that are on the blocklist will be blocked unless the User-Agent header contains the string “Googlebot”.

go to work with rules engine guide

Network Lists

Through Network Lists, you can create, search, or update all Network Lists used in the Edge Firewall Rules Engine. Also, you can maintain your own lists, via Azion Console, through the Network Lists configuration page, or via Azion API, through the Network Lists endpoints.

A single Network List can be associated with more than one edge firewall and rule. Whenever a Network List is updated, it’ll automatically propagate to all the rules in the associated Network List.

go to Network Lists reference

Origin Shield

Origin Shield is an Azion Network Layer Protection add-on that allows you to create security perimeters for your origin infrastructure, be it a cloud, hosting provider, or even your own data center. With this service, your origin will be able to restrict access only to specific IP addresses of our network and block any other access to your origin.

Azion’s IP list may change frequently, but after updating it, the new servers will only be put into production for those using the Origin Shield add-on 7 days after the list is published. You can also track and trace the changes made to the list through the History in Azion Console. There, you can find which IPs have been added or deleted from the list.

The quarantine process allows you to add new addresses one week in advance, which means that whenever a new address is added to the list, it will be on standby for seven days before being activated, giving you that time to update your firewall rules.

go to automate origin shield guide