How to create IP, ASN, and geolocation blocklists with Network Lists

Network Layer Protection allows the creation of Network Lists, which either allow (allowlists) or block (blocklists) visitors from interacting with edge applications at Azion.

Network Lists can be based on users' IP addresses, ASNs, or geolocation (countries). They can be custom-made, considering the application scope and the actual requests it receives, or pre-made and maintained by Azion, such as the Azion IP Tor Exit Nodes Network List.

Learn more about Network Lists, Network Layer Protection, and the Edge Firewall modules.

To create, manage, and use Network Lists, you must complete the following steps:

  1. Create an Edge Firewall Rule Set with the Network Layer Protection module activated.
  2. Create a Network List.
  3. Associate this Network List with the Rule Set in the Edge Firewall Rules Engine tab.

Create an Edge Firewall Rule Set

  1. Access Azion Console.
  2. Open the Products menu, represented by three horizontal lines, and select Edge Firewall.
  3. Write the Rule Set identification name on the Edge Firewall Name placeholder.
  4. Select the domains where you want the firewall to be active and click the > button to move them to the Chosen Domains field.
  5. Make sure the Network Layer Protection switch is enabled at the Edge Firewall Modules section.
  6. Make sure the Active switch is enabled.
  7. Click the Save button.

You can see the created Edge Firewall Rule Set from the Edge Firewall list.

Activate the Network Layer Protection module


For already created Edge Firewall Rule Sets, follow the steps:

  1. Access Azion Console.
  2. Open the Products menu, represented by three horizontal lines, and select Edge Firewall.
  3. From the Edge Firewall list, select the Edge Firewall Rule Set to which you wish to add a Network List.
  4. In the Edge Firewall Main Settings tab, enable the Network Layer Protection switch.

Create a Network List

  1. Access Azion Console.
  2. Open the Products menu, represented by three horizontal lines, and select Network Lists, from the Edge Libraries section.

    When opening the Network Lists page, all lists created by the user and the lists automatically provided by Azion will be displayed.

  3. Click the Add button.
  4. Fill in the following fields:

| Field | Description |
|---|---|
| Add Network List | Identification name of your Network List. This name will appear in the list of options in the Criteria section, within the Edge Firewall Rules Engine configuration. |
| Type | Type of the network list: Autonomous System Number (ASN), Countries, or IP/CIDR. |
| List | Add the items that will make up your list here. |

For the ASN and IP/CIDR list types, a text field will be displayed. List items must be separated by line breaks: write one address per line. Duplicate items will be removed. For the Countries type, a selection list will be presented.

  5. Click the Save button.

IP/CIDR type list example (one entry per line; the 203.0.113.0/24 range is reserved for documentation):

203.0.113.1
203.0.113.2/32
10.1.0.0/16

Associate Network List with Edge Firewall Rule Set

  1. Access Azion Console.
  2. Open the Products menu, represented by three horizontal lines, and select Edge Firewall.
  3. Select the Edge Firewall Rule Set you created or configured in the first section.
  4. Select the Rules Engine tab.
  5. Click the New Rule button.
  6. Write the name and description for the rule.
  7. In the Criteria section, choose the logical operator, variable, comparison operator, and network list name from the dropdown menus to follow this logic:

     [If]: [Network] [matches] [Network List identification name]

  8. In the Behavior section, select Drop (Close Without Response).
  9. Make sure the Active switch is enabled.
  10. Click the Save button.

In this example, if the conditions set by the rule are met, the request is dropped without any response being sent to the client.
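The following Python script is an added example, not part of the original page and not Azion's own code. It applies the IP/CIDR list-format rules described in the Create a Network List section (one entry per line, duplicates removed) to a constructed sample list, reporting entries the console would not accept as addresses, and then evaluates the "[Network] [matches] [Network List]" criterion with the Drop behaviour against a few constructed client addresses. It is useful for checking a blocklist offline before pasting it into the console. How the console itself treats non-canonical CIDR entries such as 10.1.1.0/16 is not stated on the page; the script masks host bits and labels that choice as an assumption.

```python
import ipaddress

# Constructed sample: the raw text a user would paste into the IP/CIDR field.
# It deliberately contains an invalid address, a duplicate and a CIDR with
# host bits set, so each case is exercised.
SAMPLE_LIST_TEXT = """203.0.113.1
203.0.113.2/32
203.0.113.1
10.1.1.0/16
123.456.789.1
2001:db8::/32
"""


def parse_ip_cidr_list(text):
    """Parse an IP/CIDR list in the console's format: one entry per line.

    Returns (networks, rejected): networks is a de-duplicated list of
    ipaddress network objects in input order; rejected is a list of
    (line_number, line) pairs that are not valid IP addresses or CIDR blocks.
    Assumption: strict=False masks host bits, so 10.1.1.0/16 becomes
    10.1.0.0/16. If the console rejects such entries instead, use strict=True.
    """
    networks = []
    seen = set()
    rejected = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue  # blank lines carry no entry
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            rejected.append((lineno, line))
            continue
        if net in seen:
            continue  # duplicates are removed, as the console does
        seen.add(net)
        networks.append(net)
    return networks, rejected


def network_matches(client_ip, networks):
    """Evaluate the rule criterion [Network] [matches] [Network List]."""
    addr = ipaddress.ip_address(client_ip)
    # A v4 address is never contained in a v6 network and vice versa;
    # the ipaddress module returns False for mixed versions.
    return any(addr in net for net in networks)


def decide(client_ip, networks):
    """Rule behaviour: Drop (Close Without Response) on a match, otherwise allow."""
    return "drop" if network_matches(client_ip, networks) else "allow"


if __name__ == "__main__":
    nets, bad = parse_ip_cidr_list(SAMPLE_LIST_TEXT)
    print("accepted entries:", [str(n) for n in nets])
    print("rejected lines:", bad)
    for ip in ("203.0.113.1", "10.1.200.7", "198.51.100.9", "2001:db8::1"):
        print(ip, "->", decide(ip, nets))
```

Run it before saving a large list: any line reported under rejected lines would fail validation or, worse, silently not block what you expect, and the accepted entries show the exact networks the rule will match.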
