Creating Blacklists of IP Addresses in Edge, using Azion Network Layer Protection

Edit on GitHub

Network Layer Protection is a module within Edge Firewall from Azion’s Edge Computing platform. It allows you to create custom lists (Network Lists) based on the user’s IP, ASN and geolocation addresses, or to use automatic lists that are maintained and updated by Azion, such as the Tor network address list.

This allows you to monitor suspicious behavior, create intelligent rules and apply restrictions on malicious activity, by blocking or limiting access, giving protection on the Edge to your applications’ incoming and outgoing traffic in the network layer.

Some of the other advantages of using Azion’s Network Layer Protection are:

  • Easy to integrate with SIEM and other security tools in your infrastructure using blacklist maintenance APIs;
  • Processing on the Edge in real time, enabling the origin infrastructure to maintain its level of performance;
  • The option to run business rules on the Edge.

How it works

The Network Layer Protection service uses a series of lists maintained by the user themselves or by Azion, which can be updated manually or via an API. When a request reaches an Azion Edge Node, it is assessed and, if it meets the criteria set in the Rule Set for that Edge, the configured lists are queried, thereby filtering out known offenders even before the request reaches the client’s infrastructure.

When activating the module within an Edge Firewall, the Network Criteria and the Deny, Drop and Set Rate Limit Behaviors become available in the Rules Engine settings of the selected Rule Set. This allows the client to define under what conditions the lists will be queried and what behaviors should be executed.

Activating the Network Layer Protection module

To enable the Network Layer Protection module, simply access the desired Edge Firewall using Real-Time Manager (RTM), from the Edge Computing menu, and activate the service in the Main Settings tab.

Once enabled, custom lists need to be created and the evaluation criteria and behaviors set that will be applied by the Edge Firewall.

Creating a Network List

Path: Real-Time Manager > Edge Libraries > Network Lists

When opening the Network Lists page, all lists created by the user and those items automatically provided by Azion will be displayed, such as Origin Shield (contact the commercial team to get access to this service).

To create a new one, click the Add button, choose an identifiable name for your list (for example, BlockedIPsList, for a list of known malicious IPs), select the desired Type and complete the list according to the type you have chosen (ASN, Countries or IP / CIDR. For our example, we are using the IP/CIDR option), and then click on Save. The user’s list can be updated anytime, either manually or integrated through an API.

123.456.789.1
123.456.789.2/32
10.1.1.0/16

Example of the configuration of an IP/CIDR type list

Defining the Execution criteria (Rules Engine)

Path: Real-Time Manager > Edge Computing > Edge Firewall > Rules Engine

Create a new Rule Set inside your Edge Firewall or edit an existing one. The rules (or Rules Engines) determine the set of conditions that need to be met for Behaviors to be executed. You can create a new rule to set the validation parameters and the behaviors for this Rule Set to be run by Edge Firewall.

Defining the validation criteria: choose the variables, comparison operators and strings to create your business rule, as in the following example:

  • If: _Network _ matches BadBotsList (In order: logical operator, variable, comparison operator, string)

In this case, the rule will run if the IP address of the request is on the list BadBotsList that we created before.

Defining Behaviors: add the behaviors you want to be carried out when the rule’s conditions are met. Example:

  • Then: Drop (Close Without Response) (In order: logical operator, action)

In this example, if the conditions set by the rules are met, then a Drop will be run for the request without sending any return to the sender.

In this example, if the conditions set by the rules are met, then a Drop will be run for the request without sending any return to the sender.


Didn’t find what you were looking for? Open a support ticket.