Network Shield

Network Shield is a Firewall module on the Azion Web Platform that provides programmable network-layer protection. It allows you to create Network Lists based on IP/CIDR addresses, Autonomous System Numbers (ASNs), and countries (geolocation), then reference those lists in the Firewall Rules Engine to block, deny, or rate-limit traffic. When a request arrives at an Azion location, it's evaluated against your configured rules and network lists , filtering out known offenders before the request reaches your infrastructure.

Network Shield operates at the network layer (Layer 3/4), filtering traffic based on IP addresses, CIDR blocks, ASNs, and geolocation before requests are processed. WAF operates at the application layer (Layer 7), analyzing HTTP/HTTPS request content to detect attacks like SQL injection and XSS. Both are modules within Azion's Firewall and can be combined in the same firewall configuration for comprehensive protection — Network Shield blocks known bad actors and regions, while WAF inspects the content of allowed requests for application-level threats.

Network Shield supports three types of Network Lists: IP/CIDR lists for blocking or allowing specific IP addresses and CIDR ranges, ASN lists for filtering traffic by Autonomous System Number (groups of IP networks managed by specific operators), and Country lists for geolocation-based access control. You can also use Azion-managed lists like the Tor Exit Nodes list, which is automatically maintained and updated by Azion's security team.

Network List updates propagate across Azion's entire global infrastructure in seconds. When you update a list via Console or API, changes are automatically applied to all firewalls that reference that list — without any service interruption or downtime window. This near-instant propagation enables real-time threat response, allowing your security automation tools to update blocklists and see immediate effects across all locations.

Yes. A single Network List can be associated with multiple firewalls and rules. When you update the list, changes propagate automatically to all associated firewalls. This centralized management approach ensures consistent security policies across all your applications without duplicating configuration or risking policy drift between environments.

Origin Shield is a security add-on that provides a dynamic Network List containing all IP/CIDR addresses used by Azion's infrastructure. By configuring your origin server's firewall to accept traffic only from Origin Shield addresses, you create a Layer 3/4 perimeter that blocks all direct external access to your origin. Origin Shield requires the Network Shield module to be enabled and is maintained automatically by Azion, with clients notified 7 days before any changes to the IP list.

Network Shield is included as a module within Azion's Firewall product. You can start with $300 in free credits to test the service with no credit card required. Pricing is usage-based with no hidden fees or infrastructure costs. Since Network Shield blocks unwanted traffic before it reaches your infrastructure, most customers see significant cost savings on bandwidth and infrastructure. For detailed pricing, visit the pricing page.

Yes. Network Shield integrates with your existing security infrastructure through the Azion API. Stream security events in real time to your SIEM using Data Stream, then use automated playbooks to update Network Lists via API with effects propagated in seconds. You can also use Functions to implement programmable per-request logic, enabling dynamic threat response that adapts to evolving attack patterns without manual intervention.