Address books group IP addresses (IPv4 and IPv6), ports, or domain names for use in access control policies. They eliminate repeated configuration across policies and automatically propagate updates to all referencing policies.
Address book types
Cloud Firewall provides three types of address books:
1. IP Address Book
Manages IP addresses (IPv4 and IPv6). Three subtypes:
- Custom IP Address Book: You enter the IP addresses manually. A single address book can contain up to 2,000 IPv4 or IPv6 addresses.
- Cloud Asset IP Address Book: Aggregates the public IP addresses of your Alibaba Cloud assets by the selected Asset Type and keeps them in sync. No manual entry required.
- Cloud Service IP Address Book: Predefined with the back-to-origin IP addresses of Alibaba Cloud services, such as Security Center vulnerability scanners and WAF instances. Read-only.
2. Domain Address Book
Manages domain names. Two subtypes:
- Custom Domain Name Address Book: You enter the domain names manually. A single address book can contain up to 2,000 domain names.
- Cloud Service Domain Address Book: Predefined with trusted Alibaba Cloud domains and common public documentation sites. Read-only.
3. Port Address Book
Manages ports. You enter the port ranges manually; a single address book can contain up to 2,000 port ranges.
Create an address book
- Log on to the Cloud Firewall console.
- In the navigation pane on the left, choose .
- On the Address Book page, click the tab for the address book type you want to create.
IP Address Book
Custom IP Address Book
On the tab, click Create Custom IP Address Book. Configure the following parameters:
| Configuration item | Description |
| --- | --- |
| Address Book Name and Address Book Description | Set a descriptive name and describe the applicable scenario for easy identification. |
| IP Type | Select IPv4 or IPv6. The addresses you enter must belong to the selected type. |
| Custom IP | Enter IPv4 or IPv6 addresses or address ranges, separated by commas (,) or line feeds. To describe an entry, type a space after the address followed by the description (maximum 64 characters). |
Cloud Asset IP Address Book
On the tab, click Create Cloud Asset IP Address Book. Configure the following parameters:
- Address Book Name and Address Book Description: Set a descriptive name and describe the applicable scenario for easy identification.
- Asset Type: The following three categories are supported.
  - Public Assets: Aggregates public IP addresses in your account by asset type, including EIPs, ECS public IPs, Server Load Balancer (SLB) public IPs, and Bastionhost IPs. With the multi-account management feature enabled, member account assets are also included.
  - ACK Asset: Adds IP addresses of ACK clusters. You must first create an ACK cluster sync node.
  - ECS Tags: Filters ECS instances with public IPs by tag. Use this to include only specific ECS instances.
Public Assets
- Asset Accounts: Select the Alibaba Cloud account that owns the target assets. To include other accounts, configure multi-account management first.
- IP Type: Select IPv4 or IPv6.
- Public Assets: Select the required asset types. Click Preview Asset IPs to check the exact IP addresses that will be included before you reference the book in a policy.
Note:
- If you select All Accounts for Asset Accounts, public assets from newly added member accounts are synced automatically.
- A Public Assets address book is refreshed on the same cycle as the public asset sync. An asset that is created, or whose public IP changes, between two syncs is not yet in the book, so traffic involving it can be blocked by an access control policy that references the book until the next sync completes.
- After changing public assets, go to and click Synchronize Assets in the upper-right corner of the asset list to refresh the address book immediately.
ACK Asset
- Instance ID/Name of the ACK Cluster Synchronization Node: Select an existing ACK cluster sync node.
- ACK Address Book Type:
  - ACK Cluster Namespace: Syncs all pod IP addresses in the selected namespaces. You can select multiple namespaces.
  - ACK Cluster Pod Tag: Syncs all pod IP addresses that have the selected labels. You can select multiple labels.
ECS Tags
- ECS Tag Filter: ECS instances matching the specified tags are automatically added. Enabled by default and cannot be disabled.
- ECS Tags: Select tags and values for the target ECS instances. To add more tag conditions, click Add ECS Tag. Matching ECS instance IPs are displayed below.
Note: Cloud Firewall updates ECS tag-based address books every 100 minutes and syncs the changes to all referencing access control policies. An instance that gains or loses a matching tag between two updates is not reflected in the book until the next update.
Domain Address Book
On the tab, click Create Custom Domain Name Address Book. Configure the following parameters:
| Configuration item | Description |
| --- | --- |
| Address Book Name and Address Book Description | Set a descriptive name and describe the applicable scenario for easy identification. |
| Domain Name | Enter domain names or wildcard domain names, separated by commas (,) or line feeds. To describe an entry, type a space after the domain followed by the description (maximum 64 characters). |
Port Address Book
On the Port Address Book tab, click Create Port Address Book. Configure the following parameters:
| Configuration item | Description |
| --- | --- |
| Address Book Name and Address Book Description | Set a descriptive name and describe the applicable scenario for easy identification. |
| Port | Enter port ranges (0-65535), separated by commas (,) or line feeds. To describe an entry, type a space after the range followed by the description (maximum 8 characters). |
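The three manually entered books above (custom IP, custom domain name, and port) share one input convention: entries separated by commas or line feeds, an optional description after a space, and a cap of 2,000 entries per book. The following Python script is an added example, not Alibaba Cloud code, that validates a pasted body against those rules locally before it goes into the console, so a wrong-family address, an out-of-range port, an over-long description or a duplicate is caught up front instead of being rejected or silently mis-typed. The page does not state the exact port-range or wildcard-domain syntax; the script assumes a port range is written `80`, `80-90` or `80/90` (normalised to `start/end`) and a wildcard domain carries a leading `*.` label. Function names and the sample inputs are constructed.

```python
"""Validate Cloud Firewall custom address-book entries (added example, not
Alibaba Cloud code). Limits are the ones stated on the page; the port and
wildcard syntaxes below are assumptions, not documented formats."""
import ipaddress
import re
from dataclasses import dataclass, field

MAX_ENTRIES = 2000                                  # per book, all three types
MAX_DESC = {"ip": 64, "domain": 64, "port": 8}      # description length limits

# Assumed wildcard syntax: optional "*." label, then RFC 1035-style labels.
_DOMAIN_RE = re.compile(r"^(\*\.)?(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")
# Assumed port syntax: "80", "1024-65535" or "1024/65535".
_PORT_RE = re.compile(r"^(\d{1,5})(?:[-/](\d{1,5}))?$")


@dataclass
class Entry:
    value: str          # normalised address, domain or "start/end" port range
    description: str    # free text that followed the first space, may be empty


@dataclass
class Result:
    entries: list = field(default_factory=list)
    errors: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.errors


def _split(raw: str):
    """Page rule: comma or line feed separates entries; first space starts the description."""
    for n, chunk in enumerate(re.split(r"[,\n]", raw), 1):
        chunk = chunk.strip()
        if chunk:
            value, _, desc = chunk.partition(" ")
            yield n, value, desc.strip()


def _check_ip(value: str, ip_type: str) -> str:
    net = ipaddress.ip_network(value, strict=False)   # raises ValueError on junk
    if (ip_type == "IPv4") != (net.version == 4):     # must match the book's IP Type
        raise ValueError(f"{value} is not {ip_type}")
    return value


def _check_domain(value: str, _ip_type: str) -> str:
    v = value.lower().rstrip(".")
    if not _DOMAIN_RE.match(v):
        raise ValueError(f"{value} is not a valid domain or wildcard domain")
    return v


def _check_port(value: str, _ip_type: str) -> str:
    m = _PORT_RE.match(value)
    if not m:
        raise ValueError(f"{value} is not a port or port range")
    lo = int(m.group(1))
    hi = int(m.group(2) or lo)
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"{value} is outside 0-65535 or reversed")
    return f"{lo}/{hi}"


_CHECKS = {"ip": _check_ip, "domain": _check_domain, "port": _check_port}


def parse_address_book(raw: str, book_type: str, ip_type: str = "IPv4") -> Result:
    """Validate one pasted book body; bad entries are reported, good ones kept in order."""
    result, seen, check = Result(), set(), _CHECKS[book_type]
    for n, value, desc in _split(raw):
        try:
            norm = check(value, ip_type)
        except ValueError as exc:
            result.errors.append(f"entry {n}: {exc}")
            continue
        if len(desc) > MAX_DESC[book_type]:
            result.errors.append(f"entry {n}: description longer than {MAX_DESC[book_type]} characters")
        elif norm in seen:
            result.errors.append(f"entry {n}: duplicate {norm}")
        else:
            seen.add(norm)
            result.entries.append(Entry(norm, desc))
    if len(result.entries) > MAX_ENTRIES:
        result.errors.append(f"{len(result.entries)} entries exceeds the {MAX_ENTRIES} limit")
    return result


# Constructed sample bodies in the console's comma / line-feed format.
SAMPLE_IPV4 = """192.0.2.0/24 office egress
198.51.100.7 jump host,203.0.113.0/25
2001:db8::/32 wrong family
300.1.1.1 bad octet
192.0.2.0/24 duplicate block"""
SAMPLE_PORTS = "22 ssh,80/80,1024-65535 ephem,70000,443/400,8080 long description here"
SAMPLE_DOMAINS = "example.com,*.example.org cdn,bad_domain.com,EXAMPLE.COM"

if __name__ == "__main__":
    for body, kind in ((SAMPLE_IPV4, "ip"), (SAMPLE_PORTS, "port"), (SAMPLE_DOMAINS, "domain")):
        r = parse_address_book(body, kind)
        print(kind, "ok" if r.ok else "errors:", *r.errors, sep="\n  ")
```

Run the script against a body copied from a ticket or a spreadsheet export before pasting it into the console; only a result with `ok == True` should be submitted, and the `entries` list is the exact, deduplicated set the book will contain.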
After creation, you can view, modify, or delete the address book from the list.
- You cannot delete an address book that is referenced by a policy. Remove the reference from every policy first, then delete the book.
- After creating an ACK address book, you cannot modify its Instance ID/Name of the ACK Cluster Synchronization Node or ACK Address Book Type. Delete the address book and create a new one instead.
View cloud service address books
The Cloud Service IP Address Book and Cloud Service Domain Address Book are read-only. You can view and reference them but cannot create or modify them.
- Log on to the Cloud Firewall console.
- In the navigation pane on the left, choose .
- Navigate to the target address book.
  - Cloud Service IP Address Book: Go to the tab.
  - Cloud Service Domain Address Book: Go to the tab.
- Click View in the Actions column to view the address book details.