
Cloud Firewall: Address book management

Last Updated: Jan 07, 2026

You can add numerous IP addresses (including IPv4 and IPv6), ports, or domain names to address books. You can then reference these address books in access control policies to efficiently manage network traffic for specific groups of assets. Address books eliminate the need to repeatedly define the same targets for multiple access control policies. Updates to address books are automatically synchronized to all related policies, eliminating the need for manual reconfiguration. This helps you respond faster to policy adjustments and improve overall management efficiency.

Address book types

Cloud Firewall provides Custom Address Books and Intelligently Recommended Address Books. You can flexibly create and apply various types of address books to meet diverse business and security requirements.

Custom Address Book: Address books that you create. You can create custom IPv4, IPv6, Port, Domain Name, and ACK Address Books.

You can add up to 5,000 custom address books. The limits on the number of objects in a single address book are as follows:

  • IPv4 Address Book: A single address book can contain up to 2,000 IPv4 addresses or 500 ECS tags.

  • IPv6 Address Book: A single address book can contain up to 2,000 IPv6 addresses.

  • Port Address Book: A single address book can contain up to 50 ports.

  • Domain Address Book: A single address book can contain up to 2,000 domain names.

  • ACK address book: A single address book can contain up to 10 groups of namespaces or labels.

Note

The same object can be added to multiple address books. For example, the same IPv4 address can be added to two different address books.

Intelligently Recommended Address Book: Built-in address books provided by Cloud Firewall. You can directly reference them when you configure access control policies, but you cannot modify or delete them. These address books are categorized into Cloud Service Address Books and Threat Intelligence Address Books.

Note

Intelligently Recommended Address Books are automatically and periodically updated. These updates are automatically applied to the associated access control policies. The update frequency varies by address book type. Cloud Service Address Books are updated every 10 to 100 minutes. Threat Intelligence Address Books are updated daily.

  • Cloud Service Address Book: Contains the back-to-source IP addresses of internal Alibaba Cloud services, such as the addresses of Security Center vulnerability scanners, public IP addresses of all ECS instances under your account, and back-to-source IP addresses for Anti-DDoS, WAF, and ESA instances.

    To ensure the normal operation of corresponding cloud products, allow traffic from all Cloud Service Address Books.

  • Threat Intelligence Address Book: Includes address books of malicious IP addresses or domain names detected by Alibaba Cloud and a Common Website Address Book.

    • Information for malicious IP or domain name address books is typically gathered and continuously updated by security researchers and automated systems by analyzing network attacks, malware activity, and other threats. To interrupt communication with known malicious sources and enhance system security, block all malicious address books.

    • The Common Website Address Book contains frequently accessed websites, such as popular online document sites, social networking sites, and cloud storage sites. To easily allow or block access to these common websites, enterprise administrators can configure access control policies.

      This is useful in scenarios where enterprises need to manage employee internet access, ensure network bandwidth is prioritized for business-critical activities, or restrict access to specific websites for compliance and security reasons.

Create a custom address book

  1. Log on to the Cloud Firewall console.

  2. In the navigation pane on the left, choose Protection Configuration > Access Control > Address Books.

  3. On the Address Books page, click the Custom Address Book tab, and then click the desired address book type tab.

  4. On the IPv4 Address Book, IPv6 Address Book, Port Address Book, Domain Address Book, or ACK address book tab, click Create Address Book and configure the parameters.

    IPv4 Address Book parameters

    When creating an IPv4 address book, you can add addresses by entering them manually or by using ECS tags.

    • IP Address: Manually enter IPv4 addresses.

    • ECS Tag: To quickly add the public IP addresses of multiple ECS instances that have tags configured, use ECS tags.

      Note

      Cloud Firewall automatically updates ECS Tag-based Address Books every 100 minutes and applies the changes to the access control policies that reference them.

    Address Book Type: IP Address

    Address Book Name: Enter a custom name for the address book. We recommend that you use a descriptive name for easy identification and application.

    IP Address: Enter IPv4 addresses in CIDR format, such as 100.100.XX.XX/32. Separate multiple addresses with commas (,).

    Description: Enter a description of the address book's contents and usage scenarios. This helps you identify and apply the address book.

    Address Book Type: ECS Tag

    Address Book Name: Enter a custom name for the address book. We recommend that you use a descriptive name for easy identification and application.

    ECS Tag Update: When new ECS instances match the specified tags, they are automatically added to this address book. This feature is enabled by default and cannot be disabled.

    ECS Tag: Select the required ECS tag and its corresponding value.

    If the ECS instances you want to add have different tags, click Add ECS Tag to add public IP addresses of ECS instances that have different tags.

    For more information about ECS tags, see Edit tags of an instance.

    Description: Enter a description of the address book's contents and usage scenarios. This helps you identify and apply the address book.

    IPv6 Address Book parameters

    Address Book Name: Enter a custom name for the address book. We recommend that you use a descriptive name for easy identification and application.

    IP Address: Enter IPv6 address ranges, such as 2001:3caf:10f:****:****/56. Separate multiple addresses with commas (,).

    Description: Enter a description of the address book's contents and usage scenarios. This helps you identify and apply the address book.

    Port Address Book parameters

    Address Book Name: Enter a custom name for the address book. We recommend that you use a descriptive name for easy identification and application.

    Port: Enter a port range. Valid values: 0 to 65535. Separate multiple entries with commas (,).

    • The format for a port range is start port/end port. For example, 22/25 represents ports 22, 23, 24, and 25. 80/80 represents port 80.

    • 0/0 represents all ports.

    Description: Enter a description of the address book's contents and usage scenarios. This helps you identify and apply the address book.

    Domain Name Address Book parameters

    Address Book Name: Enter a custom name for the address book. We recommend that you use a descriptive name for easy identification and application.

    Description: Enter a description of the address book's contents and usage scenarios. This helps you identify and apply the address book.

    Domain Name: Enter domain names or wildcard domain names. Separate multiple entries with commas (,).

    Note
    • If the destination in an access control policy is a wildcard domain name, the supported applications are HTTP, HTTPS, SSL, SMTP, and SMTPS.

    • If you reference a wildcard domain name address book in an access control policy for a NAT firewall, the only supported Domain Name Identification Mode is FQDN-based Resolution (Extract Host or SNI Field in Packets).

    ACK Address Book parameters

    Important
    • Before you create the address book, you must create an ACK Cluster Synchronization Node and obtain its ID or name.

    • ACK Address Books have a strong dependency on the Synchronization Nodes. After creation, the Instance ID/name of the ACK cluster synchronization node and ACK address book type cannot be changed.

      To change these settings, delete the address book and create a new one.

    Address Book Name: Enter a custom name for the address book. We recommend that you use a descriptive name for easy identification and application.

    Description: Enter a description of the address book's contents and usage scenarios. This helps you identify and apply the address book.

    Instance ID/name of the ACK cluster synchronization node: The synchronization node periodically syncs the latest Pod IP addresses to the ACK cluster address book. For more information, see ACK Cluster Synchronization Node.

    ACK address book type:

    • ACK cluster namespace: Syncs all Pod IP addresses under the specified namespace.

    • ACK Cluster Pod Tag: Syncs all Pod IP addresses that match the specified labels.

    Content: Enter the details based on the selected ACK address book type:

    • ACK cluster namespace: Enter one or more namespaces.

      Note
      • The namespace name is not validated here. If you enter an incorrect name, no IP addresses will be populated into the address book.

      • A namespace must start with a letter or a number, and end with a hyphen (-), an underscore (_), a period (.), or a letter or number. The total length cannot exceed 63 characters.

    • ACK Cluster Pod Tag: Enter one or more label Keys and Values.

      Note
      • The label key-value pair is not validated here. If you enter an incorrect pair, IP addresses will not be displayed.

      • Key:

        • A key consists of two parts: an optional prefix and a name, separated by a forward slash (/).

        • The name segment is required and must meet the following requirements:

          • Must be 63 characters or less.

          • Must begin and end with a letter or a number.

          • Can contain letters, numbers, hyphens (-), underscores (_), and periods (.).

        • The prefix is optional. If specified, it must meet the following requirements:

          • Must be a DNS subdomain, which is a series of DNS labels separated by periods (.).

          • Must be 253 characters or less.

          • Must end with a forward slash (/).

      • Value:

        • Must begin with a letter or a number.

        • Must end with a letter, number, hyphen (-), underscore (_), or period (.).

        • Must be 63 characters or less.

  5. Click OK to add the address book.

    After the address book is created, you can view its information, modify it, or delete it from the address book list.

    Important

    You cannot modify the Address Book Type or the referenced ACK Cluster Synchronization Node. You also cannot delete a custom address book that is currently being referenced by a policy.
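The IP Address and Port field formats described in the parameter lists above can be checked offline before the values are pasted into the console. This is an added example, not Alibaba Cloud code: the function names are hypothetical, the per-book limits are applied per comma-separated entry, and rejecting CIDR entries with host bits set is a choice of this example.

```python
import ipaddress
import re

MAX_PORT_ENTRIES = 50    # limits stated on this page, applied per entry here (assumption)
MAX_IPV4_ENTRIES = 2000
PORT_ENTRY = re.compile(r"(\d{1,5})/(\d{1,5})", re.ASCII)


def split_entries(text):
    """Split a comma-separated field into trimmed, non-empty entries."""
    return [e.strip() for e in text.split(",") if e.strip()]


def check_ports(text):
    """Return (ranges, issues) for a Port field such as '22/25,80/80'."""
    ranges, issues = [], []
    for raw in split_entries(text):
        m = PORT_ENTRY.fullmatch(raw)
        if not m:
            issues.append(f"{raw}: expected start port/end port")
            continue
        start, end = int(m.group(1)), int(m.group(2))
        if start > end or end > 65535:
            issues.append(f"{raw}: need 0 <= start <= end <= 65535")
            continue
        if (start, end) == (0, 0):
            issues.append("0/0: covers all ports, confirm this is intended")
        ranges.append((start, end))
    if len(ranges) > MAX_PORT_ENTRIES:
        issues.append(f"{len(ranges)} entries exceeds the limit of {MAX_PORT_ENTRIES}")
    return ranges, issues


def check_ipv4(text):
    """Return (networks, issues) for an IP Address field in CIDR format."""
    networks, issues = [], []
    for raw in split_entries(text):
        if "/" not in raw:
            issues.append(f"{raw}: missing prefix length, write e.g. {raw}/32")
            continue
        try:
            # strict=True rejects host bits set (10.0.0.5/24): a choice of this example
            networks.append(ipaddress.IPv4Network(raw, strict=True))
        except ValueError as exc:
            issues.append(f"{raw}: {exc}")
    if len(networks) > MAX_IPV4_ENTRIES:
        issues.append(f"{len(networks)} entries exceeds the limit of {MAX_IPV4_ENTRIES}")
    return networks, issues
```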
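Because the console does not validate ACK namespaces or label key-value pairs, a malformed entry leaves the address book empty without reporting an error. The following added example (not Alibaba Cloud code; function names are hypothetical) applies the syntax rules listed above offline. The characters allowed in the middle of a namespace or value and the lowercase DNS label form are assumptions.

```python
import re

MAX_GROUPS = 10  # limit per ACK address book stated on this page

# Characters allowed between the first and last character of a namespace or
# value are not listed on the page; this example assumes the key-name set.
NAME = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9._-]{0,61}[A-Za-z0-9])?")
LOOSE_END = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,62}")
# Assumption: a DNS label is lowercase alphanumerics and hyphens, 63 chars max.
DNS_LABEL = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?")


def key_errors(key):
    """Check a label key: optional DNS-subdomain prefix, '/', required name."""
    prefix, slash, name = key.rpartition("/")
    errors = []
    if slash and (len(prefix) > 253 or not all(
            DNS_LABEL.fullmatch(part) for part in prefix.split("."))):
        errors.append(f"{key!r}: prefix is not a DNS subdomain of <= 253 characters")
    if not NAME.fullmatch(name):
        errors.append(f"{key!r}: name must be 1-63 of [A-Za-z0-9._-], alphanumeric at both ends")
    return errors


def loose_errors(kind, text):
    """Check a namespace or label value against the rules stated on the page."""
    if LOOSE_END.fullmatch(text):
        return []
    return [f"{text!r}: {kind} must start with a letter or number and be <= 63 characters"]


def check_ack_book(book_type, entries):
    """book_type is 'namespace' (entries: str) or 'label' (entries: (key, value))."""
    errors = []
    if len(entries) > MAX_GROUPS:
        errors.append(f"{len(entries)} groups exceeds the limit of {MAX_GROUPS}")
    for entry in entries:
        if book_type == "namespace":
            errors += loose_errors("namespace", entry)
        else:
            key, value = entry
            errors += key_errors(key) + loose_errors("value", value)
    return errors
```

A well-formed name that does not exist in the cluster still passes these checks, so confirm after creation that the address book actually contains Pod IP addresses.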

View Intelligently Recommended Address Books

You can only view Intelligently Recommended Address Books. You cannot create, modify, or perform other operations on them.

  1. Log on to the Cloud Firewall console.

  2. In the navigation pane on the left, choose Protection Configuration > Access Control > Address Books.

  3. Click the Recommended Intelligent Address Book tab to view the list of built-in address books.


  4. In the Actions column of the target address book, click View to see the details of the address book.