To improve the security of a Microservices Engine (MSE) instance, you can configure a public IP address whitelist for the instance. This way, only access from a specific public IP address or Classless Inter-Domain Routing (CIDR) block in the whitelist is allowed. When you configure a whitelist, you must obtain the public IP address of the device that initiates access to the instance. After the whitelist is configured, the device can access the instance over the Internet.
Prerequisites
MSE is activated. For more information, see Activate MSE.
An instance is created. For more information, see Create an instance.
Limits
MSE instances support public IP address whitelists instead of internal IP address whitelists. You can configure up to 1,000 items for a public IP address whitelist.
Public IP addresses may change. You must periodically check and update the IP addresses in the whitelist to ensure that authorized devices can access the instance.
For instances on which authentication is not enabled, the subnet mask of each CIDR block in the public IP address whitelist must be greater than 16. This prevents security risks caused by excessively large CIDR blocks.
Procedure
Log on to the MSE console, and select a region in the top navigation bar.
In the left-side navigation pane, choose Microservices Registry > Instances.
On the Instances page, click the name of the instance.
On the Basic Information page, click the icon next to Public IP Address Whitelist.
In the Public IP Address Whitelist dialog box, enter the public IP addresses or CIDR blocks that are allowed to access the instance, and click OK.
If you do not add public IP addresses or CIDR blocks to the whitelist, all public IP addresses can be used to access the instance.
Important: If you configure a public IP address whitelist for a Nacos instance and access authentication is disabled for the Nacos instance, sensitive data may be leaked because the Nacos instance is exposed to the Internet. Proceed with caution when you clear the whitelist configuration. We recommend that you enable access authentication before you clear the whitelist configuration. For more information about how to enable access authentication, see Access authentication by the Nacos client.
If you add IP addresses or CIDR blocks to the whitelist, only the IP addresses or CIDR blocks in the whitelist can access the instance.
CIDR blocks must be in the X.X.X.X/X format. The X that follows the forward slash (/) indicates the subnet mask. If you add the CIDR block 127.0.0.1/32 to the whitelist, no public IP address is allowed to access the instance.
You can configure multiple public IP addresses or CIDR blocks in the whitelist. Separate public IP addresses or CIDR blocks with commas (,). The subnet mask of the CIDR blocks ranges from 1 to 32. The host IDs of IP addresses in the whitelist must be 0.
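The format rules and limits above can be checked locally before a whitelist is pasted into the console. The following is an added example, not MSE code: the function name validate_whitelist is hypothetical, the sample addresses are constructed from documentation ranges, and a bare IP address is treated as a /32 block.

```python
import ipaddress

MAX_ITEMS = 1000  # item limit stated on this page


def validate_whitelist(raw, auth_enabled):
    """Check a comma-separated whitelist string against the rules on this page.

    Returns (accepted, errors): accepted entries in CIDR form, and one
    message per rejected entry or exceeded limit.
    """
    items = [part.strip() for part in raw.split(",") if part.strip()]
    accepted, errors = [], []
    if len(items) > MAX_ITEMS:
        errors.append(f"{len(items)} items exceeds the limit of {MAX_ITEMS}")
    for item in items:
        _, slash, suffix = item.partition("/")
        if slash and not suffix.isdigit():
            errors.append(f"{item}: mask must be a number (X.X.X.X/X)")
            continue
        try:
            # strict=True rejects a CIDR block whose host ID is not 0
            net = ipaddress.IPv4Network(item, strict=True)
        except ValueError as exc:
            errors.append(f"{item}: {exc}")
            continue
        if net.prefixlen < 1:
            errors.append(f"{item}: mask must be between 1 and 32")
        elif not auth_enabled and net.prefixlen <= 16:
            errors.append(f"{item}: mask must be greater than 16 "
                          "when authentication is not enabled")
        else:
            accepted.append(str(net))
    return accepted, errors


if __name__ == "__main__":
    # Constructed sample input using documentation address ranges
    sample = "203.0.113.0/24, 198.51.100.7, 203.0.113.5/24, 198.51.0.0/16"
    ok, bad = validate_whitelist(sample, auth_enabled=False)
    print("accepted:", ok)
    for message in bad:
        print("rejected:", message)
```

Run it with auth_enabled=True to see the /16 block accepted; the entry with a non-zero host ID is rejected in both modes.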
Commands for querying public IP addresses
curl ipinfo.io
curl ip.cn
curl cip.cc
curl ifconfig.me
curl myip.ipip.net