
Microservices Engine:Configure IP address blacklists and whitelists for cloud-native gateways

Last Updated:Apr 12, 2024

Cloud-native gateways provide the IP address blacklist and whitelist feature for security protection. You can configure a blacklist to deny access from specific IP addresses or configure a whitelist to allow access from specific IP addresses. Cloud-native gateways allow you to configure IP address blacklists or whitelists globally or at the domain name or route level. This helps implement fine-grained access control. This topic describes how to configure an IP address blacklist or an IP address whitelist for a cloud-native gateway.

Configure an IP address blacklist or whitelist

  1. Log on to the MSE console.

  2. In the left-side navigation pane, choose Cloud-native Gateway > Gateways. In the top navigation bar, select a region.

  3. On the Gateways page, click the name of the gateway.

  4. In the left-side navigation pane, choose Security Management > Black/White List.

  5. Click Create in the upper-left corner. In the Create panel, configure the parameters and click Save.

    Name: The name of the IP address-based access control that you want to create.

    Description: The description of the IP address-based access control.

    Type: The type of the IP address-based access control that you want to create. Valid values:

    • Whitelist (Allow Access from Specific IP Addresses): Only API requests from IP addresses or CIDR blocks in the whitelist are allowed by the gateway.

    • Blacklist (Deny Access from Specific IP Addresses): API requests from IP addresses or CIDR blocks in the blacklist are blocked by the gateway.

    Effective Granularity: The level at which the IP address-based access control takes effect.

    • Gateway: The IP address-based access control takes effect on the whole gateway.

    • Domain Name: The IP address-based access control takes effect on specific domain names.

    • Routes: The IP address-based access control takes effect on specific routes.

      Note
      The IP address-based access control takes effect at the following levels in descending order of priority: Routes > Domain Name > Gateway.

    IP Address/CIDR Block: The IP addresses or CIDR blocks that you want to add to the IP address whitelist or blacklist.
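To make the whitelist/blacklist semantics and the Routes > Domain Name > Gateway priority concrete, the following Python model of the decision is an added example written for this page, not MSE's own implementation. It assumes that the most specific list bound to the request's route or domain decides on its own and that a request matched by no list is allowed, which the topic does not state; the addresses, domain and route names are constructed.

```python
"""Model of the gateway IP blacklist/whitelist decision (added example, assumption-based)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Descending priority as stated in the topic: Routes > Domain Name > Gateway.
PRIORITY = ("route", "domain", "gateway")


@dataclass
class AccessList:
    kind: str             # "whitelist" or "blacklist"
    granularity: str      # "gateway", "domain" or "route"
    scope: Optional[str]  # domain name or route name the list is bound to; None for gateway
    cidrs: list           # ipaddress network objects


def make_list(kind, granularity, entries, scope=None):
    """Build an AccessList; single IPs and CIDR blocks are both accepted, as in the console."""
    return AccessList(kind, granularity, scope,
                      [ipaddress.ip_network(e, strict=False) for e in entries])


def applies_to(acl, domain, route):
    """A list is consulted only for the domain/route it is bound to; gateway lists always apply."""
    if acl.granularity == "domain":
        return acl.scope == domain
    if acl.granularity == "route":
        return acl.scope == route
    return True


def is_allowed(client_ip, domain, route, acls):
    """Assumption (not stated on the page): the most specific applicable list decides alone,
    and a request matched by no list at all is allowed."""
    ip = ipaddress.ip_address(client_ip)
    for level in PRIORITY:
        for acl in acls:
            if acl.granularity == level and applies_to(acl, domain, route):
                hit = any(ip in net for net in acl.cidrs)
                return hit if acl.kind == "whitelist" else not hit
    return True


def status_for(client_ip, domain, route, acls):
    """HTTP status the gateway would return: 200 if allowed, 403 (RBAC: access denied) otherwise."""
    return 200 if is_allowed(client_ip, domain, route, acls) else 403


# Constructed sample configuration (RFC 5737 documentation addresses, not a real gateway):
# a gateway-wide blacklist plus a route-level whitelist that re-admits one host for route "mock".
SAMPLE_ACLS = [
    make_list("blacklist", "gateway", ["203.0.113.0/24"]),
    make_list("whitelist", "route", ["203.0.113.10"], scope="mock"),
]
```

Because the route-level whitelist outranks the gateway-level blacklist, 203.0.113.10 is admitted to route "mock" but still blocked on every other route.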

Configuration example

Step 1: Create a mock route

  1. Log on to the MSE console.

  2. In the left-side navigation pane, choose Cloud-native Gateway > Gateways. In the top navigation bar, select a region.

  3. On the Gateways page, click the name of the gateway.

  4. In the left-side navigation pane, click Routes, and click the Routes tab.

  5. On the Routes tab, click Add Route. On the Add Route page, configure the parameters and click Save and Release.

Step 2: Test the mock route

Run the following command to access the mock route:

curl 47.100.xx.xx/mock

In the following returned result, the HTTP status code 200 indicates that the request is successful.

{
  "code": 200,
  "data": {
    "message": "ok"
  },
  "HttpStatusCode": 200,
  "successResponse": 200
}

Step 3: Configure an IP address blacklist

  1. Obtain the IP address of your on-premises machine.

  2. Log on to the MSE console. Add the IP address of your on-premises machine to the IP address whitelist or blacklist to allow or deny requests from your on-premises machine to the MSE cloud-native gateway. In this example, the IP address of your on-premises machine is added to the IP address blacklist.

    For more information, see Configure an IP address blacklist or whitelist in this topic.

  3. Run the following command to perform a test:

    curl -v 47.100.xx.xx/mock

    The following result is returned:

    *   Trying 47.100.xx.xx...
    * TCP_NODELAY set
    * Connected to 47.100.xx.128 (47.100.xx.xx) port 80 (#0)
    > GET /mock HTTP/1.1
    > Host: 47.100.xx.xx
    > User-Agent: curl/7.64.1
    > Accept: */*
    >
    < HTTP/1.1 403 Forbidden
    < content-length: 19
    < content-type: text/plain
    < date: Thu, 25 Aug 2022 09:43:43 GMT
    < server: istio-envoy
    <
    * Connection #0 to host 47.100.xx.xx left intact
    RBAC: access denied* Closing connection 0