Address Objects¶
An Address Object represents a set of one or more IPs, CIDRs or FQDNs for use as a Source or Destination in a Security Policy Rule Set Rule, or as a Target Backend Address in a Reverse Proxy Service Object, depending on how it is defined. The Address Object can be configured statically using traditional constructs or dynamically using cloud constructs.
An Address Object is created as either a Src/Dest or Reverse Proxy Target, and can be configured in various ways.
Src/Dest¶
A Src/Dest Address Object specifies a Source or Destination for a Rule inside a Security Policy Rule Set. It is used by the Rule to match traffic based on its Source or Destination IP address. The different types of Src/Dest Address Objects are defined as follows:
IP/CIDR/FQDN (Static)¶
An IP/CIDR/FQDN Address Object is configured as a set of IP addresses, CIDR blocks or FQDNs.
Cloud Constructs (Dynamic)¶
A Cloud Construct Address Object is configured as an individual cloud resource such as a VPC/VNet ID, Security Group, Instance ID, Subnet ID, or Service End Point, or a set of cloud resources determined by their User Defined Tags. The configuration will dynamically populate one or more IPs or CIDRs represented by the cloud resource, obtained from the cloud account using the Valtix real-time Inventory Discovery. Any changes to the cloud resource will be automatically reflected in the Address Object.
Geo IP¶
A Geo IP Address Object is configured as a set of Geo IP country names. A Geo IP Address Object is used to allow or block traffic that is coming from or going to IP addresses based on their geographic location (country). Valtix integrates with the MaxMind GeoIP2 Database for maintaining a list of updated GeoIPs.
A full list of country names and codes can be obtained from the GeoNames Countries site.
An IP address to GeoIP country code lookup can be obtained from the GeoIP Database site.
Group¶
A Group Address Object is configured as a set of Src/Dest Address Objects. A Group provides flexibility by defining individual Address Objects and then grouping them together, simplifying the number of Rules necessary to match traffic based on the members of the Group. The Group will inherit the set of IPs, CIDRs or FQDNs from the members of the group, whether the members are static, dynamic or a combination of the two.
Parameter Deonticity¶
Type | Mode | Parameter | Deonticity | Note |
---|---|---|---|---|
IP/CIDR/FQDN | Static | Value | Required | The total number of FQDNs per Address Object is limited to 200, where each FQDN can resolve to at most 400 IPs. The Valtix Gateway will perform DNS resolution every 60 seconds, regardless of the DNS record TTL. |
VPC/VNet ID | Dynamic | CSP Account | Required | |
| | Region | Required | |
| | Resource Group | Optional | Azure Only |
| | VPC/VNet ID | Required | |
Security Group | Dynamic | CSP Account | Required | |
| | Region | Required | |
| | VPC/VNet ID | Required | |
| | Resource Group | Optional | Azure Only |
| | Security Group ID | Required | |
Application Security Group | Dynamic | CSP Account | Required | Azure Only |
| | Region | Required | |
| | Resource Group | Required | |
| | Application Security Group | Required | |
Instance ID | Dynamic | CSP Account | Required | |
| | Region | Required | |
| | VPC/VNet ID | Required | |
| | Resource Group | Optional | Azure Only |
| | Instance ID | Required | |
Subnet ID | Dynamic | CSP Account | Required | |
| | Region | Required | |
| | VPC/VNet ID | Required | |
| | Resource Group | Optional | Azure Only |
| | Subnet ID | Required | |
User Defined Tag | Dynamic | CSP Account | Optional | |
| | Region | Optional | |
| | VPC/VNet ID | Optional | |
| | Resource Group | Optional | Azure Only |
| | Resource/Tag/Value | Required | List of Resources and Tag Key-Value Pairs. Resources can be Instance, VPC/VNet, Subnet, Load Balancer, Security Group, Security Group (Azure). |
Geo IP | | Value | Required | |
Group | | Address | Required | |
Reverse Proxy Target¶
A Reverse Proxy Target Address Object is specified as a Backend Target Address in a Reverse Proxy Service Object. It is used by the Service Object to establish a backend connection to an application. The application can be the address of one or more Application Load Balancers or Instances in the form of IPs or FQDNs. The different types of Reverse Proxy Target Address Objects are defined as follows:
IP/FQDN (Static)¶
An IP/FQDN Address Object is configured as a set of IP addresses or FQDNs. When more than one IP or FQDN is configured, the Gateway will round-robin amongst the set when setting up a backend connection. When an FQDN is configured, the Gateway will resolve the FQDN via DNS to determine the IP address to use when setting up a backend connection.
Applications (Dynamic)¶
An Applications Address Object is configured as an individual Application Load Balancer cloud resource determined by its Applications Tag. The configuration will dynamically populate a set of IPs or FQDNs represented by the cloud resources, obtained from the cloud account using the Valtix real-time Inventory Discovery. Any changes to the cloud resources will be automatically reflected in the Address Object. When the configuration results in more than one IP or FQDN, the Gateway will round-robin amongst the set when setting up a backend connection. When the configuration result is an FQDN, the Gateway will resolve the FQDN via DNS to determine the IP address to use when setting up a backend connection.
Parameter Deonticity¶
Type | Mode | Parameter | Deonticity | Note |
---|---|---|---|---|
IP/FQDN | Static | Value | Required | |
Applications | Dynamic | CSP Account | Required | |
| | Region | Required | |
| | VPC/VNet ID | Required | |
| | Resource Group | Optional | Azure Only |
| | Tag/Value | Required | Single Tag Key-Value Pair |
System Objects¶
Valtix provides a list of pre-defined Address Objects to simplify policy creation. System objects cannot be deleted or modified. If a modification is needed, clone the system object and modify the clone.
Name | Description |
---|---|
Any | This represents the entire IPv4 address space. |
any-private-rfc-1918 | This represents all IPv4 private addresses as defined in RFC 1918. |
Internet | This represents the entire IPv4 public address space, i.e. the IPv4 address space minus the private IPv4 addresses (RFC 1918). |
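The following Python is an added example, not Valtix's own code, that models the Src/Dest semantics described above: a static IP/CIDR/FQDN object enforcing the 200-FQDN and 400-IPs-per-FQDN limits from the parameter table, a Group that inherits its members' sets, and the Internet system object computed as the IPv4 space minus the RFC 1918 ranges. The DNS table is a constructed stand-in for the Gateway's periodic resolution, and the class and function names are hypothetical.

```python
import ipaddress
from dataclasses import dataclass, field

MAX_FQDNS = 200          # FQDNs per Address Object (limit stated on this page)
MAX_IPS_PER_FQDN = 400   # IPs one FQDN may resolve to (limit stated on this page)
FAKE_DNS = {"app.example.internal": ["10.1.2.10", "10.1.2.11"]}  # constructed stand-in for DNS

def is_ip_or_cidr(value):
    try:
        ipaddress.ip_network(value, strict=False)
        return True
    except ValueError:
        return False

@dataclass
class AddressObject:
    name: str
    values: list = field(default_factory=list)   # IPs, CIDRs or FQDNs (static object)
    members: list = field(default_factory=list)  # other AddressObjects (Group object)

    def networks(self):
        # Flatten to a set of networks, enforcing the documented FQDN limits.
        fqdns = [v for v in self.values if not is_ip_or_cidr(v)]
        if len(fqdns) > MAX_FQDNS:
            raise ValueError(f"{self.name}: {len(fqdns)} FQDNs exceeds {MAX_FQDNS}")
        nets = set()
        for v in self.values:
            if is_ip_or_cidr(v):
                nets.add(ipaddress.ip_network(v, strict=False))
            else:
                ips = FAKE_DNS.get(v, [])            # unresolvable FQDN contributes nothing
                if len(ips) > MAX_IPS_PER_FQDN:
                    raise ValueError(f"{v}: resolves to more than {MAX_IPS_PER_FQDN} IPs")
                nets.update(ipaddress.ip_network(ip) for ip in ips)
        for member in self.members:                  # a Group inherits its members' sets
            nets |= member.networks()
        return nets

    def matches(self, ip):
        # True if a packet with this Source/Destination IP would match the object.
        addr = ipaddress.ip_address(ip)
        return any(addr in n for n in self.networks())

RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]   # any-private-rfc-1918
def internet_object():
    # 'Internet' system object: IPv4 space minus RFC 1918, by successive exclusion.
    remaining = [ipaddress.ip_network("0.0.0.0/0")]
    for priv in map(ipaddress.ip_network, RFC1918):
        remaining = [p for n in remaining
                     for p in (n.address_exclude(priv) if priv.subnet_of(n) else [n])]
    return AddressObject("Internet", [str(n) for n in remaining])
```

Because the Gateway re-resolves FQDNs on its own 60-second schedule, a rule matching an FQDN-based object can lag a DNS change by up to that interval, which the fixed lookup table here does not model.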
Operations¶
Manage¶
- Navigate to Manage > Security Policies > Addresses
Create¶
- Click Create
- Select either Src/Dest or Reverse Proxy Target
- Specify the required and optional parameters as desired
- Click Save when complete
Note
Some parameters are common to all Address Object types, and some parameters depend on the specific Address Object type.
Edit¶
- Check the box next to the Address Object you would like to Edit
- Click Edit
- Modify the parameters as desired
- Click Save when complete
Note
Not all parameters can be modified. If you need to modify a parameter that cannot be modified, you will need to Clone the Address Object and then change the parameters as desired. If the desire is to use the clone in place of the original, you will need to replace all associations of the original with the clone. The associations will be in a set of one or more Security Policy Rule Set Rules or Reverse Proxy Service Objects. The associations can be seen by viewing the Address Object Details.
Clone¶
- Check the box next to the Address Object you would like to Clone
- Click Clone
- Specify and modify the parameters as desired
- Click Save when complete
Delete¶
- Check the box next to the Address Object you would like to Delete
- Click Delete
- Click Save to confirm the delete
Note
If an Address Object is actively used in a Policy Rule Set Rule or Reverse Proxy Service Object, it will have one or more associations and you will be unable to delete the Address Object. In order to delete an Address Object, you must first remove all associations; then the Address Object can be deleted. The associations can be seen by viewing the Address Object Details.
View Details¶
You can view the Address Object Details by clicking the Name. The Details will display the IPs, CIDRs and FQDNs populated based on its type and configuration. It will also display the associations with Policy Rule Sets (Security Policy Rule Set) and Services (Service Objects).