Address Objects

An Address Object represents a set of one or more IPs, CIDRs or FQDNs for use as a Source or Destination in a Security Policy Ruleset Rule, or as a Target Backend Address in a Reverse Proxy Service Object, depending on how it is defined. The Address Object can be configured statically using traditional constructs or dynamically using cloud constructs.

An Address Object is created as either a Src/Dest or Reverse Proxy Target, and can be configured in various ways.

Src/Dest

A Src/Dest Address Object is specified as a Source or Destination in a Security Policy Ruleset Rule. It is used by the Rule to match traffic based on its Source or Destination IP address. The different types of Src/Dest Address Objects are defined as follows:

IP/CIDR (Static)

An IP/CIDR Address Object is configured as a set of IP addresses or CIDR blocks.

Cloud Constructs (Dynamic)

A Cloud Construct Address Object is configured as an individual cloud resource such as a VPC/VNet ID, Security Group, Instance ID, Subnet ID, or Service End Point, or a set of cloud resources determined by their User Defined Tags. The configuration will dynamically populate one or more IPs or CIDRs represented by the cloud resource, obtained from the cloud account using the Valtix real-time Inventory Discovery. Any changes to the cloud resource will be automatically reflected in the Address Object.

Geo IP

A Geo IP Address Object is configured as a set of Geo IP country names. A Geo IP Address Object is used to allow or block traffic that is coming from or going to IP addresses based on their geographic location (country). A full list of country names can be obtained from the GeoNames Countries site.

Group

A Group Address Object is configured as a set of Src/Dest Address Objects. A Group provides flexibility by defining individual Address Objects and then grouping them together, simplifying the number of Rules necessary to match traffic based on the members of the Group. The Group will inherit the set of IPs, CIDRs or FQDNs from the members of the group, whether the members are static, dynamic or a combination of the two.
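The following sketch is an added example, not Valtix code. It models how a Group's effective address set can be worked out when reviewing what a Rule will match. The object names, the dictionary layout and the `resolved` list (a snapshot standing in for what Inventory Discovery reports) are assumptions made for illustration.

```python
import ipaddress

# Constructed sample objects. Names and layout are hypothetical, not the
# Valtix object schema.
ADDRESS_OBJECTS = {
    "corp-static": {"type": "ip_cidr",
                    "value": ["10.0.0.0/16", "10.0.4.0/24", "192.0.2.10"]},
    # Dynamic object: "resolved" is a point-in-time snapshot of the IPs the
    # tagged cloud resources currently have; it changes as resources change.
    "web-tagged": {"type": "tag", "resolved": ["10.1.2.5", "10.1.2.6"]},
    "all-clients": {"type": "group", "members": ["corp-static", "web-tagged"]},
}

def effective_networks(name, objects=ADDRESS_OBJECTS, _seen=None):
    """Return the collapsed networks an Address Object stands for."""
    seen = _seen if _seen is not None else set()
    if name in seen:  # a member already counted, or a self-referencing group
        return []
    seen.add(name)
    obj = objects[name]
    if obj["type"] == "group":
        # A Group inherits the union of its members' addresses.
        nets = [n for m in obj["members"]
                for n in effective_networks(m, objects, seen)]
    else:
        raw = obj.get("value") or obj.get("resolved", [])
        # strict parsing rejects entries such as 10.0.0.1/16 (host bits set)
        nets = [ipaddress.ip_network(v) for v in raw]
    # collapse_addresses cannot mix IP versions, so collapse each separately
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return (list(ipaddress.collapse_addresses(v4))
            + list(ipaddress.collapse_addresses(v6)))

def matches(name, ip, objects=ADDRESS_OBJECTS):
    """True if ip falls inside the object's effective address set."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in effective_networks(name, objects))

if __name__ == "__main__":
    for net in effective_networks("all-clients"):
        print(net)
    print(matches("all-clients", "10.0.4.77"), matches("all-clients", "10.1.2.7"))
```

Collapsing the set makes redundant entries visible: `10.0.4.0/24` disappears because `10.0.0.0/16` already covers it, which is the kind of overlap worth noticing before a Group is attached to an allow Rule.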

Parameter Deonticity

| Type | Mode | Parameter | Deonticity | Note |
|---|---|---|---|---|
| IP/CIDR | Static | Value | Required | |
| VPC/VNet ID | Dynamic | CSP Account | Required | |
| | | Region | Required | |
| | | Resource Group | Optional | Azure Only |
| | | VPC/VNet ID | Required | |
| Security Group | Dynamic | CSP Account | Required | |
| | | Region | Required | |
| | | VPC/VNet ID | Required | |
| | | Resource Group | Optional | Azure Only |
| | | Security Group ID | Required | |
| Instance ID | Dynamic | CSP Account | Required | |
| | | Region | Required | |
| | | VPC/VNet ID | Required | |
| | | Resource Group | Optional | Azure Only |
| | | Instance ID | Required | |
| Subnet ID | Dynamic | CSP Account | Required | |
| | | Region | Required | |
| | | VPC/VNet ID | Required | |
| | | Resource Group | Optional | Azure Only |
| | | Subnet ID | Required | |
| User Defined Tag | Dynamic | CSP Account | Optional | |
| | | Region | Optional | |
| | | VPC/VNet ID | Optional | |
| | | Resource Group | Optional | Azure Only |
| | | Tag/Value | Required | List of Tag Key-Value Pairs |
| Geo IP | | Value | Required | |
| Group | | Address | Required | |

Reverse Proxy Target

A Reverse Proxy Target Address Object is specified as a Backend Target Address in a Reverse Proxy Service Object. It is used by the Service Object to establish a backend connection to an application. The application can be the address of one or more Application Load Balancers or Instances in the form of IPs or FQDNs. The different types of Reverse Proxy Target Address Objects are defined as follows:

IP/FQDN (Static)

An IP/FQDN Address Object is configured as a set of IP addresses or FQDNs. When more than one IP or FQDN is configured, the Gateway will round-robin amongst the set when setting up a backend connection. When an FQDN is configured, the Gateway will resolve the FQDN via DNS to determine the IP address to use when setting up a backend connection.

Applications (Dynamic)

An Applications Address Object is configured as an individual Application Load Balancer cloud resource determined by its Applications Tag. The configuration will dynamically populate a set of IPs or FQDNs represented by the cloud resources, obtained from the cloud account using the Valtix real-time Inventory Discovery. Any changes to the cloud resources will be automatically reflected in the Address Object. When the configuration results in more than one IP or FQDN, the Gateway will round-robin amongst the set when setting up a backend connection. When the configuration result is an FQDN, the Gateway will resolve the FQDN via DNS to determine the IP address to use when setting up a backend connection.

Parameter Deonticity

| Type | Mode | Parameter | Deonticity | Note |
|---|---|---|---|---|
| IP/FQDN | Static | Value | Required | |
| Applications | Dynamic | CSP Account | Required | |
| | | Region | Required | |
| | | VPC/VNet ID | Required | |
| | | Resource Group | Optional | Azure Only |
| | | Tag/Value | Required | Single Tag Key-Value Pair |

Operations

Manage

  • Navigate to Manage > Security Policies > Addresses

Create

  1. Click Create
  2. Select either Src/Dest or Reverse Proxy Target
  3. Specify the required and optional parameters as desired
  4. Click Save when complete

Note

Some parameters are common to all Address Object types, and some are specific to the Address Object type.

Edit

  1. Check the box next to the Address Object you would like to Edit
  2. Click Edit
  3. Modify the parameters as desired
  4. Click Save when complete

Note

Not all parameters can be modified. If you need to modify a parameter that cannot be modified, you will need to Clone the Address Object and then change the parameters as desired. If the desire is to use the clone in place of the original, you will need to replace all associations of the original with the clone. The associations will be in a set of one or more Security Policy Ruleset Rules or Reverse Proxy Service Objects. The associations can be seen by viewing the Address Object Details.

Clone

  1. Check the box next to the Address Object you would like to Clone
  2. Click Clone
  3. Specify and modify the parameters as desired
  4. Click Save when complete

Delete

  1. Check the box next to the Address Object you would like to Delete
  2. Click Delete
  3. Click Save to confirm the delete

Note

If an Address Object is actively used in a Policy Ruleset Rule or Reverse Proxy Service Object, it will have one or more associations and you will be unable to delete the Address Object. In order to delete an Address Object, you must first remove all associations, then the Address Object can be deleted. The associations can be seen by viewing the Address Object Details.

View Details

You can view the Address Object Details by clicking the Name. The Details will display the IPs, CIDRs and FQDNs populated based on its type and configuration. It will also display the associations with Policy Rule Sets (Security Policy Ruleset) and Services (Service Objects).