When you use an Application Load Balancer (ALB) Ingress to expose Services, you can configure access control lists (ACLs) to allow or deny requests from clients that use specific IP addresses to access the Services. This topic describes how to use an AlbConfig to create or modify an ACL and associate the ACL with a listener.
How ACLs work
ALB Ingresses implement fine-grained control over requests from clients that use specific IP addresses by associating ACLs with listeners and configuring whitelists or blacklists. An ACL contains a group of CIDR blocks. After you associate an ACL with a listener by using an AlbConfig, the listener uses the entries in the ACL to match the source IP addresses from which requests are sent to access the backend Service. You can use one of the following methods to control the requests:
Configure a whitelist to allow only requests from the source IP addresses that match the entries in the ACL to access the backend Service.
Configure a blacklist to deny the requests from the source IP addresses that match the entries in the ACL from accessing the backend Service.
An ACL supports access control by using only IPv4 addresses.
The following figure shows how ACLs work.
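The whitelist and blacklist behaviour described above, modelled as an added example (not code from the Alibaba Cloud documentation or the ALB Ingress controller): a listener's decision for one client source IP against a set of IPv4 CIDR entries in White or Black mode. The entry values and the function names are constructed for this example; the model assumes that a non-IPv4 source address never matches an entry.

```python
# Added example: how a listener evaluates a client IP against an ACL.
# White: only matching sources are allowed. Black: matching sources are denied.
import ipaddress


def parse_entries(entries):
    """Parse ACL entries into IPv4 networks; ACLs support only IPv4 CIDR blocks."""
    nets = []
    for entry in entries:
        net = ipaddress.ip_network(entry.strip(), strict=False)
        if net.version != 4:
            raise ValueError(f"ACL entries must be IPv4 CIDR blocks, got {entry!r}")
        nets.append(net)
    return nets


def matches(nets, client_ip):
    """True if the client IP falls inside any ACL entry (IPv4 only, by assumption)."""
    addr = ipaddress.ip_address(client_ip)
    return addr.version == 4 and any(addr in net for net in nets)


def is_allowed(acl_type, entries, client_ip):
    """Apply the aclType semantics: White allows on a hit, Black denies on a hit."""
    if acl_type not in ("White", "Black"):
        raise ValueError("aclType must be White or Black")
    hit = matches(parse_entries(entries), client_ip)
    return hit if acl_type == "White" else not hit


# Constructed entries, in the same form as the page's 192.168.XX.XX/16 examples.
ACL = ["192.168.0.0/16", "172.10.0.0/16"]

if __name__ == "__main__":
    for ip in ("192.168.5.7", "10.0.0.1"):
        print(ip, "White:", is_allowed("White", ACL, ip),
              "Black:", is_allowed("Black", ACL, ip))
```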
Configuration methods
The following table describes the methods that you can use to associate a listener with an ACL. We recommend that you use the aclIds parameter.
Item | aclIds | aclEntries |
Version of the ALB Ingress controller | The ALB Ingress controller 2.7.0 and later supports this parameter. | All versions of the ALB Ingress controller support this parameter. |
Association with an existing ACL | You can use the ID of an existing ACL to associate a listener with the ACL. | The ALB Ingress controller 2.7.0 and later does not allow you to associate a listener with an existing ACL. |
Method for creating an ACL | You must manually create an ACL in the Server Load Balancer (SLB) console before you use the ACL. | You can create an ACL by using an AlbConfig. |
Use scenario | This method is suitable for scenarios in which you need to frequently change entries in an ACL and want to maintain the ACL in a cost-effective manner. | This method is suitable for scenarios in which you want to enable access control by using a small number of listeners and ACLs that contain a small number of entries. |
Note: The aclIds and aclEntries parameters are mutually exclusive in the ACL configuration. You can use only one of them to configure an ACL for a listener. If you use both parameters at the same time, an error occurs. In the ALB Ingress controller 2.7.0 and later, you can use only the aclIds parameter to associate an existing ACL with a listener.
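A pre-apply check for the rules this topic states, as an added example (not part of the Alibaba Cloud documentation or the ALB Ingress controller): it flags an aclConfig that sets both aclIds and aclEntries, an aclType other than Black or White, an entry that is not an IPv4 CIDR block, and more than three ACL IDs on one listener. The function names, the `acl-placeholder-*` IDs and the sample AlbConfig are constructed for this example.

```python
# Added example: validate each listener's aclConfig in a parsed AlbConfig.
import ipaddress

MAX_ACL_IDS = 3  # "Each listener can be associated with up to three ACLs."


def validate_acl_config(acl):
    """Return the problems found in one listener's aclConfig (empty list if valid)."""
    problems = []
    ids = acl.get("aclIds")
    entries = acl.get("aclEntries")
    if ids and entries:
        problems.append("aclIds and aclEntries are mutually exclusive; use only one")
    if acl.get("aclType") not in ("Black", "White"):
        problems.append(f"aclType must be Black or White, got {acl.get('aclType')!r}")
    if ids and len(ids) > MAX_ACL_IDS:
        problems.append(f"at most {MAX_ACL_IDS} ACLs per listener, got {len(ids)}")
    for entry in entries or []:
        try:
            if ipaddress.ip_network(entry, strict=False).version != 4:
                problems.append(f"entry {entry!r} is not IPv4; ACLs support only IPv4")
        except ValueError:
            problems.append(f"entry {entry!r} is not a valid CIDR block (e.g. 127.0.0.1/32)")
    return problems


def validate_albconfig(albconfig):
    """Validate every listener that carries an aclConfig; results keyed by port."""
    return {listener.get("port"): validate_acl_config(listener["aclConfig"])
            for listener in albconfig.get("spec", {}).get("listeners", [])
            if listener.get("aclConfig")}


# Constructed AlbConfig as it looks after YAML parsing: the port 80 listener
# follows the aclIds form; the port 443 listener mixes both parameters by mistake.
SAMPLE = {"apiVersion": "alibabacloud.com/v1", "kind": "AlbConfig",
          "metadata": {"name": "default"},
          "spec": {"listeners": [
              {"port": 80, "protocol": "HTTP",
               "aclConfig": {"aclType": "White", "aclIds": ["acl-placeholder-1"]}},
              {"port": 443, "protocol": "HTTPS",
               "aclConfig": {"aclType": "white", "aclIds": ["acl-placeholder-2"],
                             "aclEntries": ["192.168.0.0/16", "10.0.0.256/8"]}}]}}

if __name__ == "__main__":
    for port, problems in validate_albconfig(SAMPLE).items():
        print(port, "OK" if not problems else problems)
```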
Prerequisites
An AlbConfig is created, and a listener is configured by using the AlbConfig. The aclConfig parameter is configured for that listener.
Use the aclIds parameter to associate a listener with an ACL
Step 1: Create an ACL
Before you enable access control, you must create an ACL.
Log on to the ALB console.
In the top navigation bar, select the region in which you want to create the ACL.
In the left-side navigation pane, choose .
On the Access Control page, click Create Access Control List.
In the Create ACL dialog box, configure the following parameters and click OK.
Parameter | Description |
ACL Name | Enter a name for the network ACL. |
Resource Group | Select a resource group. |
Tag | Configure the Tag Key and Tag Value parameters. After you specify tags, you can filter ACLs by tag on the Access Control page. |
Step 2: Add entries to the ACL
After you create an ACL, you can add entries to the ACL. ACL entries specify the source IP addresses or CIDR blocks from which requests are sent to your ALB instance. You can add multiple entries to each ACL.
On the Access Control page, find the ACL that you want to manage and click Manage in the Operations column.
On the Entry tab of the ACL details page, use one of the following methods to add entries:
Add a single IP address or CIDR block
Click Add Entry. In the Add ACL Entries dialog box, configure the IP/CIDR Block and Remarks parameters. Then, click Add.
Add multiple IP addresses or CIDR blocks at a time
Click Add ACL Entries. In the Add ACL Entries dialog box, add multiple IP addresses or CIDR blocks and the remarks. Then, click Add.
Note: When you add multiple entries at a time, take note of the following items:
Enter one entry per line. Press the ENTER key to start a new line.
Use a vertical bar (|) to separate an IP address or a CIDR block from the remarks within an entry. For example, you can enter 192.168.1.0/24|Remarks.
You can add at most 20 entries at a time.
After you add entries, perform the following operations based on your business requirements:
View the IP addresses or CIDR blocks that you added in the Entry column.
Delete entries. To do so, find the entry that you want to delete and click Delete in the Actions column. You can also select the entries that you want to delete and click Delete below the list.
To export entries, click the icon in the upper-right corner of the list to export all entries, or select the entries that you want to export and click the icon.
Step 3: Associate the ACL with a listener
The following sample YAML code adds the spec.listeners.aclConfig parameter to the existing AlbConfig and specifies the ID of the created ACL as the value of the aclIds parameter. In this example, the ID of the created ACL is acl-wtg***.
apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: default
spec:
  config:
    #...
  listeners:
    - port: #...
      protocol: #...
      aclConfig:
        aclType: White # The whitelist mode.
        aclIds:
          - acl-wtg*** # Add the ID of the existing ACL to the ACL configuration. In this example, the ID of the existing ACL is acl-wtg***.
  #...
The following table describes the parameters in aclConfig.
Parameter | Description |
aclType | The type of the ACL. Valid values: Black and White. |
aclIds | The IDs of the ACLs to be associated with the listener. Important: Each listener can be associated with up to three ACLs. |
Step 4: Verify the access control effect
You can use a client whose public IP address matches an entry in the whitelist or no entry in the blacklist to access the backend Service and verify the effect of the ACL configuration.
In this example, the resources that are created in the Get started with ALB Ingress topic are used.
If the access from the client is allowed, the client can access the backend Service as expected.
Step 5: (Optional) Disassociate the ACL from the listener
In the following YAML file, if you want to disassociate the ACL from the listener, you need to only remove the ID of the ACL from the value of the aclIds parameter or change the value of the aclIds parameter to null.
apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: default
spec:
  config:
    #...
  listeners:
    - port: #...
      protocol: #...
      aclConfig:
        aclType: White
        aclIds: null # Remove the ID of the existing ACL from the value of this parameter. In this example, the ID of the existing ACL is acl-wtg***.
  #...
You cannot delete an ACL from an AlbConfig. To delete the ACL, log on to the SLB console.
Use the aclEntries parameter to create an ACL
In the ALB Ingress controller 2.7.0 and later, you can no longer use the aclName parameter to associate existing ACLs with listeners. Each time you update the aclName parameter, a new ACL is created and associated with the listener. The ALB Ingress controller 2.6.0 and earlier supports the write-back mechanism. The following section describes how the write-back mechanism works:
If the aclConfig parameter is left empty in an AlbConfig, the entries of the ACL associated with the listener are written back to the AlbConfig.
If the aclConfig parameter is configured, or the entries of the ACL associated with the listener have already been written back to the AlbConfig, the AlbConfig remains unchanged.
If the Ingress resources are changed, the ALB Ingress controller uses the configured AlbConfig to overwrite the ACL configuration in the console. In this case, you need to keep the two configurations consistent.
Step 1: Configure the entries in an ACL
The following sample YAML code adds or modifies the spec.listeners.aclConfig parameter in the existing AlbConfig and specifies CIDR blocks in the aclEntries parameter. If a value is specified in the aclName parameter, an ACL is created and uses the value as its name. If no value is specified in the aclName parameter, a name is automatically generated in the format of acl-{albName}-{port}.
apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: default
spec:
  config:
    #...
  listeners:
    - port: #...
      protocol: #...
      aclConfig:
        aclEntries:
          - 192.168.XX.XX/16
          - 172.10.XX.XX/16
        aclType: White # The whitelist mode.
        aclName: "acl-test" # An ACL named acl-test is created and associated with the listener.
  #...
The following table describes the parameters in aclConfig.
Parameter | Description |
aclEntries | The entries of the ACL. The entries must be CIDR blocks, such as 127.0.0.1/32. |
aclType | The type of the ACL. Valid values: Black and White. |
aclName | The name of the ACL. |
Step 2: Verify the access control effect
You can use a client whose public IP address matches an entry in the whitelist or no entry in the blacklist to access the backend Service and verify the effect of the ACL configuration.
In this example, the resources that are created in the Get started with ALB Ingress topic are used.
If the access from the client is allowed, the client can access the backend Service as expected.
Step 3: (Optional) Remove the ACL
The following sample YAML code shows how to remove the ACL by updating the AlbConfig. The sample code removes the ACL of the whitelist type that contains the 172.10.XX.XX/16 CIDR block. The updated aclEntries parameter in the AlbConfig is synchronized to the associated ACL. In this example, the ACL is named acl-test. If the aclEntries parameter is left empty, all entries are removed from the ACL.
apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: default
spec:
  config:
    #...
  listeners:
    - port: #...
      protocol: #...
      aclConfig:
        aclEntries:
          - 192.168.XX.XX/16
        aclType: White
        aclName: "acl-test" # The 172.10.XX.XX/16 entry in the acl-test ACL is also removed.
  #...
You cannot delete an ACL from an AlbConfig. To delete the ACL, log on to the SLB console.
References
You can configure ACLs for the API server of a cluster. For more information, see Configure network ACLs for the API server of an ACK cluster.
The inbound and outbound traffic of nodes in a cluster is controlled by security groups. For more information about how to configure a security group, see Configure security groups for clusters.