Alibaba Cloud Service Mesh: Configure a blacklist or whitelist for an ingress gateway

Last Updated: Mar 11, 2026

When your applications run behind a Service Mesh (ASM) ingress gateway, you may need to restrict which clients can reach them. A blacklist rejects traffic from specified sources and allows everything else. A whitelist allows traffic only from specified sources and rejects everything else. You can filter by source IP address, HTTP domain name, port, or remote IP block.

The following procedure walks through IP-based access control: finding your client's source IP, then configuring a blacklist or whitelist in the ASM console.

How matching rules work

ASM evaluates blacklist and whitelist rules with the following logic:

Behavior      | Description
Within a rule | A request must match all criteria in the rule (AND logic)
Across rules  | A request only needs to match one rule (OR logic)
Disabling     | Turning off the blacklist or whitelist automatically clears the corresponding authorization rules

Domain name matching

Domain names (host names) in HTTP requests support three match types:

Match type | Pattern     | Matches
Exact      | aliyun.com  | aliyun.com only
Prefix     | aliyun*     | aliyun.com, aliyundoc.com, etc.
Suffix     | *aliyun.com | www.aliyun.com, docs.aliyun.com, etc.

How IP address is determined

Note

For north-south traffic, a client request is first sent to the load balancer, forwarded to the ingress gateway, and then to the backend service. Because the request passes through the ingress gateway, obtaining the original source IP address of the client is not straightforward. For more information about how to preserve source IP addresses for north-south traffic, see Scenario 2: North-south traffic.

Prerequisites

An application is deployed in the Container Service for Kubernetes (ACK) cluster that is added to your ASM instance. For more information, see Deploy an application in an ASM instance.

Find the client source IP address

To identify the source IP that ASM uses for access control evaluation, check the ingress gateway access logs.

  1. Open a browser and go to http://<ingress-gateway-ip>/productpage to generate access logs. To find the IP address of your ingress gateway, see Obtain the IP address of the ingress gateway.

  2. Run the following command with the kubeconfig file of the data plane cluster to retrieve the latest access log entry. Replace <ingress-gateway-pod-name> with the name of the pod that runs your ingress gateway:

       kubectl -n istio-system logs <ingress-gateway-pod-name> -c istio-proxy | grep "/productpage" | tail -n 1

     Sample output:

       {
         "method": "GET",
         "authority": "47.99.XXX.XXX",
         "response_code": 403,
         "downstream_remote_address": "10.0.XX.XX:XXXXX",
         "x_forwarded_for": "112.124.XXX.XX",
         "upstream_cluster": "outbound|9080||productpage.default.svc.cluster.local",
         "path": "/productpage",
         ...
       }

  3. Locate the downstream_remote_address field. This value is the source IP address that ASM uses for blacklist and whitelist evaluation.

Configure a blacklist

A blacklist rejects requests from specified IP addresses and allows all other traffic.

  1. Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.

  2. On the Mesh Management page, click the name of the ASM instance that you want to manage. In the left-side navigation pane, choose ASM Gateways > Ingress Gateway.

  3. Click the name of the target ingress gateway. In the left-side navigation pane, choose Gateway Security > Black/White List.

  4. Configure the blacklist:

    1. Turn on Enable Black/White List.

    2. For Match Mode, select Black List.

    3. Turn on IPBlock.

    4. Enter the source IP address of the client that you want to block.

    5. Click Submit.

    Note

    To block requests from multiple sources, click Add Request Matching Rule and configure additional rules.

  5. After the Gateway Black/White List created successfully message appears, the blacklist is active. To view the underlying AuthorizationPolicy, click YAML.

  6. Verify that the blacklist blocks traffic. From the client whose IP address you added to the blacklist, run the following command:

       curl -s -o /dev/null -w "%{http_code}\n" http://<ingress-gateway-ip>/productpage

     A 403 response confirms that the request is blocked. You can also verify in a browser: the page returns an RBAC access denied error.

     (Figure: RBAC access denied page, blacklist enforcement)

Configure a whitelist

A whitelist allows requests only from specified IP addresses and rejects all other traffic. The steps are the same as for a blacklist, except for the match mode selection.

  1. On the Ingress Gateway page, click the name of the ingress gateway. In the left-side navigation pane, choose Gateway Security > Black/White List.

  2. In the Black/White List Matching Rules step, select White list for Match Mode, then click Submit.

  3. Verify the whitelist. From the whitelisted client, run the following command:

       curl -s -o /dev/null -w "%{http_code}\n" http://<ingress-gateway-ip>/productpage

     A 200 response confirms that the whitelisted client is allowed. From a different client (one whose IP address is not on the whitelist), run the same command. A 403 response confirms that clients that are not whitelisted are rejected.

     (Figure: RBAC access denied page, whitelist enforcement)
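The console generates an Istio AuthorizationPolicy for the gateway (the YAML button in the blacklist procedure shows it). The following is an added example, not content from this page and not the exact object that ASM generates: two hand-written AuthorizationPolicy resources that express the blacklist and whitelist semantics described in "How matching rules work" and "Domain name matching", that is, AND within a rule, OR across rules, and exact, prefix and suffix host patterns. It assumes the ingress gateway pods run in the istio-system namespace with the label istio: ingressgateway; the policy names, IP addresses and host names are constructed sample values.

```yaml
# Added example (not generated by ASM, not from the page).
# Assumptions: gateway pods live in istio-system and carry the label
# istio: ingressgateway; every IP address and host name below is a
# constructed sample value.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ingress-blacklist          # assumed name
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway        # assumed gateway label
  action: DENY                     # blacklist: a request matching any rule is rejected, everything else passes
  rules:
  # Rule 1: every criterion inside one rule must hold (AND).
  # ipBlocks is compared with the connection source address, which is the
  # downstream_remote_address field in the gateway access log.
  - from:
    - source:
        ipBlocks: ["203.0.113.10/32"]      # constructed client IP
    to:
    - operation:
        hosts: ["*aliyun.com"]             # suffix match: www.aliyun.com, docs.aliyun.com, ...
        ports: ["80"]
  # Rule 2: a request only has to match one rule to be denied (OR across rules).
  - from:
    - source:
        ipBlocks: ["203.0.113.0/24"]       # constructed IP block
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ingress-whitelist          # assumed name
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway        # assumed gateway label
  action: ALLOW                    # whitelist: only requests matching a rule pass, everything else gets RBAC 403
  rules:
  - from:
    - source:
        ipBlocks: ["198.51.100.7/32"]      # constructed whitelisted client
    to:
    - operation:
        hosts: ["aliyun.com"]              # exact match
  - from:
    - source:
        ipBlocks: ["198.51.100.0/24"]      # constructed whitelisted block
    to:
    - operation:
        hosts: ["aliyun*"]                 # prefix match: aliyun.com, aliyundoc.com, ...
```

Apply only one of the two objects to the data plane cluster (kubectl apply -f, with the file split at the --- separator); if a DENY policy and an ALLOW policy both select the gateway, Istio evaluates the DENY rules first. ipBlocks is matched against the address of the connection that reaches the gateway, which for north-south traffic is typically the load balancer's address rather than the end client's, so confirm the downstream_remote_address value in the access log before choosing the IP to list. Istio also offers remoteIpBlocks, which matches the client address taken from X-Forwarded-For; that is only meaningful when the proxy is configured to trust the load balancer to set that header.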
