For precise control over client access, enable access control for a listener. A whitelist allows access only from specific IP addresses. A blacklist denies access from specific IP addresses.
How access control works
The access control feature consists of access control lists (ACLs) and access control modes.
ACL: Contains one or more IP address or CIDR block entries. Use an ACL to group IP addresses that have the same security requirements.
Access control mode: You can configure a whitelist or a blacklist for listeners.
Whitelist: Allows access to a Global Accelerator listener only from specific IP addresses. Requests are forwarded only if they originate from the IP addresses or CIDR blocks specified in the selected ACL. Whitelists are ideal for granting access only to specific clients.
Blacklist: Denies access to a Global Accelerator listener from specific IP addresses. Requests that originate from the IP addresses or CIDR blocks specified in the selected ACL are not forwarded. Blacklists are ideal for blocking specific clients.
Using a whitelist carries certain risks. Once a whitelist is enabled, only the IP addresses on the whitelist can access the listener.
If you enable a whitelist for a listener but do not add any IP addresses to the associated ACL, the listener forwards all requests.
If you enable a blacklist for a listener but do not add any IP addresses to the associated ACL, the listener forwards all requests.
When you create an ACL, you can select IPv4 or IPv6. You can then enable an ACL of the corresponding IP version for a listener based on the IP version of the acceleration endpoint.
Limitations
Pay-as-you-go GA
The access control feature is available only for smart routing listeners.
A GA instance can manage a total of 600 IP address or CIDR block entries. This is the sum of all entries in the ACLs associated with all listeners of the instance.
For a listener, the maximum number of IP address entries or CIDR block entries in the associated ACL is calculated as follows:
Total number of ports for the listener (a port range counts as one port) × Number of entries in the ACL
If the listener protocol is HTTP/3, the calculation is: Total number of ports for the listener (a port range counts as one port) × Number of entries in the ACL × 2
An ACL can be associated with a maximum of 10 listeners.
A listener can be associated with a maximum of one IPv4 ACL and one IPv6 ACL.
If the accelerated IP protocol is IPv4 or IPv6, and the listener is associated with both an IPv4 ACL and an IPv6 ACL, only the ACL that matches the accelerated IP version takes effect.
If the accelerated IP protocol is dual-stack, and the listener is associated with both an IPv4 ACL and an IPv6 ACL, both ACLs take effect.
Subscription GA
The access control feature is available only for smart routing listeners.
An ACL associated with a listener can contain a maximum of 200 unique IP address or CIDR block entries.
You can associate an ACL with up to 10 listeners.
A listener can be associated with a maximum of one IPv4 ACL and one IPv6 ACL.
If the accelerated IP protocol is IPv4 or IPv6, and the listener is associated with both an IPv4 ACL and an IPv6 ACL, only the ACL that matches the accelerated IP version takes effect.
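The following Python model is an added illustration, not Global Accelerator's own code and not taken from this page; it encodes the rules stated above: whitelist and blacklist semantics, the empty-ACL behaviour, which ACL takes effect for a given accelerated IP version (both for dual-stack), and the pay-as-you-go entry calculation. The class and function names are assumptions, as is the choice to consult only entries of the client's own IP version.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class Acl:
    ip_version: int                 # 4 or 6, fixed when the ACL is created
    entries: List[str] = field(default_factory=list)  # IP addresses or CIDR blocks

    def networks(self):
        return [ipaddress.ip_network(e, strict=False) for e in self.entries]

@dataclass
class Listener:
    mode: str                       # "whitelist" or "blacklist"
    accelerated_protocol: str       # "IPv4", "IPv6" or "dual-stack"
    ipv4_acl: Optional[Acl] = None  # at most one IPv4 ACL per listener
    ipv6_acl: Optional[Acl] = None  # at most one IPv6 ACL per listener

def effective_acls(listener: Listener) -> List[Acl]:
    """Only the ACL matching the accelerated IP version takes effect;
    a dual-stack listener uses both."""
    acls = []
    if listener.accelerated_protocol in ("IPv4", "dual-stack") and listener.ipv4_acl is not None:
        acls.append(listener.ipv4_acl)
    if listener.accelerated_protocol in ("IPv6", "dual-stack") and listener.ipv6_acl is not None:
        acls.append(listener.ipv6_acl)
    return acls

def is_forwarded(listener: Listener, client_ip: str) -> bool:
    """Decide whether a request from client_ip is forwarded by the listener."""
    ip = ipaddress.ip_address(client_ip)
    # Assumption: only entries of the client's own IP version are consulted.
    nets = [n for a in effective_acls(listener) if a.ip_version == ip.version
            for n in a.networks()]
    if not nets:
        # Page rule: an enabled whitelist or blacklist with no entries
        # forwards all requests, i.e. the listener does not fail closed.
        return True
    hit = any(ip in n for n in nets)
    return hit if listener.mode == "whitelist" else not hit

def entries_consumed(port_specs: List[str], acl_entries: int, http3: bool = False) -> int:
    """Pay-as-you-go quota cost of one listener: ports (a range such as
    "8000-8100" counts as one port) x ACL entries, doubled for HTTP/3.
    The sum over all listeners of a GA instance must not exceed 600."""
    cost = len(port_specs) * acl_entries
    return cost * 2 if http3 else cost
```

Client addresses used in the checks are constructed from documentation ranges; the empty-ACL case is the one worth testing before relying on a whitelist.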
Procedure
Create an ACL
Create an ACL before enabling access control.
Log on to the GA console.
In the navigation pane on the left, choose .
On the Access Control page, click Create ACL.
In the Create ACL dialog box, configure the ACL based on the following information and then click OK.
Parameters and descriptions:
ACL Name: Enter a name for the ACL.
IP Version: Select the IP version for the ACL. Select IPv4 or IPv6 to match the IP version of your acceleration regions.
Resource Group: Select the resource group to which the ACL belongs. This resource group is created by the current Alibaba Cloud account in Resource Management. For more information, see Create a resource group.
Tag: Add a tag to the ACL. Select or enter a Tag Key and a Tag Value. For more information, see Tag Management.
Add entries to an ACL
Once an ACL is created, you must populate it with IP address or CIDR block entries. These entries will be used to filter traffic. You can add entries one by one or in bulk.
Log on to the GA console.
In the navigation pane on the left, choose .
Find the target ACL and click Manage ACL in the Actions column.
On the ACL details page, add entries in one of the following ways:
Add a single entry
Click Add Rule. In the Add ACL Entry dialog box, enter an IP Address/CIDR Block and Remark, and then click OK.
Add entries in a batch
Click Add Multiple Rules. In the Add Multiple Rules dialog box, add multiple IP addresses or CIDR blocks as prompted and click OK.
Enable access control for a listener
Before enabling access control, ensure you have created a listener. For more information, see Add and manage smart routing listeners.
Log on to the GA console.
On the Instances page, find the target Global Accelerator instance and click Configure Listeners in the Actions column.
On the Listeners tab, click the ID of the listener.
On the Listener Details tab, in the Access Control section, toggle the Access Control switch.
In the Enable Access Control dialog box, configure the following parameters and click OK.
Parameters and descriptions:
Access Control Mode: Select an access control mode.
Whitelist: Allows traffic only from IPs in the specified ACL.
Blacklist: Blocks traffic from IPs in the specified ACL.
Warning: Using a whitelist carries certain risks. Once a whitelist is enabled, only the IP addresses on the whitelist can access the listener.
If you enable a whitelist for a listener but do not add any IP addresses to the associated ACL, the listener forwards all requests.
If you enable a blacklist for a listener but do not add any IP addresses to the associated ACL, the listener forwards all requests.
Select ACL: Select an ACL. You can also click + Add ACL to add two ACLs at the same time.
Dissociate an ACL from a listener
You can dissociate an ACL that is no longer in use from a listener.
When all ACLs are dissociated, access control is disabled for the listener.
Log on to the GA console.
On the Instances page, find the target Global Accelerator instance and click Configure Listeners in the Actions column.
On the Listeners tab, click the ID of the listener.
Under the Listener Details tab, find the Access Control section and click the icon next to ACL. In the Modify ACL dialog box, find the ACL that you want to dissociate, click Dissociate in the Actions column, and then click OK.
Disable access control for a listener
If you no longer need to restrict access to a listener, disable access control for it.
Log on to the GA console.
On the Instances page, find the target Global Accelerator instance and click Configure Listeners in the Actions column.
On the Listeners tab, click the ID of the listener.
On the Listener Details tab, in the Access Control section, turn off the Access Control switch.
In the dialog box that appears, click OK.
Delete entries from an ACL
You can delete IP address entries from an ACL.
Log on to the GA console.
In the navigation pane on the left, choose .
Find the target ACL and click Manage ACL in the Actions column.
In the Actions column of the target IP entry, click Delete. Alternatively, select multiple IP entries and click Delete below the list of entries.
In the dialog box that appears, click OK.
Delete an ACL
Delete an ACL that is no longer in use.
Before deletion, you must dissociate an ACL from all its listeners.
Log on to the GA console.
In the navigation pane on the left, choose .
Find the ACL that you want to delete and click Delete in the Actions column.
In the dialog box that appears, click OK.
References
CreateAcl: Creates an ACL.
AddEntriesToAcl: Adds IP entries to an ACL.
AssociateAclsWithListener: Associates ACLs with a listener.
DissociateAclsFromListener: Dissociates ACLs from a listener.
RemoveEntriesFromAcl: Deletes IP entries from an ACL.
DeleteAcl: Deletes an ACL.