Global Accelerator:Enable access control for GA listeners

Last Updated:Jul 10, 2024

To control precisely which clients can reach a listener, you can enable access control for Global Accelerator (GA) listeners. You configure a whitelist or a blacklist to allow or deny requests from specific IP addresses and CIDR blocks.

Introduction

An access control policy consists of one or more access control lists (ACLs) and an access control mode.

  • ACL: A list of IP addresses or CIDR blocks. Each ACL uses a single IP version (IPv4 or IPv6) and can be reused across listeners.

  • Access control mode: Whether the ACLs associated with a listener are treated as a whitelist or a blacklist. The mode is set per listener.

    • Whitelist: Only requests from the IP addresses or CIDR blocks in the associated ACL are forwarded; all other requests are blocked. Use a whitelist when only a known set of clients should be able to reach the listener.

    • Blacklist: Requests from the IP addresses or CIDR blocks in the associated ACL are blocked; all other requests are forwarded. Use a blacklist when you want to keep specific known sources away from the listener while leaving it reachable by everyone else.

Warning
  • An improperly configured whitelist is risky in both directions. After you configure a whitelist for a listener, the listener forwards only requests from the IP addresses and CIDR blocks in the whitelist, so a client you forget to list is locked out. The opposite failure mode is silent: if access control is enabled in whitelist mode but the ACL contains no entries, the listener forwards all requests. An empty whitelist therefore provides no protection at all, and you should verify that the ACL has entries before relying on it.

  • If access control is enabled in blacklist mode but the ACL contains no entries, the listener likewise forwards all requests.

ACLs support IPv4 and IPv6, but each ACL uses a single IP version. When you configure access control for a listener, select an ACL that uses the same IP version as the accelerated IP addresses of the listener's access points; an ACL of the other IP version does not take effect on that listener.
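The rules above (whitelist versus blacklist, the IP-version match, and the fail-open behaviour of an empty ACL) can be checked against a small model before you touch a production listener. The following is an added example, not code from this page or from Alibaba Cloud: it reimplements the stated decision rules in Python so that you can test a planned policy against sample client addresses and lint it for the empty-whitelist mistake. The `Acl` class, `make_acl`, `listener_forwards` and `lint_listener` are names chosen for this example, and the sample entries are constructed. Where the page does not state a behaviour (a listener that has no ACL of the client's IP version at all), the model raises an error rather than guessing.

```python
"""Model of GA listener access control decisions (added example).

Encodes the rules stated on this page: a whitelist forwards only listed
sources, a blacklist forwards everything except listed sources, only the
ACL whose IP version matches the client address applies, and an enabled
whitelist or blacklist with no entries forwards every request (fail-open).
"""
from dataclasses import dataclass, field
import ipaddress

WHITELIST = "whitelist"
BLACKLIST = "blacklist"


@dataclass
class Acl:
    """An ACL as created in the console: one IP version, zero or more entries."""
    version: int                                  # 4 or 6, the ACL's IP Version
    entries: list = field(default_factory=list)   # ip_network objects


def make_acl(version, raw_entries):
    """Build an Acl from strings such as "203.0.113.0/24" or "198.51.100.7"."""
    if version not in (4, 6):
        raise ValueError("version must be 4 or 6")
    nets = [ipaddress.ip_network(e, strict=False) for e in raw_entries]
    wrong = [str(n) for n in nets if n.version != version]
    if wrong:
        raise ValueError(f"entries {wrong} are not IPv{version}")
    return Acl(version, nets)


def listener_forwards(mode, acls, client_ip):
    """Return True if a listener with this mode and these ACLs forwards client_ip."""
    if mode not in (WHITELIST, BLACKLIST):
        raise ValueError(f"unknown access control mode {mode!r}")
    ip = ipaddress.ip_address(client_ip)
    # Only the ACL that uses the same IP version as the client address takes effect.
    effective = [acl for acl in acls if acl.version == ip.version]
    if not effective:
        # The page does not say what happens when the listener has no ACL of this
        # IP version at all, so treat it as an error instead of guessing.
        raise ValueError(f"listener has no IPv{ip.version} ACL associated")
    entries = [n for acl in effective for n in acl.entries]
    if not entries:
        return True  # empty whitelist or blacklist: the listener forwards all requests
    listed = any(ip in n for n in entries)
    return listed if mode == WHITELIST else not listed


def lint_listener(mode, acls):
    """Flag policy configurations that allow (or block) far more than intended."""
    findings = []
    for acl in acls:
        if not acl.entries:
            findings.append(
                f"IPv{acl.version} {mode} has no entries: "
                f"listener forwards all IPv{acl.version} requests"
            )
        for n in acl.entries:
            if n.prefixlen == 0 and mode == WHITELIST:
                findings.append(f"{n} in a whitelist admits every IPv{n.version} client")
            if n.prefixlen == 0 and mode == BLACKLIST:
                findings.append(f"{n} in a blacklist blocks every IPv{n.version} client")
    return findings


if __name__ == "__main__":
    # Constructed sample policy: one IPv4 ACL and one IPv6 ACL on a dual-stack listener.
    v4 = make_acl(4, ["203.0.113.0/24", "198.51.100.7"])
    v6 = make_acl(6, ["2001:db8::/32"])
    for src in ("203.0.113.9", "192.0.2.1", "2001:db8::1"):
        verdict = "forwarded" if listener_forwards(WHITELIST, [v4, v6], src) else "blocked"
        print(f"{src}: {verdict}")
    print(lint_listener(WHITELIST, [make_acl(4, [])]))
```

Run `lint_listener` over the mode and ACLs you intend to apply; an empty finding list means the policy at least does not fail open. The model deliberately checks only what the page states, so a client whose IP version has no associated ACL is reported as an error rather than assumed to be forwarded or blocked.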


Limits

Pay-as-you-go standard GA instances

  • You can enable the access control feature only for intelligent routing listeners.

  • The total number of IP addresses and CIDR blocks in the ACLs that are associated with listeners of a Global Accelerator instance cannot exceed 600.

    The maximum number of IP addresses and CIDR blocks in the ACLs that are associated with a listener is calculated as follows:

    • Total number of listening ports × Number of ACLs

    • For an HTTP/3 listener: Total number of listening ports × Number of ACLs × 2

  • An ACL can be associated with up to 10 listeners.

  • A listener can be associated with only one IPv4 ACL and one IPv6 ACL.

    • If a GA instance uses only IPv4 or only IPv6 accelerated IP addresses (not dual-stack) and the listener is associated with both an IPv4 ACL and an IPv6 ACL, only the ACL that uses the same IP version as the accelerated IP addresses takes effect. The other ACL is ignored.

    • If a GA instance uses dual-stack accelerated IP addresses and the listener is associated with an IPv4 ACL and an IPv6 ACL, both ACLs take effect.

Subscription standard GA instances

  • You can enable the access control feature only for intelligent routing listeners.

  • The total number of IP addresses and CIDR blocks in the ACLs that are associated with a listener cannot exceed 200. The IP addresses and CIDR blocks must be unique.

  • An ACL can be associated with up to 10 listeners.

  • A listener can be associated with only one IPv4 ACL and one IPv6 ACL.

    • If a GA instance uses only IPv4 or only IPv6 accelerated IP addresses (not dual-stack) and the listener is associated with both an IPv4 ACL and an IPv6 ACL, only the ACL that uses the same IP version as the accelerated IP addresses takes effect. The other ACL is ignored.

    • If a GA instance uses dual-stack accelerated IP addresses and the listener is associated with an IPv4 ACL and an IPv6 ACL, both ACLs take effect.

Procedure


Create an ACL

Before you enable access control for a listener, you must create an ACL.

  1. Log on to the GA console.

  2. In the left-side navigation pane, choose Standard Instance > Access Control.

  3. On the Access Control page, click Create ACL.

  4. In the Create ACL dialog box, configure the following parameters and click OK.

    • ACL Name: Enter a name for the ACL.

    • IP Version: Select the IP version of the ACL.

      • If you select IPv4, the ACL takes effect only in acceleration regions that use accelerated IPv4 addresses.

      • If you select IPv6, the ACL takes effect only in acceleration regions that use accelerated IPv6 addresses.

    • Resource Group: Select the resource group to which the ACL belongs. The resource group must be one that the current Alibaba Cloud account created in Resource Management. For more information, see Create a resource group.

    • Tag: Add tags to the ACL by configuring Tag Key and Tag Value. For more information about how to manage ACL tags, see Manage tags.

Add IP addresses or CIDR blocks to the ACL

After the ACL is created, you can add multiple IP addresses or CIDR blocks to the ACL. This way, you can enable a listener to allow or block access from the specified IP addresses or CIDR blocks.

  1. Log on to the GA console.

  2. In the left-side navigation pane, choose Standard Instance > Access Control.

  3. Find the ACL that you want to manage and click Manage in the Actions column.

  4. On the ACL Details page, you can use the following methods to add IP addresses or CIDR blocks to the ACL:

    • Add one IP address or CIDR block to the ACL

      Click Add Rule. In the Add ACL Entry dialog box, configure the IP Address/CIDR Block and Remark parameters and click OK.

    • Add multiple IP addresses or CIDR blocks at a time

      Click Add Multiple Rules. In the Add Multiple Rules dialog box, enter multiple IP addresses or CIDR blocks by following the prompt and then click OK.
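Before you paste a batch into the Add Multiple Rules dialog box, it is worth normalizing it offline, because the limits above require entries to be unique and to match the ACL's IP version, and every entry counts against the quota. The following is an added example, not code from this page or from Alibaba Cloud: `prepare_acl_batch` is a helper written for this page that canonicalizes each entry, rejects entries of the wrong IP version, rejects duplicates, drops entries already covered by a broader CIDR block in the same batch (an assumption made here to save quota; the page only states that entries must be unique), and checks the result against a caller-supplied limit. The sample input is constructed.

```python
"""Normalize a batch of entries for the Add Multiple Rules step (added example)."""
import ipaddress


def prepare_acl_batch(raw_entries, ip_version, max_entries):
    """Return (entries, rejected) for a GA ACL of the given IP version.

    entries  - canonical CIDR strings to add, in input order
    rejected - maps each dropped input to the reason it was dropped

    Rules applied:
    - a bare address becomes a host route (/32 or /128);
    - entries of the other IP version are rejected, because an ACL is either
      IPv4 or IPv6;
    - exact duplicates are rejected, because entries in an ACL must be unique;
    - an entry already covered by a broader entry in the same batch is dropped
      to save quota (assumption made in this example: a covered entry adds
      nothing to the match; the page itself only requires uniqueness);
    - the final count is checked against max_entries, which the caller sets to
      the per-listener or per-instance limit that applies to the instance type.
    """
    if ip_version not in (4, 6):
        raise ValueError("ip_version must be 4 or 6")
    accepted = {}   # canonical CIDR -> ip_network, in insertion order
    rejected = {}
    for raw in raw_entries:
        text = raw.strip()
        if not text:
            continue  # blank line in the pasted batch
        try:
            net = ipaddress.ip_network(text, strict=False)  # masks host bits
        except ValueError:
            rejected[raw] = "not a valid IP address or CIDR block"
            continue
        if net.version != ip_version:
            rejected[raw] = f"IPv{net.version} entry cannot go into an IPv{ip_version} ACL"
            continue
        key = net.with_prefixlen
        if key in accepted:
            rejected[raw] = f"duplicate of {key}"
            continue
        accepted[key] = net

    kept = []
    for key, net in accepted.items():
        cover = next((o for o in accepted.values() if o != net and net.subnet_of(o)), None)
        if cover is not None:
            rejected[key] = f"already covered by {cover.with_prefixlen}"
        else:
            kept.append(key)

    if len(kept) > max_entries:
        raise ValueError(f"{len(kept)} entries exceed the limit of {max_entries}")
    return kept, rejected


if __name__ == "__main__":
    # Constructed sample batch with a host entry, its covering block, a
    # duplicate, an IPv6 entry, an invalid line and a blank line.
    sample = ["203.0.113.7", "203.0.113.0/24", "203.0.113.7",
              "2001:db8::1", "198.51.100.0/25", "not-an-ip", "  "]
    entries, rejected = prepare_acl_batch(sample, ip_version=4, max_entries=200)
    print("\n".join(entries))          # paste this into Add Multiple Rules
    for item, reason in rejected.items():
        print(f"dropped {item!r}: {reason}")
```

Print the returned `entries` one per line and paste that text into the dialog box; review `rejected` before you do, since a rejected line usually means the source list mixed IP versions or contains an address that was meant to be a block.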

Enable access control for a listener

Before you enable access control, make sure that a listener is created. For more information, see Add and manage intelligent routing listeners.

  1. Log on to the GA console.

  2. On the Instances page, find the GA instance that you want to manage and click Configure Listeners in the Actions column.

  3. On the Listeners tab, click the ID of the listener for which you want to enable access control.

  4. In the Access Control section of the Listener Details tab, turn on Access Control.

  5. In the Enable Access Control dialog box, configure the following parameters and click OK.

    • Access Control Mode: Select an access control mode. Valid values:

      • Whitelist: After you associate an ACL with the listener, the listener forwards only requests from the IP addresses or CIDR blocks in the ACL and blocks all other requests.

      • Blacklist: Requests from the IP addresses or CIDR blocks in the ACL are not forwarded; all other requests are forwarded.

      Warning: An enabled whitelist or blacklist whose ACL contains no entries forwards all requests. In whitelist mode this means an empty ACL provides no protection. See the warning in the Introduction section above.

    • Select ACL: Select an ACL. You can also click + Add ACL to associate a second ACL. Because a listener can be associated with only one IPv4 ACL and one IPv6 ACL, the two ACLs must use different IP versions.

Disassociate an ACL from a listener

You can disassociate ACLs that you no longer require from a listener.

After you disassociate all ACLs from a listener, the system disables the access control feature for the listener.

  1. Log on to the GA console.

  2. On the Instances page, find the GA instance that you want to manage and click Configure Listeners in the Actions column.

  3. On the Listeners tab, click the ID of the listener from which you want to disassociate ACLs.

  4. In the Access Control section of the Listener Details tab, click the Edit icon next to Access Control List.

  5. In the Modify ACL dialog box, find the ACL that you want to disassociate, click Disassociate in the Actions column, and then click OK.

Disable access control for a listener

If a listener no longer requires access control, you can disable access control for the listener.

  1. Log on to the GA console.

  2. On the Instances page, find the GA instance that you want to manage and click Configure Listeners in the Actions column.

  3. On the Listeners tab, click the ID of the listener for which you want to disable access control.

  4. In the Access Control section of the Listener Details tab, turn off Access Control.

  5. In the message that appears, click OK.

Remove IP addresses or CIDR blocks from an ACL

You can remove IP addresses or CIDR blocks from an ACL.

  1. Log on to the GA console.

  2. In the left-side navigation pane, choose Standard Instance > Access Control.

  3. Find the ACL that you want to manage and click Manage in the Actions column.

  4. Find the IP address or CIDR block that you want to remove from the ACL and click Delete in the Actions column, or select multiple entries and click Delete below the entry list.

  5. In the message that appears, click OK.

Delete an ACL

You can delete ACLs that you no longer require.

Before you delete an ACL, disassociate the ACL from the listener. For more information, see Disassociate an ACL from a listener.

  1. Log on to the GA console.

  2. In the left-side navigation pane, choose Standard Instance > Access Control.

  3. Find the ACL that you want to delete and click Delete in the Actions column.

  4. In the message that appears, click OK.
