Smart Access Gateway (SAG) supports access control lists (ACLs) that allow you to reject or allow requests from specified sources. ACLs improve network security.
Feature description
Components
An ACL is used to filter traffic based on the specified ACL rule and action policy. An ACL rule consists of match conditions and an action policy.
Match conditions: The match conditions of an ACL rule are the rule direction, protocol, source CIDR block, source port, destination CIDR block, and destination port. A request is compared against all of these conditions.
SAG CPE instances and app instances support different match conditions. For more information, see Create an ACL for an SAG app instance and Create an ACL for an SAG CPE instance.
Action policy: You can specify whether to allow or reject requests that match the ACL rule.
Match rules
You can add one or more ACL rules to an ACL. By default, requests are matched against ACL rules in descending order of rule priority. A smaller priority value indicates a higher priority. If a request matches multiple ACL rules, the ACL rules are applied based on the following conditions:
The ACL rule whose action is Deny is applied first.
If multiple ACL rules have the same priority and action, the ACL rule whose source and destination CIDR blocks match those of the request is applied first.
If multiple ACL rules have the same priority, action, source CIDR block, and destination CIDR block, the ACL rule that is added the earliest is applied first.
If a request matches an ACL rule, the system allows or rejects the request based on the action specified in the ACL rule. In this case, the matching process immediately ends and the system stops matching the request against the remaining ACL rules. If a request does not match an ACL rule, the system allows the request by default.
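The match order described above, as an added Python model (illustration only, not Alibaba Cloud or SAG code). It assumes an integer priority where a smaller value is matched first, models the "source and destination CIDR blocks match those of the request" tie-break as the rule with the narrower CIDR blocks (sum of prefix lengths), treats the Deny-first rule as applying among rules of the same priority, breaks the final tie by creation order, and allows a request that matches no rule. The rules and requests are constructed sample data.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from itertools import count
from typing import List, Optional

_creation_order = count()  # records the order in which rules were added


@dataclass
class AclRule:
    direction: str              # "in" or "out"
    protocol: str               # "tcp", "udp", "icmp", or "all"
    source_cidr: str
    source_port: Optional[int]  # None means any port
    dest_cidr: str
    dest_port: Optional[int]    # None means any port
    action: str                 # "allow" or "deny"
    priority: int = 1           # smaller value = higher priority
    created: int = field(default_factory=lambda: next(_creation_order))

    def matches(self, req: "Request") -> bool:
        """True only when every match condition applies to the request."""
        if self.direction != req.direction:
            return False
        if self.protocol != "all" and self.protocol != req.protocol:
            return False
        if ip_address(req.source_ip) not in ip_network(self.source_cidr):
            return False
        if ip_address(req.dest_ip) not in ip_network(self.dest_cidr):
            return False
        if self.source_port is not None and self.source_port != req.source_port:
            return False
        if self.dest_port is not None and self.dest_port != req.dest_port:
            return False
        return True

    def specificity(self) -> int:
        # Assumption: narrower CIDR blocks count as the closer match for a
        # request; the sum of both prefix lengths models that.
        return (ip_network(self.source_cidr).prefixlen
                + ip_network(self.dest_cidr).prefixlen)


@dataclass
class Request:
    direction: str
    protocol: str
    source_ip: str
    source_port: Optional[int]
    dest_ip: str
    dest_port: Optional[int]


def ordered(rules: List[AclRule]) -> List[AclRule]:
    """Evaluation order: priority, Deny before Allow, narrower CIDRs, then earliest added."""
    return sorted(rules, key=lambda r: (r.priority,
                                        0 if r.action == "deny" else 1,
                                        -r.specificity(),
                                        r.created))


def first_match(rules: List[AclRule], req: Request) -> Optional[AclRule]:
    for rule in ordered(rules):
        if rule.matches(req):
            return rule  # matching ends at the first hit
    return None


def decide(rules: List[AclRule], req: Request) -> str:
    rule = first_match(rules, req)
    return rule.action if rule else "allow"  # no matching rule: allowed by default


# Constructed sample ACL: allow SSH from 10/8, but deny it from the 10.0.1.0/24
# subnet, and drop everything else at a lower priority.
SAMPLE_RULES = [
    AclRule("in", "tcp", "10.0.0.0/8", None, "192.168.1.0/24", 22, "allow", priority=1),
    AclRule("in", "tcp", "10.0.1.0/24", None, "192.168.1.0/24", 22, "deny", priority=1),
    AclRule("in", "all", "0.0.0.0/0", None, "0.0.0.0/0", None, "deny", priority=2),
]

if __name__ == "__main__":
    for ip in ("10.0.1.5", "10.0.2.5", "172.16.0.1"):
        req = Request("in", "tcp", ip, 40000, "192.168.1.10", 22)
        print(ip, "->", decide(SAMPLE_RULES, req))
```

Because the rules are sorted before matching, the Deny rule on 10.0.1.0/24 wins over the broader Allow rule of the same priority, while a source outside 10/8 falls through to the catch-all Deny; with no rule in the list at all, `decide` returns the default allow.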
Limits
Only SAG app and CPE instances support ACLs. ACLs are unavailable for SAG app instances by default. To enable ACLs for SAG app instances, contact your account manager.
Only SAG CPE instances support application-aware ACLs.
After you create an ACL, the ACL type cannot be modified.
The following table describes the limits on resource quotas.

| Resource | Default quota | Adjustable |
| --- | --- | --- |
| Maximum number of ACLs that can be associated with an SAG CPE instance | 1 | No |
| Maximum number of ACLs that can be associated with an SAG app instance | 1 | No |
| Maximum number of ACL rules that can be created for an SAG CPE instance | 50 | No |
| Maximum number of ACL rules that can be created for an SAG app instance | 50 | No |
| Maximum number of ACLs that can be created by an Alibaba Cloud account | 10 | No |