
Smart Access Gateway: ACL overview

Last Updated: Oct 11, 2023

Smart Access Gateway (SAG) supports access control lists (ACLs) that allow you to reject or allow requests from specified sources. ACLs improve network security.

Feature description

Components

An ACL is used to filter traffic based on the specified ACL rule and action policy. An ACL rule consists of match conditions and an action policy.

  • Match conditions: The match conditions of an ACL rule are the rule direction, protocol, source CIDR block, source port, destination CIDR block, and destination port. Each request is compared against these conditions.

    SAG CPE instances and app instances support different match conditions. For more information, see Create an ACL for an SAG app instance and Create an ACL for an SAG CPE instance.

  • Action policy: You can specify whether to allow or reject requests that match the ACL rule.

Match rules

You can add one or more ACL rules to an ACL. By default, requests are matched against ACL rules in order of rule priority, from highest to lowest; a smaller priority value indicates a higher priority. If a request matches multiple ACL rules, the rule that is applied is selected as follows:

  • If the matching rules have the same priority, the ACL rule whose action is Deny is applied first.

  • If multiple ACL rules have the same priority and action, the ACL rule whose source and destination CIDR blocks exactly match the source and destination of the request is applied first.

  • If multiple ACL rules have the same priority, action, source CIDR block, and destination CIDR block, the ACL rule that was added earliest is applied first.

If a request matches an ACL rule, the system allows or rejects the request based on the action specified in that rule. Matching ends immediately and the remaining ACL rules are not evaluated. If a request matches no ACL rule, the system allows the request by default.
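The following added example (not code from the SAG product or its API) models the matching order described above, so that you can check how a given set of rules would treat a request before deploying it. Field names, the request dictionary format, and the sample rules are this illustration's own assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from itertools import count
from typing import Optional

# Assumed field names for this illustration; they are not the SAG console
# or API identifiers.
_created = count()  # creation order, used as the final tie-breaker


@dataclass
class AclRule:
    priority: int                     # smaller value = higher priority
    action: str                       # "allow" or "deny"
    src: str                          # source CIDR block
    dst: str                          # destination CIDR block
    direction: str = "in"             # rule direction: "in" or "out"
    protocol: str = "all"             # "all", "tcp", "udp", ...
    src_port: Optional[int] = None    # None = any port
    dst_port: Optional[int] = None
    order: int = field(default_factory=lambda: next(_created))

    def matches(self, req):
        return (self.direction == req["direction"]
                and self.protocol in ("all", req["protocol"])
                and ip_address(req["src"]) in ip_network(self.src, strict=False)
                and ip_address(req["dst"]) in ip_network(self.dst, strict=False)
                and self.src_port in (None, req["src_port"])
                and self.dst_port in (None, req["dst_port"]))

    def exactness(self):
        # Number of CIDR blocks that name exactly one address, i.e. that
        # match the request's source or destination exactly.
        return sum(ip_network(c, strict=False).num_addresses == 1
                   for c in (self.src, self.dst))


def evaluate(rules, req):
    """Return (action, winning_rule); ("allow", None) if nothing matches."""
    hits = [r for r in rules if r.matches(req)]
    if not hits:
        return "allow", None  # unmatched requests are allowed by default
    # Precedence from the page: priority value, then Deny before Allow,
    # then exact source/destination match, then the rule created earliest.
    win = min(hits, key=lambda r: (r.priority, r.action != "deny",
                                   -r.exactness(), r.order))
    return win.action, win
```

Because a request that matches nothing is allowed, a list that only contains Deny rules still leaves every other flow open; add an explicit low-priority Deny rule if a default-deny posture is wanted.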

Limits

  • Only SAG app and CPE instances support ACLs. ACLs are unavailable for SAG app instances by default. To enable ACLs for SAG app instances, contact your account manager.

  • Only SAG CPE instances support application-aware ACLs.

  • After you create an ACL, the ACL type cannot be modified.

  • The following table describes the limits on resource quotas.

    Resource                                                                      Default quota   Adjustable
    The maximum number of ACLs that can be associated with an SAG CPE instance    1               No
    The maximum number of ACLs that can be associated with an SAG app instance    1               No
    The maximum number of ACL rules that can be created for an SAG CPE instance   50              No
    The maximum number of ACL rules that can be created for an SAG app instance   50              No
    The maximum number of ACLs that can be created by an Alibaba Cloud account    10              No

Procedure

Access control workflow

References