This topic describes how to create an access control list (ACL) for a Smart Access Gateway (SAG) app instance.
Step 1: Create an ACL
- Log on to the SAG console.
- In the top navigation bar, select the region.
- In the left-side navigation pane, click ACL.
- On the ACL page, click Create access control.
- In the Create access control dialog box, set the following parameters and click OK.
| Parameter | Description |
| --- | --- |
| Resource Group | Select a resource group for the ACL. |
| Instance Name | Enter a name for the ACL. |
| Instance Type | Select the type of SAG instance to be associated with the ACL. Valid values: SAG Device, SAG App. In this example, SAG App is selected. |
Step 2: Add a rule to the ACL
- On the ACL page, find the ACL that you want to manage and click Configure Rules in the Actions column.
- On the details page of the ACL, click the Rules tab and click Add Rule.
- In the Add Rule dialog box, set the following parameters and click OK.
| Parameter | Description |
| --- | --- |
| Instance Name | Enter a name for the rule. |
| Rule Direction | Select a direction for the rule. Outbound: the rule applies to outbound network traffic from the SAG app. Inbound: the rule applies to inbound network traffic to the SAG app. |
| Policy | Select Allow or Block to allow or reject requests. |
| Protocol | Select a protocol for the rule. The supported protocols listed in this topic are for reference only; the information in the SAG console shall prevail. |
| Source CIDR Block | The source CIDR block is determined by the direction of the rule. If the direction is Outbound, the source CIDR block is the CIDR block that the SAG app uses to initiate requests. If the direction is Inbound, the source CIDR block is the CIDR block of the external service from which requests are sent to the SAG app instance. |
| Source Port Range | Enter a source port range. The port range is determined by the selected protocol. Examples: if Protocol is set to All (All Protocols Supported), the source port range is -1/-1 by default and cannot be modified; if Protocol is set to HTTP, the source port range is 1/65535 and can be modified. The ports supported by each protocol vary; the information in the console shall prevail. Valid formats: 1/200 specifies ports 1 to 200; 80/80 specifies port 80; -1/-1 specifies all ports. |
| Destination CIDR Block | The destination CIDR block is determined by the direction of the rule. If the direction is Outbound, the destination CIDR block is the CIDR block of the external service for which requests are destined. If the direction is Inbound, the destination CIDR block is the CIDR block of the SAG app for which requests are destined. |
| Destination Port Range | Enter a destination port range. The destination port range is determined by the selected protocol. Examples: if Protocol is set to All (All Protocols Supported), the destination port range is -1/-1 by default and cannot be modified; if Protocol is set to TELNET, the destination port range is 23/23 and can be modified. The ports supported by each protocol vary; the information in the console shall prevail. Valid formats: 1/200 specifies ports 1 to 200; 80/80 specifies port 80; -1/-1 specifies all ports. |
| Priority | Select a priority for the rule. Valid values: 1 to 100. A smaller value indicates a higher priority. |
| Auto Generation of Reverse Direction Rule | Specify whether to automatically generate a rule in the reverse direction. If you select this feature, a rule in the reverse direction is generated automatically. For example, if you create a rule in the inbound direction, a rule in the outbound direction is generated automatically. Important: we recommend that you enable this feature. If you create only one rule in one direction, response timeouts may occur. If the rule uses a protocol other than UDP or TCP, the automatically generated reverse-direction rule uses TCP by default. |
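The following Python model is an added illustration, not SAG's own code or API: it parses the console's `low/high` port format (with `-1/-1` meaning all ports), mirrors a rule the way the reverse-direction option does (swapped source and destination, TCP for non-TCP/UDP protocols), and picks the winning policy by priority, where a smaller number wins. The `Rule` class, the field names and the behaviour when no rule matches (it returns `None`, since the page does not state a default) are assumptions made here for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

def parse_port_range(spec: str):
    """Parse the console's 'low/high' format; '-1/-1' (all ports) returns None."""
    low, high = (int(p) for p in spec.split("/"))
    if (low, high) == (-1, -1):
        return None
    if not 1 <= low <= high <= 65535:
        raise ValueError(f"invalid port range: {spec}")
    return (low, high)

@dataclass(frozen=True)
class Rule:  # hypothetical model of one ACL rule, mirroring the console fields
    direction: str   # "Inbound" or "Outbound"
    policy: str      # "Allow" or "Block"
    protocol: str    # "TCP", "UDP", "ICMP" or "All"
    src_cidr: str
    src_ports: str   # console format, e.g. "1/200" or "-1/-1"
    dst_cidr: str
    dst_ports: str
    priority: int    # 1 to 100; a smaller value wins

def reverse_rule(rule: Rule) -> Rule:
    """Mirror a rule as the reverse-direction option does: swap direction,
    source and destination; protocols other than TCP/UDP become TCP."""
    proto = rule.protocol if rule.protocol in ("TCP", "UDP") else "TCP"
    other = "Outbound" if rule.direction == "Inbound" else "Inbound"
    return Rule(other, rule.policy, proto, rule.dst_cidr, rule.dst_ports,
                rule.src_cidr, rule.src_ports, rule.priority)

def _port_ok(spec: str, port: Optional[int]) -> bool:
    rng = parse_port_range(spec)
    return rng is None or (port is not None and rng[0] <= port <= rng[1])

def matches(rule, direction, protocol, src_ip, src_port, dst_ip, dst_port):
    """True when the rule's direction, protocol, CIDR blocks and port ranges all match."""
    return (rule.direction == direction
            and rule.protocol in ("All", protocol)
            and ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.src_cidr, strict=False)
            and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(rule.dst_cidr, strict=False)
            and _port_ok(rule.src_ports, src_port)
            and _port_ok(rule.dst_ports, dst_port))

def evaluate(rules, direction, protocol, src_ip, src_port, dst_ip, dst_port):
    """Policy of the highest-priority (lowest-numbered) matching rule, or None
    when nothing matches (assumed here; the page states no default)."""
    hits = [r for r in rules
            if matches(r, direction, protocol, src_ip, src_port, dst_ip, dst_port)]
    return min(hits, key=lambda r: r.priority).policy if hits else None
```

Pairing an inbound Allow with its generated reverse rule, as the table recommends, is what lets the response traffic through in the example above; with only the inbound rule, the outbound reply would fall through to whatever catch-all rule follows.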
Step 3: Associate the rule with the SAG app instance
- On the ACL details page, click the Associated Instances tab.
- On the Associated Instances tab, click Associate with Instance.
- In the Associate with Instance dialog box, select one or more SAG app instances and click OK.
In the Associate with Instance dialog box, you can search for instances by resource group, instance name, and instance ID.
Related operations
| Operation | Procedure |
| --- | --- |
| Clone an ACL | You can clone an existing ACL, including its rules, and associate the new ACL with another SAG app instance. |
| Modify an ACL rule | |
| Delete an ACL rule | |
| Disassociate an ACL rule from an SAG app instance | |
| Delete an ACL | |
References
- CreateACL: creates an ACL.
- ModifyACL: renames an ACL.
- DeleteACL: deletes an ACL.
- AssociateACL: associates an ACL with an SAG instance.
- DisassociateACL: disassociates an ACL from an SAG instance.
- AddACLRule: adds a rule to an ACL.
- ModifyACLRule: modifies an ACL rule.
- DeleteACLRule: deletes an ACL rule.
- DescribeACLAttribute: queries a specified ACL.
- DescribeACLs: queries ACLs in a specified region.