Create an ACL for an SAG app instance - Smart Access Gateway

This topic describes how to create an access control list (ACL) for a Smart Access Gateway (SAG) app instance.

Step 1: Create an ACL

Log on to the SAG console.
In the top navigation bar, select the region.
In the left-side navigation pane, click ACL.
On the ACL page, click Create access control.

In the Create access control dialog box, set the following parameters and click OK.

Parameter	Description
Resource Group	Select a resource group for the ACL.
Instance Name	Enter a name for the ACL.
Instance Type	Select the type of SAG instance to be associated with the ACL. Valid values: SAG Device SAG App In this example, SAG App is selected.

Step 2: Add a rule to the ACL

On the ACL page, find the ACL that you want to manage and click Configure Rules in the Actions column.
On the details page of the ACL, click the Rules tab and click Add Rule.

In the Add Rule dialog box, set the following parameters and click OK.

Parameter	Description
Instance Name	Enter a name for the rule.
Rule Direction	Select a direction for the rule. Outbound: The rule applies to outbound network traffic from the SAG app. Inbound: The rule applied to inbound network traffic to the SAG app.
Policy	Select Allow or Block to allow or reject requests.
Protocol	Select a protocol for the rule. The supported protocols provided in this topic are for reference only. The information in the SAG console shall prevail.
Source CIDR Block	The source CIDR block is determined by the direction of the rule. If the direction is Outbound, the source CIDR block is the CIDR block that the SAG app uses to initiate requests. If the direction is Inbound, the source CIDR block is the CIDR block of the external service from which requests are sent to the SAG app instance.
Source Port Range	Enter a source port range. The port range is determined by the selected protocol. Examples: If Protocol is set to All (All Protocols Supported), the source port range is -1/-1 by default and cannot be modified. If Protocol is set to HTTP, the source port range is 1/65535 and can be modified. The ports supported by each protocol vary. The information in the console shall prevail. Valid formats: 1/200: specifies ports that range from 1 to 200. 80/80: specifies port 80. -1/-1: specifies all ports.
Destination CIDR Block	The destination CIDR block is determined by the direction of the rule. If the direction is Outbound, the destination CIDR block is the CIDR block of the external service for which requests are destined. If the direction is Inbound, the destination CIDR block is the CIDR block of the SAG app for which requests are destined.
Destination Port Range	Enter a destination port range. The destination port range is determined by the selected protocol. Examples: If Protocol is set to All (All Protocols Supported), the destination port range is -1/-1 by default and cannot be modified. If Protocol is set to TELNET, the destination port range is 23/23 and can be modified. The ports supported by each protocol vary. The information in the console shall prevail. Valid formats: 1/200: specifies ports that range from 1 to 200. 80/80: specifies port 80. -1/-1: specifies all ports.
Priority	Select a priority for the rule. Valid values: 1 to 100. A smaller value indicates a higher priority.
Auto Generation of Reverse Direction Rule	Specify whether to automatically generate a rule that is in the reverse direction. If you select this feature, a rule in the reverse direction is automatically generated. For example, if you create a rule in the inbound direction, a rule in the outbound direction is automatically generated. Important We recommend that you enable this feature. If you create only one rule in one direction, response timeouts may occur. If the rule supports protocols other than UDP and TCP, the rule that is automatically generated in the reverse direction uses the TCP protocol by default.

Step 3: Associate the rule with the SAG app instance

On the ACL details page, click the Associated Instances tab.
On the Associated Instances tab, click Associate with Instance.
In the Associate with Instance dialog box, select one or more SAG app instances and click OK.
In the Associate with Instance dialog box, you can search instances by resource group, instance name, and instance ID.

Related operations

Operation	Procedure
Clone an ACL	You can clone an existing ACL, including its rules, and associate the new ACL with another SAG app instance. On the ACL page, find the ACL that you want to manage and choose > Clone in the Actions column. In the Clone ACL message, confirm the information and click OK.
Modify an ACL rule	On the details page of the ACL, click the Rules tab and find the rule that you want to modify. Click Modify in the Actions column. In the Edit Rule dialog box, modify the settings and click OK.
Delete an ACL rule	On the details page of the ACL, click the Rules tab and find the rule that you want to delete. Click Delete in the Actions column. In the Delete Rule message, click OK.
Disassociate an ACL rule from an SAG app instance	On the ACL instance details page, click the Associated Instances tab. On the Associated Instances tab, find the SAG app instance that you want to manage and click Disassociate in the Actions column. In the Disassociate Instance message, confirm the instance information and click OK.
Delete an ACL	On the ACL page, find the ACL that you want to delete and choose > Delete in the Actions column. In the Delete ACL message, confirm the information and click OK.

References

CreateACL: creates an ACL.
ModifyACL: renames an ACL.
DeleteACL: deletes an ACL.
AssociateACL: associates an ACL with an SAG instance.
DisassociateACL: disassociates an ACL from an SAG instance.
AddACLRule: adds a rule to an ACL.
ModifyACLRule: modifies an ACL rule.
DeleteACLRule: deletes an ACL rule.
DescribeACLAttribute: queries a specified ACL.
DescribeACLs: queries ACLs in a specified region.