This topic describes how to create an access control list (ACL) for a Smart Access Gateway (SAG) CPE instance.
Background information
SAG CPE instances support ACLs that match requests against application types. If you set the Application Group or Application parameter when you create an ACL, the ACL filters requests based on applications. Application-aware ACL rules can be applied only to SAG instances that have deep packet inspection (DPI) enabled. For more information about how to enable the DPI feature, see Enable DPI.
Step 1: Create an ACL
- Log on to the SAG console.
- In the top navigation bar, select the region.
- In the left-side navigation pane, click ACL.
- On the ACL page, click Create access control.
- In the Create access control dialog box, set the following parameters and click OK.
| Parameter | Description |
| --- | --- |
| Resource Group | Select a resource group for the ACL. |
| Instance Name | Enter a name for the ACL. |
| Instance Type | Select the type of SAG instance to be associated with the ACL. Valid values: SAG Device, SAG App. In this example, SAG Device is selected. |
Step 2: Add a rule to the ACL
- On the ACL page, find the ACL that you want to manage and click Configure Rules in the Actions column.
- On the details page of the ACL, click the Rules tab and click Add Rule.
- In the Add Rule dialog box, set the following parameters and click OK.
Parameters of an ACL rule:

- Instance Name: Enter a name for the rule.
- Network Type: Select a network type for the rule.
  - Private Network: The ACL rule controls network traffic that originates from and is destined for private IP addresses.
  - Public Network: The ACL rule controls network traffic that originates from and is destined for public IP addresses.
- Rule Direction: Select a direction for the rule.
  - Outbound: The ACL rule controls outbound network traffic from the on-premises network that is associated with the SAG instance.
  - Inbound: The ACL rule controls inbound network traffic to the on-premises network that is associated with the SAG instance.
- Policy: Select Allow or Block to allow or reject requests.
- Protocol: Select a protocol for the rule. The supported protocols listed in this topic are for reference only; the protocols shown in the SAG console shall prevail.
- Source CIDR Block: The meaning of the source CIDR block is determined by the direction of the rule.
  - If the direction is Outbound, the source CIDR block is the CIDR block of the on-premises network from which requests are initiated.
  - If the direction is Inbound, the source CIDR block is the CIDR block of the external service from which requests are initiated.
- Source Port Range: Enter a source port range. The default range is determined by the selected protocol. Examples:
  - If Protocol is set to All (All Protocols Supported), the source port range is -1/-1 by default and cannot be modified.
  - If Protocol is set to HTTP, the source port range is 1/65535 and can be modified.
  The ports supported by each protocol vary; the information in the console shall prevail. Valid formats:
  - 1/200: specifies ports that range from 1 to 200.
  - 80/80: specifies port 80.
  - -1/-1: specifies all ports.
- Destination CIDR Block: The meaning of the destination CIDR block is determined by the direction of the rule.
  - If the direction is Outbound, the destination CIDR block is the CIDR block of the external service for which requests are destined.
  - If the direction is Inbound, the destination CIDR block is the CIDR block of the on-premises network for which requests are destined.
- Destination Port Range: Enter a destination port range. The default range is determined by the selected protocol. Examples:
  - If Protocol is set to All (All Protocols Supported), the destination port range is -1/-1 by default and cannot be modified.
  - If Protocol is set to TELNET, the destination port range is 23/23 and can be modified.
  The ports supported by each protocol vary; the information in the console shall prevail. Valid formats:
  - 1/200: specifies ports that range from 1 to 200.
  - 80/80: specifies port 80.
  - -1/-1: specifies all ports.
- Priority: Select a priority for the rule. Valid values: 1 to 100. A smaller value indicates a higher priority.
- Application Group: Select an application group to which you want to apply the rule. An application group contains one or more applications. After you select an application group, the rule applies to all applications in the group. The supported application groups listed in this topic are for reference only; the information in the SAG console shall prevail.
- Application: Select the applications to which you want to apply the rule. You can select an application from the specified application group. The supported applications listed in this topic are for reference only; the information in the SAG console shall prevail. If you select both an Application Group and an Application, the rule is applied to all applications in the specified application group and to the specified Application.
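As an added illustration (not code from the SAG console or the SAG product), the following Python models how the rule fields above combine when a packet is checked: the low/high port format with -1/-1 meaning all ports, CIDR matching on source and destination, the direction and protocol filters, and priority ordering where a smaller number wins. Rule names, addresses and ports are constructed sample values; application-aware (DPI) matching is not modeled, and because this topic does not state what happens when no rule matches, the evaluator returns None in that case and leaves the decision to the caller.

```python
import ipaddress
from dataclasses import dataclass

def parse_port_range(spec: str):
    """Parse the console's 'low/high' port format; '-1/-1' means all ports."""
    low, high = (int(p) for p in spec.split("/"))
    if (low, high) == (-1, -1):
        return (0, 65535)
    if not 1 <= low <= high <= 65535:
        raise ValueError(f"invalid port range: {spec}")
    return (low, high)

@dataclass
class AclRule:
    name: str
    direction: str      # "Outbound" or "Inbound"
    policy: str         # "Allow" or "Block"
    protocol: str       # e.g. "TCP", "UDP" or "All"
    source_cidr: str
    source_ports: str   # console format, e.g. "-1/-1" or "1/65535"
    dest_cidr: str
    dest_ports: str
    priority: int       # 1 to 100; a smaller value is a higher priority

    def __post_init__(self):
        if not 1 <= self.priority <= 100:
            raise ValueError(f"priority out of range: {self.priority}")

    def matches(self, direction, protocol, src_ip, src_port, dst_ip, dst_port):
        if self.direction != direction or self.protocol not in ("All", protocol):
            return False
        if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(self.source_cidr):
            return False
        if ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(self.dest_cidr):
            return False
        s_lo, s_hi = parse_port_range(self.source_ports)
        d_lo, d_hi = parse_port_range(self.dest_ports)
        return s_lo <= src_port <= s_hi and d_lo <= dst_port <= d_hi

def evaluate(rules, direction, protocol, src_ip, src_port, dst_ip, dst_port):
    # Highest priority (lowest number) matching rule decides the policy.
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(direction, protocol, src_ip, src_port, dst_ip, dst_port):
            return rule.policy
    return None  # no default action is stated on this page (assumption: caller decides)

RULES = [  # constructed sample: block outbound Telnet from the branch LAN, allow other outbound
    AclRule("block-telnet", "Outbound", "Block", "TCP", "192.168.10.0/24", "-1/-1", "0.0.0.0/0", "23/23", 10),
    AclRule("allow-out", "Outbound", "Allow", "All", "192.168.10.0/24", "-1/-1", "0.0.0.0/0", "-1/-1", 50),
]
```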
Step 3: Associate the rule with the SAG CPE instance
- On the ACL details page, click the Associated Instances tab.
- On the Associated Instances tab, click Associate with Instance.
- In the Associate with Instance dialog box, select one or more SAG CPE instances and click OK. You can search for instances by resource group, instance name, and instance ID.
Related operations
| Operation | Procedure |
| --- | --- |
| Clone an ACL | You can clone an existing ACL, including its rules, and associate the new ACL with other SAG CPE instances. |
| Modify an ACL rule | |
| Delete an ACL rule | |
| Disassociate an ACL rule from an SAG CPE instance | |
| Delete an ACL | |
References
- CreateACL: creates an ACL.
- ModifyACL: renames an ACL.
- DeleteACL: deletes an ACL.
- AssociateACL: associates an ACL with an SAG instance.
- DisassociateACL: disassociates an ACL from an SAG instance.
- AddACLRule: adds a rule to an ACL.
- ModifyACLRule: modifies an ACL rule.
- DeleteACLRule: deletes an ACL rule.
- DescribeACLAttribute: queries a specified ACL.
- DescribeACLs: queries ACLs in a specified region.