
Server Load Balancer: Access control

Last Updated: Jun 25, 2024

This topic describes how to enable access control for a listener. You can enable access control for each listener of a Classic Load Balancer (CLB) instance. You can configure access control when you create a listener or modify the access control settings of an existing listener.

Access control lists (ACLs)

ACLs can work as whitelists or blacklists. You can configure whitelists or blacklists for different listeners:

  • Whitelist: Only requests from the IP addresses or CIDR blocks in the ACL are forwarded. Whitelists apply to scenarios in which you want to allow requests only from specific IP addresses.

    Improperly configured whitelists may affect service availability. If a whitelist is configured for a listener, only requests from IP addresses that are added to the whitelist are forwarded by the listener. If a whitelist is configured but no IP address is added to the whitelist, the listener forwards all requests.

  • Blacklist: All requests from the IP addresses or CIDR blocks specified in the ACL are denied. Blacklists apply to scenarios in which you want to block access from specific IP addresses.

    If a blacklist is configured for a listener but no IP addresses are added to the blacklist, the listener forwards all requests.

Limits

  • By default, a CLB listener can be associated with at most three ACLs. Listener ACLs are supported in all CLB regions.

  • IPv6 instances can be associated only with IPv6 ACLs. IPv4 instances can be associated only with IPv4 ACLs.

  • The total number of IP entries added to the ACLs that are associated with the same listener cannot exceed 1,000.

  • An ACL can be associated with up to 50 listeners.

  • The IP entries in the ACLs that are associated with the same listener must be unique.

Procedure

The following figure shows how to configure an ACL for a listener.

[Figure: procedure for configuring an ACL for a listener]

Create an ACL

Before you enable access control for a listener, you must create an ACL.

  1. Log on to the CLB console.
  2. In the top navigation bar, select the region where the CLB instance is deployed.

  3. In the left-side navigation pane, choose Access Control.

  4. On the Access Control page, click Create ACL.

  5. In the Create ACL panel, configure the parameters and click Create. The following table describes the parameters.

    • ACL Name: Enter a name for the ACL.

    • Resource Group: Select a resource group.

    • Add Multiple Addresses/CIDR Blocks and Descriptions: Enter one or more entries in the following format:

      • Enter one entry per line. Press the Enter key to start a new line.

      • Use a vertical bar (|) to separate the IP address or CIDR block from the description within an entry. Example: 192.168.1.0/24|Description.

      • You can add up to 50 entries at a time.

Add IP entries

After you create an ACL, you can add IP entries to the ACL. An IP entry can be an IP address or a CIDR block.

  1. Log on to the CLB console.
  2. In the top navigation bar, select the region where the ACL is created.

  3. In the left-side navigation pane, choose CLB > Access Control.

  4. Find the ACL that you want to manage and click Manage in the Actions column.

  5. Add IP entries.

    • Click Add ACL Entries. In the Add ACL Entries panel, add multiple IP addresses or CIDR blocks and descriptions, and then click Add.

      Take note of the following items:

      • Enter one entry per line. Press the Enter key to start a new line.

      • Use a vertical bar (|) to separate an IP address or a CIDR block and a comment within an entry. In this example, 192.168.1.0/24|Comment is entered.

    • Click Add Entry. In the Add ACL Entry panel, configure the IP Address/CIDR Block and Remarks parameters and click Add.

  6. After you add the IP entries, you can perform the following operations as needed:

    • View the IP addresses or CIDR blocks that you added in the Entry column.

    • Delete IP entries. To delete an IP entry, find the IP entry that you want to delete and click Delete in the Actions column. You can also select an IP entry and click Delete below the list.
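A pre-flight check for a batch of entries in the `IP or CIDR|description` format described in the Create ACL and Add IP entries steps, as an added example that is not part of the original documentation or of any Alibaba Cloud tool. The function name, the sample batch, the strict rejection of CIDR blocks with host bits set, and the treatment of a bare address as equal to its /32 (or /128) block are assumptions of this example, not documented CLB behavior.

```python
import ipaddress

MAX_BATCH = 50  # page: "You can add up to 50 entries at a time"

# Constructed sample batch, as it would be pasted into the console text box.
SAMPLE = """192.168.1.0/24|Office LAN
10.0.0.7|Bastion host
192.168.1.0/24|Duplicate of line 1
2001:db8::/32|Wrong family
10.0.0.300|Not an address
"""

def parse_acl_batch(text, ip_version, existing=()):
    """Validate 'IP-or-CIDR|description' lines before submitting them.

    Returns (entries, errors). entries are (canonical CIDR, description)
    tuples; existing holds canonical entries already present in the ACL.
    """
    entries, errors = [], []
    seen = set(existing)
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) > MAX_BATCH:
        errors.append(f"batch of {len(lines)} entries exceeds the {MAX_BATCH}-entry limit")
    for n, line in enumerate(lines, 1):
        addr, _, desc = line.partition("|")
        try:
            # Assumption: be strict, so 192.168.1.5/24 (host bits set) is rejected.
            net = ipaddress.ip_network(addr.strip(), strict=True)
        except ValueError as exc:
            errors.append(f"line {n}: {exc}")
            continue
        if net.version != ip_version:
            # IPv4 instances take only IPv4 ACLs, IPv6 instances only IPv6 ACLs.
            errors.append(f"line {n}: IPv{net.version} entry in an IPv{ip_version} ACL")
            continue
        key = str(net)  # a bare address becomes its /32 or /128 block
        if key in seen:
            errors.append(f"line {n}: duplicate entry {key}")
            continue
        seen.add(key)
        entries.append((key, desc.strip()))
    return entries, errors
```

Calling `parse_acl_batch(SAMPLE, 4)` accepts the first two lines and reports the duplicate, the IPv6 entry, and the malformed address by line number.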

Enable access control

You can configure whitelists or blacklists for different listeners to control network access.

  1. Log on to the CLB console.
  2. Select the region where the CLB instance is deployed.

  3. Click the ID of the CLB instance for which you want to enable access control.

  4. Click the Listener tab. In the Actions column, choose More > Configure Access Control.

  5. In the Configure Access Control panel, configure the parameters and click OK. The following table describes the parameters.

    • Access Control: Enable access control.

    • ACL Type: Select an ACL type. Valid values:

      • Whitelist: After you associate the ACL with the listener, the listener forwards only requests from IP addresses or CIDR blocks that are added to the ACL.

        Improperly configured whitelists may affect service availability. If a whitelist is configured for a listener, only requests from IP addresses that are added to the whitelist are forwarded by the listener. If a whitelist is configured but no IP address is added to the whitelist, the listener forwards all requests.

      • Blacklist: After you associate the ACL with the listener, the listener denies requests from IP addresses or CIDR blocks that are added to the ACL.

        If a blacklist is configured for a listener but no IP addresses are added to the blacklist, the listener forwards all requests.

    • ACL: Select an ACL.

      IPv6 instances can be associated only with IPv6 ACLs. IPv4 instances can be associated only with IPv4 ACLs.

      Note: Separate multiple IP entries with commas (,). You can add up to 300 IP entries to each ACL. IP entries must be unique within each ACL.
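The whitelist and blacklist behavior described above, including the case where an empty ACL makes the listener forward all requests, modeled as an audit over listener configurations. This is an added example, not code from the original documentation; the dictionary layout, listener names and addresses are constructed for illustration and are not a CLB API shape.

```python
import ipaddress

MAX_ACLS = 3       # ACLs per listener (page default)
MAX_TOTAL = 1000   # entries across all ACLs of one listener

# Constructed inventory; the layout is hypothetical.
LISTENERS = [
    {"name": "https-443", "ip_version": 4, "access_control": True,
     "acl_type": "whitelist", "acls": {"office": ["192.168.1.0/24"]}},
    {"name": "admin-8443", "ip_version": 4, "access_control": True,
     "acl_type": "whitelist", "acls": {"admins": []}},
    {"name": "http-80", "ip_version": 4, "access_control": True,
     "acl_type": "blacklist", "acls": {"blocked": ["203.0.113.0/24"]}},
]

def _entries(listener):
    return [e for cidrs in listener["acls"].values() for e in cidrs]

def audit_listener(listener):
    """Return findings for one listener against the limits on this page."""
    if not listener["access_control"]:
        return []
    entries, findings = _entries(listener), []
    if len(listener["acls"]) > MAX_ACLS:
        findings.append("more than 3 ACLs associated")
    if len(entries) > MAX_TOTAL:
        findings.append("more than 1,000 entries in total")
    if len(set(entries)) != len(entries):
        findings.append("duplicate entries across associated ACLs")
    if any(ipaddress.ip_network(e).version != listener["ip_version"] for e in entries):
        findings.append("ACL address family does not match the instance")
    if not entries:
        findings.append(f"empty {listener['acl_type']}: listener forwards all requests")
    return findings

def forwards(listener, src_ip):
    """Model the forwarding decision for one source address."""
    entries = _entries(listener)
    if not listener["access_control"] or not entries:
        return True  # access control off, or ACL empty: everything is forwarded
    src = ipaddress.ip_address(src_ip)
    nets = (ipaddress.ip_network(e) for e in entries)
    hit = any(src.version == n.version and src in n for n in nets)
    return hit if listener["acl_type"] == "whitelist" else not hit
```

Running `audit_listener` over `LISTENERS` flags only `admin-8443`, whose whitelist is enabled but empty, so `forwards` returns `True` for any source address on that listener.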

Disable access control

If a listener no longer requires access control, you can disable access control for the listener.

  1. Log on to the CLB console.
  2. Select the region where the CLB instance is deployed.

  3. Click the ID of the CLB instance for which you want to disable access control.

  4. On the instance details page, click the Listener tab.

  5. Find the listener that you want to manage and choose the More icon > Configure Access Control.

  6. In the Configure Access Control panel, disable access control and click OK.