
Server Load Balancer: Access control

Last Updated: Sep 27, 2023

This topic describes how to enable access control for a listener. You can enable access control for each listener of a Classic Load Balancer (CLB) instance. You can configure access control when you create a listener or modify the access control settings of an existing listener.

Access control lists (ACLs)

You can configure whitelists or blacklists for different listeners:

  • Whitelist: Only requests from the IP addresses or CIDR blocks in the specified ACL are forwarded. Whitelists apply to scenarios in which you want to allow only specific IP addresses to access an application.

    Your service may be adversely affected if the whitelist is not properly configured. If a whitelist is configured for a listener, only requests from IP addresses that are added to the whitelist are forwarded by the listener. If a whitelist is configured but no IP address is added to the whitelist, the listener forwards all requests.

  • Blacklist: All requests from the IP addresses or CIDR blocks in the specified ACL are denied. Blacklists apply to scenarios in which you want to block access from specific IP addresses.

    If a blacklist is configured for a listener but no IP address is added to the blacklist, the listener forwards all requests.

Limits

  • You can associate only one ACL with each listener of a CLB instance.

  • IPv6 instances can be associated only with IPv6 ACLs, and IPv4 instances can be associated only with IPv4 ACLs.

  • The total number of IP entries added to the ACLs that are associated with the same listener cannot exceed 1,000.

  • An ACL can be associated with up to 50 listeners.

  • The IP entries in the ACLs that are associated with the same listener must be unique.

Procedure

The following figure shows how to configure an ACL for a listener.

[Figure: procedure for configuring an ACL for a listener]

Create an ACL

Before you enable access control for a listener, you must create an ACL.

  1. Log on to the CLB console.
  2. In the top navigation bar, select the region where the CLB instance is deployed.

  3. In the left-side navigation pane, click CLB (FKA SLB) > Access Control.

  4. On the Access Control page, click Create ACL.

  5. In the Create ACL panel, configure the following parameters and click Create.

    • ACL Name: Enter a name for the ACL.

    • Resource Group: Select a resource group.

    • Add Multiple Addresses/CIDR Blocks and Descriptions: Enter one or more entries in the following format:

      • Enter one entry per line. Press the Enter key to start a new line.

      • Use a vertical bar (|) to separate the IP address or CIDR block from the description within an entry. Example: 192.168.1.0/24|Description.

      • You can add up to 50 entries at a time.

Add IP entries

After you create an ACL, you can add IP entries to the ACL. An IP entry can be an IP address or a CIDR block.

  1. Log on to the CLB console.
  2. In the top navigation bar, select the region where the ACL is created.

  3. In the left-side navigation pane, choose CLB (FKA SLB) > Access Control.

  4. Find the ACL that you want to manage and click Manage in the Actions column.

  5. Add IP entries.

    • Click Add ACL Entries. In the Add ACL Entries panel, add multiple IP addresses or CIDR blocks, enter descriptions, and then click Add.

      Take note of the following items:

      • Enter one entry per line. Press the Enter key to start a new line.

      • Use a vertical bar (|) to separate the IP address or CIDR block from the comment within an entry. Example: 192.168.1.0/24|Comment.

    • Click Add Entry. In the Add ACL Entry panel, configure the IP Address/CIDR Block and Remarks parameters and click Add.

  6. After you add the IP entries, you can perform the following operations as needed:

    • You can view the IP addresses or CIDR blocks that you added in the Entry column.

    • To delete an IP entry, find the IP entry that you want to delete and click Delete in the Actions column. You can also select an IP entry and click Delete below the list.

Enable access control

You can set whitelists or blacklists for different listeners to control network access.

  1. Log on to the CLB console.
  2. Select the region where the CLB instance is deployed.

  3. Click the ID of the CLB instance for which you want to enable access control.

  4. Click the Listener tab. In the Actions column, choose More > Configure Access Control.

  5. In the Configure Access Control panel, configure the following parameters and click OK.

    • Access Control: Enable access control.

    • ACL Type: Select an access control mode. Valid values:

      • Whitelist: After you associate an ACL with the listener, the listener forwards only requests from IP addresses or CIDR blocks that are added to the ACL.

        Your service may be adversely affected if the whitelist is not properly configured. If a whitelist is configured for a listener, only requests from IP addresses that are added to the whitelist are forwarded by the listener. If a whitelist is configured but no IP address is added to the whitelist, the listener forwards all requests.

      • Blacklist: After you associate an ACL with the listener, the listener denies requests from IP addresses or CIDR blocks that are added to the ACL.

        If a blacklist is configured for a listener but no IP address is added to the blacklist, the listener forwards all requests.

    • ACL: Select an ACL.

      IPv6 instances can be associated only with IPv6 ACLs, and IPv4 instances can be associated only with IPv4 ACLs.

      Note: Separate multiple IP entries with commas (,). You can add up to 300 IP entries to each ACL. IP entries must be unique within each ACL.
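The entry format, limits, and empty-list behavior described in this topic can be checked offline before an ACL is associated with a listener. The following Python sketch is an added example, not Alibaba Cloud code, and calls no CLB API. The function names, the sample entries, and the in-memory model of the listener decision are assumptions.

```python
import ipaddress

MAX_BATCH = 50            # page: up to 50 entries can be added at a time
MAX_PER_LISTENER = 1000   # page: entries on one listener cannot exceed 1,000

# Constructed sample input in the console's "address|description" format.
SAMPLE = """192.168.1.0/24|Office LAN
10.0.0.8|Bastion host
192.168.1.0/24|Duplicate of line 1
2001:db8::/32|IPv6 entry for an IPv4 instance
not-an-ip|Typo
"""

def parse_entries(text, family):
    """Return (networks, errors) for one batch; family is 4 or 6."""
    nets, errors = [], []
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) > MAX_BATCH:
        errors.append(f"{len(lines)} entries exceed the batch limit of {MAX_BATCH}")
    for n, line in enumerate(lines, 1):
        addr = line.split("|", 1)[0].strip()
        try:
            # strict=False normalises host bits; how CLB treats them is not stated.
            net = ipaddress.ip_network(addr, strict=False)
        except ValueError:
            errors.append(f"line {n}: invalid address or CIDR block {addr!r}")
            continue
        if net.version != family:
            errors.append(f"line {n}: {net} is IPv{net.version}, instance is IPv{family}")
        elif net in nets:
            errors.append(f"line {n}: duplicate entry {net}")
        else:
            nets.append(net)
    return nets, errors

def is_forwarded(source_ip, acl_type, nets):
    """Model the documented listener decision for one client address."""
    if not nets:  # empty whitelist or blacklist: the listener forwards all requests
        return True
    hit = any(ipaddress.ip_address(source_ip) in net for net in nets)
    return hit if acl_type == "whitelist" else not hit

def review(acl_type, nets):
    """Findings to resolve before associating the ACL with a listener."""
    findings = []
    if not nets:
        findings.append(f"empty {acl_type}: listener forwards all requests")
    if len(nets) > MAX_PER_LISTENER:
        findings.append(f"{len(nets)} entries exceed the limit of {MAX_PER_LISTENER}")
    return findings
```

Running `review("whitelist", [])` reports the case in which a whitelist with no entries does not restrict access.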

Disable access control

You can disable access control for a listener.

  1. Log on to the CLB console.
  2. Select the region where the CLB instance is deployed.

  3. Click the ID of the CLB instance for which you want to disable access control.

  4. On the instance details page, click the Listener tab.

  5. Find the listener that you want to manage and choose the More icon > Configure Access Control.

  6. In the Configure Access Control panel, disable access control and click OK.