This topic describes how to enable access control for the listeners of an Application Load Balancer (ALB) instance. When you configure an ALB listener, you can set a whitelist or blacklist to accept or block inbound traffic from specified IP addresses or CIDR blocks. You can use this feature to implement fine-grained access control on client requests that are distributed by listeners.

Network ACLs

You can set whitelists or blacklists for different listeners:
  • Whitelist: A whitelist allows requests from IP addresses or CIDR blocks specified in an access control list (ACL). Whitelists apply to scenarios in which you want to allow access from only specific IP addresses.

    A whitelist that is configured incorrectly can disrupt your business. After you set a whitelist for an ALB listener, only requests from IP addresses that are added to the whitelist are distributed by the listener. If the whitelist contains no IP addresses, the listener forwards all requests.

  • Blacklist: A blacklist blocks requests from IP addresses or CIDR blocks specified in an ACL. Blacklists apply to scenarios in which you want to block access from specific IP addresses.

    After you set a blacklist for an ALB listener, requests from IP addresses in the blacklist are dropped. If the blacklist contains no IP addresses, the listener forwards all requests.

Procedure

The following figure shows how to configure a network ACL for a listener.

To configure a network ACL for a listener, perform the following steps:
  • Create a network ACL and add one or more IP addresses or CIDR blocks to the network ACL. For more information, see Create a network ACL and Add IP entries.
  • Enable access control for a listener. For more information, see Enable access control.
  • Optionally, disable access control in the configuration of a listener when it is no longer required. For more information, see Disable access control.

Create a network ACL

Before you enable access control for a listener, you must first create a network ACL.

  1. Log on to the ALB console.
  2. In the left-side navigation pane, choose ALB > Access Control.
  3. On the Access Control page, click Create ACL.
  4. In the Create ACL dialog box, set the following parameters and click OK to create a network ACL.
    Parameter       Description
    ACL Name        Enter a name for the network ACL. The name must be 2 to 128 characters in length, and must start with a letter. It can contain digits, periods (.), underscores (_), and hyphens (-).
    Resource Group  Select a resource group.

Add IP entries

After you create a network ACL, you can add IP entries to the network ACL. IP entries specify source IP addresses of requests that are sent to an ALB instance. You can add multiple entries of IP addresses or CIDR blocks to each network ACL.

  1. Log on to the ALB console.
  2. In the left-side navigation pane, choose ALB > Access Control.
  3. Find the network ACL to which you want to add IP entries and click Manage ACL in the Actions column.
  4. On the Details page, click Add Entry or Add Multiple Entries.
  5. In the Add ACL Entry dialog box, enter the IP address or CIDR block that you want to add to the network ACL. You can also enter a comment for the entry. Click Add.
    Note To add multiple IP entries, take note of the following items:
    • Enter one entry per line. Press the Enter key to start a new line.
    • Use a vertical bar (|) to separate an IP address or a CIDR block and a comment within an entry. For example, 192.168.1.0/24|Comment.
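The following Python snippet is an added example, not code from the ALB documentation. It parses the multi-entry text format described above (one `IP|comment` entry per line), rejects malformed lines before they reach the ACL, and models the whitelist and blacklist decisions from the Network ACLs section, including the case where the ACL is empty and the listener forwards everything.

```python
import ipaddress

# Constructed sample of the "Add Multiple Entries" text: one entry per line,
# an IP address or CIDR block, optionally followed by "|" and a comment.
SAMPLE_ENTRIES = """192.168.1.0/24|office
203.0.113.7|partner gateway
198.51.100.0/24
"""


def parse_acl_entries(text):
    """Parse multi-entry input into a list of ip_network objects.

    Raises ValueError on any line that is not an IP address or CIDR block,
    so a typo is caught instead of silently widening or narrowing the ACL.
    A CIDR block with host bits set (e.g. 192.168.1.5/24) is also rejected.
    """
    networks = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue  # blank lines carry no entry
        addr, _, _comment = line.partition("|")
        try:
            networks.append(ipaddress.ip_network(addr.strip()))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {addr!r} is not an IP or CIDR") from exc
    return networks


def listener_forwards(client_ip, method, networks):
    """Model the listener decision for one client address.

    whitelist: forward only if client_ip matches an entry.
    blacklist: drop if client_ip matches an entry.
    In both modes an empty ACL forwards all requests, as the doc states.
    """
    if not networks:
        return True
    ip = ipaddress.ip_address(client_ip)
    matched = any(ip in net for net in networks)  # cross-version compare is False
    if method == "whitelist":
        return matched
    if method == "blacklist":
        return not matched
    raise ValueError(f"unknown access control method: {method}")
```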

Enable access control

You can set whitelists or blacklists for different listeners.

  1. Log on to the ALB console.
  2. In the left-side navigation pane, choose ALB > Instances.
  3. On the Instances page, click the ID of the ALB instance for which you want to enable access control.
  4. On the Listener tab, find the listener that you want to manage and click Enable in the Access Control List column. You can also click View Details in the Actions column.
  5. On the Listener Details tab, turn on Access Control to enable access control for the listener.
  6. In the Enable Access Control dialog box, set the following parameters and click OK.
    Parameter              Description
    Access Control Method  Select an access control method. Valid values:
                           • Whitelist: forwards only requests from the IP addresses or CIDR blocks that are added to the ACL.
                           • Blacklist: blocks requests from the IP addresses or CIDR blocks that are added to the ACL.
    Access Control List    Select a network ACL.

Disable access control

You can disable access control in the configuration of a listener to meet your business requirements.

  1. Log on to the ALB console.
  2. In the left-side navigation pane, choose ALB > Instances.
  3. On the Instances page, click the ID of the ALB instance for which you want to disable access control.
  4. On the Listener tab, find the listener that you want to manage and click View Details in the Actions column.
  5. In the Access Control section of the Listener Details tab, turn off the switch to disable access control for the listener. Then, click OK in the message that appears.