This topic describes how to enable access control for the listeners of an Application Load Balancer (ALB) instance. When you configure an ALB listener, you can set a whitelist or blacklist to accept or block inbound traffic from specified IP addresses or CIDR blocks. You can use this feature to enforce fine-grained access control on the network traffic that is distributed by listeners.

Network ACLs

You can set whitelists or blacklists for different listeners to regulate access control:
  • Whitelist: A whitelist allows requests from specified IP addresses or CIDR blocks. After you set a whitelist for a listener, the listener forwards only requests from IP addresses or CIDR blocks that are added to the whitelist.

    Configure the whitelist carefully, because a misconfigured whitelist can disrupt your business: after you set a whitelist for an ALB listener, only requests from IP addresses that are added to the whitelist are distributed by the listener, and if the whitelist is enabled but contains no IP addresses, the listener does not forward any requests.

  • Blacklist: A blacklist blocks requests from specified IP addresses. After you set a blacklist for a listener, the listener does not forward requests from IP addresses or CIDR blocks that are added to the blacklist.

    After you set a blacklist for an ALB listener, if no IP address is added to the blacklist, the listener forwards all requests.

Configuration procedure

The following figure shows how to configure a network ACL for a listener.

Procedure
To configure a network ACL for a listener, perform the following steps:
  • Create a network ACL and add one or more IP addresses or CIDR blocks to the network ACL. For more information, see Create a network ACL and Add IP entries.
  • Enable access control for a listener. For more information, see Enable access control.
  • You can disable access control in the configuration of a listener based on your requirements. For more information, see Disable access control.

Create a network ACL

Before you enable access control for a listener, you must first create a network ACL.

  1. Log on to the Server Load Balancer console.
  2. In the left-side navigation pane, choose ALB > Access Control.
  3. On the Access Control page, click Create ACL.
  4. In the Create ACL dialog box, set the following parameters and click OK to create a network ACL.
    • ACL Name: Enter a name for the network ACL. The name must be 2 to 128 characters in length, and can contain digits, periods (.), underscores (_), and hyphens (-). It must start with a letter or Chinese character.
    • Resource Group: Select a resource group.

Add IP entries

After you create a network ACL, you can add IP entries to the network ACL. IP entries specify source IP addresses of requests that are sent to an ALB instance. You can add multiple entries of IP addresses or CIDR blocks to each network ACL.

  1. Log on to the Server Load Balancer console.
  2. In the left-side navigation pane, choose ALB > Access Control.
  3. Find the network ACL to which you want to add IP entries and click Manage ACL in the Actions column.
  4. On the Details page, click Add Entry or Add Multiple Entries.
  5. In the Add ACL Entry dialog box, enter the IP address or CIDR block that you want to add to the network ACL. You can also enter a comment for the entry.
    Note: To add multiple IP entries, take note of the following items:
    • Enter one entry per line. Press the Enter key to start a new line.
    • Use a vertical bar (|) to separate the IP address or CIDR block from the comment within an entry. For example, enter 192.168.1.0/24|Comment.
  6. Click Add.
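The following added example (not part of the original topic or of the ALB product) shows, in standard-library Python, how a checker could parse the bulk entry format described above (one ip_or_cidr|comment entry per line) and then apply the whitelist and blacklist semantics from the Network ACLs section, including the empty-list edge cases: an enabled but empty whitelist forwards nothing, and an empty blacklist forwards everything. The function names and the sample entries are constructed for this example.

```python
import ipaddress
from typing import List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

def parse_acl_entries(text: str) -> List[Tuple[Network, str]]:
    """Parse bulk ACL entries: one 'ip_or_cidr|comment' per line, comment optional.
    Blank lines are skipped; an invalid address or CIDR block raises ValueError
    so that a typo is not silently dropped from the list."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        addr, _, comment = line.partition("|")
        try:
            # strict=False accepts host bits set, e.g. 192.168.1.5/24
            net = ipaddress.ip_network(addr.strip(), strict=False)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: invalid IP or CIDR block {addr!r}") from exc
        entries.append((net, comment.strip()))
    return entries

def listener_forwards(mode: str, entries: List[Tuple[Network, str]], source_ip: str) -> bool:
    """Return True if a listener in the given mode forwards a request from source_ip.
    whitelist: forward only matching sources (an empty whitelist forwards nothing).
    blacklist: block matching sources (an empty blacklist forwards everything)."""
    ip = ipaddress.ip_address(source_ip)
    matched = any(ip in net for net, _ in entries)  # mixed IPv4/IPv6 never matches
    if mode == "whitelist":
        return matched
    if mode == "blacklist":
        return not matched
    raise ValueError(f"unknown access control method {mode!r}")

# Constructed sample input in the console's bulk-entry format.
SAMPLE_ENTRIES = "192.168.1.0/24|Comment\n10.0.0.5\n\n203.0.113.0/25|office\n"

if __name__ == "__main__":
    acl = parse_acl_entries(SAMPLE_ENTRIES)
    for mode in ("whitelist", "blacklist"):
        for src in ("192.168.1.77", "198.51.100.1"):
            print(mode, src, "forward" if listener_forwards(mode, acl, src) else "block")
    # Edge case from the topic: enabled whitelist with no entries forwards nothing.
    print("empty whitelist forwards:", listener_forwards("whitelist", [], "192.168.1.77"))
```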

Enable access control

You can set whitelists or blacklists for different listeners.

  1. Log on to the Server Load Balancer console.
  2. In the left-side navigation pane, choose ALB > Instance.
  3. Click the ID of the ALB instance for which you want to enable access control.
  4. Click the Listener tab, find the listener that you want to manage, and click Enable in the Access Control List column. You can also click View Details in the Actions column.
  5. In the Access Control section of the Listener Details tab, turn on the switch to enable access control for the listener.
  6. In the Enable Access Control dialog box, set the following parameters and click OK.
    • Access Control Method: Select an access control method. Valid values:
      • Whitelist: After you set a whitelist for a listener, the listener forwards only requests from IP addresses or CIDR blocks that are added to the whitelist.
      • Blacklist: After you set a blacklist for a listener, the listener blocks requests from IP addresses or CIDR blocks that are added to the blacklist.
    • Access Control List: Select a network ACL.
  7. Click OK.

Disable access control

You can disable access control in the configuration of a listener to meet your business requirements.

  1. Log on to the Server Load Balancer console.
  2. In the left-side navigation pane, choose ALB > Instance.
  3. Click the ID of the ALB instance that you want to manage.
  4. Click the Listener tab, find the listener for which you want to disable access control, and then click View Details in the Actions column.
  5. In the Access Control section of the Listener Details tab, turn off the switch to disable access control for the listener. Then, click OK in the message that appears.