This topic describes how to configure access control for a listener. You can configure different access control policies for different listeners of a Global Accelerator (GA) instance.

Access control policies

Access control policies consist of access control modes and access control lists (ACLs). Access control modes include the whitelist and blacklist modes. An ACL can contain multiple IP addresses and CIDR blocks. You can configure whitelists or blacklists for different listeners to implement access control:
  • Whitelist: Only the requests from the IP addresses or CIDR blocks in the specified ACL are forwarded. If you want to allow access from specific IP addresses, you can configure a whitelist.

    Exercise caution when you configure a whitelist. After you configure a whitelist for a listener, the listener forwards only requests from the IP addresses that are added to the whitelist. If the whitelist is enabled but no IP addresses are added to the ACL, the listener blocks all requests.

  • Blacklist: Requests from the IP addresses or CIDR blocks in the specified ACL are not forwarded. If you want to deny access from specific IP addresses, you can configure a blacklist.

    If the blacklist is enabled but no IP addresses are added to the ACL, the listener forwards all requests.

Limits

  • The total number of IP addresses and CIDR blocks added to the ACLs that are associated with a listener cannot exceed 200. Each IP address and CIDR block must be unique.
  • An ACL can be associated with up to 10 listeners.

Procedure

The following figure shows how to configure access control for a listener.

To configure access control for a listener, perform the following steps:
  1. Create an ACL: Before you enable access control, create an ACL.
  2. Add IP addresses or CIDR blocks to the ACL: Add multiple IP addresses or CIDR blocks to the ACL.
  3. Enable access control: Enable access control for the listener.

Create an ACL

Before you enable access control for a listener, you must create an ACL.

  1. Log on to the Global Accelerator console.
  2. In the left-side navigation pane, click Access Control.
  3. On the Access Control page, click Create ACL. In the Create ACL dialog box, specify ACL Name and IP Version.
  4. Click OK.

Add IP addresses or CIDR blocks to the ACL

After the ACL is created, you can add IP addresses or CIDR blocks to the ACL.

The IP addresses or CIDR blocks are the source IP addresses or CIDR blocks from which access requests to the GA instance are initiated. A listener processes the requests based on its access control policy. For more information, see Access control policies.

  1. Log on to the Global Accelerator console.
  2. Find the ACL to which you want to add IP addresses or CIDR blocks and click Manage ACL in the Actions column.
  3. Add IP addresses or CIDR blocks to the ACL.
    • Add a single IP address or CIDR block to the ACL

      On the page that appears, click Add Rule. In the Add ACL Rule dialog box, enter an IP address or a CIDR block and a description. Then, click OK.

    • Add multiple IP addresses or CIDR blocks at a time

      On the page that appears, click Add Multiple Rules. In the Add ACL Rules dialog box, enter multiple IP addresses or CIDR blocks in the Add IP Addresses and Remarks field, and click OK.

      Take note of the following requirements when you enter IP addresses or CIDR blocks:

      • Enter one IP address or CIDR block in each line. Press the Enter key to start a new line.
      • Separate each IP address or CIDR block and its description with a vertical bar (|). Example: 47.XX.XX.142|Description of the IP address or CIDR block.

Enable access control

GA allows you to implement access control by using listeners. You can configure whitelists or blacklists for different listeners.

Before you enable access control, make sure that a listener is created. For more information, see Create a listener.

  1. Log on to the Global Accelerator console.
  2. On the Instances page, find the GA instance for which you want to enable access control and click Configure Listener in the Actions column.
  3. On the Listeners tab, click the ID of the listener for which you want to enable access control.
  4. On the Listener Details tab, turn on Access Control.
  5. In the Enable Access Control dialog box, configure the following parameters and click OK.
    • Access Control Mode: Select an access control mode. Valid values:
      • Whitelist: Only the requests from the IP addresses or CIDR blocks in the specified ACL are forwarded.

        Exercise caution when you configure a whitelist. After you configure a whitelist for a listener, the listener forwards only requests from the IP addresses that are added to the whitelist. If the whitelist is enabled but no IP addresses are added to the ACL, the listener blocks all requests.

      • Blacklist: Requests from the IP addresses or CIDR blocks in the specified ACL are not forwarded.

        If the blacklist is enabled but no IP addresses are added to the ACL, the listener forwards all requests.

    • Select ACL: Select an ACL.
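
The bulk-entry format and the whitelist and blacklist behavior described above can be checked offline before a list is pasted into the console. The following Python sketch is an added example, not Alibaba Cloud code and not a GA API: the function names, the sample entries, and the choice to treat 203.0.113.10 and 203.0.113.10/32 as the same entry are assumptions of this example.

```python
import ipaddress

MAX_ENTRIES = 200  # limit stated on this page for the ACLs of one listener

# Constructed sample in the "address|description" bulk format (documentation ranges).
SAMPLE = """203.0.113.10|office egress
198.51.100.0/24|partner network
203.0.113.10|pasted twice
not-an-ip|typo
2001:db8::/32|IPv6 entry pasted into an IPv4 ACL"""


def parse_acl_lines(text, ip_version=4):
    """Return (networks, errors) for one entry per line, '|' before the description."""
    networks, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip():
            continue
        addr = raw.partition("|")[0].strip()
        try:
            # Assumption of this example: host bits are tolerated and normalized.
            net = ipaddress.ip_network(addr, strict=False)
        except ValueError:
            errors.append(f"line {lineno}: invalid address or CIDR block {addr!r}")
            continue
        if net.version != ip_version:
            errors.append(f"line {lineno}: {net} is not IPv{ip_version}")
        elif net in networks:
            errors.append(f"line {lineno}: duplicate entry {net}")
        else:
            networks.append(net)
    if len(networks) > MAX_ENTRIES:
        errors.append(f"{len(networks)} entries exceed the limit of {MAX_ENTRIES}")
    return networks, errors


def is_forwarded(source_ip, mode, networks):
    """Whitelist forwards only listed sources; blacklist forwards only unlisted ones."""
    ip = ipaddress.ip_address(source_ip)
    listed = any(ip in net for net in networks)
    if mode == "whitelist":
        return listed        # empty ACL: nothing is listed, every request is blocked
    if mode == "blacklist":
        return not listed    # empty ACL: nothing is listed, every request is forwarded
    raise ValueError(f"unknown access control mode: {mode!r}")


if __name__ == "__main__":
    nets, errs = parse_acl_lines(SAMPLE)
    print(nets, errs, is_forwarded("198.51.100.7", "whitelist", nets), sep="\n")
```

Running the whitelist check against your own administrative source addresses before you turn on Access Control shows whether the new policy would lock you out.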

Remove one or more IP addresses or CIDR blocks from the ACL

You can remove one or more IP addresses or CIDR blocks from the ACL.

  1. Log on to the Global Accelerator console.
  2. Find the ACL from which you want to remove IP addresses or CIDR blocks and click Manage ACL in the Actions column.
  3. Find the IP address or CIDR block that you want to remove from the ACL and click Delete in the Actions column. Alternatively, select multiple IP addresses or CIDR blocks and click Delete below the IP address or CIDR block list.
  4. In the message that appears, click OK.

Disable access control

If you do not want to implement access control for a listener, you can disable access control.

  1. Log on to the Global Accelerator console.
  2. On the Instances page, find the GA instance for which you want to disable access control and click Configure Listener in the Actions column.
  3. On the Listeners tab, click the ID of the listener for which you want to disable access control.
  4. On the Listener Details tab, turn off Access Control.