You can set a whitelist or blacklist by configuring HTTP ACL policies in WAF. The whitelist and blacklist are only effective on the specific domain that has the HTTP ACL policy configured.


Follow these steps to configure a whitelist or blacklist:

Note Make sure that you have added your domain to the WAF protection list before proceeding with the following operations. For more information, see WAF deployment guide.
  1. Log on to the Alibaba Cloud WAF console.
  2. Go to the Management > Website Configuration page, and select the region of your WAF instance (Mainland China or International).
  3. Select the domain to be configured, and click Policies.
  4. Enable HTTP ACL Policy, and click Settings.

  5. Click Add Rule.
    • Whitelist configuration example. Use the following configuration to allow all requests from IP

      Note If you want to allow all requests from this IP, do not select any “Proceed to …” protection option in the Add Rule dialog box. If any protection option is selected, some requests from this IP can still be blocked.
    • Similarly, you can also follow this procedure to set blacklist for a specific domain.


  • A rule supports up to three matching conditions. All conditions in a rule must be matched to trigger the rule. If you want to whitelist or blacklist multiple discrete IP addresses/IP segments, you must configure multiple HTTP ACL rules. For example, to block access requests from,, and, you must configure three rules separately.

  • The IP matching filed in HTTP ACL rules supports mask format (for example,, and the logical operator supports “does not have”. For example, you can use the following configuration to only allow requests from specific IP segment to one domain.

  • Priority exists among multiple HTTP ACL rules. WAF applies the HTTP ACL rules according to the displayed sequence (from top to bottom) of HTTP ACL rules in the HTTP ACL Policy list. Additionally, you can click Sort Rules to change the priority among the HTTP ACL rules.