API Gateway: Configure instance-level access control

Last Updated: Jan 04, 2024

API Gateway supports instance-level access control. You can configure IPv4 or IPv6 access control lists (ACLs) for dedicated instances. The ACLs take effect only for access requests that are sent to dedicated instances over the Internet.

1. Create an ACL

1.1 Log on to the API Gateway console. In the left-side navigation pane, click Instances. On the Instances page, click the Access Control List tab. Click Create Access Control List. In the Create Access Control List dialog box, enter a name for the ACL that you want to create. Select IPv4 if you want to configure access control for IPv4 addresses; select IPv6 if you want to configure access control for IPv6 addresses.

1.2 After the ACL is created, click Manage ACL in the Actions column to add one entry or add multiple entries at a time.

Note

  • You can create up to five ACLs in a region.

  • You can bind only one ACL to a dedicated instance.

  • You can add up to 50 entries at a time.

  • If no entry is added to an ACL, the blacklist and whitelist that are associated with the ACL do not take effect.

2. Configure a blacklist or whitelist for a dedicated instance

2.1 Configure an IPv4 blacklist or whitelist

On the Instances page, find the dedicated instance for which you want to configure a blacklist or whitelist. In the IPv4 Access Control section, click Set Blacklist/Whitelist to add a blacklist or whitelist. In the Set IPv4 Access Control Policy dialog box, set Blacklist/Whitelist to Blacklist or Whitelist based on your requirements. Then, select the created ACL from the drop-down list. In the Caution dialog box, read the precautions and click I Have Read. Then, the Caution check box is selected and becomes the I Have Read check box. Click Confirm. The ACL takes effect immediately.

Important

After the blacklist or whitelist is configured, the ACL takes effect for all API groups that belong to the instance. Proceed with caution.

2.2 Configure an IPv6 blacklist or whitelist

Before you configure an IPv6 blacklist or whitelist for a dedicated instance, make sure that inbound IPv6 traffic is enabled for the instance. On the Instances page, find the dedicated instance for which you want to configure an IPv6 blacklist or whitelist. In the Inbound IPv6 Traffic section, you can click Enable to enable inbound IPv6 traffic for the dedicated instance. The following figure shows the operation.

[Figure: the Enable button in the Inbound IPv6 Traffic section]

After inbound IPv6 traffic is enabled, click Set Blacklist/Whitelist in the IPv6 Access Control section. The system automatically filters IPv6 ACLs from which you can choose in the Set IPv6 Access Control Policy dialog box.

Important

You can use only IPv6 ACLs to configure IPv6 access control. You can use only IPv4 ACLs to configure IPv4 access control.

3. FAQ

1. After a whitelist is configured, what happens if a client whose IP address is not included in the whitelist sends an access request to API Gateway?

API Gateway denies the request at the access layer, and a timeout error is reported on the client.

Important

The debugging feature of API Gateway does not use fixed IP addresses to debug APIs. Therefore, if you configured an ACL for your instance, you cannot use the debugging feature to debug your API. In this case, you can use IP addresses in the whitelist to manually debug your API.

2. What is the difference between the instance-level access control feature and the IP address-based access control plug-in?

The IP address-based access control plug-in controls access to specific APIs. The instance-level access control feature controls access to an entire dedicated instance in API Gateway and does not consider traffic as a billable item.
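Because a policy applies to every API group on the instance and a denied client only sees a timeout, it helps to check an entry list before binding it. The following pre-check is an added example, not Alibaba Cloud code: the function names are hypothetical, the addresses are constructed, and it assumes that entries are single addresses or CIDR blocks and that a blacklist denies the listed addresses.

```python
import ipaddress

MAX_ENTRIES_PER_ADD = 50  # this page: up to 50 entries can be added at a time


def parse_entries(entries, family):
    """Parse ACL entries; reject any that do not match the ACL's family (4 or 6)."""
    nets = []
    for raw in entries:
        # Raises ValueError on malformed input; strict=False tolerates host bits.
        net = ipaddress.ip_network(raw.strip(), strict=False)
        if net.version != family:
            raise ValueError(f"{raw!r} is IPv{net.version}, but the ACL is IPv{family}")
        nets.append(net)
    return nets


def batches(nets, size=MAX_ENTRIES_PER_ADD):
    """Split entries into groups that fit one 'add multiple entries' operation."""
    return [nets[i:i + size] for i in range(0, len(nets), size)]


def is_allowed(client_ip, nets, mode, family):
    """Model the instance-level decision for one client address."""
    ip = ipaddress.ip_address(client_ip)
    if ip.version != family:
        return True  # an IPv4 ACL only governs IPv4 access control, and vice versa
    if not nets:
        return True  # this page: an ACL without entries does not take effect
    listed = any(ip in net for net in nets)
    return listed if mode == "whitelist" else not listed


def locked_out(must_reach, nets, mode, family):
    """Addresses that must keep access but would be denied at the access layer."""
    return [ip for ip in must_reach if not is_allowed(ip, nets, mode, family)]


if __name__ == "__main__":
    # Constructed sample data using documentation address ranges.
    acl = parse_entries(["203.0.113.0/24", "198.51.100.7"], family=4)
    admins = ["203.0.113.9", "192.0.2.44"]
    print("entry batches to add:", len(batches(acl)))
    print("would time out under whitelist:", locked_out(admins, acl, "whitelist", 4))
```

Run it with the addresses of the clients that must keep access, such as the machines used for manual debugging, and resolve any address it reports before clicking Confirm.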