All Products
Document Center

API Gateway:Configure instance-level access control

Last Updated:Feb 01, 2023

API Gateway supports instance-level access control. You can configure IPv4 or IPv6 access control lists (ACLs) for dedicated instances. The ACLs take effect only for access requests that are sent to dedicated instances over the Internet.

1. Create an ACL

1.1 Log on to the API Gateway console. In the left-side navigation pane, click Instances. On the Instances page, click the Access Control List tab on which you can create and manage ACLs. Click Create Access Control List. In the Create Access Control List dialog box, enter a name for the ACL that you want to create. If you want to configure IPv4 access control, select IPv4. If you want to configure IPv6 access control, select IPv6. In this example, IPv4 is selected.image

1.2 After the ACL is created, click Manage ACL in the Actions column to add one entry or add multiple entries at a time. The following figures show the operations.

Add one entryAdd multiple entries at a time


  • You can create up to five ACLs in a region.

  • You can bind only one ACL to a dedicated instance.

  • You can add up to 50 entries at a time.

  • If no entry is added to an ACL, the blacklist and whitelist that are associated with the ACL do not take effect.

2. Configure a blacklist or whitelist for a dedicated instance

2.1 Configure an IPv4 blacklist or whitelist

On the Instances page, find the dedicated instance for which you want to configure a blacklist or whitelist. In the IPv4 Access Control section, click Set Blacklist/Whitelist to add a blacklist or whitelist. In the Set IPv4 Access Control Policy dialog box, set Blacklist/Whitelist to Blacklist or Whitelist based on your requirements. Then, select the created ACL from the drop-down list. Click Caution. In the Caution dialog box, read the precautions and click I Have Read. Then, the Caution check box is selected and becomes the I Have Read check box. Click Confirm. The ACL takes effect immediately.


After the blacklist or whitelist is configured, the ACL takes effect for all API groups of the instance. Proceed with caution.


2.2 Configure an IPv6 blacklist or whitelist

Before you configure an IPv6 blacklist or whitelist for a dedicated instance, make sure that inbound IPv6 traffic is enabled for the instance. On the Instances page, find the dedicated instance for which you want to configure an IPv6 blacklist or whitelist. In the Inbound IPv6 Traffic section, you can click Enable to enable inbound IPv6 traffic for the dedicated instance. The following figure shows the operation.


After inbound IPv6 traffic is enabled, click Set Blacklist/Whitelist in the IPv6 Access Control section. The system automatically filters IPv6 ACLs that you can select in the Set IPv6 Access Control Policy dialog box. The subsequent operations to configure an IPv6 blacklist or whitelist are the same as the operations that are described in the "2.1 Configure an IPv4 blacklist or whitelist" section of this topic.


You can use only IPv6 ACLs to configure IPv6 access control. You can use only IPv4 ACLs to configure IPv4 access control.

3. FAQ

3.1 After a whitelist is configured, what happens if a client that is not associated with the whitelist sends an access request to API Gateway?

API Gateway rejects the request at the access layer and reports a timeout error to the client.


If you want to use the debugging feature of API Gateway, you must add the IP address of the debugging page to the whitelist. To obtain the IP address, submit a ticket.

3.2 What is the difference between the instance-level access control feature and the IP address access control plug-in?

The IP address access control plug-in controls access to specific APIs. The instance-level access control feature controls access to dedicated instances in API Gateway and does not consider traffic as a billable item.