Configure instance-level access control
API Gateway supports instance-level access control. You can configure IPv4 or IPv6 access control lists (ACLs) for dedicated instances. The ACLs take effect only for access requests that are sent to dedicated instances over the Internet.
1. Create an ACL
You can create a maximum of five access control lists in each region.
You can bind only one ACL to a dedicated instance.
You can add up to 50 entries in bulk.
If no entry is added to an ACL, the blacklist and whitelist that are associated with the ACL do not take effect.
In the navigation pane of the API Gateway console, go to the Instances page and click the Access Control List tab. Then, click Create Access Control List and enter a name for the list. Select IPv4 for IPv4 addresses or IPv6 for IPv6 addresses.
After you create the access control list, click Manage ACL to add entries. You can add a single entry or add entries in bulk.
2. Configure a blacklist or whitelist for a dedicated instance
2.1 Configure an IPv4 blacklist or whitelist
In the navigation pane of the API Gateway console, click Instances. Find the target dedicated instance and click Set Blacklist/Whitelist. Select either Blacklist or Whitelist, and then select your configured access control list. Read the on-screen precautions and click Confirm. The access control policy takes effect immediately.
After the blacklist or whitelist is configured, the ACL takes effect for all API groups that belong to the instance. Proceed with caution.
2.2 Configure an IPv6 blacklist or whitelist
Before you configure an IPv6 blacklist or whitelist for an instance, ensure that IPv6 ingress is enabled for your dedicated instance on the Instances page.
After you enable IPv6 ingress, navigate to the details page of your dedicated instance. In the IPv6 Access Control section, click Set Blacklist/Whitelist. The interface automatically displays only IPv6-type access control lists. The remaining steps are the same as those for configuring an IPv4 blacklist or whitelist.
You can use only IPv6 ACLs to configure IPv6 access control. You can use only IPv4 ACLs to configure IPv4 access control.
FAQ
What happens if a client not on the whitelist tries to access API Gateway?
API Gateway denies the request at the access layer, and a timeout error is reported on the client.
ImportantTo use the debugging feature, you must add the IP address displayed on the API Gateway debugging page to the whitelists for both instance-level access control and the IP address-based access control plug-in.
What is the difference between instance-level access control and the IP address-based access control plug-in?
The IP address-based access control plug-in operates at the API level, whereas instance-level access control applies to an entire API Gateway dedicated instance and does not incur traffic fees.