
Alibaba Cloud Service Mesh:Configure a blacklist or whitelist for an ingress gateway

Last Updated:Mar 11, 2026

By default, any client can send requests to applications exposed through an ingress gateway. Service Mesh (ASM) lets you create blacklist or whitelist rules for an ingress gateway to restrict access based on source IP addresses, HTTP request domain names, ports, or remote IP blocks.

This topic covers two scenarios: blocking traffic from a specific IP with a blacklist, and allowing traffic from only a specific IP with a whitelist.

Prerequisites

Before you begin, make sure that you have:

  • An ASM instance with at least one ingress gateway

  • An application deployed in a Container Service for Kubernetes (ACK) cluster that is added to the ASM instance. For more information, see Deploy an application in an ASM instance

How matching rules work

A blacklist or whitelist consists of one or more matching rules. The evaluation logic works as follows:

  • OR between rules: A request triggers the policy if it matches any rule in the list.

  • AND within a rule: A request matches a rule only if it satisfies all criteria in that rule.

  • Cleanup on disable: Disabling the blacklist or whitelist feature automatically deletes the underlying AuthorizationPolicy rules.

Domain name match types

When a rule includes domain names (the HTTP Host header, or :authority for HTTP/2), three match types are available:

  Match type   Pattern        Example
  Exact        aliyun.com     Matches aliyun.com only
  Prefix       aliyun*        Matches aliyun.com, aliyuncs.com, aliyundoc.com, etc.
  Suffix       *aliyun.com    Matches aliyun.com, docs.aliyun.com, www.aliyun.com, etc.

Prefix and suffix matches are plain string matches with no dot boundary: *aliyun.com also matches notaliyun.com. If you mean "any subdomain of aliyun.com", use the pattern *.aliyun.com and add a separate exact rule for aliyun.com itself if you need it.

Step 1: Get the client source IP address

Before you configure access control, identify the source IP address that the ingress gateway sees for the target client.

For north-south traffic, requests pass through a load balancer before they reach the ingress gateway. Depending on how the load balancer forwards connections, the address the gateway sees may be the load balancer's own address rather than the client's. The following procedure uses the gateway's access logs to identify the address that ASM actually evaluates instead of assuming the client's public IP.

  1. Access http://<ingress-gateway-ip>/productpage in a browser to generate access logs. To find the ingress gateway IP, see Obtain the IP address of the ingress gateway.

  2. Run the following command, using the kubeconfig file of the data plane cluster, to get the latest ingress gateway access log entry for /productpage. Replace <ingress-gateway-pod-name> with the name of the Pod that runs the ingress gateway. The gateway writes each entry as a single JSON line; the sample output below is formatted for readability:

       kubectl -n istio-system logs <ingress-gateway-pod-name> -c istio-proxy | grep "/productpage" | tail -n 1
       {
         "method": "GET",
         "authority": "47.99.XXX.XXX",
         "downstream_local_address": "10.34.0.25:80",
         "downstream_remote_address": "XXXXXXX",
         "x_forwarded_for": "112.124.XXX.XX",
         "upstream_cluster": "outbound|9080||productpage.default.svc.cluster.local",
         "path": "/productpage",
         "response_code": 403
       }
  3. Locate the downstream_remote_address field in the log entry. The IP portion of this value (everything before the last colon) is the source IP address that an IPBlock rule is evaluated against: it is the TCP peer of the gateway, which maps to ipBlocks in the Istio AuthorizationPolicy. Compare it with the x_forwarded_for field. If the two differ, a load balancer or proxy is terminating the client connection, downstream_remote_address is that intermediary's address, and an IPBlock rule on it affects every client behind the intermediary. Only a remote IP block rule (remoteIpBlocks) uses the forwarded client address, and X-Forwarded-For is set by whoever sends the request unless the gateway is configured to trust the proxies in front of it (the numTrustedProxies setting), so do not base a blacklist on it without that configuration.
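The following shell example is added here and is not part of the ASM documentation or of any ASM tooling. It applies the same extraction to a constructed single-line access-log entry: it strips the port from downstream_remote_address, reads the first hop of X-Forwarded-For, and flags the case where the two differ, which is the case where an IPBlock rule would act on the load balancer's address instead of the client's. The log line and every address in it are made up for the example; it runs with POSIX sh and sed and does not need a cluster.

```shell
#!/bin/sh
# Added example: pull the address that IPBlock rules are evaluated against out of
# an Envoy JSON access-log entry, and flag the case where that address belongs to
# a load balancer rather than to the client. POSIX sh + sed only, no jq.

# A single-line access-log entry, constructed for this example; the addresses are
# placeholders. Real entries carry the same fields, one JSON object per line.
SAMPLE_LOG='{"method":"GET","authority":"47.99.0.1","downstream_local_address":"10.34.0.25:80","downstream_remote_address":"192.168.3.7:51234","x_forwarded_for":"112.124.0.10","upstream_cluster":"outbound|9080||productpage.default.svc.cluster.local","path":"/productpage","response_code":403}'

# Print the string value of one field of a single-line JSON entry.
json_field() {  # $1 = field name, $2 = log line
  printf '%s\n' "$2" | sed -n "s/.*\"$1\": *\"\([^\"]*\)\".*/\1/p"
}

# Drop the ":port" from an IPv4 host:port pair (ipBlocks matches on the IP only).
strip_port() {  # $1 = host:port
  printf '%s\n' "$1" | sed 's/:[0-9]*$//'
}

# The address an ipBlocks rule sees: the TCP peer, i.e. downstream_remote_address.
source_ip() {  # $1 = log line
  strip_port "$(json_field downstream_remote_address "$1")"
}

# The client address a remoteIpBlocks rule would use: the first hop in
# X-Forwarded-For. Empty when the header was absent. This value is supplied by
# whoever sent the request unless the gateway trusts the proxies in front of it
# (numTrustedProxies), so it is not authoritative on its own.
forwarded_ip() {  # $1 = log line
  json_field x_forwarded_for "$1" | sed 's/,.*//' | tr -d ' '
}

# Succeeds when the TCP peer is the client itself; fails when a proxy or load
# balancer sits in between, in which case an IPBlock rule on source_ip would
# apply to every client behind that intermediary.
peer_is_client() {  # $1 = log line
  src=$(source_ip "$1"); xff=$(forwarded_ip "$1")
  [ -z "$xff" ] || [ "$src" = "$xff" ]
}

# Stand-alone run against the constructed entry. For a real check, set SAMPLE_LOG
# to the line returned by the kubectl logs command in Step 1.
main() {
  src=$(source_ip "$SAMPLE_LOG")
  echo "IPBlock rules evaluate: $src"
  if ! peer_is_client "$SAMPLE_LOG"; then
    echo "warning: X-Forwarded-For is $(forwarded_ip "$SAMPLE_LOG"); $src is probably the load balancer"
  fi
}
main
```

On the constructed entry the peer address is 192.168.3.7 while X-Forwarded-For says 112.124.0.10, so the script warns; a blacklist entered as 192.168.3.7 would then block the load balancer, not one client. IPv6 peers are logged as [addr]:port and are not handled by strip_port.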

Step 2: Create a blacklist

Block requests from a specific client IP address by creating a blacklist on the ingress gateway.

  1. Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.

  2. On the Mesh Management page, click the name of your ASM instance. In the left-side navigation pane, choose ASM Gateways > Ingress Gateway.

  3. Click the name of the target ingress gateway. In the left-side navigation pane, choose Gateway Security > Black/White List.

  4. In the Black/White List Matching Rules step of the configuration wizard:

    • Turn on Enable Black/White List.

    • Set Match Mode to Black List.

    • Turn on IPBlock and enter the source IP address identified in Step 1.

  5. Click Submit. If the Gateway Black/White List created successfully message appears, the blacklist is active.

    Note

    To block requests from multiple sources, click Add Request Matching Rule to add rules. To inspect the underlying Istio resource, click YAML next to AuthorizationPolicy.

  6. Verify the blacklist: access http://<ingress-gateway-ip>/productpage in your browser. A 403 response with RBAC: access denied confirms that the blacklist is working.


Step 3: Switch to a whitelist

Allow only requests from a specific client IP address by switching to whitelist mode. The procedure is the same as for the blacklist, except for the match mode. Note that a whitelist is an allow-only policy: once it is enabled, every request that matches no rule is rejected, so confirm that the IP you entered is the one identified in Step 1 before you submit, or you lock out every client, including yourself.

  1. Navigate to the ingress gateway page. In the left-side navigation pane, choose Gateway Security > Black/White List.

  2. In the Black/White List Matching Rules step, set Match Mode to White List and click Submit.

  3. Verify the whitelist:

    1. From the whitelisted IP, access http://<ingress-gateway-ip>/productpage. The productpage loads normally.

    2. From a different IP, access http://<ingress-gateway-ip>/productpage. A 403 response with RBAC: access denied confirms that the whitelist is active.
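To see what the two wizard settings correspond to in Istio terms, the following shell example, added here and not the console's own generator, renders the AuthorizationPolicy that a Black List (action DENY) or White List (action ALLOW) IPBlock rule produces on the ingress gateway: one rule per CIDR (rules are ORed), optionally ANDed with a domain-name pattern. The gateway label istio=ingressgateway, the istio-system namespace, the security.istio.io/v1beta1 API version and the field names (ipBlocks, remoteIpBlocks, hosts) are assumptions about what the console emits, so compare the output with the YAML shown next to AuthorizationPolicy before relying on it.

```shell
#!/bin/sh
# Added example: render the Istio AuthorizationPolicy equivalent of a Black List
# (DENY) or White List (ALLOW) IPBlock rule on the ingress gateway.
# Assumptions (not taken from the ASM console): gateway pods are labelled
# istio=ingressgateway in istio-system, and security.istio.io/v1beta1 is served.
# Optional environment overrides:
#   GATEWAY_NS, GATEWAY_LABEL  - where the gateway runs and how it is selected
#   IP_FIELD                   - ipBlocks (TCP peer address, the default) or
#                                remoteIpBlocks (X-Forwarded-For / proxy protocol)
#   HOST_PATTERN               - e.g. '*aliyun.com'; ANDed into every rule
#
# Usage: render_ip_policy DENY ingress-blacklist 112.124.0.10/32 | kubectl apply -f -
render_ip_policy() {  # $1 = DENY|ALLOW, $2 = policy name, $3.. = CIDRs
  action=$1; name=$2; shift 2
  case $action in
    DENY|ALLOW) ;;
    *) echo "action must be DENY or ALLOW, got '$action'" >&2; return 1 ;;
  esac
  [ $# -gt 0 ] || { echo "at least one CIDR is required" >&2; return 1; }
  field=${IP_FIELD:-ipBlocks}
  cat <<EOF
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: $name
  namespace: ${GATEWAY_NS:-istio-system}
spec:
  selector:
    matchLabels:
      istio: ${GATEWAY_LABEL:-ingressgateway}
  # DENY: matching requests are rejected, everything else passes.
  # ALLOW: only matching requests pass; once this policy exists, every other
  # request to the gateway gets 403 "RBAC: access denied".
  action: $action
  rules:
EOF
  # One rule per CIDR: rules are ORed, the criteria inside a rule are ANDed.
  for cidr in "$@"; do
    cat <<EOF
  - from:
    - source:
        $field: ["$cidr"]
EOF
    [ -z "$HOST_PATTERN" ] || cat <<EOF
    to:
    - operation:
        hosts: ["$HOST_PATTERN"]
EOF
  done
}
```

Run render_ip_policy DENY ingress-blacklist 112.124.0.10/32 to get the blacklist form and render_ip_policy ALLOW ingress-whitelist 112.124.0.10/32 for the whitelist form; set IP_FIELD=remoteIpBlocks only when the gateway is configured to trust the load balancer's X-Forwarded-For, and remember that a HOST_PATTERN of *aliyun.com also matches notaliyun.com.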
