When you use an Application Load Balancer (ALB) Ingress to expose Services, you can configure access control lists (ACLs) to allow or deny requests from clients that use specific IP addresses to access the Services. This topic describes how to use an AlbConfig to create or modify an ACL and associate the ACL with a listener.
How ACLs work
The ACLs of an ALB Ingress are associated with listeners to accept or deny requests from whitelisted or blacklisted IP addresses. An ACL contains a group of CIDR blocks. After you associate an ACL with a listener by using an AlbConfig, the listener uses the entries in the ACL to match the source IP addresses from which requests are sent to access the backend Service. You can use one of the following methods to control the requests:
- Configure an ACL to allow only requests from the source IP addresses that match the entries in the ACL.
- Configure an ACL to deny the requests from the source IP addresses that match the entries in the ACL.
An ACL supports access control by using only IPv4 addresses.
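The two matching modes above are easy to get backwards when you verify a listener later (a whitelist hit allows, a blacklist hit denies). The following added example, which is not code from the page or from the ALB Ingress controller, models that decision for a client IPv4 address against a list of ACL entries and rejects anything that is not an IPv4 CIDR block, matching the IPv4-only rule. The sample entries are constructed for the example.

```python
import ipaddress

# Constructed sample entries (not from the original page). ALB ACLs support only
# IPv4, so every entry is an IPv4 CIDR block.
SAMPLE_ENTRIES = ["192.168.0.0/16", "10.1.2.3/32"]


def parse_entries(entries):
    """Parse ACL entries into IPv4 networks.

    Raises ValueError for anything that is not an IPv4 CIDR block, mirroring the
    rule that ACLs support access control only by IPv4 addresses.
    """
    networks = []
    for entry in entries:
        net = ipaddress.ip_network(entry, strict=False)  # ValueError if malformed
        if net.version != 4:
            raise ValueError(f"ACL entries must be IPv4 CIDR blocks, got {entry!r}")
        networks.append(net)
    return networks


def entries_are_valid(entries):
    """True if every entry parses as an IPv4 CIDR block."""
    try:
        parse_entries(entries)
    except ValueError:
        return False
    return True


def is_allowed(client_ip, acl_type, entries):
    """Decide whether a request from client_ip passes a listener ACL.

    White: the request is allowed only if the source IP matches an entry.
    Black: the request is denied if the source IP matches an entry.
    Only IPv4 clients are modelled; the page defines no behaviour for IPv6
    sources against an IPv4-only ACL, so the model refuses to guess.
    """
    ip = ipaddress.ip_address(client_ip)
    if ip.version != 4:
        raise ValueError(f"only IPv4 client addresses are modelled, got {client_ip!r}")
    hit = any(ip in net for net in parse_entries(entries))
    if acl_type == "White":
        return hit
    if acl_type == "Black":
        return not hit
    raise ValueError(f"aclType must be Black or White, got {acl_type!r}")


if __name__ == "__main__":
    # Print the verdict for a few constructed client addresses in both modes.
    for ip in ("192.168.5.5", "10.1.2.3", "203.0.113.9"):
        for acl_type in ("White", "Black"):
            verdict = "allowed" if is_allowed(ip, acl_type, SAMPLE_ENTRIES) else "denied"
            print(f"{ip:>14} with {acl_type:5} ACL -> {verdict}")
```

Run the script before applying an ACL to check that the client addresses you expect to reach the Service fall on the right side of the decision; the same function doubles as a quick explanation of a surprising allow or deny during verification.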
The following figure shows how ACLs work.
Configuration methods
The following table describes the methods that you can use to associate a listener with an ACL. We recommend that you use the aclIds parameter.
Item | aclIds | aclEntries |
--- | --- | --- |
Version of the ALB Ingress controller | This parameter is available for ALB Ingress controllers of 2.7.0 or later. | This parameter is available for all versions of ALB Ingress controllers. |
Association with an existing ACL | You can use the ID of an existing ACL to associate a listener with the ACL. | ALB Ingress controllers of 2.7.0 or later do not allow you to associate a listener with an existing ACL. |
ACL creation method | You must manually create an ACL in the Server Load Balancer (SLB) console before you use the ACL. | You can create an ACL by using an AlbConfig. |
Use scenarios | This method is suitable for scenarios in which you need to frequently change entries in an ACL and want to maintain the ACL in a cost-effective manner. | This method is suitable for scenarios in which you want to enable access control by using a small number of listeners and ACLs that contain a small number of entries. |
Note: The aclIds and aclEntries parameters are mutually exclusive in the ACL configuration. You can use only one of them to configure an ACL for a listener. If you use both parameters at the same time, an error occurs. For ALB Ingress controllers of 2.7.0 or later, you can only use the aclIds parameter to associate an existing ACL with a listener.
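The rules in the table and the note above (aclIds needs controller 2.7.0 or later, aclIds and aclEntries are mutually exclusive, at most three ACLs per listener, entries must be IPv4 CIDR blocks) are exactly the kind of thing that is cheaper to catch before `kubectl apply` than from a controller error. The following added example, not code from the page or from the ALB Ingress controller, lints the aclConfig of every listener in a parsed AlbConfig. It takes the AlbConfig as a plain dictionary (the shape `yaml.safe_load` would return), so it runs without extra dependencies; the sample AlbConfig and the controller-version argument are constructed for the example, and acl-wtg*** is the page's own placeholder ID.

```python
import ipaddress

MAX_ACL_IDS_PER_LISTENER = 3      # from the page: each listener supports up to three ACLs
ACL_IDS_MIN_VERSION = (2, 7, 0)   # from the page: aclIds needs controller 2.7.0 or later
VALID_ACL_TYPES = {"Black", "White"}


def version_tuple(version):
    """Turn '2.7.0' into (2, 7, 0) so controller versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def lint_acl_config(acl_config, controller_version):
    """Return a list of problems in one listener's aclConfig (empty list means OK)."""
    problems = []
    acl_type = acl_config.get("aclType")
    if acl_type not in VALID_ACL_TYPES:
        problems.append(f"aclType must be Black or White, got {acl_type!r}")

    acl_ids = acl_config.get("aclIds")
    acl_entries = acl_config.get("aclEntries")
    has_ids = bool(acl_ids)                # null or [] means "no existing ACL"
    has_entries = acl_entries is not None  # [] is meaningful: it clears all entries
    if has_ids and has_entries:
        problems.append("aclIds and aclEntries are mutually exclusive; use only one")

    if has_ids:
        if version_tuple(controller_version) < ACL_IDS_MIN_VERSION:
            problems.append("aclIds requires ALB Ingress controller 2.7.0 or later")
        if len(acl_ids) > MAX_ACL_IDS_PER_LISTENER:
            problems.append(
                f"at most {MAX_ACL_IDS_PER_LISTENER} ACLs per listener, got {len(acl_ids)}")

    if has_entries:
        for entry in acl_entries:
            try:
                net = ipaddress.ip_network(entry, strict=True)
            except ValueError:
                try:
                    net = ipaddress.ip_network(entry, strict=False)
                except ValueError:
                    problems.append(f"aclEntries: {entry!r} is not a valid CIDR block")
                    continue
                # Parses, but host bits are set: the intended scope is ambiguous.
                problems.append(
                    f"aclEntries: {entry!r} has host bits set; did you mean {net} or a /32?")
            if net.version != 4:
                problems.append(f"aclEntries: {entry!r} is not IPv4; ACLs support only IPv4")
    return problems


def lint_albconfig(albconfig, controller_version):
    """Lint every listener in a parsed AlbConfig; returns {port: problems} for bad listeners."""
    report = {}
    for listener in albconfig.get("spec", {}).get("listeners", []):
        if "aclConfig" not in listener:
            continue
        problems = lint_acl_config(listener["aclConfig"], controller_version)
        if problems:
            report[listener.get("port")] = problems
    return report


# Constructed sample (not from the page): the parsed form of an AlbConfig.
# Port 80 mirrors the page's aclIds example; port 443 deliberately breaks the rules.
SAMPLE_ALBCONFIG = {
    "apiVersion": "alibabacloud.com/v1",
    "kind": "AlbConfig",
    "metadata": {"name": "default"},
    "spec": {
        "listeners": [
            {"port": 80, "protocol": "HTTP",
             "aclConfig": {"aclType": "White", "aclIds": ["acl-wtg***"]}},
            {"port": 443, "protocol": "HTTPS",
             "aclConfig": {"aclType": "Black",
                           "aclIds": ["acl-a", "acl-b", "acl-c", "acl-d"],
                           "aclEntries": ["2001:db8::/32", "10.0.0.0/8"]}},
        ]
    },
}

if __name__ == "__main__":
    for port, problems in lint_albconfig(SAMPLE_ALBCONFIG, "2.7.0").items():
        print(f"listener {port}:")
        for problem in problems:
            print("  -", problem)
```

With the sample input, listener 80 passes and listener 443 is reported three times: both parameters set, four ACL IDs, and an IPv6 entry. Passing a controller version such as "2.6.0" additionally flags listener 80, because aclIds is not available there. An empty aclEntries list is intentionally accepted, since the page uses it to clear all entries from an ACL.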
Prerequisites
An AlbConfig is created, and a listener is configured in the AlbConfig. The aclConfig parameter described in this topic is added under that listener.
Use the aclIds parameter to associate an ACL with a listener
Step 1: Create an ACL
Before you enable access control, you must create an ACL.
- Log on to the ALB console.
- In the top navigation bar, select the region in which you want to create the ACL.
- In the left-side navigation pane, choose ALB > Access Control.
- On the Access Control page, click Create Access Control List.
- In the Create ACL dialog box, configure the following parameters and click OK.
Parameter | Description |
--- | --- |
ACL Name | Enter a name for the network ACL. |
Resource Group | Select a resource group. |
Tag | Configure the Tag Key and Tag Value parameters. After you specify tags, you can filter ACLs by tag on the Access Control page. |
Step 2: Add entries to the ACL
After you create an ACL, you can add entries to the ACL. ACL entries specify the source IP addresses or CIDR blocks from which requests are sent to your ALB instance. You can add multiple entries to each ACL.
- On the Access Control page, find the ACL that you want to manage and click Manage in the Actions column.
- On the Entry tab of the ACL details page, use one of the following methods to add entries:
  - Add a single IP address or CIDR block: Click Add Entry. In the Add ACL Entries dialog box, configure the IP/CIDR Block and Remarks parameters. Then, click Add.
  - Add multiple IP addresses or CIDR blocks at a time: Click Add ACL Entries. In the Add ACL Entries dialog box, add multiple IP addresses or CIDR blocks and the remarks. Then, click Add.
Note: When you add multiple entries at a time, take note of the following items:
- Enter one entry per line. Press the ENTER key to start a new line.
- Use a vertical bar (|) to separate an IP address or a CIDR block from the remarks within an entry. For example, you can enter 192.168.1.0/24|Remarks.
- You can add at most 20 entries at a time.
After you add entries, perform the following operations based on your business requirements:
- View the IP addresses or CIDR blocks that you added in the Entry column.
- Delete entries. To do so, find the entry that you want to delete and click Delete in the Actions column. You can also select the entries that you want to delete and click Delete below the list.
- Export entries. To do so, click the export icon in the upper-right corner of the list to export all entries, or select the entries that you want to export and click the export icon.
Step 3: Associate the ACL with a listener
In the following sample YAML code, the spec.listeners.aclConfig parameter is added to the existing AlbConfig, and the aclIds parameter is set to the ID of the created ACL. In this example, the ID of the created ACL is acl-wtg***.
```yaml
apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: default
spec:
  config:
    #...
  listeners:
  - port: #...
    protocol: #...
    aclConfig:
      aclType: White # The whitelist mode.
      aclIds:
      - acl-wtg*** # Add the ID of the existing ACL to the ACL configuration. In this example, the ID of the existing ACL is acl-wtg***.
    #...
```
The following table describes the parameters in aclConfig.
Parameter | Description |
--- | --- |
aclType | The type of the ACL. Valid values: Black and White. |
aclIds | The ID of the ACL to be associated with a listener. Important: Each listener can be associated with up to three ACLs. |
Step 4: Verify the access control effect
You can use a client whose public IP address matches an entry in the whitelist or no entry in the blacklist to access the backend Service and verify the effect of the ACL configuration.
In this example, the resources that are created in the Get started with ALB Ingress topic are used.
If the access from the client is allowed, the client can access the backend Service as expected.

Step 5: (Optional) Disassociate the ACL from the listener
In the following YAML code, to disassociate the ACL from the listener, you only need to remove the ID of the ACL from the value of the aclIds parameter or change the value of the aclIds parameter to null.
```yaml
apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: default
spec:
  config:
    #...
  listeners:
  - port: #...
    protocol: #...
    aclConfig:
      aclType: White
      aclIds: null # Remove the ID of the existing ACL from the value of this parameter. In this example, the ID of the existing ACL is acl-wtg***.
    #...
```
You cannot delete an ACL from an AlbConfig. To delete the ACL, log on to the SLB console.
Use the aclEntries parameter to create an ACL
Note: For ALB Ingress controllers of 2.7.0 or later, you can no longer use the aclName parameter to associate existing ACLs with listeners. Each time you update the aclName parameter, a new ACL is created and associated with the listener. ALB Ingress controllers of 2.6.0 or earlier support the write-back mechanism, which works as follows:
- If the aclConfig parameter is left empty in an AlbConfig, the entries of the ACL associated with a listener are written back to the AlbConfig.
- If the aclConfig parameter is configured in an AlbConfig, or the entries of the ACL associated with a listener have already been written back to the AlbConfig, the AlbConfig remains unchanged.
- If the Ingress resources are changed, the ALB Ingress controller uses the configured AlbConfig to overwrite the ACL configuration in the console. In this case, you need to keep the AlbConfig and the console configuration consistent.
Step 1: Configure entries in an ACL
In the following sample YAML code, the spec.listeners.aclConfig parameter in the existing AlbConfig is added or modified, and CIDR blocks are specified in the aclEntries parameter. If a value is specified in the aclName parameter, an ACL is created and uses the value as its name. If no value is specified in the aclName parameter, a name is automatically generated in the format of acl-{albName}-{port}.
```yaml
apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: default
spec:
  config:
    #...
  listeners:
  - port: #...
    protocol: #...
    aclConfig:
      aclEntries:
      - 192.168.XX.XX/16
      - 172.10.XX.XX/16
      aclType: White # The whitelist mode.
      aclName: "acl-test" # An ACL named acl-test is created and associated with a listener.
    #...
```
The following table describes the parameters in aclConfig.
Parameter | Description |
--- | --- |
aclEntries | The entries of the ACL. The entries must be CIDR blocks, such as 127.0.0.1/32. |
aclType | The type of the ACL. Valid values: Black and White. |
aclName | The name of the ACL. |
Step 2: Verify the access control effect
You can use a client whose public IP address matches an entry in the whitelist or no entry in the blacklist to access the backend Service and verify the effect of the ACL configuration.
In this example, the resources that are created in the Get started with ALB Ingress topic are used.
If the access from the client is allowed, the client can access the backend Service as expected.

Step 3: (Optional) Remove the ACL
You can remove the ACL by updating the AlbConfig. In the following sample code, the ACL of the whitelist type that contains the 172.10.XX.XX/16 CIDR block is removed. The updated aclEntries parameter in the AlbConfig is synchronized to the associated ACL. In this example, the ACL is named acl-test. If the aclEntries parameter is left empty, all entries are removed from the ACL.
```yaml
apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: default
spec:
  config:
    #...
  listeners:
  - port: #...
    protocol: #...
    aclConfig:
      aclEntries:
      - 192.168.XX.XX/16
      aclType: White
      aclName: "acl-test" # The 172.10.XX.XX/16 entry in the acl-test ACL is also removed.
    #...
```
You cannot delete an ACL from an AlbConfig. To delete the ACL, log on to the SLB console.