Container Compute Service: Configure an ACL by using an AlbConfig to enable access control

Last Updated:Feb 27, 2026

Access control lists (ACLs) filter incoming traffic at the Application Load Balancer (ALB) listener level. Each ACL contains a set of IPv4 CIDR blocks and operates in one of two modes:

  • Whitelist: Allow only requests from IP addresses that match an ACL entry.

  • Blacklist: Deny requests from IP addresses that match an ACL entry.

Important

ACLs support IPv4 addresses only.


Choose a configuration method

Two methods are available to associate an ACL with a listener. Select the method that fits your use case.

  • aclIds (recommended)
    • Controller version: 2.7.0 or later
    • ACL source: Reference an existing ACL by ID. Create the ACL in the SLB console first.
    • Best for: Frequently updated ACLs shared across listeners

  • aclEntries
    • Controller version: All versions
    • ACL source: Define CIDR entries directly in the AlbConfig. The controller creates the ACL automatically.
    • Best for: Small ACLs with a limited number of entries and listeners

Important
  • aclIds and aclEntries are mutually exclusive. Using both in the same listener configuration causes an error.

  • For ALB Ingress controllers 2.7.0 or later, use aclIds to associate an existing ACL with a listener.

Associate an existing ACL by using aclIds

Before you begin, make sure that an AlbConfig with a configured listener exists. The aclConfig section is added to that listener in the steps of this section.

Step 1: Create an ACL

  1. Log on to the ALB console.

  2. In the top navigation bar, select the region in which to create the ACL.

  3. In the left-side navigation pane, choose ALB > Access Control.

  4. On the Access Control page, click Create ACL.

  5. In the Create ACL dialog box, configure the following parameters and click OK.

    • ACL Name: Enter a name for the ACL.
    • Resource Group: Select a resource group.
    • Tag: Configure the Tag Key and Tag Value parameters. Tags let you filter ACLs on the Access Control page.

Step 2: Add entries to the ACL

ACL entries specify the source IP addresses or CIDR blocks to match against incoming requests.

  1. On the Access Control page, find the ACL and click Manage in the Actions column.

  2. On the Entry tab of the ACL details page, add entries by using one of the following methods:

    • Add a single entry: Click Add Entry. In the Add ACL Entries dialog box, configure the IP/CIDR Block and Remarks parameters, then click Add.

    • Add multiple entries: Click Add ACL Entries. In the Add ACL Entries dialog box, add multiple IP addresses or CIDR blocks and the remarks, then click Add.

When you add multiple entries at a time:
  • Enter one entry per line. Press the ENTER key to start a new line.

  • Use a vertical bar (|) to separate an IP address or a CIDR block from the remarks. For example: 192.168.1.0/24|Remarks.

  • A maximum of 20 entries can be added at a time.

  3. After adding entries, manage them as needed:

    • View the IP addresses or CIDR blocks in the Entry column.

    • Delete entries by clicking Delete in the Actions column. To delete multiple entries, select them and click Delete below the list.

    • Export entries by clicking the download icon in the upper-right corner of the list. To export specific entries, select them first and then click the download icon.

Step 3: Associate the ACL with a listener

Add the aclConfig section to the listener in your AlbConfig and set aclIds to the ID of the ACL you created. The following example uses acl-wtg*** as the ACL ID.

apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: default
spec:
  config:
    #...
  listeners:
    - port: #...
      protocol: #...
      aclConfig:
        aclType: White # The whitelist mode.
        aclIds:
          - acl-wtg*** # The ID of the existing ACL. In this example, the ID is acl-wtg***.
  #...

aclConfig parameters

  • aclType: The type of the ACL. Valid values: Black and White.
  • aclIds: The IDs of the ACLs to associate with the listener. Each listener supports up to three ACLs.

Step 4: Verify access control

Use a client whose public IP address matches a whitelist entry (or does not match a blacklist entry) to access the backend Service. This example uses the resources created in Get started with ALB Ingress.

If the client is allowed, the backend Service responds as expected.


Step 5: (Optional) Disassociate the ACL from the listener

To disassociate the ACL, remove the ACL ID from the aclIds list or set aclIds to null.

apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: default
spec:
  config:
    #...
  listeners:
    - port: #...
      protocol: #...
      aclConfig:
        aclType: White
        aclIds: null  # The ID of the existing ACL (acl-wtg*** in this example) is removed from this list.
  #...

ACLs cannot be deleted through an AlbConfig. To delete an ACL, log on to the SLB console.

Define ACL entries inline by using aclEntries

Before you begin, make sure that an AlbConfig with a configured listener exists. The aclConfig section is added to that listener in the steps of this section.

Important
  • For ALB Ingress controllers 2.7.0 or later, the aclName parameter no longer associates existing ACLs with listeners. Each parameter update creates a new ACL.

  • ALB Ingress controllers 2.6.0 or earlier support a write-back mechanism:

    • If aclConfig is empty in an AlbConfig, the ACL entries associated with a listener are written back to the AlbConfig.

    • If aclConfig is already configured or the ACL entries have been written back, the AlbConfig remains unchanged. When Ingress resources change, the ALB Ingress controller uses the configured AlbConfig to overwrite the ACL configuration in the console. Because the AlbConfig wins, make ACL changes in the AlbConfig rather than only in the console, and keep the two consistent.

Step 1: Define ACL entries

Add or modify the aclConfig section in your AlbConfig and specify CIDR blocks in the aclEntries parameter. If aclName is set, the controller creates an ACL with that name. If aclName is omitted, the name is auto-generated in the format acl-{albName}-{port}.

apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: default
spec:
  config:
    #...
  listeners:
    - port: #...
      protocol: #...
      aclConfig:
        aclEntries:
          - 192.168.XX.XX/16
          - 172.10.XX.XX/16
        aclType: White # The whitelist mode.
        aclName: "acl-test" # An ACL named acl-test is created and associated with the listener.
  #...

aclConfig parameters

  • aclEntries: CIDR blocks for the ACL entries, such as 127.0.0.1/32.
  • aclType: The type of the ACL. Valid values: Black and White.
  • aclName: The name of the ACL. If omitted, the name is auto-generated as acl-{albName}-{port}.
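
The constraints stated for aclConfig in both methods above (aclIds and aclEntries are mutually exclusive, at most three aclIds per listener, IPv4 CIDR entries only, aclType Black or White) and the 20-entries-per-batch limit of the console bulk-add dialog can all be checked before an AlbConfig is applied. The following Python script is an added example, not code from this page or from the ALB Ingress controller. It takes the loaded form of an AlbConfig (the mapping you get after parsing the YAML), reports violations per listener, models the whitelist/blacklist decision for a given client IP as a local dry run of the verification step (CIDR membership only, not the ALB data path), and formats entries for bulk paste into the console. The sample AlbConfig, the ACL IDs acl-a to acl-d and the function names are constructed for the example.

```python
"""Offline checks for the aclConfig section of an AlbConfig (added example)."""
import ipaddress

MAX_ACL_IDS_PER_LISTENER = 3   # aclIds: each listener supports up to three ACLs
MAX_ENTRIES_PER_BATCH = 20     # console bulk-add dialog: at most 20 entries per batch


def parse_ipv4_cidr(entry):
    """Return an IPv4Network for a valid IPv4 CIDR entry, otherwise None.

    strict=False accepts host bits (10.1.2.3/16 is taken as 10.1.0.0/16).
    ACLs support IPv4 only, so IPv6 networks are rejected.
    """
    try:
        net = ipaddress.ip_network(str(entry).strip(), strict=False)
    except ValueError:
        return None
    return net if net.version == 4 else None


def validate_acl_config(acl_config):
    """Return the list of problems in one listener's aclConfig (empty means OK)."""
    problems = []
    acl_type = acl_config.get("aclType")
    if acl_type not in ("Black", "White"):
        problems.append(f"aclType must be Black or White, got {acl_type!r}")
    acl_ids = acl_config.get("aclIds") or []
    entries = acl_config.get("aclEntries") or []
    if acl_ids and entries:
        problems.append("aclIds and aclEntries are mutually exclusive")
    if len(acl_ids) > MAX_ACL_IDS_PER_LISTENER:
        problems.append(f"at most {MAX_ACL_IDS_PER_LISTENER} aclIds per listener, got {len(acl_ids)}")
    for entry in entries:
        net = parse_ipv4_cidr(entry)
        if net is None:
            problems.append(f"aclEntries: {entry!r} is not an IPv4 CIDR block")
        elif acl_type == "White" and net.prefixlen == 0:
            # 0.0.0.0/0 in a whitelist matches every source address, so the ACL filters nothing.
            problems.append(f"aclEntries: {entry} in a whitelist admits every client")
    return problems


def lint_albconfig(albconfig):
    """Check every listener that carries an aclConfig; returns {port: [problems]}."""
    report = {}
    for listener in albconfig.get("spec", {}).get("listeners", []):
        if listener.get("aclConfig"):
            report[listener["port"]] = validate_acl_config(listener["aclConfig"])
    return report


def acl_decision(acl_type, entries, client_ip):
    """Model the listener decision for client_ip: True = allowed, False = denied.

    CIDR membership only (a local dry run of the verification step), not the
    ALB data path. An IPv6 client never matches an IPv4 entry.
    """
    ip = ipaddress.ip_address(client_ip)
    matched = any(ip in net for net in map(parse_ipv4_cidr, entries) if net)
    return matched if acl_type == "White" else not matched


def format_bulk_entries(entries):
    """Turn (cidr, remark) pairs into console paste batches of at most 20 lines.

    Each line uses the console's "CIDR|remark" form. A bad entry raises rather
    than being dropped silently, so a typo cannot shrink an allowlist unnoticed.
    """
    lines = []
    for cidr, remark in entries:
        if parse_ipv4_cidr(cidr) is None:
            raise ValueError(f"not an IPv4 CIDR block: {cidr!r}")
        if "|" in remark or "\n" in remark:
            raise ValueError(f"remark for {cidr} contains a separator character")
        lines.append(f"{cidr}|{remark}")
    return ["\n".join(lines[i:i + MAX_ENTRIES_PER_BATCH])
            for i in range(0, len(lines), MAX_ENTRIES_PER_BATCH)]


# Constructed sample: the loaded form of an AlbConfig with two listeners.
# Values are illustrative; the ACL IDs acl-a..acl-d do not refer to real ACLs.
SAMPLE_ALBCONFIG = {
    "apiVersion": "alibabacloud.com/v1",
    "kind": "AlbConfig",
    "metadata": {"name": "default"},
    "spec": {"listeners": [
        {"port": 80, "protocol": "HTTP",
         "aclConfig": {"aclType": "White", "aclName": "acl-test",
                       "aclEntries": ["192.168.0.0/16", "203.0.113.10/32"]}},
        {"port": 443, "protocol": "HTTPS",
         "aclConfig": {"aclType": "White",
                       "aclIds": ["acl-a", "acl-b", "acl-c", "acl-d"],
                       "aclEntries": ["2001:db8::/32", "0.0.0.0/0"]}},
    ]},
}

if __name__ == "__main__":
    for port, problems in lint_albconfig(SAMPLE_ALBCONFIG).items():
        print(port, problems or "OK")
    ok = SAMPLE_ALBCONFIG["spec"]["listeners"][0]["aclConfig"]["aclEntries"]
    print(acl_decision("White", ok, "192.168.5.7"))   # True: matches 192.168.0.0/16
    print(acl_decision("Black", ok, "192.168.5.7"))   # False: a matched entry is denied
```

Run the script against the mapping produced by your YAML loader before applying the AlbConfig; the port 443 listener in the sample trips all four checks, while port 80 passes. The 0.0.0.0/0 warning is deliberate: a whitelist that contains the whole IPv4 space is indistinguishable from having no ACL.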

Step 2: Verify access control

Use a client whose public IP address matches a whitelist entry (or does not match a blacklist entry) to access the backend Service. This example uses the resources created in Get started with ALB Ingress.

If the client is allowed, the backend Service responds as expected.


Step 3: (Optional) Remove ACL entries

Update the aclEntries parameter in the AlbConfig to remove entries. The following example removes the 172.10.XX.XX/16 entry. Changes to aclEntries are synchronized to the associated ACL (in this example, acl-test). If aclEntries is left empty, all entries are removed from the ACL.

apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: default
spec:
  config:
    #...
  listeners:
    - port: #...
      protocol: #...
      aclConfig:
        aclEntries:
          - 192.168.XX.XX/16
        aclType: White
        aclName: "acl-test" # The 172.10.XX.XX/16 entry is also removed from the acl-test ACL.
  #...

ACLs cannot be deleted through an AlbConfig. To delete an ACL, log on to the SLB console.