All Products
Search
Document Center

Container Service for Kubernetes:Configure ACL-based access control with AlbConfig

Last Updated:Jun 15, 2026

Whitelist or blacklist source IPs by associating ACLs with ALB Ingress listeners in your AlbConfig.

Important

ACLs support only IPv4 addresses.

How it works

An ACL contains a group of CIDR blocks. After you associate an ACL with a listener through AlbConfig, the listener matches incoming source IPs against ACL entries and applies one of these rules:

  • Whitelist: Allows only requests from IP addresses that match ACL entries.

  • Blacklist: Denies requests from IP addresses that match ACL entries.

The following figure shows how ACLs work.

image

Choose a configuration method

Two methods associate a listener with an ACL. Use aclIds to manage ACL entries frequently or reuse existing ACLs.

Item aclIds (recommended) aclEntries
Supported controller version ALB Ingress controller v2.7.0 and later All versions
Associate with an existing ACL Yes — use the ACL ID directly No — v2.7.0 and later cannot associate an existing ACL
How to create an ACL Create manually in the ALB console Defined inline in the AlbConfig
Best for Frequent ACL entry changes; cost-effective ACL maintenance Small number of listeners with few ACL entries
Important

aclIds and aclEntries are mutually exclusive. In ALB Ingress controller v2.7.0 and later, use only aclIds to associate an existing ACL with a listener.

Prerequisites

Before you begin:

  • An AlbConfig with at least one listener is configured.

  • The aclConfig parameter is configured at the listener level inside the AlbConfig.

Use the aclIds parameter (recommended)

Associate an existing ACL with a listener by its ID. Each listener supports up to three ACLs.

Step 1: Create an ACL

  1. Log on to the ALB console.

  2. In the top navigation bar, select a region.

  3. In the left-side navigation pane, choose ALB > Access Control.

  4. On the Access Control page, click Create Access Control List.

  5. In the Create ACL dialog box, configure the parameters and click OK.

    Parameter Description
    ACL Name The ACL name.
    Tag Key / Tag Value Tags for filtering ACLs on the Access Control page.
    Resource Group Select a resource group.

Step 2: Add entries to the ACL

ACL entries specify source IP addresses or CIDR blocks to match against incoming requests.

  1. On the Access Control page, find the ACL and click Manage in Actions.

  2. On the Entry tab of the ACL details page, add entries:

    • Single entry: Click Add Entry, configure IP/CIDR Block and Remarks, then click Add.

    • Multiple entries: Click Add ACL Entries, enter CIDR blocks with remarks, then click Add:

      • Enter one entry per line.

      • Use a vertical bar (|) to separate IP/CIDR blocks from remarks. Example: 192.168.1.0/24|Remarks.

      • Add up to 20 entries at a time.

  3. After adding entries:

    • View CIDR blocks in Entry.

    • Delete entries from the Actions column, or select multiple entries and click Delete.

    • Export entries with the download icon in the upper-right corner. To export specific entries, select them and click the download icon.

Step 3: Associate the ACL with a listener

Add spec.listeners.aclConfig to your AlbConfig and specify the ACL ID in aclIds.

apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: default
spec:
  config:
  #...
  listeners:
    - port: #...
      protocol: #...
      aclConfig:
        aclType: White   # Whitelist mode
        aclIds:
          - acl-wtg***   # Replace with your ACL ID
#...

aclConfig parameters:

Parameter Description
aclType The ACL type. Valid values: Black (blacklist), White (whitelist).
aclIds The ACL ID. Each listener supports up to three ACLs.

Step 4: Verify the access control effect

Access the backend Service from a client whose public IP matches a whitelist entry (or does not match any blacklist entry).

This example uses resources from Get started with ALB Ingress.

If allowed, the client reaches the backend Service.

image

Step 5: (Optional) Disassociate the ACL from the listener

To disassociate an ACL, remove its ID from aclIds or set aclIds to null.

apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: default
spec:
  config:
   #...
  listeners:
    - port: #...
      protocol: #...
      aclConfig:
        aclType: White
        aclIds: null   # Removes the associated ACL
  #...
To delete the ACL itself, use the ALB console . ACLs cannot be deleted from an AlbConfig.

Use the aclEntries parameter

Define ACL entries inline in the AlbConfig. The controller creates and manages the ACL automatically.

Important
  • In ALB Ingress controller v2.7.0 and later, aclName no longer associates an existing ACL. Each aclName update creates and associates a new ACL.

  • In ALB Ingress controller v2.6.0 and earlier, write-back is enabled by default:

  • If aclConfig is empty in the AlbConfig, ACL entries from the associated listener are written back to the AlbConfig.

  • If aclConfig is configured or entries are already written back, the AlbConfig stays unchanged. When Ingress resources change, the controller overwrites console ACL configuration with the AlbConfig — keep both in sync.

Step 1: Configure ACL entries in the AlbConfig

Add or update spec.listeners.aclConfig in the AlbConfig. Specify CIDR blocks in aclEntries and optionally a name in aclName.

If aclName is set, the ACL uses that name. If aclName is not set, the name is auto-generated as acl-{albName}-{port}.

apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: default
spec:
  config:
   #...
  listeners:
    - port: #...
      protocol: #...
      aclConfig:
        aclEntries:
          - 192.168.XX.XX/16
          - 172.10.XX.XX/16
        aclType: White   # Whitelist mode
        aclName: "acl-test"   # Creates an ACL named acl-test
  #...

aclConfig parameters:

Parameter Description
aclEntries The ACL entries. Must be CIDR blocks, for example 127.0.0.1/32.
aclType The ACL type. Valid values: Black (blacklist), White (whitelist).
aclName The ACL name. If not set, auto-generated as acl-{albName}-{port}.

Step 2: Verify the access control effect

Access the backend Service from a client whose public IP matches a whitelist entry (or does not match any blacklist entry).

This example uses resources from Get started with ALB Ingress.

If allowed, the client reaches the backend Service.

image

Step 3: (Optional) Remove ACL entries

Update aclEntries in the AlbConfig. The controller syncs changes to the associated ACL.

This example removes 172.10.XX.XX/16 from acl-test, keeping only 192.168.XX.XX/16. Set aclEntries to an empty list to remove all entries.

apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: default
spec:
  config:
   #...
  listeners:
    - port: #...
      protocol: #...
      aclConfig:
        aclEntries:
          - 192.168.XX.XX/16   # 172.10.XX.XX/16 is removed from acl-test
        aclType: White
        aclName: "acl-test"
  #...
To delete the ACL itself, use the ALB console. ACLs cannot be deleted from an AlbConfig.

Next steps