Global Accelerator (GA) access control filters traffic at the listener level based on client IP addresses. Configure access control lists (ACLs) with whitelist or blacklist rules to restrict which clients can reach your accelerated services.
Access control lists and modes
An ACL is a named set of IP addresses or CIDR blocks. After you create an ACL, associate it with one or more listeners to enforce IP-based filtering on incoming requests.
An access control policy has two parts:
- ACL -- the list of IP addresses or CIDR blocks.
- Access control mode -- how the listener uses the ACL: whitelist or blacklist.
GA supports two access control modes:
| Mode | Behavior | Use when |
|---|---|---|
| Whitelist | Only requests from IP addresses or CIDR blocks in the ACL are forwarded. All other requests are denied. | You want to allow access from specific IP addresses only. |
| Blacklist | Requests from IP addresses or CIDR blocks in the ACL are denied. All other requests are forwarded. | You want to block access from specific IP addresses. |
Improperly configured whitelists may affect service availability.
- Whitelist with an empty ACL: The listener forwards all requests. Add the IP addresses or CIDR blocks that require access before you enable whitelist mode.
- Blacklist with an empty ACL: The listener forwards all requests. The blacklist has no effect until you add entries.
How access control works
- Create an ACL -- Define a named access control list.
- Add IP entries -- Add individual IP addresses or CIDR blocks to the ACL.
- Associate the ACL with a listener -- Bind the ACL to a listener on your standard GA instance.
- Select the access control mode -- Choose whitelist or blacklist mode for that listener.
After configuration, the listener evaluates each incoming request against the ACL before forwarding traffic to the endpoint group.
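The listener decision described above, together with the empty-ACL caveats, modeled as an added Python example (this is not GA code; the policy object, the mode names, the pre-flight check and the example addresses are assumptions made for illustration):

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class AccessControlPolicy:
    """Constructed model of one listener's access control: an ACL plus a mode."""
    mode: str                                      # "whitelist" or "blacklist"
    entries: list = field(default_factory=list)    # IP addresses or CIDR blocks

    def networks(self):
        # A bare address ("203.0.113.7") becomes a single-host network; for
        # CIDR entries the host bits must be zero (assumption of this model).
        return [ipaddress.ip_network(e) for e in self.entries]

    def matches(self, client_ip: str) -> bool:
        ip = ipaddress.ip_address(client_ip)
        # IPv4 entries only apply to IPv4 clients and vice versa (one ACL per
        # IP version per listener, as the limits table states).
        return any(ip in net for net in self.networks() if net.version == ip.version)

    def decision(self, client_ip: str) -> str:
        """Return 'forward' or 'deny' for a request from client_ip."""
        # Documented behaviour: an empty ACL forwards all requests in both modes.
        if not self.entries:
            return "forward"
        hit = self.matches(client_ip)
        if self.mode == "whitelist":
            return "forward" if hit else "deny"
        if self.mode == "blacklist":
            return "deny" if hit else "forward"
        raise ValueError(f"unknown access control mode: {self.mode}")

    def preflight_warnings(self) -> list:
        """Flag the availability pitfalls the page warns about before enabling."""
        warnings = []
        if self.mode == "whitelist" and not self.entries:
            warnings.append("whitelist with empty ACL forwards all requests")
        if self.mode == "blacklist" and not self.entries:
            warnings.append("blacklist with empty ACL has no effect")
        for e in self.entries:
            try:
                ipaddress.ip_network(e)
            except ValueError:
                warnings.append(f"invalid ACL entry: {e}")
        return warnings


if __name__ == "__main__":
    # Constructed sample: allow one office range, then probe two clients.
    policy = AccessControlPolicy("whitelist", ["203.0.113.0/24"])
    for client in ("203.0.113.7", "198.51.100.7"):
        print(client, "->", policy.decision(client))
```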
Prerequisites
Before you begin, make sure that you have:
- A standard GA instance with at least one listener configured
- The IP addresses or CIDR blocks to include in the ACL
Configure access control
Access control is available for listeners of standard GA instances. Configure it through the GA console or by calling the GA API.
Console
Log on to the GA console and follow the instructions to create an ACL, add IP entries, associate the ACL with a listener, and select the access control mode.
For detailed steps, see Access control.
API
Use the following API operations to manage access control programmatically:
| Operation | Description |
|---|---|
| CreateAcl | Create an ACL. |
| AddEntriesToAcl | Add IP entries to an ACL. |
| AssociateAclsWithListener | Associate an ACL with a listener. |
| DissociateAclsFromListener | Disassociate an ACL from a listener. |
| RemoveEntriesFromAcl | Remove IP entries from an ACL. |
| DeleteAcl | Delete an ACL. |
Typical API workflow:
- Call CreateAcl to create an ACL.
- Call AddEntriesToAcl to add IP addresses or CIDR blocks.
- Call AssociateAclsWithListener to bind the ACL to a listener and specify the access control mode (whitelist or blacklist).
To remove access control, call DissociateAclsFromListener to unbind the ACL, then optionally call RemoveEntriesFromAcl and DeleteAcl to clean up.
Limits
| Item | Limit |
|---|---|
| ACLs per listener | 1 IPv4 ACL and 1 IPv6 ACL |
| Listeners per ACL | Up to 10 |
| IP entries per ACL per listener (Subscription) | Up to 200 |
| Total IP/CIDR entries per GA instance (Pay-as-you-go) | Up to 600 |
| Listener type | Smart routing listeners only |
For the latest quotas, see GA limits.
What's next
- Access control (console guide) -- Step-by-step instructions for configuring access control in the GA console.
- GA API reference -- Complete API reference for GA operations.