This topic describes how to enable access control for a listener of a Global Accelerator (GA) instance. You can configure whitelists and blacklists to implement fine-grained access control on client requests.

Introduction

The access control feature consists of access control lists (ACLs) and access control modes.
  • ACLs: You can add multiple IP addresses or CIDR blocks to each ACL.
  • Access control modes: You can specify ACLs as whitelists or blacklists for different listeners.
    • Whitelist: Only the requests from the IP addresses or CIDR blocks in the specified ACL are forwarded. If you want to allow access from specific IP addresses, you can configure a whitelist.
    • Blacklist: All requests from the IP addresses or CIDR blocks in the specified ACL are denied. If you want to block access from specific IP addresses, you can configure a blacklist.
Notice
  • Your service may be adversely affected if the whitelist is not properly configured. After you configure a whitelist for a listener, only requests from the IP addresses that are added to the whitelist are forwarded by the listener. If the whitelist is enabled but no IP addresses are added to the ACL, the listener denies all requests.
  • If the blacklist is enabled but no IP addresses are added to the ACL, the listener forwards all requests.

When you create an ACL, you can select IPv4 or IPv6 as the supported IP version. When you configure access control for a listener, you can select an ACL that uses the same IP version as the accelerated IP address of the access point.

Limits

  • The total number of IP addresses and CIDR blocks in the ACLs that are associated with a listener cannot exceed 200. The IP addresses and CIDR blocks must be unique.
  • An ACL can be associated with up to 10 listeners.
  • A listener can be associated only with one IPv4 ACL and one IPv6 ACL. If you associate an IPv4 ACL and an IPv6 ACL with a listener, only the ACL that matches the IP version of the accelerated IP address takes effect.
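
The following Python sketch is an added example, not code from the Global Accelerator product or its API. It models the whitelist and blacklist behavior and the limits described above so that an ACL can be checked locally before it is associated with a listener. The function names and sample addresses are constructed for illustration, and treating a bare IP address and its /32 form as duplicates is an assumption.

```python
import ipaddress

MAX_ENTRIES = 200  # limit from this page (counted across the ACLs of one listener)

def parse_acl(entries):
    """Turn IP/CIDR strings into network objects (a bare IP becomes /32 or /128)."""
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries]

def decide(mode, entries, client_ip):
    """Return 'forward' or 'deny' for one client, following the documented modes."""
    ip = ipaddress.ip_address(client_ip)
    hit = any(ip.version == n.version and ip in n for n in parse_acl(entries))
    if mode == "whitelist":
        return "forward" if hit else "deny"    # empty ACL: every request is denied
    if mode == "blacklist":
        return "deny" if hit else "forward"    # empty ACL: every request is forwarded
    raise ValueError(f"unknown mode: {mode}")

def preflight(mode, entries, accel_ip_version, must_reach=()):
    """List problems to fix before associating this ACL with a listener."""
    problems = []
    nets = parse_acl(entries)
    if len(nets) > MAX_ENTRIES:
        problems.append(f"{len(nets)} entries exceeds the limit of {MAX_ENTRIES}")
    seen = set()
    for n in nets:
        if n in seen:                          # assumption: compared after normalization
            problems.append(f"duplicate entry: {n}")
        seen.add(n)
        if n.version != accel_ip_version:      # ACL must match the accelerated IP version
            problems.append(f"{n} is IPv{n.version}, accelerated IP is IPv{accel_ip_version}")
    if mode == "whitelist" and not nets:
        problems.append("whitelist with an empty ACL denies all requests")
    for ip in must_reach:                      # clients that must keep access
        if decide(mode, entries, ip) == "deny":
            problems.append(f"required client {ip} would be denied")
    return problems

if __name__ == "__main__":
    # Constructed sample ACL using documentation address ranges.
    acl = ["203.0.113.0/24", "198.51.100.7", "198.51.100.7/32"]
    for problem in preflight("whitelist", acl, 4, must_reach=["192.0.2.10"]):
        print(problem)
```

Pass the addresses of clients that must keep access in must_reach; an empty result means none of the modeled problems were found.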

Procedure

Create an ACL

Before you enable access control for a listener, you must create an ACL.

  1. Log on to the Global Accelerator console.
  2. In the left-side navigation pane, choose Standard Instance > Access Control.
  3. On the Access Control page, click Create ACL.
  4. In the Create ACL dialog box, set the ACL Name and IP Version parameters and click OK.
    • If you select IPv4, the ACL is applied only in acceleration regions that use accelerated IPv4 addresses.
    • If you select IPv6, the ACL is applied only in acceleration regions that use accelerated IPv6 addresses.

Add IP addresses or CIDR blocks to the ACL

After the ACL is created, you can add multiple IP addresses or CIDR blocks to the ACL. This way, you can enable a listener to allow or block access from the specified IP addresses or CIDR blocks.

  1. Log on to the Global Accelerator console.
  2. In the left-side navigation pane, choose Standard Instance > Access Control.
  3. Find the ACL that you want to manage and click Manage ACL in the Actions column.
  4. On the ACL Details page, you can use one of the following methods to add IP addresses or CIDR blocks to the ACL:
    • Add one IP address or CIDR block to the ACL

      Click Add Rule. In the Add ACL Rule dialog box, set the IP Address/CIDR Block and Remark parameters and click OK.

    • Add multiple IP addresses or CIDR blocks at a time

      Click Add Multiple Rules. In the Add ACL Rule dialog box, enter multiple IP addresses or CIDR blocks by following the prompt and then click OK.

Enable access control for a listener

Before you enable access control, make sure that a listener is created. For more information, see Add and manage listeners.

  1. Log on to the Global Accelerator console.
  2. On the Instances page, find the GA instance that you want to manage and click Configure Listeners in the Actions column.
  3. On the Listeners tab, click the ID of the listener for which you want to enable access control.
  4. In the Access Control section of the Listener Details tab, turn on Access Control.
  5. In the Enable Access Control dialog box, set the following parameters and click OK.
    • Access Control Mode: Select an access control mode. Valid values:
      • Whitelist: After you associate an ACL with the listener, the listener forwards only requests from IP addresses or CIDR blocks that are added to the ACL.
      • Blacklist: After you associate an ACL with the listener, the listener denies requests from IP addresses or CIDR blocks that are added to the ACL.
      Notice
      • Your service may be adversely affected if the whitelist is not properly configured. After you configure a whitelist for a listener, only requests from the IP addresses that are added to the whitelist are forwarded by the listener. If the whitelist is enabled but no IP addresses are added to the ACL, the listener denies all requests.
      • If the blacklist is enabled but no IP addresses are added to the ACL, the listener forwards all requests.
    • Select ACL: Select an ACL.

    You can also click + Add ACL and add two ACLs at a time.

Disassociate an ACL from a listener

You can disassociate ACLs that you no longer need from a listener.

After you disassociate all ACLs from a listener, the system disables the access control feature for the listener.

  1. Log on to the Global Accelerator console.
  2. On the Instances page, find the GA instance that you want to manage and click Configure Listeners in the Actions column.
  3. On the Listeners tab, click the ID of the listener from which you want to disassociate ACLs.
  4. In the Access Control section of the Listener Details tab, click the Edit icon next to Access Control List.
  5. In the Modify ACL dialog box, find the ACL that you want to disassociate, click Disassociate in the Actions column, and then click OK.

Disable access control for a listener

If a listener no longer requires access control, you can disable access control for the listener.

  1. Log on to the Global Accelerator console.
  2. On the Instances page, find the GA instance that you want to manage and click Configure Listeners in the Actions column.
  3. On the Listeners tab, click the ID of the listener for which you want to disable access control.
  4. In the Access Control section of the Listener Details tab, turn off Access Control.
  5. In the message that appears, click OK.

Remove IP addresses or CIDR blocks from the ACL

You can remove IP addresses or CIDR blocks from the ACL.

  1. Log on to the Global Accelerator console.
  2. In the left-side navigation pane, choose Standard Instance > Access Control.
  3. Find the ACL that you want to manage and click Manage ACL in the Actions column.
  4. Find the IP address or CIDR block that you want to remove from the ACL and click Delete in the Actions column. To remove multiple IP addresses or CIDR blocks at a time, select the IP addresses or CIDR blocks that you want to remove and click Delete below the list.
  5. In the message that appears, click OK.

Delete an ACL

You can delete ACLs that are no longer needed.

Before you delete an ACL, disassociate the ACL from the listener. For more information, see Disassociate an ACL from a listener.

  1. Log on to the Global Accelerator console.
  2. In the left-side navigation pane, choose Standard Instance > Access Control.
  3. Find the ACL that you want to delete and click Delete in the Actions column.
  4. In the message that appears, click OK.
