To precisely control requests from clients, you can enable access control for GA listeners. You can configure a whitelist or blacklist to allow or disallow specific IP addresses to access GA listeners.
Introduction
An access control policy is configured by specifying access control lists (ACLs) and access control modes.
Access control list (ACL): You can add multiple IP addresses or CIDR blocks to an ACL to allow or deny access from them.
Access control modes: You can specify ACLs as whitelists or blacklists for different listeners.
Whitelist: allows specific IP addresses to access GA listeners. Only requests from the IP addresses or CIDR blocks in the whitelist are forwarded. Whitelists apply to scenarios in which you want to allow only specific IP addresses to access GA listeners.
Blacklist: disallows specific IP addresses to access GA listeners. Requests from the IP addresses or CIDR blocks in the blacklist are blocked. Blacklists apply to scenarios in which you want to limit specific IP addresses from accessing GA listeners.
Risks may occur if a whitelist is improperly configured. After you configure a whitelist for a listener, only the requests from the IP addresses in the whitelist are forwarded by the listener. If access control is enabled and a whitelist is configured for a listener but no IP address is added to the whitelist, the GA listener forwards all requests.
If a blacklist is enabled but no IP addresses are added to the blacklist, the listener forwards all requests.
ACLs support IPv4 and IPv6. When you configure access control for a listener, you can select an ACL that uses the same IP version as the accelerated IP address of the access point.
Limits
You can enable the access control feature only for intelligent routing listeners.
The total number of IP addresses and CIDR blocks in the ACLs that are associated with a listener cannot exceed 200. The IP addresses and CIDR blocks must be unique.
An ACL can be associated with up to 10 listeners.
A listener can be associated with only one IPv4 ACL and one IPv6 ACL.
If a GA instance uses IPv4 or IPv6 accelerated IP addresses and the listener is associated with an IPv4 ACL and an IPv6 ACL, only the ACL that uses the same IP version as the accelerated IP addresses takes effect.
If a GA instance uses dual-stack accelerated IP addresses and the listener is associated with an IPv4 ACL and an IPv6 ACL, both ACLs take effect.
Procedure
Create an ACL
Before you enable access control for a listener, you must create an ACL.
Log on to the GA console.
In the left-side navigation pane, choose .
On the Access Control page, click Create ACL.
In the Create ACL dialog box, configure the parameters and click OK. The following table describes the parameters.
Parameter
Description
ACL Name
Enter a name for the ACL.
IP Version
Select the IP version of the ACL.
If you select IPv4, the ACL takes effect only in acceleration regions that use accelerated IPv4 addresses.
If you select IPv6, the ACL takes effect only in acceleration regions that use accelerated IPv6 addresses.
Resource Group
Select the resource group to which the ACL belongs.
The resource group is a resource group created by the current Alibaba Cloud account in Resource Management. For more information, see Create a resource group.
Tag
Add tags to the ACL.
Configure Tag Key and Tag Value.
For more information about how to manage ACL tags, see Manage tags.
Add IP addresses or CIDR blocks to the ACL
After the ACL is created, you can add multiple IP addresses or CIDR blocks to the ACL. This way, you can enable a listener to allow or block access from the specified IP addresses or CIDR blocks.
Log on to the GA console.
In the left-side navigation pane, choose .
Find the ACL that you want to manage and click Actions in the Manage ACL column.
On the ACL Details page, you can use the following methods to add IP addresses or CIDR blocks to the ACL:
Add one IP address or CIDR block to the ACL
Click Add Rule. In the Add ACL Entry dialog box, configure the IP Address/CIDR Block and Remark parameters and click OK.
Add multiple IP addresses or CIDR blocks at a time
Click Add Multiple Rules. In the Add Multiple Rules dialog box, enter multiple IP addresses or CIDR blocks by following the prompt and then click OK.
Enable access control for a listener
Before you enable access control, make sure that a listener is created. For more information, see Add and manage intelligent routing listeners.
Log on to the GA console.
On the Instances page, find the GA instance that you want to manage and click Configure Listeners in the Actions column.
On the Listeners tab, click the ID of the listener for which you want to enable access control.
In the Listener Details section of the Access Control tab, turn on Access Control.
In the Enable Access Control dialog box, configure the parameters and click OK. The following table describes the parameters.
Parameter
Description
Access Control Mode
Select an access control mode. Valid values:
Whitelist: After you associate an ACL with the listener, the listener forwards only requests from IP addresses or CIDR blocks that are added to the ACL.
black: Requests from the IP addresses or CIDR blocks in the blacklist are not forwarded.
WarningRisks may occur if a whitelist is improperly configured. After you configure a whitelist for a listener, only the requests from the IP addresses in the whitelist are forwarded by the listener. If access control is enabled and a whitelist is configured for a listener but no IP address is added to the whitelist, the GA listener forwards all requests.
If a blacklist is enabled but no IP addresses are added to the blacklist, the listener forwards all requests.
Select ACL
Select an ACL.
You can also click + Add ACL and add two ACLs at a time.
Disassociate an ACL from a listener
You can disassociate ACLs that you no longer require from a listener.
After you disassociate all ACLs from a listener, the system disables the access control feature for the listener.
Log on to the GA console.
On the Instances page, find the GA instance that you want to manage and click Configure Listeners in the Actions column.
On the Listeners tab, click the ID of the listener from which you want to disassociate ACLs.
In the Access Control section of the Listener Details tab, click the
icon next to Access Control List. In the Modify ACL dialog box, find the ACL that you want to disassociate, click Disassociate in the Actions column, and then click OK.
Disable access control for a listener
If a listener no longer requires access control, you can disable access control for the listener.
Log on to the GA console.
On the Instances page, find the GA instance that you want to manage and click Configure Listeners in the Actions column.
On the Listeners tab, click the ID of the listener for which you want to disable access control.
In the Access Control section of the Listener Details tab, turn off Access Control.
In the message that appears, click OK.
Remove IP addresses or CIDR blocks from an ACL
You can remove IP addresses or CIDR blocks from an ACL.
Log on to the GA console.
In the left-side navigation pane, choose .
Find the ACL that you want to manage and click Actions in the Manage ACL column.
Find the IP address or CIDR block that you want to remove from the ACL and click Actions in the Delete column or select multiple IP addresses and click Delete below the IP entry list.
In the message that appears, click OK.
Delete an ACL
You can delete ACLs that you no longer require.
Before you delete an ACL, disassociate the ACL from the listener. For more information, see Disassociate an ACL from a listener.
Log on to the GA console.
In the left-side navigation pane, choose .
Find the ACL that you want to delete and click Actions in the Delete column.
In the message that appears, click OK.
References
CreateAcl: creates an ACL.
AddEntriesToAcl: adds IP entries to an ACL.
AssociateAclsWithListener: associates an ACL with a listener.
DissociateAclsFromListener: disassociates an ACL from a listener.
RemoveEntriesFromAcl: removes IP entries from an ACL.
DeleteAcl: deletes an ACL.