All Products
Search
Document Center

Smart Access Gateway:ACL overview

Last Updated:Apr 01, 2026

Access control lists (ACLs) in Smart Access Gateway (SAG) let you filter inbound and outbound traffic on your gateway instances by defining rules that allow or deny traffic based on IP addresses, protocols, and ports. ACLs improve network security by controlling which traffic can reach your resources.

Note

Only SAG app and SAG CPE instances support ACLs. ACLs are disabled for SAG app instances by default — contact your account manager to enable them.

How it works

Each ACL contains one or more rules. When traffic arrives at an SAG instance, the instance evaluates the traffic against each rule in priority order and applies the first matching rule.

An ACL rule has two parts:

  • Match conditions — criteria that identify which traffic the rule applies to

  • Action — what to do with matching traffic: Allow or Deny

Match conditions

Each rule can specify the following match conditions:

FieldDescriptionExample
DirectionWhether the rule applies to inbound or outbound trafficInbound
ProtocolThe network protocolTCP, UDP, ICMP
Source CIDR blockThe source IP address range192.168.1.0/24
Source portThe source port or port range80, 1024–65535
Destination CIDR blockThe destination IP address range10.0.0.0/8
Destination portThe destination port or port range443, 8080

SAG CPE instances and SAG app instances support different match conditions. For the full list of supported fields per instance type, see Create an ACL for an SAG app instance or Create an ACL for an SAG CPE instance.

Rule evaluation order

Rules are evaluated in ascending order of priority value — a lower priority value means a higher priority. Evaluation stops as soon as a match is found.

If traffic matches multiple rules simultaneously, the following tie-breaking order applies:

  1. Action — a Deny rule takes precedence over an Allow rule at the same priority.

  2. CIDR match — if two rules share the same priority and action, the rule with matching source and destination CIDR blocks is applied first.

  3. Creation time — if rules still tie after the above checks, the rule created earliest is applied first.

If no rule matches, the traffic is allowed by default.

Limitations

LimitationDetails
Supported instance typesACLs are supported only on SAG app and SAG CPE instances
SAG app instancesACLs are disabled by default; contact your account manager to enable
Application-aware ACLsSupported only on SAG CPE instances
ACL typeCannot be changed after the ACL is created

The following table lists the resource quotas. All quotas are fixed and cannot be increased.

ResourceDefault quota
ACLs per SAG CPE instance1
ACLs per SAG app instance1
ACL rules per SAG CPE instance50
ACL rules per SAG app instance50
ACLs per Alibaba Cloud account10

Get started

To configure ACLs for your SAG instance, follow the procedure for your instance type: