Access control lists (ACLs) in Smart Access Gateway (SAG) let you filter inbound and outbound traffic on your gateway instances by defining rules that allow or deny traffic based on IP addresses, protocols, and ports. ACLs improve network security by controlling which traffic can reach your resources.
Only SAG app and SAG CPE instances support ACLs. ACLs are disabled for SAG app instances by default — contact your account manager to enable them.
How it works
Each ACL contains one or more rules. When traffic arrives at an SAG instance, the instance evaluates the traffic against each rule in priority order and applies the first matching rule.
An ACL rule has two parts:
Match conditions — criteria that identify which traffic the rule applies to
Action — what to do with matching traffic: Allow or Deny
Match conditions
Each rule can specify the following match conditions:
| Field | Description | Example |
|---|---|---|
| Direction | Whether the rule applies to inbound or outbound traffic | Inbound |
| Protocol | The network protocol | TCP, UDP, ICMP |
| Source CIDR block | The source IP address range | 192.168.1.0/24 |
| Source port | The source port or port range | 80, 1024–65535 |
| Destination CIDR block | The destination IP address range | 10.0.0.0/8 |
| Destination port | The destination port or port range | 443, 8080 |
SAG CPE instances and SAG app instances support different match conditions. For the full list of supported fields per instance type, see Create an ACL for an SAG app instance or Create an ACL for an SAG CPE instance.
Rule evaluation order
Rules are evaluated in ascending order of priority value — a lower priority value means a higher priority. Evaluation stops as soon as a match is found.
If traffic matches multiple rules simultaneously, the following tie-breaking order applies:
Action — a Deny rule takes precedence over an Allow rule at the same priority.
CIDR match — if two rules share the same priority and action, the rule with matching source and destination CIDR blocks is applied first.
Creation time — if rules still tie after the above checks, the rule created earliest is applied first.
If no rule matches, the traffic is allowed by default.
Limitations
| Limitation | Details |
|---|---|
| Supported instance types | ACLs are supported only on SAG app and SAG CPE instances |
| SAG app instances | ACLs are disabled by default; contact your account manager to enable |
| Application-aware ACLs | Supported only on SAG CPE instances |
| ACL type | Cannot be changed after the ACL is created |
The following table lists the resource quotas. All quotas are fixed and cannot be increased.
| Resource | Default quota |
|---|---|
| ACLs per SAG CPE instance | 1 |
| ACLs per SAG app instance | 1 |
| ACL rules per SAG CPE instance | 50 |
| ACL rules per SAG app instance | 50 |
| ACLs per Alibaba Cloud account | 10 |
Get started
To configure ACLs for your SAG instance, follow the procedure for your instance type: