An access control list (ACL) controls inbound and outbound traffic for Smart Access Gateway (SAG) app instances. If you create a rule in one direction only, the SAG app cannot receive responses, causing connection timeouts. Always configure matching inbound and outbound rules, or enable Auto Generation of Reverse Direction Rule to let the console generate the return rule automatically.
Prerequisites
Before you begin, ensure that you have:
An Alibaba Cloud account with access to the SAG console
An existing SAG app instance to associate the ACL with
Step 1: Create an ACL
Log on to the SAG console.
In the top navigation bar, select the region.
In the left-side navigation pane, click ACL.
On the ACL page, click Create access control.
In the Create access control dialog box, configure the following parameters and click OK.
| Parameter | Description |
|---|---|
| Resource Group | Select the resource group for the ACL. |
| Instance Name | Enter a name for the ACL. |
| Instance Type | Select the type of SAG instance to associate with the ACL. Valid values: SAG Device and SAG App. This example uses SAG App. |
Step 2: Add a rule to the ACL
On the ACL page, find the ACL and click Configure Rules in the Actions column.
On the ACL details page, click the Rules tab, then click Add Rule.
In the Add Rule dialog box, configure the following parameters and click OK.
| Parameter | Description |
|---|---|
| Instance Name | Enter a name for the rule. |
| Rule Direction | Select the direction the rule applies to: Outbound (traffic leaving the SAG app) or Inbound (traffic arriving at the SAG app). |
| Policy | Select Allow to permit traffic, or Block to reject it. |
| Protocol | Select a protocol. The protocols listed in the console are authoritative. |
| Source CIDR Block | The source IP range, determined by rule direction. For Outbound rules, enter the CIDR block of the SAG app that initiates requests. For Inbound rules, enter the CIDR block of the external service sending requests. |
| Source Port Range | Enter the source port range. The available range depends on the selected protocol. For All (All Protocols Supported), the range is fixed at -1/-1. For HTTP, the default is 1/65535 and can be modified. |
| Destination CIDR Block | The destination IP range, determined by rule direction. For Outbound rules, enter the CIDR block of the external service receiving requests. For Inbound rules, enter the CIDR block of the SAG app receiving requests. |
| Destination Port Range | Enter the destination port range. The available range depends on the selected protocol. For All (All Protocols Supported), the range is fixed at -1/-1. For TELNET, the default is 23/23 and can be modified. |
| Priority | Enter a priority value from 1 to 100. Lower values indicate higher priority. |
| Auto Generation of Reverse Direction Rule | Select this option to automatically create a matching rule in the opposite direction. For example, if you create an inbound rule, the console generates a corresponding outbound rule. Enable this option to avoid response timeouts. Important If the protocol is not TCP or UDP, the automatically generated reverse rule uses TCP by default. |
Port range formats:
| Format | Meaning |
|---|---|
1/200 | Ports 1 through 200 |
80/80 | Port 80 only |
-1/-1 | All ports |
Step 3: Associate the ACL with the SAG app instance
On the ACL details page, click the Associated Instances tab.
Click Associate with Instance.
In the Associate with Instance dialog box, select one or more SAG app instances and click OK.
To find a specific instance, filter by resource group, instance name, or instance ID.
More operations
| Operation | Steps |
|---|---|
| Clone an ACL | On the ACL page, find the ACL and choose  > Clone in the Actions column. In the Clone ACL message, confirm the information and click OK. The cloned ACL includes all existing rules. |
| Modify an ACL rule | On the ACL details page, click the Rules tab and find the rule. Click Modify in the Actions column. Update the settings in the Edit Rule dialog box and click OK. |
| Delete an ACL rule | On the ACL details page, click the Rules tab and find the rule. Click Delete in the Actions column. In the Delete Rule message, click OK. |
| Disassociate an ACL from an SAG app instance | On the ACL details page, click the Associated Instances tab. Find the instance and click Disassociate in the Actions column. Confirm the instance information in the Disassociate Instance message and click OK. |
| Delete an ACL | On the ACL page, find the ACL and choose  > Delete in the Actions column. In the Delete ACL message, confirm the information and click OK. |
API reference
| API | Description |
|---|---|
| CreateACL | Creates an ACL. |
| ModifyACL | Renames an ACL. |
| DeleteACL | Deletes an ACL. |
| AssociateACL | Associates an ACL with an SAG instance. |
| DisassociateACL | Disassociates an ACL from an SAG instance. |
| AddACLRule | Adds a rule to an ACL. |
| ModifyACLRule | Modifies an ACL rule. |
| DeleteACLRule | Deletes an ACL rule. |
| DescribeACLAttribute | Queries a specified ACL. |
| DescribeACLs | Queries ACLs in a specified region. |