All Products
Search
Document Center

Smart Access Gateway:Create an ACL for an SAG app instance

Last Updated:Apr 01, 2026

An access control list (ACL) controls inbound and outbound traffic for Smart Access Gateway (SAG) app instances. If you create a rule in one direction only, the SAG app cannot receive responses, causing connection timeouts. Always configure matching inbound and outbound rules, or enable Auto Generation of Reverse Direction Rule to let the console generate the return rule automatically.

Prerequisites

Before you begin, ensure that you have:

  • An Alibaba Cloud account with access to the SAG console

  • An existing SAG app instance to associate the ACL with

Step 1: Create an ACL

  1. Log on to the SAG console.

  2. In the top navigation bar, select the region.

  3. In the left-side navigation pane, click ACL.

  4. On the ACL page, click Create access control.

  5. In the Create access control dialog box, configure the following parameters and click OK.

ParameterDescription
Resource GroupSelect the resource group for the ACL.
Instance NameEnter a name for the ACL.
Instance TypeSelect the type of SAG instance to associate with the ACL. Valid values: SAG Device and SAG App. This example uses SAG App.

Step 2: Add a rule to the ACL

  1. On the ACL page, find the ACL and click Configure Rules in the Actions column.

  2. On the ACL details page, click the Rules tab, then click Add Rule.

  3. In the Add Rule dialog box, configure the following parameters and click OK.

ParameterDescription
Instance NameEnter a name for the rule.
Rule DirectionSelect the direction the rule applies to: Outbound (traffic leaving the SAG app) or Inbound (traffic arriving at the SAG app).
PolicySelect Allow to permit traffic, or Block to reject it.
ProtocolSelect a protocol. The protocols listed in the console are authoritative.
Source CIDR BlockThe source IP range, determined by rule direction. For Outbound rules, enter the CIDR block of the SAG app that initiates requests. For Inbound rules, enter the CIDR block of the external service sending requests.
Source Port RangeEnter the source port range. The available range depends on the selected protocol. For All (All Protocols Supported), the range is fixed at -1/-1. For HTTP, the default is 1/65535 and can be modified.
Destination CIDR BlockThe destination IP range, determined by rule direction. For Outbound rules, enter the CIDR block of the external service receiving requests. For Inbound rules, enter the CIDR block of the SAG app receiving requests.
Destination Port RangeEnter the destination port range. The available range depends on the selected protocol. For All (All Protocols Supported), the range is fixed at -1/-1. For TELNET, the default is 23/23 and can be modified.
PriorityEnter a priority value from 1 to 100. Lower values indicate higher priority.
Auto Generation of Reverse Direction RuleSelect this option to automatically create a matching rule in the opposite direction. For example, if you create an inbound rule, the console generates a corresponding outbound rule. Enable this option to avoid response timeouts.
Important

If the protocol is not TCP or UDP, the automatically generated reverse rule uses TCP by default.

Port range formats:

FormatMeaning
1/200Ports 1 through 200
80/80Port 80 only
-1/-1All ports

Step 3: Associate the ACL with the SAG app instance

  1. On the ACL details page, click the Associated Instances tab.

  2. Click Associate with Instance.

  3. In the Associate with Instance dialog box, select one or more SAG app instances and click OK.

To find a specific instance, filter by resource group, instance name, or instance ID.

More operations

OperationSteps
Clone an ACLOn the ACL page, find the ACL and choose ![Related operations](https://help-static-aliyun-doc.aliyuncs.com/assets/img/en-US/3400449261/p103337.png) > Clone in the Actions column. In the Clone ACL message, confirm the information and click OK. The cloned ACL includes all existing rules.
Modify an ACL ruleOn the ACL details page, click the Rules tab and find the rule. Click Modify in the Actions column. Update the settings in the Edit Rule dialog box and click OK.
Delete an ACL ruleOn the ACL details page, click the Rules tab and find the rule. Click Delete in the Actions column. In the Delete Rule message, click OK.
Disassociate an ACL from an SAG app instanceOn the ACL details page, click the Associated Instances tab. Find the instance and click Disassociate in the Actions column. Confirm the instance information in the Disassociate Instance message and click OK.
Delete an ACLOn the ACL page, find the ACL and choose ![Related operations](https://help-static-aliyun-doc.aliyuncs.com/assets/img/en-US/3400449261/p103337.png) > Delete in the Actions column. In the Delete ACL message, confirm the information and click OK.

API reference

APIDescription
CreateACLCreates an ACL.
ModifyACLRenames an ACL.
DeleteACLDeletes an ACL.
AssociateACLAssociates an ACL with an SAG instance.
DisassociateACLDisassociates an ACL from an SAG instance.
AddACLRuleAdds a rule to an ACL.
ModifyACLRuleModifies an ACL rule.
DeleteACLRuleDeletes an ACL rule.
DescribeACLAttributeQueries a specified ACL.
DescribeACLsQueries ACLs in a specified region.