All Products
Search
Document Center

Smart Access Gateway:Create an ACL for an SAG CPE instance

Last Updated:Apr 01, 2026

An access control list (ACL) for a Smart Access Gateway (SAG) CPE instance lets you control network traffic flowing in and out of your on-premises network. This guide walks you through three steps: creating an ACL, adding rules, and associating the ACL with an SAG CPE instance.

Steps overview:

  1. Create an ACL

  2. Add a rule to the ACL

  3. Associate the ACL with an SAG CPE instance

Prerequisites

Before you begin, ensure that you have:

  • An SAG CPE instance

  • (Optional) Deep packet inspection (DPI) enabled on the SAG instance, if you want rules that filter traffic by application or application group. See Enable DPI

Step 1: Create an ACL

  1. Log on to the SAG console.

  2. In the top navigation bar, select the region.

  3. In the left-side navigation pane, click ACL.

  4. On the ACL page, click Create access control.

  5. In the Create access control dialog box, configure the following parameters and click OK.

    ParameterDescription
    Resource groupSelect a resource group for the ACL.
    Instance nameEnter a name for the ACL.
    Instance typeSelect the type of SAG instance to associate with the ACL: SAG Device or SAG App. This example uses SAG Device.

Step 2: Add a rule to the ACL

  1. On the ACL page, find the ACL and click Configure Rules in the Actions column.

  2. On the ACL details page, click the Rules tab and then click Add Rule.

  3. In the Add Rule dialog box, configure the following parameters and click OK.

    ParameterDescription
    Instance nameEnter a name for the rule.
    Network typeSelect the network type the rule applies to: Private Network (private IP addresses) or Public Network (public IP addresses).
    Rule directionSelect the traffic direction: Outbound (traffic from your on-premises network to an external destination) or Inbound (traffic from an external source to your on-premises network).
    PolicySelect Allow to permit traffic, or Block to drop it.
    ProtocolSelect a protocol. The protocols available in the SAG console apply.
    Source CIDR blockEnter the source CIDR block. For Outbound rules, this is the CIDR block of your on-premises network. For Inbound rules, this is the CIDR block of the external service originating the traffic.
    Source port rangeEnter the source port range. The valid range depends on the protocol. For All (All Protocols Supported), the default is -1/-1 and cannot be changed. For HTTP, the default is 1/65535. Valid formats: 1/200 (range), 80/80 (single port), -1/-1 (all ports). The ports available in the SAG console apply.
    Destination CIDR blockEnter the destination CIDR block. For Outbound rules, this is the CIDR block of the external service receiving the traffic. For Inbound rules, this is the CIDR block of your on-premises network receiving the traffic.
    Destination port rangeEnter the destination port range. The valid range depends on the protocol. For All (All Protocols Supported), the default is -1/-1 and cannot be changed. For TELNET, the default is 23/23. Valid formats: 1/200 (range), 80/80 (single port), -1/-1 (all ports). The ports available in the SAG console apply.
    PriorityEnter a priority from 1 to 100. A lower number means higher priority.
    Application group(Optional) Select an application group. The rule applies to all applications in the group. Requires DPI to be enabled. The application groups available in the SAG console apply.
    Application(Optional) Select one or more applications from the specified application group. If you select both Application group and Application, the rule applies to all applications in the group and the specified application. Requires DPI to be enabled. The applications available in the SAG console apply.

Step 3: Associate the ACL with an SAG CPE instance

  1. On the ACL details page, click the Associated Instances tab.

  2. Click Associate with Instance.

  3. In the Associate with Instance dialog box, select one or more SAG CPE instances and click OK. You can search for instances by resource group, instance name, or instance ID.

More operations

OperationSteps
Clone an ACLOn the ACL page, find the ACL and choose Related operations > Clone in the Actions column. In the Clone ACL message, confirm the information and click OK. The clone includes all rules from the original ACL.
Modify a ruleOn the ACL details page, click the Rules tab, find the rule, and click Modify in the Actions column. In the Edit Rule dialog box, update the settings and click OK.
Delete a ruleOn the ACL details page, click the Rules tab, find the rule, and click Delete in the Actions column. In the Delete Rule message, click OK.
Disassociate an ACL from an SAG CPE instanceOn the ACL details page, click the Associated Instances tab, find the instance, and click Disassociate in the Actions column. In the Disassociate Instance message, confirm the information and click OK.
Delete an ACLOn the ACL page, find the ACL and choose Related operations > Delete in the Actions column. In the Delete ACL dialog box, confirm the information and click OK.

API reference

APIDescription
CreateACLCreates an ACL.
ModifyACLRenames an ACL.
DeleteACLDeletes an ACL.
AssociateACLAssociates an ACL with an SAG instance.
DisassociateACLDisassociates an ACL from an SAG instance.
AddACLRuleAdds a rule to an ACL.
ModifyACLRuleModifies an ACL rule.
DeleteACLRuleDeletes an ACL rule.
DescribeACLAttributeQueries a specified ACL.
DescribeACLsQueries ACLs in a specified region.