An access control list (ACL) for a Smart Access Gateway (SAG) CPE instance lets you control network traffic flowing in and out of your on-premises network. This guide walks you through three steps: creating an ACL, adding rules, and associating the ACL with an SAG CPE instance.
Steps overview:
Prerequisites
Before you begin, ensure that you have:
An SAG CPE instance
(Optional) Deep packet inspection (DPI) enabled on the SAG instance, if you want rules that filter traffic by application or application group. See Enable DPI
Step 1: Create an ACL
Log on to the SAG console.
In the top navigation bar, select the region.
In the left-side navigation pane, click ACL.
On the ACL page, click Create access control.
In the Create access control dialog box, configure the following parameters and click OK.
Parameter Description Resource group Select a resource group for the ACL. Instance name Enter a name for the ACL. Instance type Select the type of SAG instance to associate with the ACL: SAG Device or SAG App. This example uses SAG Device.
Step 2: Add a rule to the ACL
On the ACL page, find the ACL and click Configure Rules in the Actions column.
On the ACL details page, click the Rules tab and then click Add Rule.
In the Add Rule dialog box, configure the following parameters and click OK.
Parameter Description Instance name Enter a name for the rule. Network type Select the network type the rule applies to: Private Network (private IP addresses) or Public Network (public IP addresses). Rule direction Select the traffic direction: Outbound (traffic from your on-premises network to an external destination) or Inbound (traffic from an external source to your on-premises network). Policy Select Allow to permit traffic, or Block to drop it. Protocol Select a protocol. The protocols available in the SAG console apply. Source CIDR block Enter the source CIDR block. For Outbound rules, this is the CIDR block of your on-premises network. For Inbound rules, this is the CIDR block of the external service originating the traffic. Source port range Enter the source port range. The valid range depends on the protocol. For All (All Protocols Supported), the default is -1/-1and cannot be changed. For HTTP, the default is1/65535. Valid formats:1/200(range),80/80(single port),-1/-1(all ports). The ports available in the SAG console apply.Destination CIDR block Enter the destination CIDR block. For Outbound rules, this is the CIDR block of the external service receiving the traffic. For Inbound rules, this is the CIDR block of your on-premises network receiving the traffic. Destination port range Enter the destination port range. The valid range depends on the protocol. For All (All Protocols Supported), the default is -1/-1and cannot be changed. For TELNET, the default is23/23. Valid formats:1/200(range),80/80(single port),-1/-1(all ports). The ports available in the SAG console apply.Priority Enter a priority from 1 to 100. A lower number means higher priority. Application group (Optional) Select an application group. The rule applies to all applications in the group. Requires DPI to be enabled. The application groups available in the SAG console apply. Application (Optional) Select one or more applications from the specified application group. If you select both Application group and Application, the rule applies to all applications in the group and the specified application. Requires DPI to be enabled. The applications available in the SAG console apply.
Step 3: Associate the ACL with an SAG CPE instance
On the ACL details page, click the Associated Instances tab.
Click Associate with Instance.
In the Associate with Instance dialog box, select one or more SAG CPE instances and click OK. You can search for instances by resource group, instance name, or instance ID.
More operations
| Operation | Steps |
|---|---|
| Clone an ACL | On the ACL page, find the ACL and choose |
| Modify a rule | On the ACL details page, click the Rules tab, find the rule, and click Modify in the Actions column. In the Edit Rule dialog box, update the settings and click OK. |
| Delete a rule | On the ACL details page, click the Rules tab, find the rule, and click Delete in the Actions column. In the Delete Rule message, click OK. |
| Disassociate an ACL from an SAG CPE instance | On the ACL details page, click the Associated Instances tab, find the instance, and click Disassociate in the Actions column. In the Disassociate Instance message, confirm the information and click OK. |
| Delete an ACL | On the ACL page, find the ACL and choose |
API reference
| API | Description |
|---|---|
| CreateACL | Creates an ACL. |
| ModifyACL | Renames an ACL. |
| DeleteACL | Deletes an ACL. |
| AssociateACL | Associates an ACL with an SAG instance. |
| DisassociateACL | Disassociates an ACL from an SAG instance. |
| AddACLRule | Adds a rule to an ACL. |
| ModifyACLRule | Modifies an ACL rule. |
| DeleteACLRule | Deletes an ACL rule. |
| DescribeACLAttribute | Queries a specified ACL. |
| DescribeACLs | Queries ACLs in a specified region. |