This topic describes how to enable access control for the listeners of an Application Load Balancer (ALB) instance. You can configure network access control lists (ACLs) to allow or deny access from specified IP addresses or CIDR blocks. This allows you to implement fine-grained access control on client requests.
Network ACLs
- Whitelist: allows specific IP addresses to access an ALB instance. Only requests from the IP addresses or CIDR blocks in the whitelist are forwarded. Whitelists apply to scenarios in which you want to allow only specific IP addresses to access an application.
Your service may be adversely affected if the whitelist is not properly configured. If a whitelist is configured for a listener, only requests from IP addresses that are added to the whitelist are forwarded by the listener. If you enable a whitelist but do not add an IP address to the whitelist, the listener forwards all requests. In other words, an empty whitelist does not restrict access at all; add at least one entry before you rely on it to block traffic.
- Blacklist: forbids specific IP addresses to access an ALB instance. Requests from the IP addresses or CIDR blocks in the blacklist are denied. Blacklists apply to scenarios in which you want to deny access from specific IP addresses.
If a blacklist is configured for a listener but no IP address is added to the blacklist, the listener forwards all requests.
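As an added example that is not part of the original page, the following Python models the forwarding decision described above for both modes, including the empty-list behaviour, and adds a lint check that flags a network ACL that restricts nothing. The mode strings and function names are this example's own, and the entries and client addresses are constructed sample values.

```python
import ipaddress
from typing import Iterable, List

# Added example: a model of the listener decision described above.
# Mode names ("whitelist"/"blacklist") and function names are this example's own.


def _networks(entries: Iterable[str]):
    """Parse ACL entries (single IPs or CIDR blocks) into network objects."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def listener_forwards(client_ip: str, mode: str, entries: Iterable[str]) -> bool:
    """Return True if a listener with this ACL configuration forwards the request.

    In either mode an ACL with no entries forwards every request, which is the
    behaviour the page warns about: an empty whitelist does not deny anything.
    """
    nets = _networks(entries)
    if not nets:
        return True
    ip = ipaddress.ip_address(client_ip)
    matched = any(ip in n for n in nets)  # an IPv4 client never matches an IPv6 entry, and vice versa
    if mode == "whitelist":
        return matched
    if mode == "blacklist":
        return not matched
    raise ValueError(f"unknown access control mode: {mode!r}")


def lint_acl(mode: str, entries: Iterable[str]) -> List[str]:
    """Return human-readable warnings for ACLs that do not restrict anything."""
    nets = _networks(entries)
    warnings: List[str] = []
    if not nets:
        warnings.append(f"{mode} has no entries: listener forwards all requests")
    for n in nets:
        if n.prefixlen == 0:  # 0.0.0.0/0 or ::/0 matches everyone
            warnings.append(f"{mode} contains {n}: matches every client")
    return warnings


if __name__ == "__main__":
    # Constructed sample: one office block and one bastion host.
    office = ["203.0.113.0/24", "198.51.100.7"]
    for src in ("203.0.113.9", "198.51.100.7", "192.0.2.1"):
        print(src, "whitelist ->", listener_forwards(src, "whitelist", office),
              "blacklist ->", listener_forwards(src, "blacklist", office))
    print(lint_acl("whitelist", []))
    print(lint_acl("whitelist", ["0.0.0.0/0"]))
```

Run `lint_acl` against the entries of the ACL you are about to attach; an empty result is the only state in which the whitelist or blacklist actually does what its name suggests.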
Prerequisites
- An ALB instance is created and a listener is added to the ALB instance. For more information, see Use an ALB instance to provide IPv4 services.
- The network ACL and the ALB instance are deployed in the same region.
Procedure

Create a network ACL
Before you enable access control, you must create a network ACL.
- Log on to the ALB console.
- In the top navigation bar, select the region where you want to implement access control.
- In the left-side navigation pane, choose .
- On the Overview page, click Create Access Control List.
- In the Create Access Control List dialog box, set the following parameters and click OK.
- ACL Name: Enter a name for the network ACL.
- Resource Group: Select a resource group.
Add IP entries
After you create a network ACL, you can add IP entries to the network ACL. IP entries in a network ACL specify the source IP addresses of requests that are sent to an ALB instance. You can specify multiple IP addresses or CIDR blocks in each network ACL. The listener matches the source IP address of the connection as it arrives at the ALB instance; if requests reach the ALB through a CDN, WAF, or other proxy, the entries must cover that proxy's addresses rather than the end user's.
- Log on to the ALB console.
- In the left-side navigation pane, choose .
- On the Overview page, find the network ACL that you want to manage and click its ID or click Manage in the Operations column.
- On the Entry tab of the details page, you can use one of the following methods to add an IP address or a CIDR block:
- Add one IP address or CIDR block to the network ACL
Click Add Entry. In the Add ACL Entry dialog box, set the IP Address/CIDR Block and Remarks parameters and click Add.
- Add multiple IP addresses or CIDR blocks at a time
Click Add ACL Entries. In the Add ACL Entry dialog box, add multiple IP addresses or CIDR blocks and their descriptions, and then click Add.
Note: When you add multiple IP entries, take note of the following items:
- Enter one entry per line. Press the Enter key to start a new line.
- Use a vertical bar (|) to separate an IP address or a CIDR block from a description within an entry. For example, you can enter 192.168.1.0/24|Description.
- You can add at most 20 entries at a time.
- You can view the IP addresses or CIDR blocks that you added on the Entry tab.
- To delete an IP entry, find the IP entry that you want to delete and click Delete in the Actions column. You can also select an IP entry and click Delete below the list.
- To export all entries, click the export button in the upper-right corner of the entry list. You can also select the specific entries that you want to export and click the same button.
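The bulk-entry format above (one `address|description` per line, at most 20 per submission) is easy to get wrong by hand. The following Python is an added example, not part of the original page, that validates a bulk entry file before you paste it into the console or submit it with AddEntriesToAcl: it rejects malformed addresses and CIDR blocks with host bits set, reports duplicates, and splits the result into batches of 20. Applying the console's 20-entry limit to each API call, and the `Entry`/`Description` key names in `to_api_entries`, are assumptions of this example; the sample input is constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Added example: validator for the bulk "address|description" entry format.
# The batch size matches the console limit stated above; applying it to
# AddEntriesToAcl calls is an assumption of this example.
MAX_ENTRIES_PER_BATCH = 20


@dataclass(frozen=True)
class AclEntry:
    cidr: str          # normalised, e.g. "10.0.0.7/32"
    description: str


def parse_bulk_entries(text: str) -> Tuple[List[AclEntry], List[str]]:
    """Parse one entry per line; return (valid entries, error messages).

    Malformed lines are reported with their line number instead of being
    dropped silently. A bare host address is normalised to /32 or /128, and a
    CIDR block with host bits set (e.g. 192.168.1.1/24) is rejected rather
    than guessed at. Duplicates after normalisation are reported, not re-added.
    """
    entries: List[AclEntry] = []
    errors: List[str] = []
    seen = set()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        addr, _, desc = line.partition("|")
        addr, desc = addr.strip(), desc.strip()
        try:
            net = ipaddress.ip_network(addr, strict=True)
        except ValueError as exc:
            errors.append(f"line {lineno}: {addr!r} is not a valid IP address or CIDR block ({exc})")
            continue
        cidr = net.with_prefixlen
        if cidr in seen:
            errors.append(f"line {lineno}: duplicate entry {cidr}")
            continue
        seen.add(cidr)
        entries.append(AclEntry(cidr, desc))
    return entries, errors


def batch_entries(entries: List[AclEntry], size: int = MAX_ENTRIES_PER_BATCH) -> List[List[AclEntry]]:
    """Split entries into batches of at most `size`, one per submission."""
    return [entries[i:i + size] for i in range(0, len(entries), size)]


def to_api_entries(batch: List[AclEntry]) -> List[Dict[str, str]]:
    """Shape a batch as the AclEntries list for AddEntriesToAcl (key names assumed)."""
    return [{"Entry": e.cidr, "Description": e.description} for e in batch]


# Constructed sample input exercising the edge cases above.
SAMPLE = """\
# office and bastion
192.168.1.0/24|Office LAN
10.0.0.7|Bastion host
192.168.1.1/24|Host bits set, should be rejected
not-an-ip|Typo, should be rejected
192.168.1.0/24|Duplicate of line 2
2001:db8::/32|IPv6 documentation prefix
"""

if __name__ == "__main__":
    entries, errors = parse_bulk_entries(SAMPLE)
    for err in errors:
        print("REJECTED", err)
    for n, batch in enumerate(batch_entries(entries), start=1):
        print(f"batch {n}:", to_api_entries(batch))
```

Refuse to submit anything while `errors` is non-empty: a rejected line usually means the author intended a different address than the one that would silently be accepted.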
Enable access control
You can configure whitelists or blacklists for listeners. Before you enable access control, make sure that a listener is created for the ALB instance.
- Log on to the ALB console.
- In the top navigation bar, select the region where you want to implement access control.
- On the Instances page, click the ID of the ALB instance.
- Click the Listener tab and use one of the following methods to enable access control:
- Find the listener that you want to manage and click Enable in the Access Control column.
- Find the listener that you want to manage and click the listener ID or click View Details in the Actions column. On the Listener Details tab, turn on Access Control in the Access Control section.
- In the Enable Access Control dialog box, set the following parameters and click Save.
- Access Control Mode: Select an access control mode. Valid values:
  - Whitelist: allows access from specified IP addresses or CIDR blocks.
  - Blacklist: denies access from specified IP addresses or CIDR blocks.
- Select ACL: Select a network ACL. After you select a network ACL, you can click View Selected Entries to view the entries of the selected network ACL.
Disable access control
If a listener no longer requires access control, you can disable access control for the listener.
- Log on to the ALB console.
- On the Instances page, click the ID of the ALB instance.
- On the Listener tab, find the listener that you want to manage and click its ID or click View Details in the Actions column.
- On the Listener Details tab, turn off Access Control in the Access Control section.
- In the message that appears, click OK.
References
- CreateAcl: creates a network ACL.
- AddEntriesToAcl: adds IP entries to a network ACL.
- RemoveEntriesFromAcl: removes IP entries from a network ACL.
- AssociateAclsWithListener: associates a network ACL with a listener.
- DissociateAclsFromListener: disassociates a network ACL from a listener.