This topic describes how to enable access control for the listeners of an Application Load Balancer (ALB) instance. You can configure network access control lists (ACLs) to allow or deny access from specified IP addresses or CIDR blocks. This allows you to implement fine-grained access control on client requests.

Network ACLs

You can configure whitelists or blacklists on different listeners:
  • Whitelist: allows access from specific IP addresses. Only requests from the IP addresses or CIDR blocks specified in the network ACL are forwarded. Whitelists apply to scenarios in which you want to allow access only from specific IP addresses.

    Your service may be adversely affected if the whitelist is not properly configured. If a whitelist is configured for a listener, only requests from IP addresses that are added to the whitelist are forwarded by the listener. If a whitelist is configured but no IP address is added to the whitelist, the listener forwards all requests.

  • Blacklist: denies access from specific IP addresses. Requests from the IP addresses or CIDR blocks specified in the network ACL are denied. Blacklists apply to scenarios in which you want to deny access from specific IP addresses.

    If a blacklist is configured for a listener but no IP address is added to the blacklist, the listener forwards all requests.

Prerequisites

  • An ALB instance is created and a listener is added to the ALB instance. For more information, see Create an ALB instance.
  • The ALB instance is deployed in the region where you want to implement access control.

Procedure

Create a network ACL

Before you enable access control, you must first create a network ACL.

  1. Log on to the ALB console.
  2. In the top navigation bar, select the region where you want to implement access control.
  3. In the left-side navigation pane, choose Application Load Balancer > Overview.
  4. On the Overview page, click Create Access Control List.
  5. In the Create Access Control List dialog box, set the following parameters and click OK.
    Parameter        Description
    Name             Enter a name for the network ACL.
    Resource Group   Select a resource group.

Add IP entries

After you create a network ACL, you can add IP entries to the network ACL. IP entries in a network ACL specify the source IP addresses of requests that are sent to an ALB instance. You can specify multiple IP addresses or CIDR blocks in each network ACL.

  1. Log on to the ALB console.
  2. In the left-side navigation pane, choose Application Load Balancer > Overview.
  3. On the Overview page, find the network ACL that you want to manage and click Manage in the Operations column.
  4. On the Entry tab of the details page, click Add Entry or Add Multiple Entries.
  5. In the Add ACL Entry dialog box, enter an IP address or CIDR block and a description. Then, click Add.
    You can view the IP addresses or CIDR blocks that you added on the Entry tab. To delete an IP entry, click Delete in the Actions column.
    Note: When you add multiple IP entries, take note of the following items:
    • Enter one entry per line. Press the Enter key to start a new line.
    • Use a vertical bar (|) to separate an IP address or a CIDR block from a description within an entry. For example, you can enter 192.168.1.0/24|Description.

Enable access control

You can configure whitelists or blacklists on different listeners.

  1. Log on to the ALB console.
  2. In the top navigation bar, select the region where you want to implement access control.
  3. On the Instances page, click the ID of the ALB instance.
  4. Click the Listener tab and use one of the following methods to enable access control:
    • Find the listener that you want to manage and click Enable in the Access Control List column.
    • Find the listener that you want to manage and click View Details in the Actions column.
  5. Click the Listener Details tab. In the Access Control section, turn on Access Control. In the Enable Access Control dialog box, set the following parameters and click OK.
    Parameter             Description
    Access Control Mode   Select an access control mode. Valid values:
                          • Whitelist: allows access from specified IP addresses or CIDR blocks.
                          • Blacklist: denies access from specified IP addresses or CIDR blocks.
    Access Control List   Select a network ACL.
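
To make the forwarding rules described under Network ACLs and the bulk entry format described under Add IP entries concrete, the following is an added Python example; it is not part of the ALB product or of this page. It parses entries in the `IP|description` format and evaluates a client IP against a whitelist or blacklist, including the documented case where an ACL with no entries forwards everything. The function names and the sample entries are assumptions constructed for the example.

```python
import ipaddress

def parse_acl_entries(text: str) -> list:
    """Parse bulk ACL entries: one per line, "IP-or-CIDR|description".
    The description is optional; blank lines are skipped. Raises
    ValueError on an entry that is not a valid IP address or CIDR block."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        addr, _, desc = line.partition("|")
        try:
            # strict=False accepts host bits set, e.g. 192.168.1.5/24
            net = ipaddress.ip_network(addr.strip(), strict=False)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: invalid entry {addr!r}") from exc
        entries.append((net, desc.strip()))
    return entries

def listener_allows(mode: str, entries: list, client_ip: str) -> bool:
    """Decide whether a listener forwards a request from client_ip.

    Mirrors the documented semantics:
      whitelist -> forward only if client_ip matches an entry
      blacklist -> forward unless client_ip matches an entry
      either mode with an EMPTY ACL -> forward everything (the documented
      caveat: an empty whitelist does not block anything).
    """
    if mode not in ("whitelist", "blacklist"):
        raise ValueError(f"unknown mode {mode!r}")
    if not entries:
        return True
    ip = ipaddress.ip_address(client_ip)
    # IPv4 addresses never match IPv6 networks and vice versa.
    matched = any(ip in net for net, _ in entries)
    return matched if mode == "whitelist" else not matched

def audit_acl(mode: str, text: str, probe_ips) -> dict:
    """Evaluate probe IPs against an ACL and flag an empty whitelist,
    which forwards all requests instead of restricting access."""
    entries = parse_acl_entries(text)
    return {
        "entries": len(entries),
        "empty_whitelist_allows_all": mode == "whitelist" and not entries,
        "verdicts": {ip: listener_allows(mode, entries, ip) for ip in probe_ips},
    }

# Constructed sample input in the console's bulk-entry format (hypothetical).
SAMPLE_ENTRIES = "192.168.1.0/24|office LAN\n203.0.113.7|partner gateway\n\n2001:db8::/32|lab IPv6\n"
```

Running `audit_acl("whitelist", "", ["10.0.0.1"])` reports `empty_whitelist_allows_all` as True, which is the misconfiguration to check for before enabling a whitelist on a listener.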

Disable access control

You can disable access control for a listener to meet your business requirements.

  1. Log on to the ALB console.
  2. On the Instances page, click the ID of the ALB instance.
  3. On the Listener tab, find the listener that you want to manage and click its ID or click View Details in the Actions column.
  4. On the Instance Details tab, turn off Access Control in the Access Control section.
  5. In the message that appears, click OK.
