Access control

Updated at:
Copy as MD

ALB access control provides fine-grained filtering for client requests using IP whitelists and blacklists on listeners. You can create an access control list (ACL), add IP entries, and associate the ACL with a listener to allow or deny traffic from specific sources.

ACLs vs. security groups

ALB offers two access control methods: access control lists (ACLs) and security groups.

Item

ACL

ALB security group

Control granularity

Based on source IP. Applies to individual listeners.

Based on source IP, protocol, and port. Applies to the entire ALB instance.

IPv6 support

Not supported. You can add only IPv4 entries.

Supports both IPv4 and IPv6 addresses.

Default behavior

In whitelist mode, requests from IP addresses not in the ACL are denied. In blacklist mode, requests from IP addresses not in the ACL are allowed.

Allows all traffic by default. You must explicitly add a deny rule for 0.0.0.0/0 to restrict access.

Use cases

Use for simple IP whitelists and blacklists. This method is easy to configure and does not require an understanding of rule priority.

Scenarios that require port-level control, IPv6 support, or ICMP control.

Prerequisites

You have created an ALB instance and configured a listener.

Create an ACL

An access control list (ACL) is a collection of IP entries. After you create an ACL and add entries, you can associate it with a listener to implement whitelist or blacklist access control.

Console

  1. Go to the Access Control page in the ALB console. In the top navigation bar, select the region where the target instance is deployed, then click Create ACL.

  2. In the Create ACL dialog box, enter a name for the ACL, and then click OK.

  3. After the ACL is created, on the Access Control page, click the ID of the target ACL to open its details page. On the Entry tab, add IP entries in one of the following ways:

    • Add a single entry: Click Add Entry. In the dialog box, enter an IP/CIDR Block and Remarks, and then click Add.

    • Add entries in batches: Click Add ACL Entries. Enter the entries in the following format:

      • Enter one entry per line.

      • Use a vertical bar (|) to separate the IP address or CIDR block from its remarks, such as 192.168.1.0/24|test-remark.

      • You can add up to 20 entries at a time.

      • If the batch contains an entry that already exists in the ACL, the batch add operation fails. Remove the duplicate entries and submit the batch again.

After you add entries, you can delete or export them from the entry list.

API

Enable or disable access control

You can configure a whitelist or a blacklist for a listener:

  • Whitelist: Allows access only from IP addresses in the ACL and denies all other requests.

  • Blacklist: Denies access from IP addresses in the ACL and allows all other requests.

Important

Whether you configure a whitelist or a blacklist, if the associated ACL contains no IP entries, access control has no effect, and the listener forwards all requests. Before you configure a whitelist, ensure that the ACL contains the IP addresses that you want to allow to prevent service disruptions.

Console

  1. Go to the Instances page in the ALB console. In the top navigation bar, select the region where the target instance is deployed, and then click the instance ID.

  2. On the Listener tab, find the target listener. In the Access Control column, click Enable or Close.

    • Enable: In the dialog box, select an Access Control Mode (Whitelist or Blacklist) and an ACL, and then click Save.

    • Close: In the confirmation dialog box, click OK.

You can also enable or disable access control in the Access Control section of the listener details page.

API

FAQ

Whitelist has no effect

Cause: The ACL is not associated with the listener, or the ACL has no IP entries. An empty ACL allows all traffic.

Solution: On the Listener tab of the ALB instance, confirm that the Access Control column for the target listener shows Enabled. Also, confirm that the associated ACL contains IP entries.

Cannot add 0.0.0.0/0 to the whitelist

Cause: ACLs do not support adding the 0.0.0.0/0 entry. The console will report a format error.

Solution: The correct method is to disable access control and then re-enable it when needed.

Blacklist has no effect

Cause: Requests are forwarded to ALB through a CDN or WAF. The source IP visible to ALB is the source IP of the CDN or WAF, not the real client IP address.

Solution: ALB access control operates at Layer 4 and matches the source IP address in the request packet. When requests are forwarded by a proxy like a CDN or WAF, the source IP is the proxy's source IP. Therefore, an ALB blacklist cannot block the client IP address. Configure the blacklist at the WAF or CDN layer.

Blacklist cannot block the X-Forwarded-For IP

Cause: ALB access control operates at Layer 4 and matches only the source IP address in the request packet. It does not parse the Layer 7 X-Forwarded-For HTTP header.

Solution: You can implement this by using a custom rule in WAF. Set Match Field to X-Forwarded-For, Logical Operator to Contains, Match Content to the target IP address, and Rule Action to Block. For more information, see Configure match conditions for a custom rule.

Backend NGINX allow/deny rules have no effect

Cause: After traffic is proxied through ALB, the backend server receives the ALB instance's local IP (a private IP address assigned from the vSwitch where the ALB instance resides) as the source IP. NGINX's allow/deny rules are based on this source IP and therefore cannot match the client's IP address.

Solutions:

  • (Recommended) Use the ALB access control feature to configure an IP whitelist or blacklist directly at the ALB layer.

  • In NGINX, obtain the real client IP address from the X-Forwarded-For request header, then configure allow/deny rules based on the real IP address.

Restricting access by domain or path

Description: ACLs operate at the listener level and cannot differentiate by domain name or path. When enabled, an ACL affects all domains associated with the listener.

Alternative solution: For Standard or WAF-enabled ALB instances, you can use forwarding rules. In the forwarding condition, configure Domain Name/Path and SourceIp conditions to Return Fixed Responses (such as 403) for matching requests. A single forwarding rule's SourceIp condition supports up to five IP addresses or CIDR blocks and does not support the 0.0.0.0/x format. If you have a large number of IP addresses or use a Basic ALB instance, we recommend that you use WAF. You can create a custom rule in WAF to combine host/path and IP conditions for access control.

Blocking IP addresses from foreign countries

Description: ALB access control does not provide a geo-blocking feature and cannot automatically identify the country of an IP address.

Alternative solution: You can manually add known foreign IP ranges to a blacklist, but this method is not automatically updated and is subject to entry limits. We recommend that you use the geo-blocking feature of WAF.

Access control in multi-layer proxy scenarios

When a Layer 7 proxy is deployed in front of an ALB instance, the ALB access control feature, which operates at Layer 4, can only see the source IP address of the previous hop proxy and cannot identify the real client IP address. Therefore, you must configure access control at the correct layer. Take a scenario where WAF is connected by using a CNAME record (Client → CDN → WAF → ALB → ECS) as an example. The source IP address and access control recommendations for each layer are as follows.

WAF-enabled ALB instances use an SDK for protection. WAF does not participate in traffic forwarding, so there is no WAF source IP hop. If no Layer 7 proxy such as a CDN is deployed in front of the ALB instance, the issue described in this section does not apply.

Layer

Visible source IP

Access control recommendation

WAF

  • Without a CDN, it is the real client IP address.

  • With a CDN, it is the CDN source IP. You need to configure the Client IP determination method in WAF to obtain the real client IP address.

Configure IP whitelists and blacklists at this layer. When correctly configured, WAF blocks requests based on the real client IP address and also supports geo-blocking.

ALB

The source IP of WAF.

Configure a whitelist on the ALB instance to allow access only from the WAF source IP ranges. This prevents attackers from bypassing WAF and directly accessing the ALB instance's public IP address. You can view the WAF source IP ranges on the Access Management page in the WAF console.

Backend ECS

The local IP address of the ALB instance (a private IP address assigned from the vSwitch where the ALB instance resides).

Ensure that the local IP CIDR block of the ALB instance is not blocked by iptables or other third-party security software on the backend ECS instances. Otherwise, both health checks and request forwarding will fail.

Billing

The access control feature is free of charge. For more information about the billing of ALB instances, see ALB billing.

Quotas

Item

Edition

Quota

Number of listeners that can be associated with an ACL

Basic/Standard/WAF-enabled

50

Number of ACLs that can be associated with a listener

Basic/Standard/WAF-enabled

3

Number of ACLs that can be created in a region

Basic/Standard/WAF-enabled

1000

Number of entries that can be added to an ACL

Basic/Standard/WAF-enabled

500

Number of ACL entries that can be associated with an ALB instance

Basic/Standard/WAF-enabled

800

Number of ACL entries that can be associated with a listener

Basic

300

Standard/WAF-enabled

500

These quotas are hard limits and cannot be increased. For more information, see ALB quotas and limits.