Access control
ALB access control provides fine-grained filtering for client requests using IP whitelists and blacklists on listeners. You can create an access control list (ACL), add IP entries, and associate the ACL with a listener to allow or deny traffic from specific sources.
ACLs vs. security groups
ALB offers two access control methods: access control lists (ACLs) and security groups.
|
Item |
ACL |
ALB security group |
|
Control granularity |
Based on source IP. Applies to individual listeners. |
Based on source IP, protocol, and port. Applies to the entire ALB instance. |
|
IPv6 support |
Not supported. You can add only IPv4 entries. |
Supports both IPv4 and IPv6 addresses. |
|
Default behavior |
In whitelist mode, requests from IP addresses not in the ACL are denied. In blacklist mode, requests from IP addresses not in the ACL are allowed. |
Allows all traffic by default. You must explicitly add a deny rule for 0.0.0.0/0 to restrict access. |
|
Use cases |
Use for simple IP whitelists and blacklists. This method is easy to configure and does not require an understanding of rule priority. |
Scenarios that require port-level control, IPv6 support, or ICMP control. |
Prerequisites
You have created an ALB instance and configured a listener.
Create an ACL
An access control list (ACL) is a collection of IP entries. After you create an ACL and add entries, you can associate it with a listener to implement whitelist or blacklist access control.
Console
-
Go to the Access Control page in the ALB console. In the top navigation bar, select the region where the target instance is deployed, then click Create ACL.
-
In the Create ACL dialog box, enter a name for the ACL, and then click OK.
-
After the ACL is created, on the Access Control page, click the ID of the target ACL to open its details page. On the Entry tab, add IP entries in one of the following ways:
-
Add a single entry: Click Add Entry. In the dialog box, enter an IP/CIDR Block and Remarks, and then click Add.
-
Add entries in batches: Click Add ACL Entries. Enter the entries in the following format:
-
Enter one entry per line.
-
Use a vertical bar (|) to separate the IP address or CIDR block from its remarks, such as 192.168.1.0/24|test-remark.
-
You can add up to 20 entries at a time.
-
If the batch contains an entry that already exists in the ACL, the batch add operation fails. Remove the duplicate entries and submit the batch again.
-
-
After you add entries, you can delete or export them from the entry list.
API
-
Call CreateAcl to create an ACL.
-
Call AddEntriesToAcl to add IP entries.
-
Call RemoveEntriesFromAcl to remove IP entries.
Enable or disable access control
You can configure a whitelist or a blacklist for a listener:
-
Whitelist: Allows access only from IP addresses in the ACL and denies all other requests.
-
Blacklist: Denies access from IP addresses in the ACL and allows all other requests.
Whether you configure a whitelist or a blacklist, if the associated ACL contains no IP entries, access control has no effect, and the listener forwards all requests. Before you configure a whitelist, ensure that the ACL contains the IP addresses that you want to allow to prevent service disruptions.
Console
-
Go to the Instances page in the ALB console. In the top navigation bar, select the region where the target instance is deployed, and then click the instance ID.
-
On the Listener tab, find the target listener. In the Access Control column, click Enable or Close.
-
Enable: In the dialog box, select an Access Control Mode (Whitelist or Blacklist) and an ACL, and then click Save.
-
Close: In the confirmation dialog box, click OK.
-
You can also enable or disable access control in the Access Control section of the listener details page.
API
-
Call AssociateAclsWithListener to associate an ACL with a listener.
-
Call DissociateAclsFromListener to disassociate an ACL from a listener.
FAQ
Whitelist has no effect
Cause: The ACL is not associated with the listener, or the ACL has no IP entries. An empty ACL allows all traffic.
Solution: On the Listener tab of the ALB instance, confirm that the Access Control column for the target listener shows Enabled. Also, confirm that the associated ACL contains IP entries.
Cannot add 0.0.0.0/0 to the whitelist
Cause: ACLs do not support adding the 0.0.0.0/0 entry. The console will report a format error.
Solution: The correct method is to disable access control and then re-enable it when needed.
Blacklist has no effect
Cause: Requests are forwarded to ALB through a CDN or WAF. The source IP visible to ALB is the source IP of the CDN or WAF, not the real client IP address.
Solution: ALB access control operates at Layer 4 and matches the source IP address in the request packet. When requests are forwarded by a proxy like a CDN or WAF, the source IP is the proxy's source IP. Therefore, an ALB blacklist cannot block the client IP address. Configure the blacklist at the WAF or CDN layer.
Blacklist cannot block the X-Forwarded-For IP
Cause: ALB access control operates at Layer 4 and matches only the source IP address in the request packet. It does not parse the Layer 7 X-Forwarded-For HTTP header.
Solution: You can implement this by using a custom rule in WAF. Set Match Field to X-Forwarded-For, Logical Operator to Contains, Match Content to the target IP address, and Rule Action to Block. For more information, see Configure match conditions for a custom rule.
Backend NGINX allow/deny rules have no effect
Cause: After traffic is proxied through ALB, the backend server receives the ALB instance's local IP (a private IP address assigned from the vSwitch where the ALB instance resides) as the source IP. NGINX's allow/deny rules are based on this source IP and therefore cannot match the client's IP address.
Solutions:
-
(Recommended) Use the ALB access control feature to configure an IP whitelist or blacklist directly at the ALB layer.
-
In NGINX, obtain the real client IP address from the
X-Forwarded-Forrequest header, then configure allow/deny rules based on the real IP address.
Restricting access by domain or path
Description: ACLs operate at the listener level and cannot differentiate by domain name or path. When enabled, an ACL affects all domains associated with the listener.
Alternative solution: For Standard or WAF-enabled ALB instances, you can use forwarding rules. In the forwarding condition, configure Domain Name/Path and SourceIp conditions to Return Fixed Responses (such as 403) for matching requests. A single forwarding rule's SourceIp condition supports up to five IP addresses or CIDR blocks and does not support the 0.0.0.0/x format. If you have a large number of IP addresses or use a Basic ALB instance, we recommend that you use WAF. You can create a custom rule in WAF to combine host/path and IP conditions for access control.
Blocking IP addresses from foreign countries
Description: ALB access control does not provide a geo-blocking feature and cannot automatically identify the country of an IP address.
Alternative solution: You can manually add known foreign IP ranges to a blacklist, but this method is not automatically updated and is subject to entry limits. We recommend that you use the geo-blocking feature of WAF.
Access control in multi-layer proxy scenarios
When a Layer 7 proxy is deployed in front of an ALB instance, the ALB access control feature, which operates at Layer 4, can only see the source IP address of the previous hop proxy and cannot identify the real client IP address. Therefore, you must configure access control at the correct layer. Take a scenario where WAF is connected by using a CNAME record (Client → CDN → WAF → ALB → ECS) as an example. The source IP address and access control recommendations for each layer are as follows.
WAF-enabled ALB instances use an SDK for protection. WAF does not participate in traffic forwarding, so there is no WAF source IP hop. If no Layer 7 proxy such as a CDN is deployed in front of the ALB instance, the issue described in this section does not apply.
|
Layer |
Visible source IP |
Access control recommendation |
|
WAF |
|
Configure IP whitelists and blacklists at this layer. When correctly configured, WAF blocks requests based on the real client IP address and also supports geo-blocking. |
|
ALB |
The source IP of WAF. |
Configure a whitelist on the ALB instance to allow access only from the WAF source IP ranges. This prevents attackers from bypassing WAF and directly accessing the ALB instance's public IP address. You can view the WAF source IP ranges on the Access Management page in the WAF console. |
|
Backend ECS |
The local IP address of the ALB instance (a private IP address assigned from the vSwitch where the ALB instance resides). |
Ensure that the local IP CIDR block of the ALB instance is not blocked by iptables or other third-party security software on the backend ECS instances. Otherwise, both health checks and request forwarding will fail. |
Billing
The access control feature is free of charge. For more information about the billing of ALB instances, see ALB billing.
Quotas
|
Item |
Edition |
Quota |
|
Number of listeners that can be associated with an ACL |
Basic/Standard/WAF-enabled |
50 |
|
Number of ACLs that can be associated with a listener |
Basic/Standard/WAF-enabled |
3 |
|
Number of ACLs that can be created in a region |
Basic/Standard/WAF-enabled |
1000 |
|
Number of entries that can be added to an ACL |
Basic/Standard/WAF-enabled |
500 |
|
Number of ACL entries that can be associated with an ALB instance |
Basic/Standard/WAF-enabled |
800 |
|
Number of ACL entries that can be associated with a listener |
Basic |
300 |
|
Standard/WAF-enabled |
500 |
These quotas are hard limits and cannot be increased. For more information, see ALB quotas and limits.