If you want to implement fine-grained access control for Application Load Balancer (ALB), you can enable the access control feature for ALB listeners and configure inbound rules that allow or deny access. This way, you can manage request forwarding and ensure the security and efficiency of network services.
ACLs
Access control lists (ACLs) can work as whitelists or blacklists. You can configure whitelists or blacklists for different listeners:
A whitelist allows only specified IP addresses or CIDR blocks to access an ALB instance. Only requests from the IP addresses or CIDR blocks in the whitelist are forwarded. Whitelists apply to scenarios in which you want to allow only specific IP addresses to access ALB.
Risks may occur if a whitelist is improperly configured. If a whitelist is configured for a listener, only requests from IP addresses that are added to the whitelist are forwarded by the listener. If you enable a whitelist for a listener but no IP addresses are added to the whitelist, the listener forwards all requests.
A blacklist prohibits specified IP addresses or CIDR blocks from accessing an ALB instance. Requests from the IP addresses or CIDR blocks in the blacklist are denied. Blacklists apply to scenarios in which you want to deny access from specific IP addresses.
If you enable a blacklist for a listener but no IP addresses are added to the blacklist, the listener forwards all requests.
Limits
Item | Quota |
ACL |
|
ACL entry |
|
Prerequisites
An ALB instance is created, and a listener is created for the ALB instance. For more information, see Use an ALB instance to provide IPv4 services.
The access control list (ACL) and the ALB instance are created in the same region.
Procedure
Create an ACL
Before you enable access control, you must create an ACL.
- Log on to the ALB console.
In the top navigation bar, select the region in which you want to create the ACL.
In the left-side navigation pane, choose .
On the Access Control page, click Create Access Control List.
In the Create ACL dialog box, configure the following parameters and click OK.
Parameter
Description
ACL Name
Enter a name for the network ACL.
Resource Group
Select a resource group.
Tag
Configure the Tag Key and Tag Value parameters.
After you specify tags, you can filter ACLs by tag on the Access Control page.
Add entries to an ACL
After you create an ACL, you can add entries to the ACL. ACL entries specify the source IP addresses or CIDR blocks from which requests are sent to your ALB instance. You can add multiple entries to each ACL.
- Log on to the ALB console.
In the left-side navigation pane, choose .
On the Access Control page, find the ACL that you want to manage and click Manage in the Operations column.
On the Entry tab of the ACL details page, use one of the following methods to add entries:
Add a single IP address or CIDR block
Click Add Entry. In the Add ACL Entries dialog box, configure the IP/CIDR Block and Remarks parameters. Then, click Add.
Add multiple IP addresses or CIDR blocks at a time
Click Add ACL Entries. In the Add ACL Entries dialog box, add multiple IP addresses or CIDR blocks and the remarks. Then, click Add.
NoteWhen you add multiple entries at a time, take note of the following items:
Enter one entry per line. Press the ENTER key to start a new line.
Use a vertical bar (|) to separate an IP address or a CIDR block from the remarks within an entry. For example, you can enter 192.168.1.0/24|Remarks.
You can add at most 20 entries at a time.
After you add entries, perform the following operations based on your business requirements:
View the IP addresses or CIDR blocks that you added in the Entry column.
Delete entries. To do so, find the entry that you want to delete and click Delete in the Actions column. You can also select the entries that you want to delete and click Delete below the list.
To export entries, click the icon in the upper-right corner of the list to export all entries, or select the entries that you want to export and click the icon.
Enable access control
You can specify an ACL as a whitelist or blacklist for a listener. Before you enable access control, make sure that a listener is created for the ALB instance.
- Log on to the ALB console.
In the top navigation bar, select the region in which you want to create the ACL.
On the Instances page, click the ID of the ALB instance for which you want to enable access control.
Click the Listener tab and use one of the following methods to enable access control:
Find the listener that you want to manage and click Enable in the Access Control column.
Find the listener that you want to manage and click the listener ID or click View Details in the Actions column. On the Listener Details tab, turn on Access Control in the Access Control section.
In the Enable Access Control dialog box, configure the parameters that are described in the following table, and click Save:
Parameter
Description
Access Control Mode
Select an access control mode. Valid values:
Whitelist: allows access from specified IP addresses or CIDR blocks.
Blacklist: denies access from specified IP addresses or CIDR blocks.
Select ACL
Select an ACL.
After you select an ACL, you can click View Selected Entries to view the entries in the selected ACL.
Disable access control
If a listener no longer requires access control, you can disable access control for the listener.
- Log on to the ALB console.
On the Instances page, click the ID of the ALB instance for which you want to disable access control.
On the Listener tab, use one of the following methods to disable access control:
Find the listener for which you want to disable access control, and click Disable in the Access Control column.
Find the listener for which you want to disable access control, and click the listener ID or View Details in the Actions column. In the Access Control section of the Listener Details tab, turn off Access Control.
In the message that appears, click OK.
References
CreateAcl: creates an ACL.
AddEntriesToAcl: adds entries to an ACL.
RemoveEntriesFromAcl: removes entries from an ACL.
AssiocateAclsWithListener: associates an ACL with a listener.
DissociateAclsFromListener: disassociates an ACL from a listener.