All Products
Search
Document Center

Server Load Balancer:Access control

Last Updated:Nov 26, 2024

If you want to implement fine-grained access control for Application Load Balancer (ALB), you can enable the access control feature for ALB listeners and configure inbound rules that allow or deny access. This way, you can manage request forwarding and ensure the security and efficiency of network services.

ACLs

Access control lists (ACLs) can work as whitelists or blacklists. You can configure whitelists or blacklists for different listeners:

  • A whitelist allows only specified IP addresses or CIDR blocks to access an ALB instance. Only requests from the IP addresses or CIDR blocks in the whitelist are forwarded. Whitelists apply to scenarios in which you want to allow only specific IP addresses to access ALB.

    Risks may occur if a whitelist is improperly configured. If a whitelist is configured for a listener, only requests from IP addresses that are added to the whitelist are forwarded by the listener. If you enable a whitelist for a listener but no IP addresses are added to the whitelist, the listener forwards all requests.

  • A blacklist prohibits specified IP addresses or CIDR blocks from accessing an ALB instance. Requests from the IP addresses or CIDR blocks in the blacklist are denied. Blacklists apply to scenarios in which you want to deny access from specific IP addresses.

    If you enable a blacklist for a listener but no IP addresses are added to the blacklist, the listener forwards all requests.

Limits

Item

Quota

ACL

  • Each ACL can be associated with at most 50 listeners. The quota cannot be increased.

  • Each ALB listener can be associated with at most three ACLs. The quota cannot be increased.

  • At most 1000 ACLs can be created in a single region. The quota cannot be increased.

ACL entry

  • ACLs support only IPv4 addresses.

  • Each ACL supports at most 500 entries. The quota cannot be increased.

  • Each ALB instance can be associated with at most 800 ACL entries. The quota cannot be increased.

  • The maximum number of ACL entries that can be associated with a listener varies based on the ALB edition. The quota cannot be increased. The IP address in each ACL entry must be unique.

    • Basic: 300.

    • Standard: 500.

    • WAF-enabled: 500.

Prerequisites

  • An ALB instance is created, and a listener is created for the ALB instance. For more information, see Use an ALB instance to provide IPv4 services.

  • The access control list (ACL) and the ALB instance are created in the same region.

Procedure

配置流程

Create an ACL

Before you enable access control, you must create an ACL.

  1. Log on to the ALB console.
  2. In the top navigation bar, select the region in which you want to create the ACL.

  3. In the left-side navigation pane, choose Application Load Balancer > Access Control.

  4. On the Access Control page, click Create Access Control List.

  5. In the Create ACL dialog box, configure the following parameters and click OK.

    Parameter

    Description

    ACL Name

    Enter a name for the network ACL.

    Resource Group

    Select a resource group.

    Tag

    Configure the Tag Key and Tag Value parameters.

    After you specify tags, you can filter ACLs by tag on the Access Control page.

Add entries to an ACL

After you create an ACL, you can add entries to the ACL. ACL entries specify the source IP addresses or CIDR blocks from which requests are sent to your ALB instance. You can add multiple entries to each ACL.

  1. Log on to the ALB console.
  2. In the left-side navigation pane, choose Application Load Balancer > Access Control.

  3. On the Access Control page, find the ACL that you want to manage and click Manage in the Operations column.

  4. On the Entry tab of the ACL details page, use one of the following methods to add entries:

    • Add a single IP address or CIDR block

      Click Add Entry. In the Add ACL Entries dialog box, configure the IP/CIDR Block and Remarks parameters. Then, click Add.

    • Add multiple IP addresses or CIDR blocks at a time

      Click Add ACL Entries. In the Add ACL Entries dialog box, add multiple IP addresses or CIDR blocks and the remarks. Then, click Add.

      Note

      When you add multiple entries at a time, take note of the following items:

      • Enter one entry per line. Press the ENTER key to start a new line.

      • Use a vertical bar (|) to separate an IP address or a CIDR block from the remarks within an entry. For example, you can enter 192.168.1.0/24|Remarks.

      • You can add at most 20 entries at a time.

  5. After you add entries, perform the following operations based on your business requirements:

    • View the IP addresses or CIDR blocks that you added in the Entry column.

    • Delete entries. To do so, find the entry that you want to delete and click Delete in the Actions column. You can also select the entries that you want to delete and click Delete below the list.

    • To export entries, click the 下载 icon in the upper-right corner of the list to export all entries, or select the entries that you want to export and click the 下载 icon.

Enable access control

You can specify an ACL as a whitelist or blacklist for a listener. Before you enable access control, make sure that a listener is created for the ALB instance.

  1. Log on to the ALB console.
  2. In the top navigation bar, select the region in which you want to create the ACL.

  3. On the Instances page, click the ID of the ALB instance for which you want to enable access control.

  4. Click the Listener tab and use one of the following methods to enable access control:

    • Find the listener that you want to manage and click Enable in the Access Control column.

    • Find the listener that you want to manage and click the listener ID or click View Details in the Actions column. On the Listener Details tab, turn on Access Control in the Access Control section.

  5. In the Enable Access Control dialog box, configure the parameters that are described in the following table, and click Save:

    Parameter

    Description

    Access Control Mode

    Select an access control mode. Valid values:

    • Whitelist: allows access from specified IP addresses or CIDR blocks.

    • Blacklist: denies access from specified IP addresses or CIDR blocks.

    Select ACL

    Select an ACL.

    After you select an ACL, you can click View Selected Entries to view the entries in the selected ACL.

Disable access control

If a listener no longer requires access control, you can disable access control for the listener.

  1. Log on to the ALB console.
  2. On the Instances page, click the ID of the ALB instance for which you want to disable access control.

  3. On the Listener tab, use one of the following methods to disable access control:

    • Find the listener for which you want to disable access control, and click Disable in the Access Control column.

    • Find the listener for which you want to disable access control, and click the listener ID or View Details in the Actions column. In the Access Control section of the Listener Details tab, turn off Access Control.

  4. In the message that appears, click OK.

References