You can configure access control for each listener of a Classic Load Balancer (CLB) instance either during its creation or afterward.
ACLs
An access control list (ACL) can work as either a whitelist or a blacklist. You can configure ACLs for each listener:
- As a whitelist: Only requests from the IP addresses or CIDR blocks in the ACL are forwarded.
  Applicable scenarios: Allow requests only from specific IP addresses.
  Improperly configured whitelists may affect service availability as the allowed source IP addresses are limited.
- As a blacklist: All requests from the IP addresses or CIDR blocks in the ACL are denied.
  Applicable scenarios: Block all requests from specific IP addresses.
Whether it works as a whitelist or a blacklist, if an ACL contains no IP entries, the listener under its control forwards all incoming requests.
Limitations
By default, a CLB listener can be associated with at most three ACLs. Listener ACLs are supported in all CLB-available regions.
IPv6 instances can be associated only with IPv6 ACLs. IPv4 instances can be associated only with IPv4 ACLs.
For a single listener, the total number of IP entries added to ACLs associated with the listener cannot exceed 1,000.
An ACL can be associated with up to 50 listeners.
IP entries in the ACLs associated with the same listener must not duplicate one another.
Procedure
The following figure shows how to configure an ACL for a listener.
Create an ACL
Before you enable access control for a listener, you must create an ACL.
- Log on to the CLB console.
- In the top navigation bar, select the region where the CLB instance is deployed.
- In the left-side navigation pane, choose CLB > Access Control.
- On the Access Control page, click Create ACL.
- In the Create ACL panel, set the parameters and click Create.
  (Optional) Add Multiple Addresses/CIDR Blocks and Descriptions: Enter one or more entries as follows:
  - Enter one entry per line. Press the Enter key to start a new line.
  - Within an entry, use a vertical bar (|) to separate an IP address or CIDR block from the description. Example:
    192.168.1.0/24|Description
  - You can add up to 50 entries at a time.
Add IP entries
After you create an ACL, add one or more IP entries to the ACL. An entry can be an IP address or a CIDR block.
- Log on to the CLB console.
- In the top navigation bar, select the region where the ACL is created.
- In the left-side navigation pane, choose CLB > Access Control.
- Find the ACL and click Manage in the Actions column.
- Add IP entries with the following methods:
  - Method 1: Click Add Entry. In the Add ACL Entry panel, set IP Address/CIDR Block and Remarks, and click Add.
  - Method 2: Click Add ACL Entries. In the Add ACL Entries panel, add multiple IP addresses or CIDR blocks and descriptions, and click Add.
    Enter one entry per line. Press the Enter key to start a new line.
    Use a vertical bar (|) to separate an IP address or CIDR block and a description within an entry. Example: 192.168.1.0/24|Description
- Check the IP entries you added in the entry list.
  Click Delete in the Actions column to delete an entry, or select several entries and click Delete below the list to batch delete them.
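The bulk entry format above and the whitelist/blacklist behaviour described under ACLs can be checked locally before anything is pasted into the console. The following is an added example, not code from the CLB product or its documentation; the names `parse_entries`, `forwards` and `SAMPLE` are hypothetical, and the sample entries are constructed.

```python
import ipaddress

MAX_BATCH = 50  # page: up to 50 entries can be added at a time

# Constructed sample of the "IP-or-CIDR|Description" bulk format.
SAMPLE = """192.168.1.0/24|Office
10.0.0.8|Bastion host
192.168.1.0/24|Office, pasted twice
2001:db8::/32|IPv6 range in an IPv4 ACL
192.168.1.300|Typo"""

def parse_entries(text, version):
    """Return (networks, errors) for one batch of an IPv4 or IPv6 ACL."""
    nets, errors, seen = [], [], set()
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    if len(lines) > MAX_BATCH:
        errors.append(f"{len(lines)} entries exceed the batch limit of {MAX_BATCH}")
    for n, line in enumerate(lines, 1):
        addr = line.split("|", 1)[0].strip()
        try:
            # strict=False normalises host bits; a choice made for this sketch
            net = ipaddress.ip_network(addr, strict=False)
        except ValueError:
            errors.append(f"line {n}: invalid address or CIDR block {addr!r}")
            continue
        if net.version != version:
            errors.append(f"line {n}: {net} is IPv{net.version}, ACL is IPv{version}")
        elif net in seen:
            errors.append(f"line {n}: duplicate entry {net}")
        else:
            seen.add(net)
            nets.append(net)
    return nets, errors

def forwards(source_ip, acl_type, nets):
    """Listener decision as the page describes it."""
    if not nets:  # an ACL with no entries forwards everything, either type
        return True
    hit = any(ipaddress.ip_address(source_ip) in net for net in nets)
    return hit if acl_type == "whitelist" else not hit

if __name__ == "__main__":
    nets, errors = parse_entries(SAMPLE, 4)
    print(*errors, sep="\n")
    for ip in ("192.168.1.20", "203.0.113.9"):
        print(ip, forwards(ip, "whitelist", nets), forwards(ip, "whitelist", []))
```

Running `forwards` with the addresses that must keep access, before enabling a whitelist, shows whether they would still be forwarded; the empty-list case shows that an ACL with no entries restricts nothing.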
Enable access control
Enable whitelists or blacklists for a listener to control network access to it.
- Log on to the CLB console.
- Select the region where the CLB instance is deployed.
- Click the ID of the CLB instance.
- Click the Listener tab. Find the listener and choose
  in the Actions column.
- In the Configure Access Control panel, configure the parameters and click OK.
  - Access Control: Click to enable access control.
  - ACL Type: Select Whitelist: Allows Specified IP Addresses to Access the SLB Instance.
  - ACL: Select an ACL.
    IPv6 instances can be associated only with IPv6 ACLs. IPv4 instances can be associated only with IPv4 ACLs.
    Note: Separate multiple IP entries with commas (,). You can add up to 300 IP entries to each ACL. IP entries must be unique within each ACL.
Disable access control
If a listener no longer requires access control, you can disable access control for the listener.
- Log on to the CLB console.
- Select the region where the CLB instance is deployed.
- Click the ID of the CLB instance.
- On the instance details page, click the Listener tab.
- Find the listener and choose
- In the Configure Access Control panel, click to disable access control and click OK.