Instance-level access control


Configure IPv4 or IPv6 access control lists (ACLs) for dedicated instances to control access over the Internet.

1. Create an access control policy group

Note
  • You can create a maximum of five access control policy groups in each region.

  • You can bind only one ACL to a dedicated instance.

  • You can add a maximum of 50 entries in a batch operation.

  • If no entry is added to an ACL, the blacklist and whitelist that are associated with the ACL do not take effect.

  1. In the navigation pane on the left of the API Gateway console, click Instances. On the Instances page, click the Access Control Policy Groups tab. Click Create Access Control Policy Group and enter a name for the group. Select IPv4 to control access from IPv4 addresses, or select IPv6 to control access from IPv6 addresses.

  2. After the access control policy group is created, click Manage in the Actions column to add entries. You can add entries one by one or in batches.

2. Configure a blacklist or whitelist for a dedicated instance

2.1 Configure an IPv4 blacklist or whitelist

In the navigation pane on the left of the API Gateway console, click Instances. Find the dedicated instance that you want to configure and click Set Blacklist/Whitelist. Select Blacklist or Whitelist, and then select the policy group that you configured. Read the notes and click Confirm. The access control policy takes effect.

Important

After the blacklist or whitelist is configured, the ACL takes effect for all API groups that belong to the instance. Proceed with caution.

2.2 Configure an IPv6 blacklist or whitelist

Before you set an IPv6 blacklist or whitelist, make sure that IPv6 inbound is enabled for your dedicated instance. You can enable this feature on the Instances page, as shown in the following figure.

[Figure: enabling IPv6 inbound on the Instances page]

After IPv6 inbound is enabled, go to the details page of the dedicated instance. In the IPv6 Access Control section, click Set Blacklist/Whitelist. Only IPv6 access control policy groups are displayed. The remaining steps are the same as those for setting an IPv4 blacklist or whitelist.

Important

You can use only IPv6 ACLs to configure IPv6 access control. You can use only IPv4 ACLs to configure IPv4 access control.
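Because a bound ACL applies to every API group on the instance, it helps to check an entry list before adding it in the console. The following Python sketch is an added example, not Alibaba Cloud code: it enforces the 50-entry batch limit and the IPv4/IPv6 separation described above, and predicts whether a given client would be admitted. The function names are hypothetical, and the entry format (a single address or a CIDR block) is an assumption.

```python
import ipaddress

MAX_BATCH = 50  # page: at most 50 entries per batch operation


def prepare_entries(raw_entries, family):
    """Validate entries for an IPv4 (family=4) or IPv6 (family=6) policy group.

    Returns (batches, rejected): batches of at most MAX_BATCH networks, and
    (entry, reason) pairs for everything that must not be submitted.
    """
    networks, rejected, seen = [], [], set()
    for raw in raw_entries:
        try:
            # Assumption: an entry is a single address or a CIDR block.
            net = ipaddress.ip_network(raw.strip(), strict=False)
        except ValueError:
            rejected.append((raw, "not an IP address or CIDR block"))
            continue
        if net.version != family:
            rejected.append((raw, f"IPv{net.version} entry in an IPv{family} group"))
        elif net in seen:
            rejected.append((raw, "duplicate"))
        else:
            seen.add(net)
            networks.append(net)
    batches = [networks[i:i + MAX_BATCH] for i in range(0, len(networks), MAX_BATCH)]
    return batches, rejected


def is_admitted(client_ip, acl, mode, family):
    """Predict whether client_ip passes an ACL bound as 'whitelist' or 'blacklist'."""
    if mode not in ("whitelist", "blacklist"):
        raise ValueError("mode must be 'whitelist' or 'blacklist'")
    addr = ipaddress.ip_address(client_ip)
    if addr.version != family:
        raise ValueError(f"IPv{addr.version} client: check the IPv{addr.version} ACL instead")
    if not acl:
        return True  # page: an ACL with no entries does not take effect
    listed = any(addr in net for net in acl)
    return listed if mode == "whitelist" else not listed


if __name__ == "__main__":
    # Constructed sample: documentation ranges, not real clients.
    batches, rejected = prepare_entries(["203.0.113.0/24", "2001:db8::1", "bad"], 4)
    acl = [net for batch in batches for net in batch]
    print(rejected)
    print(is_admitted("198.51.100.7", acl, "whitelist", 4))  # address left off the list
```

Run `is_admitted` for every address you depend on before you bind a whitelist, so that a missing entry shows up here and not as client timeouts.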

FAQ

  • If a whitelist is configured, what happens when a client that is not on the whitelist tries to access API Gateway?

    API Gateway denies the request at the access layer, and a timeout error is reported on the client.

    Important

    The API Gateway debug page displays its IP address. To use the debug feature, you must add this IP address to the instance whitelist and the allowlist of the IP access control plug-in.

  • What is the difference between instance-level access control and the IP access control plug-in?

    The IP access control plug-in controls access at the API level. Instance-level access control applies to an entire dedicated API Gateway instance and does not incur traffic fees.