Enable access control for a listener to allow only specific IP addresses (whitelist) or block specific IP addresses (blacklist).
How it works
Access control consists of access control lists (ACLs) and an access control mode.
- ACL: Add multiple IP addresses or CIDR blocks to centrally manage addresses with the same security requirements.
- Access control mode: Configure a whitelist or blacklist for each listener.
  - Whitelist: Allows specific IP addresses to access a GA listener. Only requests from IP addresses or CIDR blocks in the selected ACL are forwarded.
  - Blacklist: Blocks specific IP addresses from accessing a GA listener. Requests from IP addresses or CIDR blocks in the selected ACL are not forwarded.

Warning
- Configuring a whitelist carries risks. After a whitelist is configured, only whitelisted IP addresses can access the listener. If the whitelist is enabled but the ACL is empty, the listener forwards all requests.
- If you enable a blacklist for a listener but do not add any IP address to the associated ACL, the listener forwards all requests.

When you create an ACL, specify its IP version as IPv4 or IPv6. Apply the ACL to a listener with an accelerated IP of the same version.
Limitations
Pay-as-you-go
- Only smart routing listeners support access control.
- A single Global Accelerator instance supports a maximum of 600 IP addresses or CIDR blocks across all ACL entries for all of its listeners. For a single listener, the number of IP addresses or CIDR blocks in the associated ACLs is calculated as follows:
  - Total number of ports for the listener (a port range is counted as one port) × Number of ACL entries
  - If the listener protocol is HTTP/3: Total number of ports for the listener (a port range is counted as one port) × Number of ACL entries × 2
- An ACL can be associated with a maximum of 10 listeners.
- A listener can be associated with at most one IPv4 ACL and one IPv6 ACL.
  - If the accelerated IP uses IPv4 or IPv6 and the listener has both an IPv4 ACL and an IPv6 ACL, only the ACL matching the accelerated IP version takes effect.
  - If the accelerated IP uses dual-stack and the listener has both an IPv4 ACL and an IPv6 ACL, both ACLs take effect.

Subscription
- Only smart routing listeners support access control.
- An ACL associated with a listener can contain a maximum of 200 unique IP addresses or CIDR blocks.
- An ACL can be associated with a maximum of 10 listeners.
- A listener can be associated with at most one IPv4 ACL and one IPv6 ACL. If the accelerated IP uses IPv4 or IPv6 and the listener has both an IPv4 ACL and an IPv6 ACL, only the ACL matching the accelerated IP version takes effect.
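The rules stated in "How it works" and in the limitations above (whitelist and blacklist semantics, the fail-open behaviour of an enabled but empty ACL, and which ACL takes effect for an IPv4, IPv6 or dual-stack accelerated IP) encoded as a small Python model. This is an added example, not code from Alibaba Cloud or the GA console. The listener names, ACL names and addresses are constructed sample data, and the behaviour when no effective ACL covers the client's IP version at all is a modelling assumption that the page does not state. The `audit` helper reports the configurations the warnings describe, which an operator would want to catch before turning the Access Control switch on.

```python
"""Illustrative model of a GA listener's access-control decision (added example)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from typing import FrozenSet, Iterable, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass
class Acl:
    name: str
    ip_version: int                        # 4 or 6, fixed when the ACL is created
    entries: List[Network] = field(default_factory=list)

    @classmethod
    def from_strings(cls, name: str, ip_version: int, entries: Iterable[str]) -> "Acl":
        nets: List[Network] = []
        for text in entries:
            net = ipaddress.ip_network(text, strict=False)   # "198.51.100.7" -> /32
            if net.version != ip_version:
                raise ValueError(f"{text} is not IPv{ip_version}; ACL {name!r} rejects it")
            nets.append(net)
        return cls(name, ip_version, nets)


@dataclass
class Listener:
    name: str
    mode: str                              # "whitelist" or "blacklist"
    accelerated_ip_versions: FrozenSet[int]    # {4}, {6}, or {4, 6} for dual-stack
    acls: List[Acl]                        # at most one IPv4 and one IPv6 ACL

    def __post_init__(self) -> None:
        if self.mode not in ("whitelist", "blacklist"):
            raise ValueError(f"unknown access control mode {self.mode!r}")


def effective_acls(listener: Listener) -> List[Acl]:
    """Only an ACL whose IP version matches an accelerated IP version takes effect."""
    return [a for a in listener.acls if a.ip_version in listener.accelerated_ip_versions]


def should_forward(listener: Listener, client_ip: str) -> bool:
    """Return True if the listener forwards a request from client_ip."""
    addr = ipaddress.ip_address(client_ip)
    entries = [net for acl in effective_acls(listener) if acl.ip_version == addr.version
               for net in acl.entries]
    if not entries:
        # Documented behaviour: a whitelist or blacklist whose ACL has no entries
        # forwards all requests. Assumption: the same holds when no effective ACL
        # covers the client's IP version, a case the page does not describe.
        return True
    matched = any(addr in net for net in entries)
    return matched if listener.mode == "whitelist" else not matched


def audit(listener: Listener) -> List[str]:
    """Pre-deployment findings: configurations that silently forward all traffic."""
    findings: List[str] = []
    for acl in listener.acls:
        if acl.ip_version not in listener.accelerated_ip_versions:
            findings.append(f"{acl.name}: IPv{acl.ip_version} ACL has no effect on "
                            f"{listener.name} (accelerated IP is not IPv{acl.ip_version})")
        elif not acl.entries:
            findings.append(f"{acl.name}: empty ACL, {listener.mode} on {listener.name} "
                            f"forwards all IPv{acl.ip_version} requests")
    if not effective_acls(listener):
        findings.append(f"{listener.name}: no ACL matches the accelerated IP version; "
                        f"access control forwards all requests")
    return findings


# Constructed sample data (RFC 5737 and RFC 3849 documentation ranges).
OFFICE_V4 = Acl.from_strings("office-egress-v4", 4, ["203.0.113.0/24", "198.51.100.7"])
OFFICE_V6 = Acl.from_strings("office-egress-v6", 6, ["2001:db8:1::/48"])
EMPTY_V4 = Acl("empty-v4", 4)

DUAL_STACK_WHITELIST = Listener("lsr-dual", "whitelist", frozenset({4, 6}), [OFFICE_V4, OFFICE_V6])
DUAL_STACK_BLACKLIST = Listener("lsr-dual-deny", "blacklist", frozenset({4, 6}), [OFFICE_V4, OFFICE_V6])
EMPTY_WHITELIST = Listener("lsr-empty", "whitelist", frozenset({4}), [EMPTY_V4])
V4_ONLY_WITH_V6_ACL = Listener("lsr-v4", "whitelist", frozenset({4}), [OFFICE_V6])

if __name__ == "__main__":
    for lsr in (DUAL_STACK_WHITELIST, EMPTY_WHITELIST, V4_ONLY_WITH_V6_ACL):
        print(lsr.name, audit(lsr) or ["ok"])
    for ip in ("203.0.113.45", "192.0.2.10", "2001:db8:1::99"):
        print(ip, "forwarded" if should_forward(DUAL_STACK_WHITELIST, ip) else "dropped")
```

Running the module prints the audit findings for each constructed listener and the decision for a few client addresses; note that `EMPTY_WHITELIST` and `V4_ONLY_WITH_V6_ACL` both forward everything even though access control is enabled, which is exactly the condition the warnings on this page call out.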
Configuration workflow
Create an ACL
Before you can enable access control, you must create an ACL.
- Log on to the GA console.
- In the left-side navigation pane, choose .
- On the Access Control page, click Create ACL.
- In the Create ACL dialog box, configure the following parameters and click OK.
  - ACL Name: Enter a name for the ACL.
  - IP Version: Select the IP version for the ACL.
    - IPv4: Takes effect only for acceleration endpoints that use IPv4 accelerated IPs.
    - IPv6: Takes effect only for acceleration endpoints that use IPv6 accelerated IPs.
  - Resource Group: Select the resource group to which the ACL belongs. To create a resource group, see Resource Management.
  - Tag: Add a tag to the ACL. Select or enter a Key and Value. To manage ACL tags, see Tag management.

Add ACL entries
After you create an ACL, add IP address or CIDR block entries to it.
- Log on to the GA console.
- In the left-side navigation pane, choose .
- Find the target ACL and click Manage ACL in the Actions column.
- On the ACL details page, add entries in one of the following ways:
  - Add a single entry: Click Add Rule. In the Add ACL Entry dialog box, enter the IP Address/CIDR Block and a Remark, and then click OK.
  - Add multiple entries: Click Add Multiple Rules. In the Add Multiple Rules dialog box, add multiple IP addresses or CIDR blocks as prompted, and then click OK.

Enable access control for a listener
Before you enable access control, make sure that you have created a listener. For details, see Add and manage smart routing listeners.
- Log on to the GA console.
- On the Instances page, find the target GA instance, and then click Configure Listener in the Actions column.
- On the Listeners tab, click the ID of the listener for which you want to enable access control.
- On the Listener Details tab, in the Access Control section, turn on the Access Control switch.
- In the Enable Access Control dialog box, configure the following parameters and click OK.
  - ACL Type: Select an access control mode.
    - Whitelist: Forwards requests from IP addresses or CIDR blocks in the selected ACL.
    - Blacklist: Does not forward requests from IP addresses or CIDR blocks in the selected ACL.
    Warning
    - Configuring a whitelist carries risks. After a whitelist is configured, only whitelisted IP addresses can access the listener. If the whitelist is enabled but the ACL is empty, the listener forwards all requests.
    - If you enable a blacklist for a listener but do not add any IP address to the associated ACL, the listener forwards all requests.
  - ACL: Select an ACL. You can also click +Add ACL to add two ACLs at a time.

Dissociate an ACL from a listener
Dissociate unused ACLs from a listener. Dissociating all ACLs from a listener automatically disables its access control.
- Log on to the GA console.
- On the Instances page, find the target GA instance, and then click Configure Listener in the Actions column.
- On the Listeners tab, click the ID of the listener from which you want to dissociate an ACL.
- On the Listener Details tab, in the Access Control section, click the icon next to ACL.
- In the Modify ACL dialog box, find the ACL that you want to dissociate, click Disassociate in the Actions column, and then click OK.

Disable access control for a listener
Disable access control when you no longer need to restrict listener access.
- Log on to the GA console.
- On the Instances page, find the target GA instance, and then click Configure Listener in the Actions column.
- On the Listeners tab, click the ID of the listener for which you want to disable access control.
- On the Listener Details tab, in the Access Control section, turn off the Access Control switch.
- In the dialog box that appears, click OK.

Delete ACL entries
Delete IP address entries from an ACL.
- Log on to the GA console.
- In the left-side navigation pane, choose .
- Find the target ACL and click Manage ACL in the Actions column.
- In the Actions column of the target IP entry, click Delete. Alternatively, select multiple IP entries and click Delete below the entry list.
- In the dialog box that appears, click OK.

Delete an ACL
Delete unused ACLs. Before you delete an ACL, dissociate it from all associated listeners. For details, see Dissociate an ACL from a listener.
- Log on to the GA console.
- In the left-side navigation pane, choose .
- Find the target ACL and click Delete in the Actions column.
- In the dialog box that appears, click OK.

Related API operations
- CreateAcl: Create an ACL.
- AddEntriesToAcl: Add IP entries to an ACL.
- AssociateAclsWithListener: Associate an ACL with a listener.
- DissociateAclsFromListener: Dissociate an ACL from a listener.
- RemoveEntriesFromAcl: Remove IP entries from an ACL.
- DeleteAcl: Delete an ACL.