Access control


CLB access control filters client requests by applying an IP whitelist or blacklist to a listener.

Create an ACL

An ACL is a collection of IP entries. Associate an ACL with a listener to enforce whitelist or blacklist filtering.

Console

  1. Navigate to the Access Control page of the CLB console. In the top navigation bar, select the region where the target instance is deployed, and then click Create ACL.

  2. In the Create ACL panel, enter an ACL Name, select an IP Version (IPv4 or IPv6), add IP entries as needed, and then click Create.

    IPv4 instances support only IPv4 ACLs; IPv6 instances support only IPv6 ACLs. Match the IP version to your CLB instance.

API

Call CreateAccessControlList to create an ACL.

Add IP entries

Add IP entries to an existing ACL.

Console

Navigate to the Access Control page of the CLB console and click the ID of the target ACL to open its details page. Add IP entries in one of the following ways:

  • Add a single entry: Click Add Entry. In the dialog box, enter an IP Address/CIDR Block and Remarks, and then click Add.

  • Bulk add entries: Click Add ACL Entries and enter the entries in the following format:

    • Enter one entry per line. Press the Enter key to start a new line.

    • Separate the IP address or CIDR block from its description with a vertical bar (|). For example, 192.168.1.0/24|description.

    • You can add up to 50 entries at a time.

You can delete or export entries from the entry list.
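The bulk-add format above is easy to get wrong in ways the console only reports after the fact (a host address written with a network prefix, an IPv6 entry pasted into an IPv4 ACL, more than 50 lines). The following is an added example, not code from the CLB console or SDK, that validates a batch offline before you paste it: it parses the one-per-line `cidr|comment` format, checks the IP version against the ACL, rejects duplicates, warns about overlapping entries, and emits the JSON array shape used by the AclEntrys parameter of AddAccessControlListEntry. The sample batch, the function names and the 300-entry default quota used for the size check are constructed or taken from this page; nothing else is assumed about the API.

```python
import ipaddress
import json

MAX_BATCH = 50            # console bulk-add limit per operation
MAX_ACL_ENTRIES = 300     # default per-ACL quota (slb_quota_acl_entries_num)


def parse_bulk_entries(text, ip_version, existing_count=0):
    """Parse the console bulk-add format: one "cidr|comment" per line.

    Returns (entries, errors, warnings). entries is a list of
    (network, comment) tuples with the network normalised to CIDR form.
    Rejected lines (bad CIDR, host bits set, wrong IP version, exact
    duplicate) go to errors; overlapping entries are reported as warnings
    because they are legal inside one ACL but must not be split across
    ACLs attached to the same listener.
    """
    entries, errors, warnings = [], [], []
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) > MAX_BATCH:
        errors.append(f"{len(lines)} lines exceed the batch limit of {MAX_BATCH}")
    if existing_count + len(lines) > MAX_ACL_ENTRIES:
        errors.append(f"ACL would hold {existing_count + len(lines)} entries, "
                      f"quota is {MAX_ACL_ENTRIES}")
    for n, line in enumerate(lines, 1):
        cidr, _, comment = line.partition("|")
        cidr, comment = cidr.strip(), comment.strip()
        try:
            net = ipaddress.ip_network(cidr, strict=True)  # "a.b.c.d" becomes /32
        except ValueError as exc:
            errors.append(f"line {n}: {exc}")
            continue
        if net.version != ip_version:
            errors.append(f"line {n}: {net} is IPv{net.version}, ACL is IPv{ip_version}")
            continue
        if any(net == seen for seen, _ in entries):
            errors.append(f"line {n}: duplicate entry {net}")
            continue
        for seen, _ in entries:
            if net.subnet_of(seen) or seen.subnet_of(net):
                warnings.append(f"line {n}: {net} overlaps {seen}")
        entries.append((net, comment))
    return entries, errors, warnings


def to_acl_entrys(entries):
    """Serialise parsed entries into the JSON array shape of the
    AddAccessControlListEntry AclEntrys parameter."""
    return json.dumps([{"entry": str(net), "comment": comment}
                       for net, comment in entries])


# Constructed sample batch: three valid IPv4 entries, one IPv6 entry
# (wrong version for an IPv4 ACL) and one CIDR with host bits set.
SAMPLE_BATCH = """\
192.168.1.0/24|office
10.0.0.5|bastion
192.168.1.128/25|lab (overlaps office)
2001:db8::/32|ipv6 office
172.16.0.1/24|typo, should be 172.16.0.0/24
"""

if __name__ == "__main__":
    ok, errs, warns = parse_bulk_entries(SAMPLE_BATCH, ip_version=4)
    print(to_acl_entrys(ok))
    for msg in errs + warns:
        print(msg)
```

Run it on the batch you intend to paste; anything in the error list would either be rejected by the console or, worse, silently accepted as a different network than you meant (strict parsing is what catches 172.16.0.1/24).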

API

Call AddAccessControlListEntry to add IP entries to an ACL. Pass the entries in the AclEntrys parameter as a JSON array of objects, each with an entry (IP address or CIDR block) and a comment field.

Enable or disable access control

Associate an ACL with a listener to enable access control. Disable it at any time when no longer needed.

Important
  • Access control does not take effect if the associated ACL is empty — the listener forwards all requests regardless of whitelist or blacklist mode. Before enabling a whitelist, verify that the ACL contains the allowed IP addresses to avoid service disruptions.

  • If you associate multiple ACLs with a single listener, the IP entries across all ACLs must not overlap.

Console

  1. Navigate to the Instances page of the CLB console. In the top navigation bar, select the region where the target instance is deployed, and then click the instance ID.

  2. Click the Listener tab. Find the target listener, and in the ACL column, click Enable or Close.

    • Enable: In the dialog box that appears, select an Access Control Mode (Whitelist: Allows Specified IP Addresses to Access the SLB Instance or Blacklist: Forbids Specified IP Addresses to Access the SLB Instance) and an ACL, and then click Save.

    • Close: In the confirmation dialog box, click OK.

You can also enable or disable access control in the Access Control section of the listener details page, or enable it when you create a listener.

API

When you call an API operation to create or modify a listener, such as CreateLoadBalancerHTTPSListener or SetLoadBalancerHTTPSListenerAttribute, configure access control by using the following parameters:

  • AclStatus: Specifies whether to enable access control. Valid values: on and off.

  • AclType: The access control type. Valid values: white (whitelist) and black (blacklist).

  • AclId: The ID of the associated ACL.
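The three parameters above, together with the two rules in the Important note (an empty ACL forwards everything, and entries across ACLs on one listener must not overlap) and the fixed per-listener limits from the Quotas section, are small enough to model exactly. The block below is an added example, not code from CLB or its SDK: it reproduces the listener's allow/deny decision for a client address and adds a preflight check you can run before setting AclStatus to on in whitelist mode. The parameter values on, off, white and black are the API's own; the function names, the ACLs and the client addresses are constructed for illustration.

```python
import ipaddress

MAX_ACLS_PER_LISTENER = 3        # fixed limit
MAX_ENTRIES_PER_LISTENER = 1000  # fixed limit, summed over all attached ACLs


def _networks(acls):
    """Flatten a list of ACLs (each a list of CIDR strings) into network objects."""
    return [ipaddress.ip_network(cidr, strict=False) for acl in acls for cidr in acl]


def listener_decision(acl_status, acl_type, acls, client_ip):
    """Return "allow" or "deny" for one connection, mirroring the listener
    parameters AclStatus (on/off), AclType (white/black) and the attached
    ACLs. An empty ACL set forwards everything in both modes."""
    if acl_status == "off":
        return "allow"
    if acl_status != "on" or acl_type not in ("white", "black"):
        raise ValueError("AclStatus must be on/off and AclType white/black")
    if len(acls) > MAX_ACLS_PER_LISTENER:
        raise ValueError(f"at most {MAX_ACLS_PER_LISTENER} ACLs per listener")
    nets = _networks(acls)
    if len(nets) > MAX_ENTRIES_PER_LISTENER:
        raise ValueError(f"at most {MAX_ENTRIES_PER_LISTENER} entries per listener")
    if not nets:
        return "allow"        # the failure mode from the Important note
    ip = ipaddress.ip_address(client_ip)
    matched = any(ip in net for net in nets)   # False across IP versions
    if acl_type == "white":
        return "allow" if matched else "deny"
    return "deny" if matched else "allow"


def cross_acl_overlaps(acls):
    """Pairs of entries from different ACLs that overlap (not permitted when
    several ACLs are attached to the same listener)."""
    tagged = [(i, ipaddress.ip_network(c, strict=False))
              for i, acl in enumerate(acls) for c in acl]
    return [(str(a), str(b)) for i, a in tagged for j, b in tagged
            if i < j and a.overlaps(b)]


def preflight_whitelist(acls, required_sources):
    """Problems that would make enabling AclType=white an outage or a no-op:
    an empty ACL (everything allowed), or a source that must keep working
    (an operator IP, or the proxy's back-to-source addresses) that the
    whitelist would drop. required_sources are single IP addresses."""
    problems = []
    if not _networks(acls):
        problems.append("ACL is empty: whitelist would allow all traffic")
    else:
        for src in required_sources:
            if listener_decision("on", "white", acls, src) == "deny":
                problems.append(f"{src} would be denied")
    problems.extend(f"overlap {a} / {b}" for a, b in cross_acl_overlaps(acls))
    return problems


if __name__ == "__main__":
    # Constructed data: two ACLs attached to one listener and a few clients.
    acls = [["203.0.113.0/24", "198.51.100.10"], ["2001:db8::/32"]]
    for ip in ("203.0.113.7", "198.51.100.10", "192.0.2.1", "2001:db8::1"):
        print(ip, listener_decision("on", "white", acls, ip),
              listener_decision("on", "black", acls, ip))
    print(preflight_whitelist([[]], ["203.0.113.7"]))
```

The preflight is the check to run from a deployment pipeline: feed it the ACL contents you fetched with DescribeAccessControlListAttribute and the addresses that must keep working, and refuse the SetLoadBalancerHTTPSListenerAttribute call if it returns anything.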

FAQ

Why does my whitelist allow all IPs?

Cause: Access control is disabled on the listener, or the associated ACL is empty (an empty ACL allows all traffic).

Solution: Go to the Listener tab of your CLB instance. Verify that the ACL column for the target listener shows Enabled, and confirm that the associated ACL contains IP entries.

Why does my blacklist fail to block IPs?

Cause: When requests pass through a proxy (CDN or WAF), CLB sees the proxy's back-to-source IP instead of the real client IP, so blacklist rules do not match.

Solution: Configure the blacklist at the proxy layer (CDN or WAF). If clients can bypass the proxy, add a CLB whitelist that allows only the proxy's back-to-source IP ranges.

Why are Nginx allow/deny rules ineffective with a Layer 7 listener?

Cause: CLB Layer 7 listeners forward traffic from private IPs in the 100.64.0.0/10 range. Nginx allow/deny rules match source IP, so they cannot filter by real client IP.

Solution: Filter by client IP with a CLB ACL instead; the listener evaluates it against the real client address before the request is forwarded. If a rule must stay on the host, note that a Layer 7 listener carries the real client IP in the X-Forwarded-For header, not in the connection's source address, so the rule has to be based on that header.
Why can't ECS security groups block CLB traffic?

Cause: CLB uses the 100.64.0.0/10 range to communicate with backend ECS instances. By design, ECS security group inbound rules do not restrict traffic from this range.

Solution: Configure a CLB ACL to block requests by client IP before they reach backend servers.

What happens when a request is blocked?

Description: CLB drops blocked requests without returning a response. The client experiences a connection timeout.

Can whitelists protect against DDoS?

Description: No. DDoS traffic consumes instance bandwidth before reaching the access control layer. A severe attack can trigger blackholing.

Recommendation: Use Anti-DDoS.

Multi-layer proxy scenarios

When a Layer 7 proxy sits in front of CLB, access control sees only the upstream proxy's back-to-source IP, not the real client IP. Configure access control at the layer that observes the address you want to filter on. The following lists the observed source IP and the recommended configuration at each layer of a CNAME-based WAF integration (Client → CDN → WAF → CLB → ECS).

WAF

  • Observed source IP: Without CDN, the real client IP. With CDN, the CDN back-to-source IP; in the WAF access configuration, set the client IP identification method so that WAF obtains the real client IP.

  • Recommendation: Configure access control at this layer. WAF blocks by real client IP and supports region-based blocking.

CLB

  • Observed source IP: The WAF back-to-source IP.

  • Recommendation: Whitelist only the WAF back-to-source IP ranges on CLB so that attackers cannot bypass WAF by connecting to CLB directly. View the WAF back-to-source IP ranges on the Website Access page in the WAF console.

Backend ECS

  • Observed source IP: The CLB private IP, from the 100.64.0.0/10 CIDR block.

  • Recommendation: Do not block 100.64.0.0/10 in host firewalls (iptables, firewalld). Blocking this range breaks health checks and request forwarding.

In transparent proxy mode, traffic is routed through WAF for inspection automatically, without a separate back-to-source IP range, so no extra CLB access control configuration is required.
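Two of the recommendations above are set-comparison problems that drift over time: the CLB whitelist must cover exactly the WAF back-to-source ranges (a missing range drops legitimate WAF traffic, a stray entry is a direct path around WAF), and no host-firewall deny rule may touch 100.64.0.0/10. The block below is an added example, not code from CLB, WAF or any Alibaba Cloud SDK, that audits both. The WAF ranges and ACL entries are constructed from documentation prefixes; in practice you would paste the ranges from the Website Access page in the WAF console and the entries from DescribeAccessControlListAttribute.

```python
import ipaddress

CLB_BACKEND_RANGE = ipaddress.ip_network("100.64.0.0/10")


def _collapsed(cidrs):
    """Merge a list of CIDR strings into the minimal set of non-overlapping
    networks, per IP version (collapse_addresses needs one version at a time)."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    out = []
    for version in (4, 6):
        out.extend(ipaddress.collapse_addresses(n for n in nets if n.version == version))
    return out


def _covered(net, nets):
    return any(net.version == n.version and net.subnet_of(n) for n in nets)


def audit_waf_whitelist(clb_whitelist, waf_back_to_source):
    """Compare a CLB listener whitelist with the WAF back-to-source ranges.

    uncovered: WAF ranges the whitelist does not fully allow; requests that
               WAF forwards from those addresses are dropped by CLB.
    extra:     whitelist address space outside every WAF range; anyone in it
               can reach CLB directly and skip WAF inspection.
    Both sides are collapsed first, so two /25 entries that together equal a
    /24 WAF range count as covered (and vice versa).
    """
    allow = _collapsed(clb_whitelist)
    waf = _collapsed(waf_back_to_source)
    uncovered = [str(w) for w in waf if not _covered(w, allow)]
    extra = [str(a) for a in allow if not _covered(a, waf)]
    return {"uncovered": uncovered, "extra": extra}


def host_rules_blocking_clb(deny_cidrs):
    """Host-firewall deny rules (iptables/firewalld style CIDRs) that touch
    100.64.0.0/10 and would therefore break CLB health checks and forwarding."""
    return [c for c in deny_cidrs
            if ipaddress.ip_network(c, strict=False).overlaps(CLB_BACKEND_RANGE)]


if __name__ == "__main__":
    # Constructed data. Real WAF ranges come from the Website Access page in
    # the WAF console; documentation prefixes are used here instead.
    waf_ranges = ["198.51.100.0/25", "198.51.100.128/25", "192.0.2.0/24"]
    clb_acl = ["198.51.100.0/24", "203.0.113.0/24"]
    print(audit_waf_whitelist(clb_acl, waf_ranges))
    print(host_rules_blocking_clb(["100.64.0.0/16", "10.0.0.0/8"]))
```

A clean audit returns two empty lists. Run it again whenever WAF publishes new back-to-source ranges; the uncovered list is the outage you would otherwise discover from WAF returning errors, and the extra list is the bypass an attacker would discover by resolving the CLB address directly.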

Billing

Access control incurs no extra charges. For details, see the CLB billing overview.

Quotas

You can request quota increases for the following limits in Quota Center.

  • Number of ACLs that an Alibaba Cloud account can create: quota name slb_quota_acls_num, default limit 200.

  • Number of entries that you can add to each ACL: quota name slb_quota_acl_entries_num, default limit 300.

  • Number of listeners that can be associated with an ACL: quota name slb_quota_acl_attached_num, default limit 50.

The following limits are fixed and cannot be increased.

  • Number of ACLs that can be associated with a listener: 3.

  • Total number of IP entries across all ACLs associated with a single listener: 1,000.