Access Control
Access control lets you add a whitelist or a blacklist that specifies which IP addresses are allowed to access a listener or denied access to it. A whitelist allows the specified IP addresses to access the listener, while a blacklist denies access from the specified IP addresses.
Important
Adding a whitelist or blacklist may cause risks. Once a whitelist is added, only IP addresses in the whitelist can access the listener. After a blacklist is added, IP addresses in the blacklist cannot access the listener.
Whitelists and blacklists do not conflict with inbound security group rules. Whitelists define the IP addresses that are allowed to access the listeners, while blacklists specify the IP addresses that are denied access to the listeners. Inbound security group rules control access to backend servers by specifying the protocol, ports, and IP addresses.
Access control does not restrict the ping command. You can still ping backend servers from the restricted IP addresses.
To ping the IP address of a shared load balancer, you need to add a listener and associate a backend server to it.
To ping the IP address of a dedicated load balancer, you only need to add a listener to it.
Access control policies take effect only for new connections, not for connections that have already been established. If a whitelist is configured for a listener but IP addresses that are not in the whitelist can still access the backend server associated with the listener, one possible reason is that a persistent connection is established between the client and the backend server. To prevent IP addresses that are not in the whitelist from accessing the listener, the persistent connection between the client and the backend server needs to be disconnected.
Configuring Access Control
Log in to the management console.
In the upper left corner of the page, click and select the desired region and project.
Click in the upper left corner to display Service List and choose Network > Elastic Load Balancing.
Locate the load balancer and click its name.
You can configure access control for a listener in either of the following ways:
On the Listeners page, locate the listener and click Configure in the Access Control column.
Click the name of the listener. On the Basic Information page, click Configure on the right of Access Control.
In the displayed Configure Access Control dialog box, configure parameters as shown in Table 1.
| Parameter | Description | Example Value |
| --- | --- | --- |
| Access Control | Specifies how access to the listener is controlled. Three options are available. All IP addresses: All IP addresses can access the listener. Whitelist: Only IP addresses in the IP address group can access the listener. Blacklist: IP addresses in the IP address group are not allowed to access the listener. | Blacklist |
| IP Address Group | Specifies the IP address group associated with a whitelist or blacklist. If there is no IP address group, create one first. For more information, see IP Address Group Overview. | ipGroup-b2 |
| Access Control | If you have set Access Control to Whitelist or Blacklist, you can enable or disable access control. The whitelist or blacklist takes effect only after you enable access control. If you disable access control, the whitelist or blacklist does not take effect. | N/A |
Click OK.
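Because an enabled whitelist or blacklist can cut off clients, it helps to dry-run the list against known client IPs before clicking OK. The following Python model of the rules described on this page is an added example, not the load balancer's own code; the function names, the sample addresses, and the assumption that IP address group entries are single IPs or CIDR blocks are illustrative.

```python
import ipaddress

def decide(src_ip, mode, group, enabled=True, established=False):
    """Return True if a connection from src_ip reaches the listener.

    mode:        "all", "whitelist" or "blacklist" (the Access Control options)
    group:       entries of the IP address group (assumed: single IPs or CIDRs)
    enabled:     the enable/disable switch; a disabled list has no effect
    established: policies apply to new connections only, so a connection
                 that already exists is not cut off
    """
    if mode == "all" or not enabled or established:
        return True
    ip = ipaddress.ip_address(src_ip)
    in_group = any(ip in ipaddress.ip_network(e, strict=False) for e in group)
    if mode == "whitelist":
        return in_group
    if mode == "blacklist":
        return not in_group
    raise ValueError(f"unknown access control mode: {mode!r}")

def dry_run(clients, mode, group, enabled=True):
    """Split known client IPs into (allowed, denied) for new connections."""
    allowed, denied = [], []
    for client in clients:
        (allowed if decide(client, mode, group, enabled) else denied).append(client)
    return allowed, denied

# Constructed sample data (documentation address ranges, not real clients).
CLIENTS = ["192.0.2.10", "192.0.2.77", "198.51.100.5", "203.0.113.9"]
IP_GROUP = ["192.0.2.0/24", "203.0.113.9"]

if __name__ == "__main__":
    for mode in ("whitelist", "blacklist"):
        allowed, denied = dry_run(CLIENTS, mode, IP_GROUP)
        print(f"{mode}: allowed={allowed} denied={denied}")
    # A client outside the whitelist keeps access over an existing
    # persistent connection until that connection is disconnected.
    print(decide("198.51.100.5", "whitelist", IP_GROUP, established=True))
```

Any address that appears in the denied list for the mode you plan to enable will be refused on its next new connection.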