Access Control Lists (ACLs) are used for rejecting connecting clients by IP address (or CIDR). This can complement or replace banning addresses on your backend server.

By default there are no ACLs deployed and any client can connect to your service.

CIDR Format

ACLs are expressed as a list of CIDRs. CIDR format is a way of writing an IP range (or single IP), and it allows for maximum flexibility in rules. It appends to the address a slash character and the decimal number of leading bits of the routing prefix, e.g., 192.168.2.0/24 for IPv4, and 2001:db8::/32 for IPv6. A single IP address is hence /32 for IPv4 and /128 for IPv6.

CIDR examples:

0.0.0.0/0 - All IP addresses
8.8.8.8/32 - Just 8.8.8.8
192.168.2.0/24 - IPs in the range 192.168.2.1 - 192.168.2.255

For more information on CIDRs please see this article on CIDRs.

Layer 4 ACLs

ACLs on TCP and UDP ports are expressed as a list of IP addresses to Allow (whitelist mode) or Deny (blacklist mode). More advanced control over connecting clients is also possible through the Layer 4 Rules system.

HTTP ACLs

ACLs on HTTP ports are executed from the top down; the first matching rule is the one that takes effect. This is different from ACLs at Layer 4. For example:

1) deny    192.168.1.1
2) allow   10.1.1.0/16
3) allow   192.168.1.0/24
4) deny    0.0.0.0/0

This configuration specifies that only 10.1.1.0/16 and 192.168.1.0/24 (with the exception of 192.168.1.1) are allowed to access the server.
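The first-match evaluation described above can be modelled in a few lines. This is an added example, not the service's own code: the function names, the MISORDERED list and the allow-when-nothing-matches default are assumptions made for illustration, and it also flags rules that can never match because an earlier rule already covers them.

```python
import ipaddress

# Rule list from the HTTP ACLs section, in order.
PAGE_RULES = [("deny", "192.168.1.1"), ("allow", "10.1.1.0/16"),
              ("allow", "192.168.1.0/24"), ("deny", "0.0.0.0/0")]

# Constructed variant: the single-IP deny moved below the /24 allow.
MISORDERED = [("allow", "10.1.1.0/16"), ("allow", "192.168.1.0/24"),
              ("deny", "192.168.1.1"), ("deny", "0.0.0.0/0")]


def parse_rules(rules):
    """Turn (action, cidr) pairs into (action, network) pairs.

    A bare IP becomes /32 (or /128 for IPv6), as the Notes section states.
    strict=False masks stray host bits, so 10.1.1.0/16 is read as 10.1.0.0/16
    (assumption: the page does not say how the service treats host bits).
    """
    return [(action, ipaddress.ip_network(cidr, strict=False))
            for action, cidr in rules]


def evaluate(rules, client_ip, default="allow"):
    """Return (action, rule_number) for the first rule matching client_ip."""
    addr = ipaddress.ip_address(client_ip)
    for number, (action, net) in enumerate(parse_rules(rules), start=1):
        if addr.version == net.version and addr in net:
            return action, number
    # Assumption: no match means allow, since with no ACLs any client connects.
    return default, None


def shadowed_rules(rules):
    """Return numbers of rules fully covered by an earlier rule (never reached)."""
    parsed = parse_rules(rules)
    shadowed = []
    for i, (_, net) in enumerate(parsed):
        for _, earlier in parsed[:i]:
            if earlier.version == net.version and net.subnet_of(earlier):
                shadowed.append(i + 1)
                break
    return shadowed


if __name__ == "__main__":
    for ip in ("192.168.1.1", "192.168.1.50", "10.1.200.7", "8.8.8.8"):
        print(ip, evaluate(PAGE_RULES, ip))
    print("never-reached rules if misordered:", shadowed_rules(MISORDERED))
```

Running `shadowed_rules` on a list before deploying it catches a specific deny that was placed below a broader allow and would therefore never take effect.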

ACLs are independent of mitigation rules. More advanced control over connecting clients and the requests they can make is available through the Layer 7 Rules system.

Blocklists

We have provided lists at the Layer 4 and Layer 7 level for blocking TOR, VPNs and similar. These are executed after, and separately from, user ACL processing. You can find more information on IP Blocklists on their article page.

Notes

  • If an IP address is entered into the form without a CIDR suffix, it will default to /32 (aka just that IP).

  • A Subnet Calculator may help you with calculations

  • A CIDR is sometimes referred to as an IP Network or IP Block