Access Control Lists (ACLs) are used for rejecting connecting clients by IP address (or CIDR). This can complement or replace banning address on your backend server.

By default there are no ACLs deployed and any client can connect.

CIDR Format

ACLs are expressed as a list of CIDRs. CIDR format refers to a way of referring to an IP range (or single IP). It allows for maximum flexibility in rules. It appends to the address a slash character and the decimal number of leading bits of the routing prefix, e.g., for IPv4, and 2001:db8::/32 for IPv6. A single IP address is hence /32 for IPv4 and /128 for IPv6.

CIDR examples: - All IP addresses - Just - -

Layer 4 ACLs

ACLs on TCP and UDP ports are expressed as a list of IP addresses to Allow (whitelist mode) or Deny (blacklist mode). More advanced control over connecting clients is also possible through the Layer 4 Rules system.


ACLs on HTTP ports are executed from top down, the first matching rule is the one that takes affect. This is different to ACLs at Layer 4. For example the following example.

1) deny
2) allow
3) allow
4) deny

This configuration specifies that only and (with the exception of are allowed to access the server.

ACLs are independent of mitigation rules. More advanced control over connecting clients and the requests they can make is available through the Layer 7 Rules system.


We have provided lists at the Layer 4 and Layer 7 level for blocking TOR, VPNs and similar. These are executed after and separately to use ACL processing. You can find more information on IP Blocklists on their article page.


  • If an IP address is entered into the form without a CIDR suffix, it will default to /32 (aka just that IP).

  • A Subnet Calculator may help you with calculations

  • A CIDR is sometimes referred to as an IP Network or IP Block