How to create and manage ACLs

Access Control Lists (ACLs) allow you to control traffic arriving at your Load Balancer's frontend, and set conditions to allow traffic to pass to the backend, deny traffic from passing to the backend, or redirect traffic. Conditions can be set based on the traffic's source IP address and/or HTTP path and header, or you can choose to carry out unconditional actions. ACLs allow you to build extra security into your Load Balancer, as well as letting you redirect traffic, for example from HTTP to HTTPS.

Before you start

To complete the actions presented below, you must have:

• A Scaleway account logged into the console
• Owner status or IAM permissions allowing you to perform actions in the intended Organization
• Created a Load Balancer

How to create ACLs

ACLs are created and managed at the frontend(s) of your Load Balancer.

1. Click Load Balancers in the Network section of the Scaleway console side menu.

2. Click the Load Balancer you want to create ACLs for.

3. Click the Frontends tab.

4. Click the name of the frontend you want to create ACLs for.

   The Overview tab for the frontend displays.

5. Click the ACLs tab.

   

6. Click Create ACL or the «Plus Icon» button. The ACL creation wizard displays.

   

   The first part of the wizard asks you to set a name and optional description for the ACL.

7. Enter the following information:

   • ACL name: a name for your ACL.
   • Priority: a priority number for your ACL. ACLs are applied in order of priority, starting from the lowest numbered rule.
   • Description: an optional description for your ACL.

   The second part of the wizard asks you to define the action for the ACL, and the conditions under which the action should be applied.

8. Select an action from the following options:

   • Allow: Allow traffic to pass to the Load Balancer’s backend.
   • Deny: Deny traffic from passing to the Load Balancer’s backend.
   • Redirect: Redirect traffic to an alternative URI.
     • Select a redirection code. The default value is 302. Other options are 301, 303, 307 or 308.
     • Select a redirection URI option, from:
       • Keep original: Redirect to the original URI.
         • Select a scheme (HTTP or HTTPS) and port for the redirect.
       • Define custom: Define a custom URI to direct to, in the format https://{{host}}/{{path}}?{{query}}. Note that the only valid placeholder values are {{host}}, {{path}} and {{query}}, and there must be no spaces between the curly braces and the string. You may use any, all or none of these placeholder values in your redirect URI.
       Tip

       For more information about using ACLs to set up redirections, see our reference documentation

9. Use the Enable condition toggle to choose whether to set a condition for the action.

   • If you do not enable a condition, the action will be applied uniformly to all traffic arriving at the Load Balancer’s frontend.
   • If you enable a condition, the action will be applied only to traffic meeting the condition you set below.
   

10. Set the condition type for your action, if you enabled a condition in the previous step. Choose from:

    • IF MATCH: The action will be applied to all traffic that matches the filters (defined in the next step).
    • IF NO MATCH: The action will be applied to all traffic that does not match the filters (defined in the next step).

11. Add filters, if you enabled a condition at step 8. Traffic must match (or not match, in the case of the IF NOT condition) the filters in order for the action to be applied. You can select one type of filter per ACL, or combine one IP filter and one HTTP header filter with an AND statement.

    • Click + Add IP filters to add an IP filter. Enter an IPv4 or IPv6 address (or IP block) in the box that displays, and click Add filter. You can repeat this step to add as many IP addresses as you like. Any traffic from the source IP addresses specified here will be considered to match the filter.
    • Click + Add HTTP filter(s) to add HTTP filters. Only frontends attached to an HTTP backend can add HTTP filters. You can select one of the following filter types per ACL:

      • Path begins with: Enter a value to filter on, for example /admin and click Add filter. Repeat this step to add multiple values to filter for, if required. Any traffic which has any of the specified values at the beginning of its HTTP request path will be considered to match the filter.

      • Path ends with: Enter a value to filter on, for example /blog and click Add filter. Repeat this step to add multiple values to filter for, if required. Any traffic which has any of the specified values at the end of its HTTP request path will be considered to match the filter.

      • Path regex: Enter a regular expression to specify a pattern to search for in the HTTP request path, and click Add filter. Repeat this step to add multiple regex patterns to filter for, if required. Any traffic whose HTTP request path fits this regex will be considered to match the filter.

      • Header: Enter the name of the HTTP header field to use for the filter, and the value to filter for in this header, then click Add filter. For example, enter Referer followed by exampledomain to filter for occurrences of exampledomain in the Referer header. You can add multiple values to filter for if required, but in only one header. Any traffic who has any of the specified values in the specified header field will be considered to match the filter.

        Tip

        For more information about setting up conditions and filters for ACLs, see our reference documentation

        

12. Click Create ACL to finish. Your ACL is created, and you are redirected to the ACLs tab, where your new ACL now appears.

13. Repeat steps 5 to 11 to create new ACLs as required. Remember that they will be applied in order, according to the priority number you give each ACL.

    Tip

    • Traffic filters through ACLs in order of priority, where the ACL with priority 1 (or the lowest given number) comes first, followed by the next highest number etc.
    • If traffic matches an ACL’s filter for an Allow, Deny or Redirect action (or if the action is applied unconditionally by that ACL), the action is applied immediately. The traffic is not subject to any further filtering or any further actions by any ACLs that follow.
    • Traffic that does not match criteria for the ACL’s action will pass to the next ACL in the list, based on the order of priority.
    • If traffic reaches the end of the list of ACLs without having matched any filters to be explicitly allowed, denied or redirected, this traffic will be allowed to pass to the backend.
    • See our reference documentation for more information on how ACLs work and how you can configure them for different use cases.

How to edit ACLs

1. Click Load Balancers in the Network section of the Scaleway console side menu.
2. Click the Load Balancer you want to edit ACLs for.
3. Click the Frontends tab.
4. Click the name of the frontend whose ACL(s) you want to edit. You are taken to the Overview tab for that frontend.
5. Click the ACLs tab. The list of your ACLs displays.
6. Click the «See more Icon» icon next to the ACL you wish to edit, and select Edit.
7. Edit the ACL as required, and click Update ACL to finish.

How to delete ACLs

1. Click Load Balancers in the Network section of the Scaleway console side menu.
2. Click the Load Balancer you want to delete ACLs for.
3. Click the Frontends tab.
4. Click the name of the frontend whose ACL(s) you want to edit. You are taken to the Overview tab for that frontend.
5. Click the ACLs tab. The list of your ACLs displays.
6. Click the «See more Icon» icon next to the ACL you wish to delete, and select Delete.
7. Confirm the action by clicking Delete ACL.