Network ACLs

Network ACLs enable fine-grained access control per client IP address. With Network ACLs you can create lists that block offending IP addresses, or that allow only certain IP addresses, for a protected domain or URL.

Use cases

  • Offices that restrict access to administrative domains

  • Blocking bad actors directly on the edge

  • Preventing web scraping from certain IP addresses

  • Bypassing Transparent Edge WAF or Bot Mitigation for trusted addresses

Create and manage Network ACLs

Log in to the dashboard and look for the "IP Lists" section in the left side panel.

This section allows you to create, delete and modify Network ACL lists.

How to use a Network ACL

First, take note of the name of the Network ACL, for example acl_c4_mylist.

Now, create a new VCL configuration by cloning the current one.

Adapt one of the examples below to your use case.

Deny list example

# Deny list example
sub vcl_recv {
    if (req.http.host == "www.mydomain.com") { # any required condition to trigger the ACL check
        if (aclplus.match(client.ip, network_acl.get("acl_c4_mydenylist", "none"))) {
            # Any action is allowed here, for this example we block the request
            call deny_request;
        }
    }
}

Use the following conditional to combine multiple deny lists together:

if (aclplus.match(client.ip, network_acl.get("acl_c4_deny1", "none"))
        || aclplus.match(client.ip, network_acl.get("acl_c4_deny2", "none"))
   ) {
    # Block the request if the IP is present in any ACL
    call deny_request;
}

Allow list example

Here we simply invert the condition to turn the check into an allow list: only the IPs present in the ACL are accepted.

# Allow list example (we just inverted the condition, notice the '!')
sub vcl_recv {
    if (req.http.host == "www.mydomain.com") { # any required condition to trigger the ACL check
        if (!aclplus.match(client.ip, network_acl.get("acl_c4_myallowlist", "none"))) {
            # Any action is allowed here, for this example we block the request (if the IP doesn't match the ACL)
            call deny_request;
        }
    }
}

Use the following conditional to combine multiple allow lists together:

if (!aclplus.match(client.ip, network_acl.get("acl_c4_allow1", "none"))
        && !aclplus.match(client.ip, network_acl.get("acl_c4_allow2", "none"))
   ) {
    # Block the request if the IP is not present in any of the ACLs
    call deny_request;
}

Manage lists via API

Lists can also be managed using our API.

Please check our API docs for the details of the endpoints.

Query lists

  • GET /v1/companies/<COMPANY_ID>/lists

  • GET /v1/companies/<COMPANY_ID>/lists/<LIST_ID>

Create a list

  • POST /v1/companies/<COMPANY_ID>/lists

Example payload. Always use service id 5, which is the service used for auto-provisioning:

{
  "addresses": [],
  "description": "my deny list",
  "name": "my_list",
  "services": [
    {
      "id": 5
    }
  ]
}

Update a list

Add IPs

  • POST /v1/companies/<COMPANY_ID>/lists/<LIST_ID>/<IP>/<PREFIX>

    • Example: /v1/companies/4/lists/25/1.1.1.1/32

Delete IPs

  • DELETE /v1/companies/<COMPANY_ID>/lists/<LIST_ID>/<IP>/<PREFIX>
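As an added illustration that is not part of this documentation or of Transparent Edge's own code, the following Python models the combined deny-list and allow-list conditionals from the VCL examples above and builds the /<IP>/<PREFIX> path used by the add and delete endpoints. The list contents are constructed, and aclplus.match is assumed to behave as a plain CIDR containment check.

```python
import ipaddress
from typing import Iterable

# Constructed sample lists standing in for the acl_c4_deny1/acl_c4_deny2 and
# acl_c4_allow1/acl_c4_allow2 lists named in the VCL examples (not real data).
DENY_LISTS = {
    "acl_c4_deny1": ["203.0.113.0/24"],
    "acl_c4_deny2": ["198.51.100.7/32"],
}
ALLOW_LISTS = {
    "acl_c4_allow1": ["192.0.2.0/24"],
    "acl_c4_allow2": ["2001:db8::/32"],
}


def acl_match(client_ip: str, entries: Iterable[str]) -> bool:
    """Assumed model of aclplus.match(): true if the client IP is inside any entry.
    Mixed address families never match (an IPv4 client is not in an IPv6 range)."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(e, strict=False) for e in entries)


def deny_list_decision(client_ip: str, lists=DENY_LISTS) -> str:
    """Combined deny lists (the '||' conditional): block if the IP is in ANY list."""
    if any(acl_match(client_ip, v) for v in lists.values()):
        return "deny"
    return "pass"


def allow_list_decision(client_ip: str, lists=ALLOW_LISTS) -> str:
    """Combined allow lists (the '&&' of negations): block if the IP is in NONE
    of the lists. Note the operational pitfall this makes visible: an allow
    list with no entries blocks every client, including your own admins."""
    if all(not acl_match(client_ip, v) for v in lists.values()):
        return "deny"
    return "pass"


def list_entry_path(company_id: int, list_id: int, cidr: str) -> str:
    """Build the /v1/companies/<COMPANY_ID>/lists/<LIST_ID>/<IP>/<PREFIX> path.
    strict=True rejects entries such as 10.0.0.5/24 whose host bits are set, so
    the range pushed to the edge is exactly the one the operator intended.
    A bare address is treated as a single host (/32 or /128)."""
    net = ipaddress.ip_network(cidr, strict=True)
    return (f"/v1/companies/{company_id}/lists/{list_id}"
            f"/{net.network_address}/{net.prefixlen}")
```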
