You can check more about how to configure a Network ACL here
How to use a Network ACL in Auto Provisioning
First, take note of the name of the Network ACL, for example acl_c4_mylist.
Now, create a new VCL configuration cloning the last one.
Modify and adapt one of the below examples for your use case.
Deny list example
# Deny list example
sub vcl_recv {
if (req.http.host == "www.mydomain.com") { # any required condition to trigger the ACL check
if (aclplus.match(client.ip, network_acl.get("acl_c4_mydenylist", "none"))) {
# Any action is allowed here, for this example we block the request
call deny_request;
}
}
}
Use the following conditional to combine multiple deny lists together:
if (aclplus.match(client.ip, network_acl.get("acl_c4_deny1", "none"))
|| aclplus.match(client.ip, network_acl.get("acl_c4_deny2", "none"))
) {
# Block the request if the IP is present in any ACL
call deny_request;
}
Allow list example
Here we just inverted the condition to transform this into an allow list (only the IPs present in the ACL will be accepted)
# Allow list example (we just inverted the condition, notice the '!')
sub vcl_recv {
if (req.http.host == "www.mydomain.com") { # any required condition to trigger the ACL check
if (!aclplus.match(client.ip, network_acl.get("acl_c4_myallowlist", "none"))) {
# Any action is allowed here, for this example we block the request (if the IP doesn't match the ACL)
call deny_request;
}
}
}
Use the following conditional to combine multiple allow lists together:
if (!aclplus.match(client.ip, network_acl.get("acl_c4_allow1", "none"))
&& !aclplus.match(client.ip, network_acl.get("acl_c4_allow2", "none"))
) {
# Block the request if the IP is not present in any of the ACLs
call deny_request;
}