Working with ACLs

  Last updated 2025-04-02

Access control lists (ACLs) allow you to store a list of permissions that Fastly will use to grant or restrict access to URLs within a service. You can use the Fastly control panel to add, remove, and update ACLs.

Before you begin

Be sure to review the limitations and considerations applied to access control lists.

Creating an ACL

ACLs have two parts: an ACL container and the ACL entries within it. Once an ACL is linked to a service, the entries within it are "versionless". This means once your service is activated, any changes to add, edit, or remove ACL entries become effective immediately for all service versions, even the active one, without needing to clone a new service version.

  1. CDN services
  2. Compute services

To create an ACL:

  1. Log in to the Fastly control panel.
  2. From the Home page, select the appropriate service. You can use the search box to search by ID, name, or domain.
  3. Click Edit configuration and then select the option to clone the active version.
  4. Click Data.
  5. Click Create an ACL.
  6. In the Name of ACL field, enter a descriptive name for the ACL (e.g., Example ACL).
  7. Click Add.
  8. Click Activate to deploy your configuration changes to the service version you're editing.

Once your ACL is created, add ACL entries into it:

  1. Click Add address.
  2. In the Address field, enter an IP address or subnet mask (a range of IP addresses) to allow or block for this service. To exclude or block an IP address or subnet mask, use an exclamation point (for example, use !192.0.2.0 or !192.0.2.0/24).
  3. (Optional) In the Comment field, enter a comment that describes the IP address or subnet mask.
  4. Click Add. The IP address or subnet mask appears in the ACL. This addition will become effective immediately.

Viewing and managing ACLs

Once created, ACLs linked to CDN services can be viewed and managed by accessing the appropriate service and going to Service configuration > Data > Access control lists. ACLs linked to Compute services can be viewed and managed from the Resources tab or by accessing the appropriate service and going to Service configuration > Resources > Access control lists.

Editing ACLs

You can edit an ACL to change the name or edit the ACL entries within at any time.

  1. CDN services
  2. Compute services

To edit the name of an ACL:

  1. Log in to the Fastly control panel.
  2. From the Home page, select the appropriate service. You can use the search box to search by ID, name, or domain.
  3. Click Configuration and then select View Active.
  4. From the service version menu, select an appropriate service version.
  5. Click Data.
  6. Click the pencil Pencil icon next to the ACL you want to edit.
  7. Change the name, then click Save.

To edit entries within an ACL:

  1. Log in to the Fastly control panel.
  2. From the Home page, select the appropriate service. You can use the search box to search by ID, name, or domain.
  3. Find any ACL associated with your service in which the entry you want to edit appears. Because ACL entries are versionless, the service version you choose doesn't matter. Choose the one that makes the most sense to you.
  4. Hover your cursor over an ACL entry, then click the pencil Pencil icon that appears.
  5. Edit the IP address, subnet mask, or comment as necessary.
  6. Click Save. The changes you make will be immediately applied to your configuration. If your ACL has already been associated with a deployed service version, those changes will happen live.

Unlinking Compute ACLs from a service

ACLs linked to a Compute service can be unlinked from the service configuration.

To unlink an ACL:

  1. Log in to the Fastly control panel.
  2. From the Home page, select the appropriate service. You can use the search box to search by ID, name, or domain.
  3. Click Service configuration.
  4. From the Resources options in the on-page navigation, click Access control lists.
  5. Click Unlink from service next to the ACL you want to unlink from your service.
  6. Click Confirm and unlink. A new, draft version of the service is created.
  7. Activate the service to finalize unlinking the ACL.

Deleting an ACL

You can delete an ACL or specific entries within an ACL at any time.

  1. CDN services
  2. Compute services
TIP

Deleted ACLs are only removed from the service version you're editing. This allows you to revert your configuration to a previous version in as few steps as possible.

To delete an ACL:

  1. Log in to the Fastly control panel.
  2. From the Home page, select the appropriate service. You can use the search box to search by ID, name, or domain.
  3. From the service version menu, select an unlocked version of your service.
  4. Click the trash Trash icon in the top right corner of the ACL you want to delete.
  5. Click Confirm and delete.
  6. Click Activate to deploy your configuration changes to the service version you're editing.

To delete ACL entries:

WARNING

ACL entry deletions are permanent and immediate. They cannot be recovered. Deleting an ACL entry immediately impacts all service versions associated with the ACL container holding the deleted entries, including the active service version.

  1. Log in to the Fastly control panel.
  2. From the Home page, select the appropriate service. You can use the search box to search by ID, name, or domain.
  3. Find any ACL associated with your service in which the entry you want to delete appears. Because ACL entries are versionless, the service version you choose doesn't matter. Choose the one that makes the most sense to you.
  4. Hover your cursor over an ACL entry, then click the trash Trash icon that appears.
  5. Click Confirm and delete.
Was this guide helpful?

Do not use this form to send sensitive information. If you need assistance, contact support. This form is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Fastly
© Fastly 2025