About ACLs

  Last updated September 12, 2018

Malicious actors can present themselves in a variety of ways on the internet. Automated tools can scrape information from your website, bots can probe your application for vulnerabilities, and hackers can exploit them. Using access control lists (ACLs) at the edge can help prevent the offending IP addresses they use from ever accessing your information resources.

When ACLs can be useful

Access control lists at the edge might be useful for:

How ACLs work

ACLs have two parts: an ACL container and the ACL entries within it. In combination, containers and entries allow you to store a list of permissions that Varnish will use to grant or restrict access to URLs within your services.

Once you attach an ACL container to a version of your service and that service is activated, the data in the container (the ACL entries) becomes "versionless." This means that once your service is activated, any further changes to the data within, such as the addition of ACL entries, will become effective immediately.

How to create ACLs

To create an ACL at the edge and use it within your service, start by creating an empty ACL container and then add its entries in a working version of a service that's unlocked and not yet activated. You can create ACLs in several ways:

How to use ACLs

After you've used the Fastly API to create an ACL and add ACL entries, the VCL for the ACLs and ACL entries will be automatically generated, as shown below. For example, this VCL shows an ACL called office_ip_ranges has been created:

# This VCL is automatically generated when you create an ACL container and entries
# using the Fastly API. In this example, the ACL name is office_ip_ranges.
acl office_ip_ranges {
  ""/24;                              # internal office
  "";                              # remote VPN office
  "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff";    # ipv6 address remote

Once created, you can add logic to interact with your ACL at the edge by uploading custom VCL. You could use the office_ip_ranges ACL as an allow list by uploading the following custom VCL:

sub vcl_recv {
  # block all requests to Admin pages from IP addresses not in office_ip_ranges
  if (req.url ~ "^/admin" && ! (client.ip ~ office_ip_ranges)) {
    error 403 "Forbidden";

With this VCL, access to /admin is denied for everyone by default, but the IP addresses listed in the ACL are allowed to access /admin without restriction.


When working with ACL containers and entries specifically, remember the following:

When creating and manipulating ACLs at the edge, keep the following limitations in mind as you develop your service configurations:

Back to Top