About Edge ACLs

  Last updated April 24, 2018

Edge ACLs allow you to attach an access control list (ACL) to a service with versionless ACL entries that are stored separately from your VCL configuration. You can use the Fastly API to programmatically add, remove, and update ACLs and their entries.

How Edge ACLs work

Like Edge Dictionaries, Edge ACLs have two major components: The ACL itself, and the ACL entries within it. ACLs are containers for ACL entries, which store IP addresses that can be used to whitelist or blacklist access to resources. Every ACL is attached to a version of a service, but ACL entries are versionless and any changes will become effective immediately.

When ACLs might be useful

Getting started

To create an ACL and use it within your service, you'll need to perform the following steps:

  1. Create an empty ACL in a working version of a service that's unlocked and not yet activated.
  2. Activate the new version of the service you associated with the empty ACL.
  3. Add ACL entries to the newly created ACL.

Once the ACL is created, properly associated, and filled with ACL entries, it can be called in your service.

Putting Edge ACLs to work

After you've used the Fastly API to create an ACL and add ACL entries, the VCL for the ACLs and ACL entries will be automatically generated, as shown below. In this example, the name of the ACL is office_ip_ranges.

# This VCL is automatically generated when you add an Edge ACL and entries with the Fastly API
# In this example, the ACL name is "office_ip_ranges"
acl office_ip_ranges {
  ""/16;                               # internal office
  "";                              # remote VPN office
  "FE80:0000:0000:0000:0202:B3FF:FE1E:8329";   # ipv6 address remote

You can upload custom VCL to add logic to interact with ACLs. In this example, the office_ip_ranges ACL is used as a whitelist. All access to /admin is denied by default, but IP addresses in the office_ip_ranges ACL are allowed to access /admin without restriction.

sub vcl_recv {
  # block all requests to Admin pages from IP addresses not in office_ip_ranges
  if (req.url ~ "^/admin" && ! (client.ip ~ office_ip_ranges)) {
    error 403 "Forbidden";

ACL entries have a boolean option for negation which allows you to specify whether or not the IP address is whitelisted or blacklisted. You can set the option to true (1) to blacklist (deny), or false (0) to whitelist (allow). We do not recommend mixing both negated and non-negated entries in the same ACL. Doing so might have the opposite effect depending on the condition you specify in the VCL.


When creating Edge ACLs, keep the following limitations in mind as you develop your service configurations:

Back to Top