ACL Routing Rules (ALB)
Access Control List (ACL) rules let an Application Load Balancer route requests to different backend groups based on request attributes such as the path, host, query parameters, HTTP method, or source IP. This is Layer-7, content-based routing.
ACL rules apply to Application Load Balancers only. A Network Load Balancer forwards TCP traffic and has no ACL tab. The ACL tab is available whenever the ALB is not Creating, Deploying, or Deleting.
What the Tab Shows
The ACL table lists each rule with: Name, Type (path, host, query, method, or source IP), Value (the matching condition), Backend (the target backend group), and a drag handle.
Rules are evaluated in order, top to bottom, and the first match wins. Use the drag handle to reorder rules.
Add, Edit, Reorder, and Save
- Select Add ACL to create a rule, or the edit (pencil) icon on a row to change one.
- Configure the rule in the form (see below).
- To change priority, drag a rule to a new position. The portal prompts you to save: "Click on 'Save Button' to save the changes."
- When there are unsaved changes, a Save and Deploy button appears. Select it to apply; the ALB redeploys with the new rules.
To remove a rule, use the delete (trash) icon and confirm. Editing and deleting are disabled while the load balancer is Powered off. If there are no rules, the tab shows "No ACLs are available."
You cannot add a new rule while a reorder is pending — save the reorder first. Rule names must be unique on the load balancer.
ACL Form
Every rule has an ACL type, a condition (and its value), and a target Backend Group. The type determines which condition options and value fields appear.
| ACL type | Routes by | Value you provide |
|---|---|---|
| Path Based | The URL path (not the query string). | One or more paths, space-separated (for example, /products). |
| Host Based | The hostname in the Host header. | A host or URL (for example, www.example.com). |
| Query Parameters Match | A URL query parameter. | A key and a value (for example, ?id=123). |
| HTTP Request Method | The HTTP method. | One or more methods. |
| Source IP | The client's source IP. | An IPv4 address (for example, 10.101.1.1). |
Path-Based conditions
- exact match — the path equals the value.
- prefix match — the path starts with the value.
- suffix match — the path ends with the value.
- regex match — the path matches the regular expression.
Each has a (Case Sensitive) variant; the default options are case-insensitive. You can enter multiple space-separated paths.
Host-Based conditions
- exact match, prefix match, suffix match, and regex match against the Host header (case-insensitive).
Query Parameters Match conditions
- exact match, prefix match, suffix match, and regex match on a query parameter, each with a case-sensitive variant. Provide both the parameter Key and Value.
HTTP Request Method
Select one or more methods to match: HEAD, OPTIONS, GET, POST, PUT, DELETE, CONNECT, TRACE. For example, route all GET requests to a static-content backend and all POST requests to an application backend.
Source IP
Match a specific IPv4 address and route those requests to a chosen backend group.
Backend Group
Every rule targets a Backend Group from the load balancer's existing backends. Define backend groups first on the Backend Mapping tab.
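Because rules are evaluated top to bottom and the first match wins, a broad rule placed above a narrower one silently takes its traffic. The following Python model of that behaviour is an added example, not the portal's or the load balancer's own code. The rule dictionary fields, rule names, and backend group names are hypothetical, regex matching is assumed to be an unanchored search, and the model returns None when no rule matches because this page does not describe that case.

```python
import re
from urllib.parse import urlsplit, parse_qs

def _cmp(cond, pattern, subject, cs=False):
    if cond == "regex":  # assumption: unanchored search
        return re.search(pattern, subject, 0 if cs else re.I) is not None
    if not cs:  # the form's default options are case-insensitive
        pattern, subject = pattern.lower(), subject.lower()
    return {"exact": subject == pattern, "prefix": subject.startswith(pattern),
            "suffix": subject.endswith(pattern)}[cond]

def matches(rule, req):
    url, t, cs = urlsplit(req["url"]), rule["type"], rule.get("cs", False)
    if t == "path":  # URL path only, never the query string; any listed path may match
        return any(_cmp(rule["cond"], v, url.path, cs) for v in rule["value"].split())
    if t == "host":  # Host header, case-insensitive
        return _cmp(rule["cond"], rule["value"], req["host"])
    if t == "query":
        got = parse_qs(url.query, keep_blank_values=True).get(rule["key"], [])
        return any(_cmp(rule["cond"], rule["value"], v, cs) for v in got)
    if t == "method":  # one or more methods, modelled here as a space-separated string
        return req["method"] in rule["value"].split()
    if t == "source_ip":
        return req["src"] == rule["value"]
    raise ValueError(f"unknown ACL type: {t}")

def route(rules, req):
    # Top to bottom, first match wins; None means no rule matched.
    return next(((r["name"], r["backend"]) for r in rules if matches(r, req)), None)

def shadowed_prefix_rules(rules):
    # Path-prefix rules that can never win: an earlier case-insensitive prefix rule covers them.
    hidden, earlier = [], []
    for r in rules:
        if r["type"] == "path" and r["cond"] == "prefix":
            mine = [v.lower() for v in r["value"].split()]
            if mine and all(any(v.startswith(e) for e in earlier) for v in mine):
                hidden.append(r["name"])
            if not r.get("cs", False):
                earlier += mine
    return hidden

# Constructed rule table in portal order; names and backend groups are hypothetical.
RULES = [
    {"name": "api", "type": "path", "cond": "prefix", "value": "/api", "backend": "bg-api"},
    {"name": "admin-api", "type": "path", "cond": "prefix", "value": "/api/admin", "backend": "bg-admin"},
]
REQ = {"method": "GET", "host": "www.example.com", "url": "/API/admin/users?id=123", "src": "10.101.1.1"}
if __name__ == "__main__":
    print(route(RULES, REQ), shadowed_prefix_rules(RULES))
```

With the constructed table, the request for /API/admin/users is routed to bg-api and admin-api is reported as shadowed. Moving admin-api above api sends the same request to bg-admin and clears the report.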
Related Resources
| Resource | Use it for |
|---|---|
| Backend Mapping | Define the backend groups that ACL rules target. |
| Create an Application Load Balancer | Create an ALB that supports ACLs. |
| Manage Load Balancers | The management hub. |