Skip to main content

ACL

Overview#

Arbitrium's Access Control List (ACL) increases the security of your servers. With this feature applicable on each of your application versions, you will be able to allow lists of CIDR or IPs to reach your deployment.

How to Create an ACL entry#

If you always want to allow specific IPs, e.g. a monitoring service, your workplace IP or a CIDR block, you can do it in the detail of your application or create an app version. This ACL will be injected in every deployment or sessions requests that the application version has ACL activated.

Small tip: When developing your server in debugging mode, you can permanently disable this feature to make your life easier or add your workplace IP to the ACL.

Go to your application version detail page or create a new version. Make sure that the Activate ACL button is activated. At the end of the page, click on Add new ACL entry button fill up the form with:

  • Label: Identifies your ACL entry e.g. MyWorkPlaceCIDR, TheServerThatCallMyServer, AWebCrawler
  • CIDR: CIDR Notation or single IP
  • Active: If you want to activate or deactivate this CIDR from the list

img

Deployment and Sessions ACL#

When you send Arbitrium's API a deployment or a session request, you send an ip_list or a geo_ip_list with the request. If the application version of the deployment have ACL activated, we will only allow those list to reach your deployment:

  • IP addresses provided with the deployment/session request
  • Arbitrium's deployment monitoring CIDRs
  • The app version's default ACL

If the option is deactivated, ACL will automatically allow everybody to reach your deployment. In the case of a webserver or a public server, we recommend you to deactivate ACL since you'd probably want anybody to connect to your server or create an app Session based.

Arbitrium ACL feature supports both IPv4 and IPv6. However, To support IPv6 on your deployments you need to make sure that your players are only using IPv6. Since the devices will always prefer IPv4 over IPv6. If your player have both IPs, the device networking will send the IPv4 address first.

Example#

I have default ACL on my app version v1 of application example : img

I send a deployment request:

{
"app_name": "example",
"version_name": "v1",
"ip_list": [
"1.1.1.1",
"1.1.1.2",
"1.1.1.3",
"1.1.1.4"
]
}

The list of IPS that are allowed to reach my deployment would be:

1.1.1.1/32
1.1.1.2/32
1.1.1.3/32
1.1.1.4/32
1.2.3.4/32
8.8.8.8/32
10.10.10.1 to 10.10.10.254 for 254

Everything else will be blocked.