
Access Control List

Overview

Arbitrium's Access Control List (ACL) increases the security of your servers. The feature is applied per application version and lets you allow lists of CIDRs or IPs to reach your deployment.

How to Create an ACL entry

If you always want to allow specific IPs, like a monitoring service, your workplace IP, or a CIDR block, you can add them in the details of your application version or when you create an app version. That way, the ACL is injected into every deployment or session request for that application version.

Small tip: When developing your server in debugging mode, you can permanently disable this feature to make your life easier or add your workplace IP to the ACL.

Go to your application version details page or create a new version. Make sure that the Activate ACL button is activated. At the end of the page, click the Add new ACL entry button and fill in the form with:

  • Label: Identifies your ACL entry e.g. MyWorkPlaceCIDR, TheServerThatCallMyServer, AWebCrawler
  • CIDR: CIDR Notation or single IP
  • Active: Activates or deactivates this CIDR from the list


Deployment and Sessions ACL

When you send Arbitrium's API a deployment or a session request, you send an ip_list or a geo_ip_list with the request. If the application version of the deployment has ACL activated, only the following lists will be allowed to reach your deployment:

  • IP addresses provided with the deployment/session request
  • Arbitrium's deployment monitoring CIDRs
  • The app version's default ACL

If the option is deactivated, everybody is automatically allowed to reach your deployment. For a web server or a public server, we recommend deactivating ACL, since you probably want anybody to be able to connect to your server, or creating a session-based app.

Arbitrium's ACL feature supports both IPv4 and IPv6. However, to support IPv6 on your deployments, you need to make sure that your players are only using IPv6, since devices will always prefer IPv4 over IPv6. If your player has both IPs, the device's networking will send the IPv4 address first.

Example

I have a default ACL on my app version v1 of the application example: [image: default ACL entries of the app version]

I send a deployment request:

{
"app_name": "example",
"version_name": "v1",
"ip_list": ["1.1.1.1", "1.1.1.2", "1.1.1.3", "1.1.1.4"]
}

The list of IPs that are allowed to reach my deployment would be:

1.1.1.1/32
1.1.1.2/32
1.1.1.3/32
1.1.1.4/32
1.2.3.4/32
8.8.8.8/32
10.10.10.1 to 10.10.10.254 (254 addresses)

Everything else will be blocked.
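
The merge described above can be previewed locally before sending a request. The following is an added example, not Arbitrium's own code: the dictionary keys mirror the form fields (Label, CIDR, Active) and are assumptions, 10.10.10.0/24 is assumed to be the entry behind the 10.10.10.x range, the inactive entry is constructed, and the monitoring CIDRs are left empty because the page does not list them.

```python
import ipaddress

# Constructed sample data. The dict keys mirror the form fields (Label, CIDR,
# Active) and are assumptions, not Arbitrium API field names.
DEFAULT_ACL = [
    {"label": "EntryA", "cidr": "1.2.3.4", "active": True},
    {"label": "EntryB", "cidr": "8.8.8.8", "active": True},
    {"label": "MyWorkPlaceCIDR", "cidr": "10.10.10.0/24", "active": True},  # assumed CIDR
    {"label": "OldOffice", "cidr": "203.0.113.0/24", "active": False},  # constructed
]
REQUEST = {"app_name": "example", "version_name": "v1",
           "ip_list": ["1.1.1.1", "1.1.1.2", "1.1.1.3", "1.1.1.4"]}

def effective_acl(request_ips, default_entries, monitoring_cidrs=(), acl_active=True):
    """Networks allowed to reach the deployment; None means ACL is deactivated."""
    if not acl_active:
        return None
    raw = list(request_ips) + list(monitoring_cidrs)
    raw += [e["cidr"] for e in default_entries if e["active"]]
    # A single IP becomes a /32 (IPv4) or /128 (IPv6) network.
    nets = {ipaddress.ip_network(item, strict=False) for item in raw}
    return sorted(nets, key=lambda n: (n.version, n.network_address, n.prefixlen))

def is_allowed(client_ip, acl):
    """True when client_ip may reach the deployment under the given ACL."""
    if acl is None:  # ACL deactivated: everybody is allowed
        return True
    addr = ipaddress.ip_address(client_ip)
    # Membership is per address family: an IPv6 entry never matches an IPv4 source.
    return any(addr in net for net in acl)

if __name__ == "__main__":
    acl = effective_acl(REQUEST["ip_list"], DEFAULT_ACL)
    print("\n".join(str(n) for n in acl))
    for ip in ("10.10.10.77", "203.0.113.5", "2001:db8::1"):
        print(ip, "allowed" if is_allowed(ip, acl) else "blocked")
    # Dual-stack player whose IPv6 address alone was listed, arriving over IPv4.
    v6_only = effective_acl(["2001:db8::10"], [])
    print("198.51.100.7", "allowed" if is_allowed("198.51.100.7", v6_only) else "blocked")
```

The last check shows the dual-stack case from the IPv6 paragraph: if only a player's IPv6 address is listed and the device connects over IPv4, the connection is blocked.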