Create Access Control Lists

Learn how to protect your upstream TCP application servers by denying/allowing access from certain client IP addresses or CIDR blocks.


In NGINX Management Suite API Connectivity Manager (ACM), you can apply global policies to API Gateway and Developer Portal clusters to ensure your organization’s security requirements are enforced. When you add policies at the environment level, they will apply to all proxies hosted within that environment.

Before You Begin

Complete the following prerequisites before proceeding with this guide:

How to Access the User Interface

This guide contains instructions for completing tasks by using the NGINX Management Suite API Connectivity Manager user interface (UI).

To access the UI, navigate to the FQDN for your NGINX Management Suite host and log in. Then, select “API Connectivity Manager” on the Launchpad menu.

How to Access the REST API

You can use tools such as curl or Postman to interact with the NGINX Management Suite API Connectivity Manager REST API. The API URL follows the format https://<NMS_FQDN>/api/acm/<API_VERSION>.

When making API calls by using curl, Postman, or any other tool, you need to provide your authentication information with each call. Refer to the API Overview for more information about authentication options.

Create ACL-IP Policy

Take the steps in this section if you would like to deny or allow access to your API Gateways or Developer Portals to specific IP addresses or CIDR blocks with ACL lists.

  1. In the ACM user interface, go to Services > <your workspace>, where “your workspace” is the workspace that contains the API Gateway or Dev Portal.
  2. Select Edit Advanced Config from the Actions menu for the desired API Gateway or Dev Portal.
  3. On the Policies tab, select Add Policy from the Actions menu.
  4. Provide the desired Allowed IP Addresses and/or Denied IP Addresses. Valid values include IPv4, IPv6, and CIDR blocks. To allow or deny all, use the * symbol.

"policies": {
            "acl-ip": [
                    "action": {
                        "deny": ["*"], // Polulate this array with your denied IP addresses 
                        "allow": [""]
  • If you only set an allow list, then the deny list will default to deny all and vice versa.
  • If IP addresses are not explicitly denied they will be allowed. To deny IP addresses as default, include the * symbol in the deny list.
  • The most specific rule applied will be used to allow or deny traffic. For example, IP addresses take priority over CIDR blocks. Smaller CIDR blocks take priority over larger ones.


  1. Attempt to contact the API Gateway or Developer Portal from a denied IP address. The host should return the default 403 Forbidden return code or the custom return code you have set.
  2. Contact the IP address from an allowed IP address. The traffic should not be denied.