---
title: Working with ACLs
summary: null
url: >-
  https://www.fastly.com/documentation/guides/security/access-control-lists/working-with-acls
---

Access control lists (ACLs) allow you to store a list of permissions that Fastly will use to grant or restrict access to URLs within [a service](https://www.fastly.com/documentation/guides/getting-started/services/about-services). You can use the Fastly control panel to add, remove, and update [ACLs](https://www.fastly.com/documentation/guides/security/access-control-lists/about-acls).

## Before you begin

Be sure to review the [limitations and considerations](https://www.fastly.com/documentation/guides/security/access-control-lists/about-acls#limitations) applied to access control lists.

## Creating an ACL

ACLs have two parts: an ACL container and the ACL entries within it. Once an ACL is linked to a service, the entries within it are "versionless". This means once your service is activated, any changes to add, edit, or remove ACL entries become effective immediately for all service versions, even the active one, without needing to clone a new service version.

### CDN services

To create an ACL:

1.   Log in to the [Fastly control panel](https://manage.fastly.com).

2.   From the [**Home**](https://manage.fastly.com/home) page, select the appropriate service. You can use the search box to search by ID, name, or domain.

3.   Click **Edit configuration** and then select the option to clone the active version.

4. Click **Data**.
5. Click **Create an ACL**.
6. In the **Name of ACL** field, enter a descriptive name for the ACL (e.g., `Example ACL`).
7. Click **Add**.
8. From the **Activate** menu, select **Activate on Production** to deploy your configuration changes to the service version you're editing.

Once your ACL is created, add ACL entries into it:

1. Click **Add address**.
2. In the **Address** field, enter an IP address or subnet mask (a range of IP addresses) to allow or block for this service. To exclude or block an IP address or subnet mask, prefix it with an exclamation point (for example, use `!192.0.2.0` or `!192.0.2.0/24`).
3. _(Optional)_ In the **Comment** field, enter a comment that describes the IP address or subnet mask.
4. Click **Add**. The IP address or subnet mask appears in the ACL. This addition will become effective immediately.
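Because entry changes take effect immediately, it helps to check a proposed list before typing it into the control panel. The following is an added example, not Fastly code: it parses entries in the `!`-prefixed format described above, flags malformed, overly broad, or contradictory entries, and previews what would be added or removed. The prefix-length thresholds and the sample lists are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample data (documentation address ranges), not real ACL contents.
CURRENT = ["192.0.2.0/24", "!192.0.2.7", "198.51.100.4"]
PROPOSED = ["192.0.2.0/24", "!192.0.2.0/24", "198.51.100.5/24",
            "0.0.0.0/0", "2001:db8::/48"]

def parse_entry(text):
    """Parse one entry as typed in the Address field, e.g. '!192.0.2.0/24'."""
    text = text.strip()
    negated = text.startswith("!")
    addr = text[1:] if negated else text
    # strict=True rejects host bits outside the mask (e.g. 198.51.100.5/24).
    return ipaddress.ip_network(addr, strict=True), negated

def review_entries(lines, min_prefix_v4=8, min_prefix_v6=32):
    """Return (entries, problems) for a proposed list of ACL entries.

    The min_prefix_* thresholds are a local policy assumed for this
    example, not Fastly limits.
    """
    entries, problems, seen = [], [], {}
    for n, raw in enumerate(lines, 1):
        try:
            net, negated = parse_entry(raw)
        except ValueError as exc:
            problems.append(f"line {n}: {raw!r} rejected ({exc})")
            continue
        floor = min_prefix_v4 if net.version == 4 else min_prefix_v6
        if net.prefixlen < floor:
            problems.append(f"line {n}: {net} is broader than /{floor}")
        if seen.get(net, negated) != negated:
            problems.append(f"line {n}: {net} listed both plain and negated")
        seen[net] = negated
        entries.append((net, negated))
    return entries, problems

def preview_changes(current, proposed):
    """Return (added, removed) entries as sorted strings."""
    def fmt(entry):
        return ("!" if entry[1] else "") + str(entry[0])
    cur = {fmt(e) for e in current}
    new = {fmt(e) for e in proposed}
    return sorted(new - cur), sorted(cur - new)

if __name__ == "__main__":
    entries, problems = review_entries(PROPOSED)
    added, removed = preview_changes(review_entries(CURRENT)[0], entries)
    print(problems, added, removed, sep="\n")
```
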

### Compute Services

To create an ACL:

1.   Log in to the [Fastly control panel](https://manage.fastly.com).

2. Go to **Resources** > [**Access control lists**](https://manage.fastly.com/resources/acls).
3. Click **Create list**.
4. Enter a name for your ACL, then click **Create**.

Once your ACL is created, add ACL entries into it:

1. Click the name of the ACL you want to add entries to.
2. From the **Items** tab, click **Add item**.
3. In the **Prefix** field, enter an IP address defined in [Classless Inter-Domain Routing (CIDR) format](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing#CIDR_notation).
4. From the **Action** field, select whether to allow or block the IP address.
5. Click **Save**.

Finally, link your ACL to a service and activate:

1. Click the name of the ACL you want to link to a service.

2. From the **Linked services** tab, click **Link service**.

3. Select the checkbox next to any services you want to link your ACL to.

4. Click **Next**.

5. Decide which version of the service to link to. By default, the system will assume you want to clone the most recently active version of your service. You can choose an existing draft version of the service instead by selecting it specifically from the Version menu.

6. Select one of the following options for linking the ACL to your service:

   - **Link only:** links the ACL to the selected service versions but leaves any cloned or draft versions deactivated so you can activate them at a later time.
   - **Link and activate:** links the ACL to the selected service versions and activates those versions at the same time.

   A success message appears once the ACL is linked to the service.

7. Finally, do one of the following:
   - Click **Activate versions** to activate any cloned or draft versions of services linked to the ACL.
   - Click **Finish** to leave the cloned or draft service versions deactivated so you can make additional configuration changes to them and activate them at a later time.

> **HINT:** Compute ACLs can also be linked from the service configuration. Go to **Service configuration** > **Resources** > **Access control lists** and use the menu to select an ACL to link to the service.

## Viewing and managing ACLs

Once created, ACLs linked to CDN services can be viewed and managed by accessing the appropriate service and going to **Service configuration** > **Data** > **Access control lists**. ACLs linked to Compute services can be viewed and managed from the [Resources tab](https://manage.fastly.com/resources/acls) or by accessing the appropriate service and going to **Service configuration** > **Resources** > **Access control lists**.

### Editing ACLs

You can edit an ACL to change the name or edit the ACL entries within at any time.

### CDN services

To edit the name of an ACL:

1.   Log in to the [Fastly control panel](https://manage.fastly.com).

2.   From the [**Home**](https://manage.fastly.com/home) page, select the appropriate service. You can use the search box to search by ID, name, or domain.

3. Click **Configuration** and then select **View Active**.
4. From the service version menu, select an appropriate service version.
5. Click **Data**.
6. Click the pencil icon next to the ACL you want to edit.
7. Change the name, then click **Save**.

To edit entries within an ACL:

1.   Log in to the [Fastly control panel](https://manage.fastly.com).

2.   From the [**Home**](https://manage.fastly.com/home) page, select the appropriate service. You can use the search box to search by ID, name, or domain.

3. Find any ACL associated with your service in which the entry you want to edit appears. Because ACL entries are versionless, the service version you choose doesn't matter. Choose the one that makes the most sense to you.
4. Hover your cursor over an ACL entry, then click the pencil icon that appears.
5. Edit the IP address, subnet mask, or comment as necessary.
6. Click **Save**. The changes you make will be immediately applied to your configuration. If your ACL has already been associated with a deployed service version, those changes will happen live.

### Compute Services

To edit the name of an ACL:

1.   Log in to the [Fastly control panel](https://manage.fastly.com).

2. Go to **Resources** > [**Access control lists**](https://manage.fastly.com/resources/acls).
3. Click the name of the ACL you want to edit.

To edit entries within an ACL:

1.   Log in to the [Fastly control panel](https://manage.fastly.com).

2. Go to **Resources** > [**Access control lists**](https://manage.fastly.com/resources/acls).
3. Click the name of the ACL with entries you want to edit.
4. From the **Items** tab, click the pencil icon to the right of the entry you want to edit.
5. Make necessary changes to the entry, then click **Save**.

### Unlinking Compute ACLs from a service

ACLs linked to a Compute service can be unlinked from the service configuration.

To unlink an ACL:

1.   Log in to the [Fastly control panel](https://manage.fastly.com).

2.   From the [**Home**](https://manage.fastly.com/home) page, select the appropriate service. You can use the search box to search by ID, name, or domain.

3. Click **Service configuration**.
4. From the **Resources** options in the on-page navigation, click **Access control lists**.
5. Click **Unlink from service** next to the ACL you want to unlink from your service.
6. Click **Confirm and unlink**. A new, draft version of the service is created.
7. [Activate the service](https://www.fastly.com/documentation/guides/getting-started/services/working-with-compute-services#editing-and-activating-versions-of-services) to finalize unlinking the ACL.

## Deleting an ACL

You can delete an ACL or specific entries within an ACL at any time.

### CDN services

> **HINT:** Deleted ACLs are only removed from the service version you're editing. This allows you to revert your configuration to a previous version in as few steps as possible.

To delete an ACL:

1.   Log in to the [Fastly control panel](https://manage.fastly.com).

2.   From the [**Home**](https://manage.fastly.com/home) page, select the appropriate service. You can use the search box to search by ID, name, or domain.

3. From the service version menu, select an unlocked version of your service.
4. Click the trash icon in the top right corner of the ACL you want to delete.
5. Click **Confirm and delete**.
6. From the **Activate** menu, select **Activate on Production** to deploy your configuration changes to the service version you're editing.

To delete ACL entries:

> **WARNING:** ACL entry deletions are permanent and immediate. They cannot be recovered. Deleting an ACL entry immediately impacts all service versions associated with the ACL container holding the deleted entries, including the active service version.

1.   Log in to the [Fastly control panel](https://manage.fastly.com).

2.   From the [**Home**](https://manage.fastly.com/home) page, select the appropriate service. You can use the search box to search by ID, name, or domain.

3. Find any ACL associated with your service in which the entry you want to delete appears. Because ACL entries are versionless, the service version you choose doesn't matter. Choose the one that makes the most sense to you.
4. Hover your cursor over an ACL entry, then click the trash icon that appears.
5. Click **Confirm and delete**.

### Compute Services

To delete an ACL:

1.   Log in to the [Fastly control panel](https://manage.fastly.com).

2. Go to **Resources** > [**Access control lists**](https://manage.fastly.com/resources/acls).
3. Click the name of the ACL you want to delete.
4. From the **Options menu**, click **Delete list**.
5. Click **Confirm and delete**.

To delete ACL entries:

1.   Log in to the [Fastly control panel](https://manage.fastly.com).

2. Go to **Resources** > [**Access control lists**](https://manage.fastly.com/resources/acls).
3. Click the name of the ACL with entries you want to delete.
4. Click the trash icon to the right of the entry you want to delete.
5. Click **Confirm and delete**.

## Related content

- [API documentation for ACLs](https://www.fastly.com/documentation/reference/api/acls/acl/)
- Code example for creating an [ACL-based IP block list](https://www.fastly.com/documentation/solutions/examples/acl-based-ip-block-list)
