---
title: ACL
summary: null
url: https://www.fastly.com/documentation/reference/vcl/declarations/acl
---


An `acl` declaration creates an [access control list](/reference/glossary#term-acl) in VCL code. An ACL contains a flat list of IP addresses and subnets, and is typically used for making a list of bad clients (a 'blocklist') or explicitly allowed clients (an 'allowlist').

An ACL can also be created via an [API call](/reference/api/acls/acl/#create-acl), using the CLI, or using the [web interface](/guides/security/access-control-lists/working-with-acls).

## Syntax

The following example shows the syntax of an ACL:

```vcl
acl office_ip_ranges {
  "192.0.2.0"/24;                           # internal office...
  ! "192.0.2.12";                           # ... except for the vending machine
  "198.51.100.4";                           # remote VPN office
  "2001:db8:ffff:ffff:ffff:ffff:ffff:ffff"; # remote IPv6 address
}
```

ACL entries may not use hostnames, so `"example.com"` is not a valid ACL entry.

Entries may include range specifiers, which follow the end of the IP address string. For example, `"192.0.2.0"/24` will match any address sharing the same first 24 bits as the specified address. Since an IPv4 address is 32 bits long, and each dot-separated number represents 8 bits, `/24` means "match the first three segments of the address".

Entries may be negated by prefixing the [`!` operator](/reference/vcl/operators/#conditional-operators). Negations are processed after all inclusions, and always take precedence, regardless of the order in which they are listed.

## Usage

The following example shows how to block IP addresses and ranges using an ACL:

<Fiddle id='fafb88af' />

Matching or failure to match an ACL is a common reason to trigger a custom error code and generate a synthetic response. See the `error` statement for details.
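The pattern described above, written out as an added example (this is not the content of the embedded fiddle or Fastly's own code). The ACL name `blocked_clients`, the internal status `601`, and the response text are assumptions chosen for illustration, and the addresses are constructed documentation ranges:

```vcl
# Added example: blocklist with one carve-out, enforced in vcl_recv.
acl blocked_clients {
  "192.0.2.0"/24;     # block the whole /24 ...
  ! "192.0.2.12";     # ... except this host; the negation wins regardless of order
  "198.51.100.4";     # a single blocked address
}

sub vcl_recv {
#FASTLY recv
  # client.ip is matched against every entry in the ACL with the ~ operator.
  if (client.ip ~ blocked_clients) {
    # 601 is an arbitrary internal code (assumption); it is rewritten in
    # vcl_error and never sent to the client as-is.
    error 601 "blocked by ACL";
  }
  return(lookup);
}

sub vcl_error {
#FASTLY error
  if (obj.status == 601) {
    # Turn the internal code into the synthetic response the client receives.
    set obj.status = 403;
    set obj.response = "Forbidden";
    set obj.http.Content-Type = "text/plain";
    synthetic "Access denied.";
    return(deliver);
  }
}
```

For an allowlist, invert the test in `vcl_recv` to `if (client.ip !~ office_ip_ranges)` so that any client not in the ACL receives the error.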
