Backend ACLs

ACLs (Access Control Lists) allow your HTTP and SSL ADCs to route traffic to multiple Backends based on several selectable rules. This allows you to do things like sending different hostnames to different backends.

ACL Groups are available under the ADC Addons menu item.


When you select multiple backends you must then change the "When" column to one of the predefined match types. Attach a match type to each selected backend in order to tell them how to route traffic.

If you get an HTTP 503 error afterwards it means it could not select a valid route for your traffic, e.g. no ACLs matched.

Test Your Regex

To test patterns for regex type rules, you can make use of a tool like Regexropen in new window.

ACL Groups

You may create ACL groups which contain many values (right-hand side) for ACL matching under the ADC addons menu. This typically applies to multiple hostnames going to one backend, but can be regex, IP addresses, or anything matching.

Rule Types

You are given a choice of 6 rule types when matching HTTP/SSL content for routing. These are detailed below:

HostnameThe exact hostname sent in the HTTP Host Header. E.g.
Hostname RegexA regular expression match of the HTTP Host Header. E.g. .*
Exact PathThe exact path with no trailing content. E.g. /full/path.html
Path BeginningThe start of the path with any trailing content. E.g. /images/
Path RegexA regular expression based on the path. E.g. .*.(jpg)$
SNI HostThe SSL SNI host name that was presented for use with Layer 4
SNI L7 HostThe SSL SNI host name that was presented for use with Layer 7 (terminated SSL)
Hostname and Path BeginningThe hostname and start of the path. E.g.
Hostname and Exact PathThe hostname and exact path. E.g.
Source IP(s)Route matching source IP addresses to this backend, e.g. "".

Interface Example



We have several examples to assist with creating the most common types of content routing.

Hostnameexample.comMatch exactly
Hostname Regex^dev.*Match anything starting with dev - e.g.
Exact Path/loginMatch /login exactly - e.g.
Path Beginning/imagesMatch anything in the /images path - e.g.
Path Regex^/api/v(.*)/cars$Match /api/v*/cars as a wildcard - e.g.
SNI Hostexample.comMatch exactly, as requested by a browser or API tool
SNI L7 Hostexample.comMatch exactly, as requested by a browser or API tool
Source IP(s) any traffic from to this backend. Can use ACL Group for multiple.

HTTPS Passthrough

Typically, only HTTP-based ADCs (such as SSL, HTTP, API, Agent, etc) can use ACLs. However, you can use Source IPs and Layer 4 SNI to route HTTPS traffic to a backend in the layer 4 mode HTTPS pass-through ADC.

We're Here To Help

For assistance with writing Backend ACLs, submit a support ticketopen in new window and the Snapt team will happily assist.