Network access control lists (ACLs) are a network access control feature in virtual private clouds (VPCs). You can create network ACL rules and associate a network ACL with a vSwitch. This allows you to manage inbound and outbound traffic of Elastic Compute Service (ECS) instances that are attached to the vSwitch.
Features and supported regions
Regions that support network ACLs
Area | Region |
Asia Pacific | China (Hangzhou), China (Shanghai), China (Nanjing-Local Region), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Ulanqab), China (Shenzhen), China (Heyuan), China (Guangzhou), China (Chengdu), China (Hong Kong), China (Wuhan - Local Region), China (Fuzhou - Local Region), Japan (Tokyo), South Korea (Seoul), Singapore, Malaysia (Kuala Lumpur), Indonesia (Jakarta), Philippines (Manila), and Thailand (Bangkok) |
Europe & Americas | Germany (Frankfurt), United Kingdom (London), US (Silicon Valley), and US (Virginia) |
Middle East | UAE (Dubai) and SAU (Riyadh) Important The SAU (Riyadh - Partner Region) region is operated by a partner. |
Regions that support IPv6 network ACLs
Area | Region |
Asia Pacific | China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Hohhot), China (Ulanqab), China (Shenzhen), China (Guangzhou), China (Chengdu), China (Hong Kong), Japan (Tokyo), South Korea (Seoul), Malaysia (Kuala Lumper), Indonesdia (Jakarta), Philliphines (Manila), and Thailand (Bangkok) |
Europe & Americas | Germany (Frankfurt), US (Silicon Valley), US (Virginia) |
Middle East | UAE (Dubai) and SAU (Riyadh) Important The SAU (Riyadh - Partner Region) region is operated by a partner. |
Features
Network ACL rules only apply to inbound and outbound traffic of ECS instances in the associated vSwitches. The traffic forwarded by server load balancer (SLB) instances to ECS instances is also filtered.
NoteIf an ECS instance is associated to a secondary elastic network interface (ENI) that is bound to an elastic IP address (EIP) in the cut-through mode, the network ACL does not filter the traffic of the ECS instance. For more information, see Set the cut-through mode.
Network ACL rules are stateless. After configuring an accept rule for inbound traffic, it is essential to set a corresponding outbound rule. Failure to do so may result in unresponsive requests.
Network ACLs deny all inbound and outbound traffic if no rules are configured.
The traffic between ECS instances in a vSwitch is not filtered by the network ACL linked to that vSwitch.
Network ACLs allow the DNS servers at 100.100.2.128/28 and 100.100.2.112/28, and the Metaserver at 100.100.100.200/32.
Descriptions
Parameters
A network ACL rule contains the following parameters:
Priority: A smaller value specifies a higher priority. The system matches requests against rules in descending order of priority, applies the first matching rule, and disregards the rest.
For example, the following rules are added to a network ACL and requests destined for IP address 172.16.0.1 are sent from an ECS instance. In this case, the requests match Rules 2 and 3. As Rule 2 has higher priority than Rule 3, the system applies Rule 2 and denies the requests based on the policy of Rule 2.
Priority
Protocol
Destination IP Address
Destination Port Range
Policy
Type
1
ALL
10.0.0.0/8
-1/-1
Allow
Custom
2
ALL
172.16.0.0/12
-1/-1
Deny
Custom
3
ALL
172.16.0.0/12
-1/-1
Allow
Custom
Policy: Allow or deny specific traffic.
Protocol: the protocol of traffic. Valid values are as follows.
ALL: All protocols. If you select ALL, you cannot specify a port range. The port range is set to -1/-1, which specifies all ports.
ICMP: Internet Control Message Protocol. Upon selecting ICMP, you cannot specify a port range. The port range is set to -1/-1, which specifies all ports.
GRE: Generic Routing Encapsulation. If you select GRE, you cannot specify a port range. The port range is set to -1/-1, which specifies all ports.
TCP: Transmission Control Protocol. When you select this protocol, the port range is 1 to 65535. Valid formats are 1/200 or 80/80. Do not set the value to -1/-1.
UDP: User Datagram Protocol. The valid port range is 1 to 65535. Valid formats are 1/200 or 80/80. Do not set the value to -1/-1.
ICMPv6: Internet Control Message Protocol for the IPv6. If you select ALL, you cannot specify a port range. The port range is set to -1/-1, which specifies all ports.
Source IP Address (for inbound rules): The source IP addresses from which inbound traffic is transmitted.
Destination IP Address (for outbound rules): The destination IP addresses to which outbound traffic is transmitted.
Destination Port Range (for inbound rules): The range of destination ports to which the inbound rule applies.
Destination Port Range (for outbound rules): The range of destination ports to which the outbound rule applies.
Outbound and inbound rules
Before you create outbound and inbound rules, take note of the following rules:
When you add or delete rules in a network ACL, the changes are automatically applied to the associated vSwitches.
When you add IPv6 outbound and inbound rules in a network ACL, you need to assign an IPv6 CIDR block to the VPC where the network ACL resides.
When you configure a DHCP options set, ensure that you permit the DNS server IP addresses in outbound and inbound rules of the network ACL. Failure to add rules may cause operational issues for the DHCP options set.
Default outbound and inbound rules vary based on the selected region.
In regions that do not support IPv6 network ACLs, one inbound rule and one outbound rule are created by default.
Other regions:
If the VPC to which the network ACL belongs does not have IPv6 enabled, five inbound and five outbound rules are created by default. The cloud service routes are the addresses of the DNS servers and Metaserver (metadata server) allowed by the network ACL.
If the VPC to which the ACL belongs has IPv6 enabled, one system default deny rule and one custom allow-all rule are added for both inbound and outbound traffic, resulting in a total of seven rules created by default.
Network ACLs and security groups
Network ACLs control data transmitted through associated vSwitches, while security groups filter data transmitted through associated ECS instances. The following table compares network ACLs and security groups.
Item | Network ACL | Security Group |
Application scope | vSwitch | ECS instance |
Status of response traffic | Stateless: Returned traffic must be allowed by rules. | Stateful: Returned traffic is automatically allowed and not affected by rules. |
Whether rules are evaluated | The system matches a request against rules in descending order of priority. Not all rules are matched. | The system matches a request against all rules before a rule is applied. |
Association with ECS instances | The vSwitch to which an ECS instance belongs can be associated with only one network ACL. | Each ECS instance can be added to more than one security group. |
The following figure shows how network ACLs and security groups are applied to ensure network security.
Limits
Name/ID | Description | Default value | Adjustable |
vpc_quota_nacl_ingress_entry | Maximum number of inbound rules that can be added to a network access control list (ACL) | 20 | You can increase the quota by performing the following operations:
|
vpc_quota_nacl_egress_entry | Maximum number of outbound rules that can be added to a network ACL | 20 | |
nacl_quota_vpc_create_count | Maximum number of network ACLs that can be created in each VPC | 20 |
Procedure
For more information, see Create and manage a network ACL.