This topic explains how to manage communication among Elastic Compute Service (ECS) instances across different vSwitches using network access control lists (ACLs).
Scenario
A company has created a VPC and two vSwitches (vSwitch1 and vSwitch2). An ECS instance, ECS1 (192.168.1.206) has been created in vSwitch1, and two ECS instances, ECS2 (192.168.0.229) and ECS3 (192.168.0.230) have been created in vSwitch2. The company now has the following requirements:
ECS1, ECS2, and ECS3 cannot communicate with the Internet.
ECS1 cannot communicate with ECS3.
ECS1 can communicate with ECS2.
You can configure network ACL rules and associate the network ACL with vSwitches to control ECS traffic.
Prerequisites
A VPC and vSwitches have been created. For more information, see Create and manage a VPC and Create and manage a vSwitch.
ECS instances have been created in the vSwitches. For more details, see Create an instance on the Custom Launch tab.
Step 1: Create a network ACL
Log on to the VPC console.
In the left-side navigation pane, choose .
In the top navigation bar, select the region to which the network ACL that you want to manage belongs.
On the Network ACL page, click Create Network ACL.
In the Create Network ACL dialog box, specify the following parameters and click OK:
VPC: Select the VPC for which you want to create the network ACL.
Name: Enter a name for the network ACL.
Description: Enter a description for the network ACL.
Step 2: Associate the network ACL with vSwitches
Associate the network ACL with vSwitch 1 and vSwitch 2.
Log on to the VPC console.
In the left-side navigation pane, choose .
In the top navigation bar, select the region to which the network ACL that you want to manage belongs.
On the Network ACL page, find the network ACL that you want to manage and click its ID.
On the Associated Resources tab, click Associate vSwitch.
In the Associate vSwitch dialog box, select both vSwitch 1 and vSwitch 2, and then click Confirm to Associate.
Step 3: Add rules to the network ACL
Add inbound and outbound rules to the network ACL.
Log on to the VPC console.
In the left-side navigation pane, choose .
In the top navigation bar, select the region to which the network ACL that you want to manage belongs.
On the Network ACL page, find the network ACL that you want to configure, and click Create Inbound Rule in the Actions column.
On the Inbound Rule tab, click Manage Inbound Rule.
Specify the following parameters and then click OK:
Priority | Rule Name                           | Policy | Protocol | Source IP Address | Port Range
1        | Allow-traffic-from-ECS2             | Allow  | ALL      | 192.168.0.229/32  | -1/-1
2        | Allow-traffic-from-ECS1             | Allow  | ALL      | 192.168.1.206/32  | -1/-1
3        | Block-traffic-from-all-IP-addresses | Reject | ALL      | 0.0.0.0/0         | -1/-1
Click the Outbound Rules tab, then click Manage Outbound Rule.
Specify the following parameters and click OK:
Priority | Rule Name                                   | Policy | Protocol | Destination IP Address | Port Range
1        | Allow-traffic-destined-for-ECS2             | Allow  | ALL      | 192.168.0.229/32       | -1/-1
2        | Allow-traffic-destined-for-ECS1             | Allow  | ALL      | 192.168.1.206/32       | -1/-1
3        | Block-traffic-destined-for-all-IP-addresses | Reject | ALL      | 0.0.0.0/0              | -1/-1
Step 4: Test the network connectivity
Verify the connectivity among the ECS instances and between the ECS instances and the Internet.
Log on to ECS1. For more details, refer to ECS connection methods.
Note: If you cannot log on to ECS1, see FAQs about connections for potential solutions.
Run the ping command against ECS2, ECS3, and a public IP address. The results indicate that ECS1 can access ECS2, but cannot access ECS3 or the Internet.
Figure 1. ECS1 can access ECS2
Figure 2. ECS1 cannot access ECS3
Figure 3. ECS1 cannot access the Internet
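The ping results above can be predicted from the rule tables by evaluating them the way the network ACL does. The following Python simulation is an added example, not code from the page or from Alibaba Cloud; it assumes that rules are evaluated in ascending priority order with the first match winning, that the same ACL is bound to both vSwitches, and that the ACL is stateless (so the reply direction is filtered by the same rules). The public address 203.0.113.10 is a constructed placeholder.

```python
import ipaddress

# Rules copied from the tables above: (priority, name, policy, protocol, cidr, port_range).
# "-1/-1" means all ports. Lower priority number is evaluated first (assumption).
INBOUND = [
    (1, "Allow-traffic-from-ECS2", "Allow", "ALL", "192.168.0.229/32", "-1/-1"),
    (2, "Allow-traffic-from-ECS1", "Allow", "ALL", "192.168.1.206/32", "-1/-1"),
    (3, "Block-traffic-from-all-IP-addresses", "Reject", "ALL", "0.0.0.0/0", "-1/-1"),
]
OUTBOUND = [
    (1, "Allow-traffic-destined-for-ECS2", "Allow", "ALL", "192.168.0.229/32", "-1/-1"),
    (2, "Allow-traffic-destined-for-ECS1", "Allow", "ALL", "192.168.1.206/32", "-1/-1"),
    (3, "Block-traffic-destined-for-all-IP-addresses", "Reject", "ALL", "0.0.0.0/0", "-1/-1"),
]
# Addresses that sit inside the two vSwitches the ACL is associated with.
ECS = {"ECS1": "192.168.1.206", "ECS2": "192.168.0.229", "ECS3": "192.168.0.230"}
INTERNET = "203.0.113.10"  # constructed public address (TEST-NET-3), not from the page


def _port_ok(port_range, port):
    lo, hi = port_range.split("/")
    return (lo, hi) == ("-1", "-1") or int(lo) <= port <= int(hi)


def evaluate(rules, ip, protocol="TCP", port=22):
    """Return (policy, rule_name) of the first rule that matches, in priority order."""
    for _prio, name, policy, proto, cidr, port_range in sorted(rules):
        if proto in ("ALL", protocol) and _port_ok(port_range, port) \
                and ipaddress.ip_address(ip) in ipaddress.ip_network(cidr):
            return policy, name
    raise LookupError("no rule matched %s" % ip)  # impossible with a 0.0.0.0/0 rule


def path_allowed(src, dst, protocol="TCP", port=22):
    """One packet from src to dst: OUTBOUND (matched on dst) applies when it leaves
    an ACL-bound vSwitch, INBOUND (matched on src) when it enters one."""
    if src in ECS.values() and evaluate(OUTBOUND, dst, protocol, port)[0] != "Allow":
        return False
    if dst in ECS.values() and evaluate(INBOUND, src, protocol, port)[0] != "Allow":
        return False
    return True


def can_talk(a, b, protocol="TCP", port=22):
    """A conversation needs both directions, because the stateless ACL filters
    the reply from b to a with the same rules as the request (assumption)."""
    return path_allowed(a, b, protocol, port) and path_allowed(b, a, protocol, port)
```

Changing ECS3's outbound rule to Allow while leaving the inbound table unchanged shows why both directions matter: the request would leave vSwitch1 but the reply would still be rejected on entry.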