
Virtual Private Cloud: Manage communication among ECS instances in different vSwitches

Last Updated: Dec 27, 2024

This topic explains how to manage communication among Elastic Compute Service (ECS) instances across different vSwitches using network access control lists (ACLs).

Scenario

A company has created a VPC and two vSwitches (vSwitch1 and vSwitch2). One ECS instance, ECS1 (192.168.1.206), has been created in vSwitch1, and two ECS instances, ECS2 (192.168.0.229) and ECS3 (192.168.0.230), have been created in vSwitch2. The company now has the following requirements:

  • ECS1, ECS2, and ECS3 cannot communicate with the Internet.

  • ECS1 cannot communicate with ECS3.

  • ECS1 can communicate with ECS2.


You can configure network ACL rules and associate the network ACL with vSwitches to control ECS traffic.

Prerequisites

Step 1: Create a network ACL

  1. Log on to the VPC console.

  2. In the left-side navigation pane, choose ACL > Network ACL.

  3. In the top navigation bar, select the region to which the network ACL that you want to manage belongs.

  4. On the Network ACL page, click Create Network ACL.

  5. In the Create Network ACL dialog box, specify the following parameters and click OK:

    • VPC: Select the VPC for which you want to create the network ACL.

    • Name: Enter a name for the network ACL.

    • Description: Enter a description for the network ACL.

Step 2: Associate the network ACL with vSwitches

Associate the network ACL with both vSwitch1 and vSwitch2 so that the same rules apply to traffic entering and leaving either vSwitch.

  1. Log on to the VPC console.

  2. In the left-side navigation pane, choose ACL > Network ACL.

  3. In the top navigation bar, select the region to which the network ACL that you want to manage belongs.

  4. On the Network ACL page, find the network ACL that you want to manage and click its ID.

  5. On the Associated Resources tab, click Associate vSwitch.

  6. In the Associate vSwitch dialog box, select both vSwitch1 and vSwitch2, and then click Confirm to Associate.

Step 3: Add rules to the network ACL

Add inbound and outbound rules to the network ACL.

  1. Log on to the VPC console.

  2. In the left-side navigation pane, choose ACL > Network ACL.

  3. In the top navigation bar, select the region to which the network ACL that you want to manage belongs.

  4. On the Network ACL page, find the network ACL that you want to configure, and click Create Inbound Rule under the Actions column.

  5. On the Inbound Rule tab, click Manage Inbound Rule.

  6. Specify the following parameters and then click OK:

    | Priority | Rule Name                           | Policy | Protocol | Source IP Address | Port Range |
    |----------|-------------------------------------|--------|----------|-------------------|------------|
    | 1        | Allow-traffic-from-ECS2             | Allow  | ALL      | 192.168.0.229/32  | -1/-1      |
    | 2        | Allow-traffic-from-ECS1             | Allow  | ALL      | 192.168.1.206/32  | -1/-1      |
    | 3        | Block-traffic-from-all-IP-addresses | Reject | ALL      | 0.0.0.0/0         | -1/-1      |

  7. Click the Outbound Rules tab, then click Manage Outbound Rule.

  8. Specify the following parameters and click OK:

    | Priority | Rule Name                                   | Policy | Protocol | Destination IP Address | Port Range |
    |----------|---------------------------------------------|--------|----------|------------------------|------------|
    | 1        | Allow-traffic-destined-for-ECS2             | Allow  | ALL      | 192.168.0.229/32       | -1/-1      |
    | 2        | Allow-traffic-destined-for-ECS1             | Allow  | ALL      | 192.168.1.206/32       | -1/-1      |
    | 3        | Block-traffic-destined-for-all-IP-addresses | Reject | ALL      | 0.0.0.0/0              | -1/-1      |

Step 4: Test the network connectivity

Verify the connectivity among the ECS instances and between the ECS instances and the Internet.

  1. Log on to ECS1. For more details, refer to ECS connection methods.

    Note

    If you cannot log on to ECS1, see FAQs about connections for potential solutions.

  2. Run ping commands against ECS2, ECS3, and a public IP address.

    The results indicate that ECS1 can access ECS2, but cannot access ECS3 or the Internet.

    Figure 1. ECS1 can access ECS2

    Figure 2. ECS1 cannot access ECS3

    Figure 3. ECS1 cannot access the Internet
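To check on paper that the rule tables from Step 3 produce the results seen in Step 4, the following Python model evaluates the three flows the way a priority-ordered ACL would. It is an added example, not part of this topic or of Alibaba Cloud's tooling; it assumes rules are tried in ascending priority with the first matching CIDR deciding, that the ACL is stateless so both the request and the reply are filtered, and it uses 203.0.113.10 as a constructed public address.

```python
import ipaddress
from collections import namedtuple

# Constructed model of the Step 3 rule set (not Alibaba Cloud's own code). Assumed
# semantics: rules are tried in ascending priority and the first CIDR match decides;
# the ACL is stateless, so a packet must pass the outbound rules of the sender's
# vSwitch and the inbound rules of the receiver's, and the reply is checked the same
# way. Protocol and port are not modelled: every rule uses ALL and -1/-1 (all ports).

# policy is "Allow" or "Reject"; cidr is the source (inbound) or destination (outbound).
Rule = namedtuple("Rule", "priority name policy cidr")

INBOUND = [
    Rule(1, "Allow-traffic-from-ECS2", "Allow", "192.168.0.229/32"),
    Rule(2, "Allow-traffic-from-ECS1", "Allow", "192.168.1.206/32"),
    Rule(3, "Block-traffic-from-all-IP-addresses", "Reject", "0.0.0.0/0"),
]
OUTBOUND = [
    Rule(1, "Allow-traffic-destined-for-ECS2", "Allow", "192.168.0.229/32"),
    Rule(2, "Allow-traffic-destined-for-ECS1", "Allow", "192.168.1.206/32"),
    Rule(3, "Block-traffic-destined-for-all-IP-addresses", "Reject", "0.0.0.0/0"),
]
# Both vSwitches carry the same ACL (Step 2); any other address is "the Internet".
BEHIND_ACL = {"192.168.1.206", "192.168.0.229", "192.168.0.230"}

def first_match(rules, ip):
    # Lowest priority number wins; the 0.0.0.0/0 catch-all guarantees a match.
    addr = ipaddress.ip_address(ip)
    return next(r for r in sorted(rules, key=lambda r: r.priority)
                if addr in ipaddress.ip_network(r.cidr))

def one_way(src, dst):
    # Decide one src->dst packet; returns (allowed, name of the deciding rule).
    if src in BEHIND_ACL:  # leaving a vSwitch: outbound rules, matched on destination
        rule = first_match(OUTBOUND, dst)
        if rule.policy != "Allow":
            return False, rule.name
    if dst in BEHIND_ACL:  # entering a vSwitch: inbound rules, matched on source
        rule = first_match(INBOUND, src)
        if rule.policy != "Allow":
            return False, rule.name
    return True, "allowed"

def ping(src, dst):
    # Stateless ACL: the echo request and the echo reply must both get through.
    ok, why = one_way(src, dst)
    if not ok:
        return False, f"request dropped by {why}"
    ok, why = one_way(dst, src)
    return (True, "reachable") if ok else (False, f"reply dropped by {why}")
```

Dropping either Allow rule for ECS1 or ECS2 makes the ECS1 to ECS2 ping fail on the reply leg, which is the usual symptom of forgetting that both directions need rules.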