All Products
Search
Document Center

Virtual Private Cloud:Overview of network ACLs

Last Updated:Sep 29, 2024

Network access control lists (ACLs) are a network access control feature in virtual private clouds (VPCs). You can create network ACL rules and associate a network ACL with a vSwitch. This allows you to manage inbound and outbound traffic of Elastic Compute Service (ECS) instances that are attached to the vSwitch.

image

Features and supported regions

Regions that support network ACLs

Area

Region

Asia Pacific

China (Hangzhou), China (Shanghai), China (Nanjing-Local Region), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Ulanqab), China (Shenzhen), China (Heyuan), China (Guangzhou), China (Chengdu), China (Hong Kong), China (Wuhan - Local Region), China (Fuzhou - Local Region), Japan (Tokyo), South Korea (Seoul), Singapore, Australia (Sydney) Closing Down, Malaysia (Kuala Lumpur), Indonesia (Jakarta), Philippines (Manila), and Thailand (Bangkok)

Europe & Americas

Germany (Frankfurt), United Kingdom (London), US (Silicon Valley), and US (Virginia)

Middle East

UAE (Dubai) and SAU (Riyadh)

Important

The SAU (Riyadh - Partner Region) region is operated by a partner.

Regions that support IPv6 network ACLs

Area

Region

Asia Pacific

China (Hangzhou), China (Shanghai), China (Qingdao), China (Beijing), China (Hohhot), China (Ulanqab), China (Shenzhen), China (Guangzhou), China (Chengdu), China (Hong Kong), Japan (Tokyo), South Korea (Seoul), Malaysia (Kuala Lumper), Indonesdia (Jakarta), Philliphines (Manila), and Thailand (Bangkok)

Europe & Americas

Germany (Frankfurt), US (Silicon Valley), US (Virginia)

Middle East

UAE (Dubai) and SAU (Riyadh)

Important

The SAU (Riyadh - Partner Region) region is operated by a partner.

Features

  • Network ACL rules only apply to inbound and outbound traffic of ECS instances in the associated vSwitches. The traffic forwarded by server load balancer (SLB) instances to ECS instances is also filtered.

    Note

    If an ECS instance is associated to a secondary elastic network interface (ENI) that is bound to an elastic IP address (EIP) in the cut-through mode, the network ACL does not filter the traffic of the ECS instance. For more information, see Set the cut-through mode.

  • Network ACL rules are stateless. After configuring an accept rule for inbound traffic, it is essential to set a corresponding outbound rule. Failure to do so may result in unresponsive requests.

  • Network ACLs deny all inbound and outbound traffic if no rules are configured.

  • The traffic between ECS instances in a vSwitch is not filtered by the network ACL linked to that vSwitch.

  • Network ACLs allow the DNS servers at 100.100.2.128/28 and 100.100.2.112/28, and the Metaserver at 100.100.100.200/32.

Descriptions

Parameters

A network ACL rule contains the following parameters:

  • Priority: A smaller value specifies a higher priority. The system matches requests against rules in descending order of priority, applies the first matching rule, and disregards the rest.

    For example, the following rules are added to a network ACL and requests destined for IP address 172.16.0.1 are sent from an ECS instance. In this case, the requests match Rules 2 and 3. As Rule 2 has higher priority than Rule 3, the system applies Rule 2 and denies the requests based on the policy of Rule 2.

    Priority

    Protocol

    Destination IP Address

    Destination Port Range

    Policy

    Type

    1

    ALL

    10.0.0.0/8

    -1/-1

    Allow

    Custom

    2

    ALL

    172.16.0.0/12

    -1/-1

    Deny

    Custom

    3

    ALL

    172.16.0.0/12

    -1/-1

    Allow

    Custom

  • Policy: Allow or deny specific traffic.

  • Protocol: the protocol of traffic. Valid values are as follows.

    • ALL: All protocols. If you select ALL, you cannot specify a port range. The port range is set to -1/-1, which specifies all ports.

    • ICMP: Internet Control Message Protocol. Upon selecting ICMP, you cannot specify a port range. The port range is set to -1/-1, which specifies all ports.

    • GRE: Generic Routing Encapsulation. If you select GRE, you cannot specify a port range. The port range is set to -1/-1, which specifies all ports.

    • TCP: Transmission Control Protocol. When you select this protocol, the port range is 1 to 65535. Valid formats are 1/200 or 80/80. Do not set the value to -1/-1.

    • UDP: User Datagram Protocol. The valid port range is 1 to 65535. Valid formats are 1/200 or 80/80. Do not set the value to -1/-1.

    • ICMPv6: Internet Control Message Protocol for the IPv6. If you select ALL, you cannot specify a port range. The port range is set to -1/-1, which specifies all ports.

  • Source IP Address (for inbound rules): The source IP addresses from which inbound traffic is transmitted.

  • Destination IP Address (for outbound rules): The destination IP addresses to which outbound traffic is transmitted.

  • Destination Port Range (for inbound rules): The range of destination ports to which the inbound rule applies.

  • Destination Port Range (for outbound rules): The range of destination ports to which the outbound rule applies.

Outbound and inbound rules

Before you create outbound and inbound rules, take note of the following rules:

  • When you add or delete rules in a network ACL, the changes are automatically applied to the associated vSwitches.

  • When you add IPv6 outbound and inbound rules in a network ACL, you need to assign an IPv6 CIDR block to the VPC where the network ACL resides.

  • When you configure a DHCP options set, ensure that you permit the DNS server IP addresses in outbound and inbound rules of the network ACL. Failure to add rules may cause operational issues for the DHCP options set.

Default outbound and inbound rules vary based on the selected region.

  • In regions that do not support IPv6 network ACLs, one inbound rule and one outbound rule are created by default.

    Click to view outbound and inbound rules

    • Inbound rules

      Priority

      Protocol

      Source IP Address

      Destination Port Range

      Policy

      Type

      1

      ALL

      0.0.0.0/0

      -1/-1

      Allow

      Custom

    • Outbound rules

      Priority

      Protocol

      Destination IP Address

      Destination Port Range

      Policy

      Type

      1

      ALL

      0.0.0.0/0

      -1/-1

      Allow

      Custom

  • Other regions:

    • If the VPC to which the network ACL belongs does not have IPv6 enabled, five inbound and five outbound rules are created by default. The cloud service routes are the addresses of the DNS servers and Metaserver (metadata server) allowed by the network ACL.

    • Click to view outbound and inbound rules

      • Inbound rules

        Priority

        Protocol

        Source IP Address

        Destination Port Range

        Policy

        Type

        *

        ALL

        100.100.2.128/28

        0:65535

        Allow

        Cloud service

        *

        ALL

        100.100.2.112/28

        0:65535

        Allow

        Cloud service

        *

        ALL

        100.100.100.200/32

        0:65535

        Allow

        Cloud service

        1

        ALL

        0.0.0.0/0

        -1/-1

        Allow

        Custom

        *

        ALL

        0.0.0.0/0

        0:65535

        Deny

        System

      • Outbound rules

        Priority

        Protocol

        Destination IP Address

        Destination Port Range

        Policy

        Type

        *

        ALL

        100.100.2.128/28

        0:65535

        Allow

        Cloud service

        *

        ALL

        100.100.2.112/28

        0:65535

        Allow

        Cloud service

        *

        ALL

        100.100.100.200/32

        0:65535

        Allow

        Cloud service

        1

        ALL

        0.0.0.0/0

        -1/-1

        Allow

        Custom

        *

        ALL

        0.0.0.0/0

        0:65535

        Deny

        System

    • If the VPC to which the ACL belongs has IPv6 enabled, one system default deny rule and one custom allow-all rule are added for both inbound and outbound traffic, resulting in a total of seven rules created by default.

      Click to view outbound and inbound rules

      • Inbound rules

        Priority

        Protocol

        Source IP Address

        Destination Port Range

        Policy

        Type

        *

        ALL

        100.100.2.128/28

        0:65535

        Allow

        Cloud service

        *

        ALL

        100.100.2.112/28

        0:65535

        Allow

        Cloud service

        *

        ALL

        100.100.100.200/32

        0:65535

        Allow

        Cloud service

        1

        ALL

        0.0.0.0/0

        -1/-1

        Allow

        Custom

        2

        ALL

        ::/0

        -1/-1

        Allow

        Custom

        *

        ALL

        0.0.0.0/0

        0:65535

        Deny

        System

        *

        ALL

        ::/0

        0:65535

        Deny

        System

      • Outbound rules

        Priority

        Protocol

        Destination IP Address

        Destination Port Range

        Policy

        Type

        *

        ALL

        100.100.2.128/28

        0:65535

        Allow

        Cloud service

        *

        ALL

        100.100.2.112/28

        0:65535

        Allow

        Cloud service

        *

        ALL

        100.100.100.200/32

        0:65535

        Allow

        Cloud service

        1

        ALL

        0.0.0.0/0

        -1/-1

        Allow

        Custom

        2

        ALL

        ::/0

        -1/-1

        Allow

        Custom

        *

        ALL

        0.0.0.0/0

        0:65535

        Deny

        System

        *

        ALL

        ::/0

        0:65535

        Deny

        System

Network ACLs and security groups

Network ACLs control data transmitted through associated vSwitches, while security groups filter data transmitted through associated ECS instances. The following table compares network ACLs and security groups.

Item

Network ACL

Security Group

Application scope

vSwitch

ECS instance

Status of response traffic

Stateless: Returned traffic must be allowed by rules.

Stateful: Returned traffic is automatically allowed and not affected by rules.

Whether rules are evaluated

The system matches a request against rules in descending order of priority. Not all rules are matched.

The system matches a request against all rules before a rule is applied.

Association with ECS instances

The vSwitch to which an ECS instance belongs can be associated with only one network ACL.

Each ECS instance can be added to more than one security group.

The following figure shows how network ACLs and security groups are applied to ensure network security.

image

Limits

Name/ID

Description

Default value

Adjustable

vpc_quota_nacl_ingress_entry

Maximum number of inbound rules that can be added to a network ACL

20

You can increase the quota by performing the following operations:

vpc_quota_nacl_egress_entry

Maximum number of outbound rules that can be added to a network ACL

20

nacl_quota_vpc_create_count

Maximum number of network ACLs that can be created in each VPC

20

Procedure

image

For more information, see Create and manage a network ACL.