
Virtual Private Cloud:Create and manage a network ACL

Last Updated:Nov 18, 2024

You can create a network access control list (ACL) in a virtual private cloud (VPC) and add inbound and outbound rules to the network ACL. After you create a network ACL, you can associate the network ACL with a vSwitch to enable access control for the vSwitch.

Prerequisites

Usage notes

You can add at most 20 IPv4 rules and 20 IPv6 rules. To increase the quota, go to the Quota Center.

Create a network ACL

You can create a network ACL and associate it with a vSwitch to manage the inbound and outbound traffic of the vSwitch.

  1. Log on to the VPC console.

  2. In the left-side navigation pane, choose ACL > Network ACL.

  3. In the top navigation bar, select the region where you want to create a network ACL.

  4. On the Network ACL page, click Create Network ACL.

  5. In the Create Network ACL dialog box, set the following parameters. Keep parameters that are not covered in the table as default values or modify them as needed.

    Parameter

    Description

    VPC

    Select the VPC for which you want to create the network ACL.

    Note
    • The VPC and network ACL must be deployed in the same region.

Add rules to the network ACL

After you create a network ACL, you can add inbound rules to the network ACL. You can use inbound rules to control whether ECS instances in a vSwitch can be accessed over the Internet or private networks. You can also add outbound rules to the network ACL. You can use outbound rules to control whether ECS instances in a vSwitch can access the Internet or private networks.

Important

Network ACLs are stateless: they do not track connections, so return traffic is never allowed automatically. If an inbound rule allows a request, you must also add an outbound rule that allows the corresponding response (and the reverse for outbound requests). Otherwise, responses are dropped and requests appear to time out.
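The following Python script is an added illustration of what "stateless" means for rule design; it is not Alibaba Cloud code and does not call any Alibaba Cloud API. It models rules with the fields described on this page (priority, action, protocol, CIDR block, destination port range in start/end form), evaluates a packet against them in priority order, and shows that an inbound allow for SSH does nothing useful until an outbound rule lets the reply (source port 22, ephemeral destination port chosen by the client) leave the vSwitch. The rule set, the addresses and the port numbers are constructed for the example; the fall-through deny stands in for the system deny rule that closes the list.

```python
"""Stateless network ACL evaluator: an added illustration, not Alibaba Cloud code.

Rules carry the fields described on this page: priority (smaller wins),
action, protocol, CIDR block and a destination port range written as
"start/end" ("80/80", "1/200", or "-1/-1" for all ports). The packet
model, addresses and port numbers below are constructed for the example.
"""
from dataclasses import dataclass
import ipaddress


def parse_port_range(spec: str) -> tuple:
    """Parse "start/end"; "-1/-1" means every port (1 to 65535)."""
    start, end = (int(p) for p in spec.split("/"))
    if (start, end) == (-1, -1):
        return 1, 65535
    if not 1 <= start <= end <= 65535:
        raise ValueError(f"invalid port range: {spec}")
    return start, end


@dataclass(frozen=True)
class Rule:
    priority: int
    action: str       # "allow" or "deny"
    protocol: str     # "all", "tcp", "udp", "icmp" or "gre"
    cidr: str         # source CIDR for inbound, destination CIDR for outbound
    port_range: str   # destination port range, e.g. "22/22"


@dataclass(frozen=True)
class Packet:
    protocol: str
    src_ip: str
    dst_ip: str
    dst_port: int     # 0 for protocols without ports


def evaluate(rules, packet: Packet, direction: str) -> str:
    """Return "allow" or "deny" for one packet in one direction.

    Rules are tried in ascending priority value and the first match
    decides. No match falls through to "deny", standing in for the
    system deny rule that ends the list; there is no connection state.
    """
    remote = packet.src_ip if direction == "inbound" else packet.dst_ip
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.protocol not in ("all", packet.protocol):
            continue
        if ipaddress.ip_address(remote) not in ipaddress.ip_network(rule.cidr):
            continue
        lo, hi = parse_port_range(rule.port_range)
        if rule.protocol in ("tcp", "udp") and not lo <= packet.dst_port <= hi:
            continue
        return rule.action
    return "deny"


# Constructed scenario: an admin host 203.0.113.10 opens SSH to an ECS
# instance 10.0.1.5 behind the vSwitch. The reply travels in the outbound
# direction with an ephemeral destination port chosen by the client.
INBOUND = [Rule(1, "allow", "tcp", "203.0.113.0/24", "22/22")]
OUTBOUND_EMPTY = []                                              # system deny only
OUTBOUND_FIXED = [Rule(1, "allow", "tcp", "203.0.113.0/24", "1/65535")]
SYN = Packet("tcp", "203.0.113.10", "10.0.1.5", 22)
SYN_ACK = Packet("tcp", "10.0.1.5", "203.0.113.10", 51234)


def ssh_session_works(outbound_rules) -> bool:
    """Both the request and its reply must be allowed explicitly."""
    request_ok = evaluate(INBOUND, SYN, "inbound") == "allow"
    reply_ok = evaluate(outbound_rules, SYN_ACK, "outbound") == "allow"
    return request_ok and reply_ok


def priority_demo() -> dict:
    """The same two overlapping rules give opposite results when reordered."""
    pkt = Packet("tcp", "203.0.113.99", "10.0.1.5", 22)
    deny_host = Rule(1, "deny", "tcp", "203.0.113.99/32", "22/22")
    allow_net = Rule(2, "allow", "tcp", "203.0.113.0/24", "22/22")
    swapped = [Rule(1, "allow", "tcp", "203.0.113.0/24", "22/22"),
               Rule(2, "deny", "tcp", "203.0.113.99/32", "22/22")]
    return {"deny_first": evaluate([allow_net, deny_host], pkt, "inbound"),
            "allow_first": evaluate(swapped, pkt, "inbound")}


if __name__ == "__main__":
    print("SSH with inbound rule only:", ssh_session_works(OUTBOUND_EMPTY))    # False
    print("SSH with outbound reply rule:", ssh_session_works(OUTBOUND_FIXED))  # True
    print("priority order matters:", priority_demo())
```

Two things worth noticing in the output. First, the outbound rule that makes the session work has to cover the client's whole ephemeral port range, because a stateless ACL cannot know which port the reply belongs to; that is why the outbound allow is broad on ports and why you keep it narrow on the CIDR block instead. Second, `priority_demo` shows that a host-specific deny only takes effect if its priority value is smaller than the broader allow, which is the reason the priority-ordering operation later on this page matters for security and not only for tidiness.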

  1. On the Network ACL page, find the network ACL that you want to manage and click its ID.

  2. In the Basic Information section, you can configure inbound or outbound rules.

    • Create an inbound rule

      1. Click the Inbound Rule tab, and then click Manage Inbound Rule.

      2. Set the following parameters and click OK.

        Parameter

        Description

        Priority

        The priority of the inbound rule.

        A smaller value indicates a higher priority. You can create at most 20 rules.

        Type

The rule type. If IPv6 is enabled for the network ACL, the following types exist:

        • Cloud Service: three allow rules that the system creates with the highest priority. You cannot modify or delete them.

        • Custom: two allow rules that the system creates by default. You can modify or delete them.

        • System: two deny rules that the system creates with the lowest priority. You cannot modify or delete them.

        For a network ACL that supports only IPv4, the system creates one custom IPv4 allow rule by default.

        Note

        You can create only inbound rules of the Custom type, for IPv4 or IPv6.

        Action

        Select an action for the inbound rule. Valid values:

        • Allow: accepts network traffic that is destined for the ECS instances connected to the vSwitch.

        • Deny: drops network traffic that is destined for the ECS instances connected to the vSwitch.

        Protocol Type

        Select a protocol. Valid values:

        • ALL

        • ICMP

        • GRE

        • TCP

        • UDP

        • ICMPv6: available only when IP Version is set to IPv6.

        IP Version

        Select an IP version. Valid values:

        • IPv4

        • IPv6

        Source IP Addresses

Specify the source CIDR block of the traffic.

        Default value: 0.0.0.0/0, which matches every IPv4 source. Narrow this to the address ranges that actually need access when the action is Allow.

        Destination Port Range

Enter the destination port range of the inbound rule.

        If you select TCP or UDP, valid values are 1 to 65535. Separate the start port from the end port with a forward slash (/), for example 1/200; a single port is written as 80/80.

        If you select ALL, ICMP, or GRE, the port range is set to -1/-1 automatically, which means all ports. Do not enter -1/-1 yourself for TCP or UDP rules.

      3. Optional. On the Inbound Rules tab, click Add IPv4 Rule or Add IPv6 Rule to add an inbound IPv4 or IPv6 rule.

    • Create an outbound rule

      1. Click the Outbound Rule tab, and then click Manage Outbound Rule.

      2. Set the following parameters and click OK.

        Parameter

        Description

        Priority

        Set the priority of the outbound rule.

        A smaller value indicates a higher priority. You can create at most 20 rules.

        Type

The rule type. If IPv6 is enabled for the network ACL, the following types exist:

        • Cloud Service: three allow rules that the system creates with the highest priority. You cannot modify or delete them.

        • Custom: two allow rules that the system creates by default. You can modify or delete them.

        • System: two deny rules that the system creates with the lowest priority. You cannot modify or delete them.

        For a network ACL that supports only IPv4, the system creates one custom IPv4 allow rule by default.

        Note

        You can create only outbound rules of the Custom type, for IPv4 or IPv6.

        Action

        Select an action for the outbound rule. Valid values:

        • Allow: allows ECS instances connected to the vSwitch to access the Internet or other private networks.

        • Deny: forbids ECS instances connected to the vSwitch from accessing the Internet or other private networks.

        Protocol

        Select a protocol. Valid values:

        • ALL

        • ICMP

        • GRE

        • TCP

        • UDP

        • ICMPv6: available only when IP Version is set to IPv6.

        IP Version

        Select an IP version. Valid values:

        • IPv4

        • IPv6

        Destination IP Address

Specify the destination CIDR block of the traffic.

        Default value: 0.0.0.0/0, which matches every IPv4 destination. Narrow this to the address ranges that the instances actually need to reach when the action is Allow.

        Destination Port Range

Enter the destination port range of the outbound rule.

        If you select TCP or UDP, valid values are 1 to 65535. Separate the start port from the end port with a forward slash (/), for example 1/200; a single port is written as 80/80. If you select ALL, ICMP, or GRE, the port range is set to -1/-1 automatically, which means all ports. Do not enter -1/-1 yourself for TCP or UDP rules.

      3. Optional. On the Outbound Rules tab, click Add IPv4 Rule or Add IPv6 Rule to add an outbound IPv4 or IPv6 rule.

Use the Quick Add feature

If you need to manage access control for multiple CIDR blocks, you can use the Quick Add feature to quickly add network ACL rules.

  1. On the Network ACL page, find the network ACL that you want to manage and click its ID.

  2. In the Basic Information section, you can add inbound or outbound rules for multiple CIDR blocks.

    • Quickly add inbound rules

      1. Click the Inbound Rules tab, and then click Manage Inbound Rule.

      2. In the lower part of the tab, click Quick Add. In the Quick Add dialog box, set the following parameters and click OK.

        Parameter

        Description

        Policy

        Select an action for the inbound rule. Valid values:

        • Accept: accepts network traffic that is destined for the ECS instances connected to the vSwitch.

        • Drop: drops network traffic that is destined for the ECS instances connected to the vSwitch.

        IP Address

        Enter one or more source IPv4 CIDR blocks of the data flow.

        Destination Port Range

Select the destination port range of the inbound rule. Valid values: 1 to 65535. Separate the start port from the end port with a forward slash (/), for example 1/200 or 80/80. The value -1/-1 means all ports and cannot be entered here. For more information about common ports, see Common scenarios.

        Priority

        Specify a priority for the rule. For more information about priorities, see Overview.

        For example, to insert the new rule after the rule whose priority is 1, select Add 1 Entries After for that rule.

      3. Specify the rule name and protocol (TCP by default), and click OK.

    • Quickly add outbound rules

      1. Click the Outbound Rules tab, and then click Manage Outbound Rule.

      2. In the lower part of the tab, click Quick Add. In the Quick Add dialog box, set the following parameters and click OK.

        Parameter

        Description

        Policy

        Select an action for the outbound rule. Valid values:

        • Accept: allows ECS instances connected to the vSwitch to access the Internet or other private networks.

        • Drop: prevents ECS instances connected to the vSwitch from accessing the Internet or other private networks.

        IP Address

        Enter one or more destination IPv4 CIDR blocks.

        Destination Port Range

Select the destination port range of the outbound rule. Valid values: 1 to 65535. Separate the start port from the end port with a forward slash (/), for example 1/200 or 80/80. The value -1/-1 means all ports and cannot be entered here. For more information about common ports, see Common scenarios.

        Priority

        Specify a priority for the rule. For more information about priorities, see Overview.

        For example, to insert the new rule after the rule whose priority is 1, select Add 1 Entries After for that rule.

      3. Specify the rule name and protocol (TCP by default), and click OK.

Import and export rules

By importing or exporting network ACL rules in batches, you can keep rule sets consistent across network ACLs and reduce manual configuration work.

  • Quick setup: Import a rule file into an existing network ACL for quick application.

  • Rules backup: Export the network ACL rules in batch for local backup.

Import rules in batch

Note
  • Currently, you can import rules only in the format of the CSV template available in the Inbound Rules section.

  • All columns in the template must be filled in. Rows with missing values are not imported.

  • If IPv6 is not enabled for the network ACL, IPv6 rules cannot be imported.

  • Imported rules are appended after the existing rules and do not overwrite them. Because rules take effect in order of priority, review the resulting order after an import so that appended deny rules are not shadowed by existing broader allow rules.

  1. On the Network ACL page, find the target network ACL and click the ID.

  2. Click the Inbound Rules or Outbound Rules tab, then click Import Rule.

  3. Download Template and fill in the network ACL rules you want to import according to the template.

  4. In the Import Rule dialog box, select or drag the file into the box to upload it.

Export rules in batch

Click Export Rule to download the CSV file and save it locally.

What to do next

  1. Log on to the VPC console.

  2. In the left-side navigation pane, choose ACL > Network ACL.

  3. In the top navigation bar, select the region to which the network ACL that you want to manage belongs.

  4. On the Network ACL page, you can perform the following operations as needed:

    Operation

    Description

    Change the priorities of network ACL rules

    Network ACL rules take effect in order of priority, from the smallest priority value (highest priority) to the largest. Order the rules so that specific rules, such as a deny for a single address, come before the broader allow rules that would otherwise match the same traffic.

    1. Click the ID of the network ACL.

    2. On the Basic Information page, you can change the priorities of inbound and outbound rules.

      • Change the priority of an inbound rule

        1. Click the Inbound Rules tab, and then click Manage Inbound Rule.

        2. Drag and drop an inbound rule upwards or downwards, and then click OK.

      • Change the priority of an outbound rule

        1. Click the Outbound Rule tab, and then click Manage Outbound Rule.

        2. Drag and drop an outbound rule upwards or downwards, and then click OK.

    Associate a network ACL with a vSwitch

    Before you associate a network ACL with a vSwitch, make sure that the following requirements are met:

    • A network ACL is created and network ACL rules are added to it.

    • The vSwitch and the network ACL must belong to the same VPC.

    1. Find the network ACL and click Associate vSwitch in the Actions column.

    2. On the Associated Resources tab, click Associate vSwitch.

    3. In the Associate vSwitch dialog box, select the vSwitch that you want to associate and click OK.

      The network ACL and vSwitch must belong to the same VPC. A vSwitch can be associated only with one network ACL.

    Disassociate a network ACL from a vSwitch

    You can disassociate a network ACL from a vSwitch. After the network ACL is disassociated from the vSwitch, the network ACL no longer controls traffic that flows through the ECS instances connected to the vSwitch.

    1. Find the network ACL and click Associate vSwitch in the Actions column.

    2. On the Associated Resources tab, find the vSwitch and click Unbind in the Actions column.

    3. In the Disassociate Network ACL message, click OK.

    Delete a network ACL

    Before you delete a network ACL, you must disassociate the network ACL from the vSwitch.

    1. Find the network ACL and click Delete in the Actions column.

    2. In the Delete Network ACL message, click OK.

References