A network access control list (ACL) is a feature provided by Virtual Private Cloud (VPC). It allows you to manage network access permissions. You can customize the rules of a network ACL and associate the network ACL with a VSwitch. This allows you to manage inbound and outbound network traffic of Elastic Compute Service (ECS) instances that are connected to the VSwitch.
- A network ACL filters the inbound and outbound network traffic of ECS instances that are connected to a VSwitch in a VPC network. Network traffic that Server Load Balancer (SLB) instances forward to those ECS instances is also filtered.
Note Network ACLs do not filter the inbound or outbound traffic of an ECS instance if a secondary Elastic Network Interface (ENI) attached to the instance is assigned an Elastic IP address in cut-through mode.
- Network ACLs are stateless. A rule that allows inbound traffic does not allow the responses to that traffic; you must also add an outbound rule that allows the return traffic (including the ephemeral destination ports of the client). Otherwise, responses are dropped and connections appear to hang.
- A network ACL denies by default: traffic that matches none of its rules is dropped. If a network ACL contains no rules, all inbound and outbound traffic through the associated VSwitch is denied until you add rules.
- A network ACL does not filter the traffic forwarded between ECS instances that are connected to the same VSwitch.
Network ACL rules
You can add rules to or delete rules from a network ACL. Changes to the rules are automatically synchronized to the associated VSwitches. When you create a network ACL, a default inbound rule and a default outbound rule are created. These rules allow all inbound and outbound network traffic through the associated VSwitches. You can delete the default rules. The following tables list the settings of the default inbound and outbound rules.
- Default inbound rule
|Effective order||Protocol||Source IP addresses||Destination port range||Action||Type|
|1||all||0.0.0.0/0||-1/-1||Accept||Custom|
- Default outbound rule
|Effective order||Protocol||Destination IP addresses||Destination port range||Action||Type|
|1||all||0.0.0.0/0||-1/-1||Accept||Custom|
- Effective order: the priority of a rule. A smaller number indicates a higher priority. Network traffic is matched against the rules in order of priority, starting from rule 1. The first rule that matches a request is applied and the remaining rules are ignored.
For example, the following outbound rules are added, and an ECS instance sends requests to IP address 172.16.0.1. The requests match both Rule 2 and Rule 3. Rule 2 has the higher priority, so the system applies Rule 2 and, based on its action, drops the requests. Rule 3 is never reached.
|Effective order||Protocol||Destination IP addresses||Destination port range||Action||Type|
|1||all||10.0.0.0/8||-1/-1||Accept||Custom|
|2||all||172.16.0.0/12||-1/-1||Drop||Custom|
|3||all||172.16.0.0/12||-1/-1||Accept||Custom|
- Action: whether to accept (allow) or drop (deny) the matched traffic.
- Protocol: the protocol type. Available options are All, ICMP, GRE, TCP, and UDP.
- Source IP addresses: for inbound rules, the CIDR block from which the traffic is sent.
- Destination IP addresses: for outbound rules, the CIDR block to which the traffic is sent.
- Destination port range: the range of destination ports to which the rule applies. For an inbound rule this is the port on the ECS instance that receives the traffic; for an outbound rule it is the port on the remote destination. -1/-1 means all ports.
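The following Python script is an added example, not code from the original page or from Alibaba Cloud. It models the first-match evaluation described above (rules tried in ascending effective order, first match wins, implicit drop when nothing matches) and replays the 172.16.0.1 example from the outbound rule table. It then shows the stateless caveat: an inbound rule that accepts SSH is not enough on its own, because the reply to the client's ephemeral port is matched against the outbound rules and is dropped unless a rule accepts it. The rule tables, client address 203.0.113.7 and ephemeral port 51514 are constructed for the demonstration; the `AclRule` and `evaluate` names are this example's own, not an Alibaba Cloud API.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The console writes the "all ports" wildcard as -1/-1.
ANY_PORT = (-1, -1)


@dataclass(frozen=True)
class AclRule:
    order: int                 # effective order; smaller number = higher priority
    protocol: str              # "all", "tcp", "udp", "icmp" or "gre"
    cidr: str                  # source CIDR (inbound) or destination CIDR (outbound)
    port_range: Tuple[int, int]  # destination port range, ANY_PORT for all ports
    action: str                # "accept" or "drop"

    def matches(self, proto: str, ip: str, port: Optional[int]) -> bool:
        if self.protocol != "all" and self.protocol != proto:
            return False
        if ipaddress.ip_address(ip) not in ipaddress.ip_network(self.cidr):
            return False
        if self.port_range != ANY_PORT:
            lo, hi = self.port_range
            # ICMP/GRE carry no port (None); they only match all-ports rules.
            if port is None or not (lo <= port <= hi):
                return False
        return True


def evaluate(rules: List[AclRule], proto: str, ip: str,
             port: Optional[int]) -> Tuple[str, Optional[int]]:
    """First-match evaluation of one packet against a rule list.

    Rules are tried in ascending effective order; the first rule that matches
    decides and later rules are ignored. If nothing matches, the network ACL
    drops the packet (deny by default). Returns (action, matching order).
    """
    for rule in sorted(rules, key=lambda r: r.order):
        if rule.matches(proto, ip, port):
            return rule.action, rule.order
    return "drop", None


# Outbound rule table from the worked example on this page.
OUTBOUND_EXAMPLE = [
    AclRule(1, "all", "10.0.0.0/8", ANY_PORT, "accept"),
    AclRule(2, "all", "172.16.0.0/12", ANY_PORT, "drop"),
    AclRule(3, "all", "172.16.0.0/12", ANY_PORT, "accept"),  # shadowed by rule 2
]


def tcp_exchange(inbound: List[AclRule], outbound: List[AclRule],
                 client_ip: str, client_port: int,
                 server_port: int) -> Tuple[str, str]:
    """Stateless check of one TCP exchange initiated from client_ip to an ECS
    instance behind the VSwitch. The request is matched against the inbound
    rules (source = client, destination port = server_port); the reply is
    matched separately against the outbound rules (destination = client,
    destination port = the client's ephemeral port). Both must be accepted.
    """
    request, _ = evaluate(inbound, "tcp", client_ip, server_port)
    reply, _ = evaluate(outbound, "tcp", client_ip, client_port)
    return request, reply


# Constructed rule sets: inbound accepts SSH from anywhere; the strict
# outbound list only lets HTTPS out, so SSH replies to ephemeral ports die.
SSH_INBOUND = [AclRule(1, "tcp", "0.0.0.0/0", (22, 22), "accept")]
STRICT_OUTBOUND = [AclRule(1, "tcp", "0.0.0.0/0", (443, 443), "accept")]
# A common remedy (assumption, not prescribed by the page): also accept
# outbound TCP to the ephemeral port range so return traffic gets through.
FIXED_OUTBOUND = STRICT_OUTBOUND + [
    AclRule(2, "tcp", "0.0.0.0/0", (1024, 65535), "accept"),
]


if __name__ == "__main__":
    # Worked example from the page: 172.16.0.1 hits rule 2 (drop), never rule 3.
    print("172.16.0.1 ->", evaluate(OUTBOUND_EXAMPLE, "tcp", "172.16.0.1", 443))
    print("10.1.2.3   ->", evaluate(OUTBOUND_EXAMPLE, "tcp", "10.1.2.3", 80))
    print("192.0.2.9  ->", evaluate(OUTBOUND_EXAMPLE, "icmp", "192.0.2.9", None))
    # Stateless caveat: request accepted, reply dropped until outbound is fixed.
    print("strict:", tcp_exchange(SSH_INBOUND, STRICT_OUTBOUND, "203.0.113.7", 51514, 22))
    print("fixed: ", tcp_exchange(SSH_INBOUND, FIXED_OUTBOUND, "203.0.113.7", 51514, 22))
```

Running the script prints `('drop', 2)` for 172.16.0.1 and `('drop', None)` for the address that no rule covers, which is the implicit deny. The `strict` exchange returns `('accept', 'drop')`: the SSH request gets in, but the reply is rejected by the outbound list, which is exactly the symptom the statelessness note warns about. A stateful security group would have allowed that reply automatically.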
Comparison between network ACLs and security groups
Network ACLs control the inbound and outbound traffic transmitted through the bound VSwitches. Security groups control the traffic transmitted to and from ECS instances. The following table lists the differences between network ACLs and security groups.
|Network ACL||Security group|
|Applied to VSwitches.||Applied to instances.|
|Stateless: Returned traffic must be allowed by rules.||Stateful: Returned traffic is automatically allowed, and not controlled by any rules.|
|Rules are evaluated in order of priority, and only the first matching rule is applied to each request.||All rules are evaluated before a decision is made for a request.|
|Each VSwitch can be associated with only one network ACL.||Each ECS instance can be added to multiple security groups.|
The following figure shows the layers of protection provided by network ACLs and security groups:
Before you use network ACLs, you must understand the following limits:
|Item||Limit||Quota increase supported|
|The maximum number of network ACLs that can be created for a VPC network||200||Not supported.|
|The maximum number of rules that can be added to a network ACL||||Submit a ticket.|
|The maximum number of network ACLs that can be associated with a VSwitch||1||Not supported.|
|Regions that support network ACLs||China (Qingdao), China (Beijing), China (Hohhot), China (Chengdu), China (Hangzhou), China (Shanghai), China (Shenzhen), China (Heyuan), China (Hong Kong), UK (London), US (Silicon Valley), Singapore, Germany (Frankfurt), and India (Mumbai)||Not supported.|
|VPCs that do not support network ACLs||VPCs that contain an instance that belongs to one of the following instance families: ecs.c1, ecs.c2, ecs.c4, ecs.ce4, ecs.cm4, ecs.d1, ecs.e3, ecs.e4, ecs.ga1, ecs.gn4, ecs.gn5, ecs.i1, ecs.m1, ecs.m2, ecs.mn4, ecs.n1, ecs.n2, ecs.n4, ecs.s1, ecs.s2, ecs.s3, ecs.se1, ecs.sn1, ecs.sn2, ecs.t1, and ecs.xn4. For more information, see VPC advanced features overview.||Upgrade or release the Elastic Compute Service (ECS) instance that does not support advanced network features.|
Note If your VPC network contains ECS instances of the preceding instance families and uses a network ACL, you must upgrade or release those instances. Otherwise, the network ACL may not work as expected, and traffic you intend to filter may pass unfiltered.
The following flowchart shows how to configure a network ACL.