A network access control list (ACL) is a feature provided by Virtual Private Cloud (VPC). It allows you to manage network access permissions. You can customize the rules of a network ACL and associate the network ACL with a VSwitch. This allows you to manage inbound and outbound network traffic of Elastic Compute Service (ECS) instances that are connected to the VSwitch.

Note To use the network ACL feature, submit a ticket.
Network ACL overview

Features

Network ACLs have the following characteristics:
  • A network ACL is used to filter inbound and outbound network traffic of ECS instances that are connected to a VSwitch in a VPC network. The network traffic forwarded to ECS instances by Server Load Balancer (SLB) instances is also filtered.
    Note If an ECS instance is associated with a secondary Elastic Network Interface (ENI) and that ENI is assigned an Elastic IP address in cut-through mode, the inbound and outbound network traffic of the ECS instance is not filtered by network ACLs.
  • Network ACLs are stateless. You must set outbound rules for allowed inbound network traffic. Otherwise, responses may not be returned.
  • All inbound and outbound traffic is denied until you add rules to network ACLs.
  • A network ACL does not filter the traffic forwarded between ECS instances that are connected to the same VSwitch.

Network ACL rules

You can add rules to or delete rules from a network ACL. Changes to the rules are automatically synchronized to the associated VSwitch. When you create a network ACL, a default inbound rule and a default outbound rule are created. These rules allow all inbound and outbound network traffic transmitted through the associated VSwitches. You can delete the default rules. The following table lists the settings of the default inbound and outbound rules.

  • Default inbound rule
    Effective order | Protocol | Source IP addresses | Destination port range | Action | Type
    1 | all | 0.0.0.0/0 | -1/-1 | Accept | Custom
  • Default outbound rule
    Effective order | Protocol | Destination IP addresses | Destination port range | Action | Type
    1 | all | 0.0.0.0/0 | -1/-1 | Accept | Custom
The parameters of a network ACL rule are described as follows:
  • Effective order: Rules take effect in the order of their priority. A smaller number indicates a higher priority. Network traffic is matched against the rules in descending order of priority, starting from rule number 1. For each request, the system applies only the first matching rule and ignores the remaining rules.

    For example, assume that the following outbound rules are added and an ECS instance sends requests destined for IP address 172.16.0.1. In the following table, the requests match Rules 2 and 3. Rule 2 has a higher priority than Rule 3, so the system applies Rule 2 and, based on the action of Rule 2, denies the requests.

    Effective order | Protocol | Destination IP addresses | Destination port range | Action | Type
    1 | all | 10.0.0.0/8 | -1/-1 | Accept | Custom
    2 | all | 172.16.0.0/12 | -1/-1 | Drop | Custom
    3 | all | 172.16.0.0/12 | -1/-1 | Accept | Custom
  • Action: indicates whether to allow or deny specific traffic.
  • Protocol: the protocol type. Available options include All, ICMP, GRE, TCP, and UDP.
  • Source IP addresses: the source IP addresses from which inbound traffic is transmitted.
  • Destination IP addresses: the destination IP addresses to which outbound traffic is transmitted.
  • Destination port range (inbound rule): the range of destination ports to which the inbound rule applies.
  • Destination port range (outbound rule): the range of destination ports to which the outbound rule applies.

Comparison between network ACLs and security groups

Network ACLs control the inbound and outbound traffic transmitted through the bound VSwitches. Security groups control the traffic transmitted to and from ECS instances. The following table lists the differences between network ACLs and security groups.

Network ACL | Security group
Applied to VSwitches. | Applied to instances.
Stateless: returned traffic must be allowed by rules. | Stateful: returned traffic is automatically allowed and is not controlled by any rules.
Rules are prioritized and matched against traffic in descending order of priority. Only one rule applies to each request. | All rules are evaluated before the traffic is matched.
Each VSwitch can be associated with only one network ACL. | Each ECS instance can be added to multiple security groups.
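The following Python model is an added example, not part of this page or of the VPC implementation. It models the two behaviours described above: the effective-order evaluation of network ACL rules (applied to the three-rule outbound table in the rule description, where the request to 172.16.0.1 is denied by Rule 2) and the stateless-versus-stateful difference from the comparison table, using an inbound SSH allow rule and a reply to a constructed client address 203.0.113.7 on ephemeral port 51234. The way a security group resolves conflicting matches is an assumption of the model and is marked as such in the code.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of the rule semantics described on this page; it is not
# the VPC implementation. "-1/-1" in the page's tables means "all ports".
ALL_PORTS = (-1, -1)


@dataclass(frozen=True)
class Rule:
    order: int        # effective order: a smaller number is a higher priority
    protocol: str     # "all", "tcp", "udp", "icmp" or "gre"
    cidr: str         # source CIDR (inbound rule) or destination CIDR (outbound rule)
    ports: tuple      # (low, high) destination port range; ALL_PORTS matches any port
    action: str       # "Accept" or "Drop"

    def matches(self, proto, ip, port):
        if self.protocol != "all" and self.protocol != proto:
            return False
        if ipaddress.ip_address(ip) not in ipaddress.ip_network(self.cidr):
            return False
        if self.ports != ALL_PORTS and not (self.ports[0] <= port <= self.ports[1]):
            return False
        return True


class NetworkAcl:
    """Stateless: rules are tried in effective order, only the first match is
    applied, and traffic that matches no rule is dropped."""

    def __init__(self, inbound=(), outbound=()):
        self.inbound = sorted(inbound, key=lambda r: r.order)
        self.outbound = sorted(outbound, key=lambda r: r.order)

    @staticmethod
    def _first_match(rules, proto, ip, port):
        for rule in rules:
            if rule.matches(proto, ip, port):
                return rule.action, rule.order   # remaining rules are ignored
        return "Drop", None                      # nothing matched: denied

    def inbound_request(self, proto, src_ip, dst_port):
        return self._first_match(self.inbound, proto, src_ip, dst_port)

    def outbound_request(self, proto, dst_ip, dst_port):
        return self._first_match(self.outbound, proto, dst_ip, dst_port)

    def reply_to_inbound(self, proto, peer_ip, peer_port):
        # No connection state: the reply is an ordinary outbound packet and
        # must be allowed by an outbound rule of its own.
        return self._first_match(self.outbound, proto, peer_ip, peer_port)


class SecurityGroup:
    """Stateful: every rule is evaluated for a new flow, and an accepted flow is
    remembered so its return traffic is allowed without any outbound rule.
    Assumption of this model (not stated on the page): a matching Drop rule
    overrides a matching Accept rule."""

    def __init__(self, inbound=()):
        self.inbound = list(inbound)
        self.flows = set()   # connection tracking table

    def inbound_request(self, proto, src_ip, src_port, dst_port):
        matched = [r for r in self.inbound if r.matches(proto, src_ip, dst_port)]
        if not matched or any(r.action == "Drop" for r in matched):
            return "Drop"
        self.flows.add((proto, src_ip, src_port, dst_port))
        return "Accept"

    def reply_to_inbound(self, proto, peer_ip, peer_port, local_port):
        # Return traffic of a tracked flow is allowed without consulting rules.
        return "Accept" if (proto, peer_ip, peer_port, local_port) in self.flows else "Drop"


def page_outbound_example():
    """The page's three outbound rules applied to a request for 172.16.0.1."""
    acl = NetworkAcl(outbound=[
        Rule(1, "all", "10.0.0.0/8", ALL_PORTS, "Accept"),
        Rule(2, "all", "172.16.0.0/12", ALL_PORTS, "Drop"),
        Rule(3, "all", "172.16.0.0/12", ALL_PORTS, "Accept"),
    ])
    return acl.outbound_request("tcp", "172.16.0.1", 443)   # ("Drop", 2)


def stateless_vs_stateful():
    """Same inbound SSH allow rule on an ACL and on a security group; only the
    reply to the (constructed) client 203.0.113.7:51234 behaves differently."""
    allow_ssh = Rule(1, "tcp", "0.0.0.0/0", (22, 22), "Accept")
    client, ephemeral = "203.0.113.7", 51234

    acl = NetworkAcl(inbound=[allow_ssh])          # no outbound rule at all
    acl_in, _ = acl.inbound_request("tcp", client, 22)
    acl_reply, _ = acl.reply_to_inbound("tcp", client, ephemeral)

    # The fix the page calls for: an outbound rule covering the reply traffic.
    fixed = NetworkAcl(inbound=[allow_ssh],
                       outbound=[Rule(1, "tcp", "0.0.0.0/0", (1024, 65535), "Accept")])
    fixed_reply, _ = fixed.reply_to_inbound("tcp", client, ephemeral)

    sg = SecurityGroup(inbound=[allow_ssh])
    sg_in = sg.inbound_request("tcp", client, ephemeral, 22)
    sg_reply = sg.reply_to_inbound("tcp", client, ephemeral, 22)
    return {"acl": (acl_in, acl_reply), "acl_with_outbound_rule": fixed_reply,
            "sg": (sg_in, sg_reply)}


if __name__ == "__main__":
    print(page_outbound_example())
    print(stateless_vs_stateful())
```

The ACL with only an inbound rule accepts the SSH request but drops the reply, which is the "responses may not be returned" failure mode; adding an outbound rule that covers the client's ephemeral port range restores the reply, while the security group needs no outbound rule because it tracks the flow.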

The following figure shows the layers of protection provided by network ACLs and security groups:

Protection layers provided by network ACLs and security groups

Limits

Before you use network ACLs, you must understand the following limits:

Item | Limit | Quota increase supported
The maximum number of network ACLs that can be created for a VPC network | 200 | Not supported.
The maximum number of rules that can be added to a network ACL | Inbound rules: 20; outbound rules: 20 | Submit a ticket.
The maximum number of network ACLs that can be associated with a VSwitch | 1 | Not supported.
Regions that support network ACLs | China (Qingdao), China (Beijing), China (Hohhot), China (Chengdu), China (Hangzhou), China (Shanghai), China (Shenzhen), China (Heyuan), China (Hong Kong), UK (London), US (Silicon Valley), Singapore, Germany (Frankfurt), and India (Mumbai) | Not supported.
VPCs that do not support network ACLs | VPCs that contain an instance that belongs to one of the following instance families: ecs.c1, ecs.c2, ecs.c4, ecs.ce4, ecs.cm4, ecs.d1, ecs.e3, ecs.e4, ecs.ga1, ecs.gn4, ecs.gn5, ecs.i1, ecs.m1, ecs.m2, ecs.mn4, ecs.n1, ecs.n2, ecs.n4, ecs.s1, ecs.s2, ecs.s3, ecs.se1, ecs.sn1, ecs.sn2, ecs.t1, and ecs.xn4. For more information, see VPC advanced features overview. | Upgrade or release an Elastic Compute Service (ECS) instance that does not support advanced network features.

Note If your VPC network contains ECS instances of the preceding instance families and uses a network ACL, you must upgrade or release the instances. Otherwise, the network ACL may not work as expected.

Procedure

The following flowchart shows how to configure a network ACL.

Network ACL configuration procedure