Network access control lists (ACLs) provided by Virtual Private Cloud (VPC) allow you to manage network access permissions. You can create network ACL rules and associate a network ACL with a vSwitch. This allows you to control inbound and outbound traffic of Elastic Compute Service (ECS) instances that are associated with the vSwitch.

Overview

Features and supported regions

The following table lists the regions that support network ACLs
Area Region
Asia Pacific China (Hohhot), China (Ulanqab), China (Heyuan), China (Guangzhou), China (Chengdu), and Indonesia (Jakarta)
Europe and Americas UK (London)
Middle East and India India (Mumbai)
The following table lists the regions where the network ACL feature is in public preview. To use this feature, you cansubmit a ticket.
Area Region
Asia Pacific China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hangzhou), China (Shanghai), China (Shenzhen), China (Hong Kong), Japan (Tokyo), Singapore (Singapore), Australia (Sydney), and Malaysia (Kuala Lumpur)
Europe and Americas US (Silicon Valley) and Germany (Frankfurt)
Middle East and India UAE (Dubai)

Features

Network ACLs have the following features:
  • A network ACL is used to filter inbound and outbound network traffic of ECS instances that are associated with a vSwitch in a VPC. The network traffic forwarded to ECS instances by Server Load Balancer (SLB) instances is also filtered.
    Note The inbound and outbound network traffic of an ECS instance are not filtered by network ACLs in the following scenario: The ECS instance is associated with a secondary elastic network interface (ENI) and the secondary ENI is assigned an elastic IP address (EIP) in cut-through mode. For more information, see Associate an EIP with a secondary ENI in cut-through mode.
  • Network ACLs are stateless. You must set both inbound and outbound rules. Otherwise, the system may fail to respond to requests.
  • If you create a network ACL that does not contain any rule, all inbound and outbound access are denied.
  • If a network ACL is associated with a vSwitch, the network ACL does not filter the traffic forwarded between ECS instances that are associated with the vSwitch.

Network ACL rules

You can add rules to or delete rules from a network ACL. Changes to the rules are automatically synchronized to the associated vSwitch. By default, an inbound and outbound rule are automatically added to a newly created network ACL. These rules allow all inbound and outbound network traffic transmitted through the associated vSwitch. You can delete the default rules. The following table lists the default inbound and outbound rules.

  • Default inbound rule
    Priority Protocol Source CIDR block Destination port range Action Type
    1 all 0.0.0.0/0 -1/-1 Allow Custom
  • Default outbound rule
    Priority Protocol Destination CIDR block Destination port range Action Type
    1 all 0.0.0.0/0 -1/-1 Allow Custom
A network ACL contains the following parameters:
  • Priority: A smaller value indicates a higher priority. The system attempts to match traffic requests with rules in descending order of priority starting from the rule whose priority is 1. If a request meets a rule, the system applies the rule to the request and ignores the other rules.

    For example, the following rules are added and requests destined for IP address 172.16.0.1 are sent from an ECS instance. In the following table, the requests match Rules 2 and 3. Rule 2 has a higher priority than Rule 3. Therefore, the system applies Rule 2. Based on the action of Rule 2, the requests are denied.

    Priority Protocol Destination CIDR block Destination port range Action Type
    1 all 10.0.0.0/8 -1/-1 Allow Custom
    2 all 172.16.0.0/12 -1/-1 Deny Custom
    3 all 172.16.0.0/12 -1/-1 Allow Custom
  • Policy: specifies whether to allow or deny specific traffic.
  • Protocol: the protocol type. Available options include All, ICMP, GRE, TCP, and UDP.
  • Source CIDR block: the source CIDR block from which inbound traffic is transmitted.
  • Destination CIDR block: the destination CIDR block to which outbound traffic is transmitted.
  • Destination port range: the range of destination ports to which the inbound rule applies.
  • Destination port range: the range of destination ports to which the outbound rule applies.

Comparison between network ACLs and security groups

Network ACLs control data transmitted through associated vSwitches while security groups control data transmitted through associated ECS instances. The following table lists the differences between network ACLs and security groups.

Network ACL Security groups
Applied to vSwitches. Applied to instances.
Stateless: Returned traffic must be allowed by inbound rules. Stateful: Returned traffic is automatically allowed and not affected by any rule.
The system attempts to match requests with rules in descending order of priority. Not all rules are matched. The system matches a request against all rules before a rule is applied.
Each vSwitch can be associated with only one network ACL. Each ECS instance can be added to more than one security group.

The following figure shows how network ACLs and security groups are applied to ensure network security.

How network ACLs and security groups are applied

Limits

Before you use network ACLs, take note of the following limits.

Item Limit Adjustable
Number of network ACLs that can be created in each VPC 200 N/A
Number of network ACLs that can be associated with a vSwitch 1
Number of rules that can be added to a network ACL
  • Inbound rules: 20
  • Outbound rules: 20

Go to the Quota Management page to increase the quota. For more information, see Manage service quotas.

VPCs that do not support network ACLs VPCs that contain ECS instances of the following instance families:

ecs.c1, ecs.c2, ecs.c4, ecs.ce4, ecs.cm4, ecs.d1, ecs.e3, ecs.e4, ecs.ga1, ecs.gn4, ecs.gn5, ecs.i1, ecs.m1, ecs.m2, ecs.mn4, ecs.n1, ecs.n2, ecs.n4, ecs.s1, ecs.s2, ecs.s3, ecs.se1, ecs.sn1, ecs.sn2, ecs.t1, and ecs.xn4.

For more information, see VPC advanced features.

Upgrade or release an Elastic Compute Service (ECS) instance that does not support advanced network features.
Note If the VPC contains one of the specified ECS instance families and the network ACL feature is enabled, you must upgrade or release the ECS instance for the network ACL to function as expected.

Procedure

The following flowchart shows how to use a network ACL.

Procedure