A network access control list (ACL) allows you to manage network access in a virtual private cloud (VPC). You can create a network ACL in a VPC and add inbound and outbound rules to the ACL. After you create a network ACL, you can associate it with a vSwitch. This way, you can use the network ACL to manage the traffic of the Elastic Compute Service (ECS) instances in the vSwitch.

Operations

Create a network ACL

Before you begin, make sure that a VPC is created. For more information, see Create a VPC.

  1. Log on to the VPC console.
  2. In the left-side navigation pane, click Network ACL.
  3. In the top navigation bar, select the region where you want to create the network ACL.
    For more information about the regions that support network ACLs, see Features and supported regions.
  4. On the Network ACL page, click Create Network ACL.
  5. In the Create Network ACL dialog box, set the following parameters and click OK.
    VPC: Select the VPC for which you want to create the network ACL.
    Note: The VPC and the network ACL must be deployed in the same region.

    If the VPC contains an ECS instance that belongs to one of the following instance families, you cannot create a network ACL for the VPC:

    ecs.c1, ecs.c2, ecs.c4, ecs.ce4, ecs.cm4, ecs.d1, ecs.e3, ecs.e4, ecs.ga1, ecs.gn4, ecs.gn5, ecs.i1, ecs.m1, ecs.m2, ecs.mn4, ecs.n1, ecs.n2, ecs.n4, ecs.s1, ecs.s2, ecs.s3, ecs.se1, ecs.sn1, ecs.sn2, ecs.t1, and ecs.xn4.

    These instance families do not support advanced VPC features, so you must upgrade or release such instances first. If the network ACL feature is enabled while the VPC still contains an instance of one of these families, upgrade or release that instance for the network ACL to work as expected. For more information about advanced VPC features, see Overview of VPC advanced features.

    Name: Enter a name for the network ACL. The name must be 2 to 128 characters in length and can contain letters, digits, underscores (_), and hyphens (-). It must start with a letter.

    Description: Enter a description for the network ACL. The description must be 2 to 256 characters in length and cannot start with http:// or https://.

Add a rule to the network ACL

After you create a network ACL, you can add inbound and outbound rules to it. Inbound rules control whether the ECS instances in the associated vSwitch can be reached from the Internet or from private networks. Outbound rules control whether those instances can reach the Internet or private networks. Network ACL rules are stateless: an inbound rule that accepts a request does not implicitly allow the response, so you must also add an outbound rule that accepts the return traffic (and the other way round for connections initiated by the instances).

  1. Log on to the VPC console.
  2. In the left-side navigation pane, click Network ACL.
  3. In the top navigation bar, select the region where the network ACL is created.
  4. On the Network ACL page, find the network ACL and click its ID.
  5. On the Basic Information page, you can create inbound and outbound rules.
    • Create an inbound rule
      1. On the Inbound Rule tab, click Create Inbound Rule.
      2. Set the following parameters and click OK.
        Priority: The order in which the inbound rule takes effect. A smaller value indicates a higher priority. You can create at most 20 inbound rules. For more information, see Effective order.

        Name: Enter a name for the inbound rule. The name must be 2 to 128 characters in length and can contain letters, digits, underscores (_), and hyphens (-). It must start with a letter and cannot start with http:// or https://.

        Action: Select an action for the inbound rule. Valid values:
        • Accept: the matching traffic can reach the ECS instances in the vSwitch.
        • Drop: the matching traffic cannot reach the ECS instances in the vSwitch.

        Protocol: Select a Layer 4 protocol. Valid values:
        • ALL: all protocols.
        • ICMP: Internet Control Message Protocol (ICMP).
        • GRE: Generic Routing Encapsulation (GRE).
        • TCP: Transmission Control Protocol (TCP).
        • UDP: User Datagram Protocol (UDP).

        Source IP Address: The source CIDR block from which the data is sent. Default value: 0.0.0.0/32. Note that 0.0.0.0/32 matches only the single address 0.0.0.0; to match every source, use 0.0.0.0/0, and prefer the narrowest CIDR block that covers the expected clients.

        Source Port Range: Enter the source port range. Valid values: 1 to 65535. Separate the first port and the last port with a forward slash (/), for example 1/200 or 80/80. The value -1/-1 matches all ports. Do not set an Accept rule to -1/-1 unless you intend to open every port; restrict the range to the ports the service actually uses.

    • Create an outbound rule
      1. On the Outbound Rule tab, click Manage Outbound Rule.
      2. Set the following parameters and click OK.
        Priority: The order in which the outbound rule takes effect. A smaller value indicates a higher priority. You can create at most 20 outbound rules. For more information, see Effective order.

        Rule Name: Enter a name for the outbound rule. The name must be 2 to 128 characters in length and can contain letters, digits, underscores (_), and hyphens (-). It must start with a letter and cannot start with http:// or https://.

        Action: Select an action for the outbound rule. Valid values:
        • Accept: ECS instances in the vSwitch are allowed to send the matching traffic to the Internet or private networks.
        • Drop: ECS instances in the vSwitch are not allowed to send the matching traffic to the Internet or private networks.

        Protocol: Select a Layer 4 protocol. Valid values:
        • ALL: all protocols.
        • ICMP: Internet Control Message Protocol (ICMP).
        • GRE: Generic Routing Encapsulation (GRE).
        • TCP: Transmission Control Protocol (TCP).
        • UDP: User Datagram Protocol (UDP).

        Destination IP Addresses: The destination CIDR block to which the data is sent. Default value: 0.0.0.0/32. Note that 0.0.0.0/32 matches only the single address 0.0.0.0; to match every destination, use 0.0.0.0/0.

        Destination Port Range: Enter the destination port range. Valid values: 1 to 65535. Separate the first port and the last port with a forward slash (/), for example 1/200 or 80/80. The value -1/-1 matches all ports. Do not set an Accept rule to -1/-1 unless you intend to open every port; for reply traffic to clients, a range covering the clients' ephemeral ports is usually sufficient.

Prioritize a network ACL rule

Network ACL rules are evaluated in order of priority. A smaller value indicates a higher priority, and the first rule that matches the traffic decides whether the traffic is accepted or dropped; later rules are not consulted. Place specific Drop rules above broad Accept rules, and reorder rules as your business requirements change.

  1. Log on to the VPC console.
  2. In the left-side navigation pane, click Network ACL.
  3. In the top navigation bar, select the region where the network ACL is created.
  4. On the Network ACL page, find the network ACL and click its ID.
  5. On the Basic Information page, you can prioritize an inbound or an outbound rule.
    • Prioritize an inbound rule
      1. On the Inbound Rule tab, click Create Inbound Rule.
      2. Drag an inbound rule up or down, and click OK.
    • Prioritize an outbound rule
      1. On the Outbound Rule tab, click Manage Outbound Rule.
      2. Drag an outbound rule up or down, and click OK.
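The rule semantics described in the two rule tables above and in the priority order described in this section, as an added example that is not part of this page and not Alibaba Cloud's own code. It is a stand-alone Python model of a stateless ACL: rules are sorted by priority, the first match decides, and a TCP session is only usable when the request passes the inbound rules and the reply passes the outbound rules. Rule names, CIDR blocks and port values are constructed. Two modelling assumptions: traffic that matches no rule is dropped, and a rule's port range is compared with the packet's destination port in each direction (the service port for an inbound request, the client's ephemeral port for the outbound reply); verify both against the console's actual behaviour before relying on them.

```python
"""Stateless network ACL evaluator (added example, not Alibaba Cloud code).

Each rule has a priority (smaller value is evaluated first), an Action
(Accept/Drop), a Layer 4 protocol, a CIDR block and a port range written as
"first/last" ("-1/-1" = all ports). Rules are evaluated in ascending priority
and the first match decides. Assumptions of this model: traffic matching no
rule is dropped, and the port range is compared with the packet's destination
port in both directions.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

MAX_RULES = 20        # the console allows at most 20 rules per direction
ALL_PORTS = "-1/-1"


def parse_port_range(spec: str) -> Tuple[int, int]:
    """'80/80' -> (80, 80); '1/200' -> (1, 200); '-1/-1' -> (1, 65535)."""
    first, last = (int(p) for p in spec.split("/"))
    if (first, last) == (-1, -1):
        return 1, 65535
    if not 1 <= first <= last <= 65535:
        raise ValueError(f"invalid port range: {spec}")
    return first, last


@dataclass(frozen=True)
class Rule:
    priority: int
    name: str
    action: str     # "Accept" or "Drop"
    protocol: str   # "ALL", "ICMP", "GRE", "TCP" or "UDP"
    cidr: str       # source CIDR for inbound rules, destination CIDR for outbound rules
    ports: str      # "first/last", or "-1/-1" for all ports

    def matches(self, proto: str, addr: str, port: int) -> bool:
        if self.protocol not in ("ALL", proto):
            return False
        # "0.0.0.0/32" contains only the address 0.0.0.0; "0.0.0.0/0" means any address.
        if ipaddress.ip_address(addr) not in ipaddress.ip_network(self.cidr, strict=False):
            return False
        if proto in ("TCP", "UDP"):
            lo, hi = parse_port_range(self.ports)
            return lo <= port <= hi
        return True     # ICMP and GRE carry no port, so the range is ignored


class NetworkAcl:
    def __init__(self, inbound: List[Rule], outbound: List[Rule]):
        for rules in (inbound, outbound):
            if len(rules) > MAX_RULES:
                raise ValueError(f"at most {MAX_RULES} rules per direction")
            if len({r.priority for r in rules}) != len(rules):
                raise ValueError("rule priorities must be unique")
        self.inbound = sorted(inbound, key=lambda r: r.priority)
        self.outbound = sorted(outbound, key=lambda r: r.priority)

    @staticmethod
    def _verdict(rules: List[Rule], proto: str, addr: str, port: int) -> str:
        for rule in rules:              # ascending priority: first match wins
            if rule.matches(proto, addr, port):
                return rule.action
        return "Drop"                   # assumption: no matching rule -> dropped

    def inbound_verdict(self, proto: str, src_addr: str, dst_port: int) -> str:
        return self._verdict(self.inbound, proto, src_addr, dst_port)

    def outbound_verdict(self, proto: str, dst_addr: str, dst_port: int) -> str:
        return self._verdict(self.outbound, proto, dst_addr, dst_port)

    def tcp_session_allowed(self, client_addr: str, server_port: int, client_port: int) -> bool:
        """Stateless: the request must pass inbound AND the reply must pass outbound."""
        return (self.inbound_verdict("TCP", client_addr, server_port) == "Accept"
                and self.outbound_verdict("TCP", client_addr, client_port) == "Accept")


def example_acl(block_priority: int = 1, allow_replies: bool = True) -> NetworkAcl:
    """Constructed sample: drop one abusive /24, accept HTTPS from anywhere else."""
    inbound = [
        Rule(block_priority, "drop-abuser", "Drop", "TCP", "203.0.113.0/24", ALL_PORTS),
        Rule(5, "allow-https", "Accept", "TCP", "0.0.0.0/0", "443/443"),
    ]
    outbound = []
    if allow_replies:   # replies go back to the client's ephemeral port
        outbound.append(Rule(1, "allow-replies", "Accept", "TCP", "0.0.0.0/0", "1024/65535"))
    return NetworkAcl(inbound, outbound)


if __name__ == "__main__":
    acl = example_acl()
    print(acl.tcp_session_allowed("198.51.100.7", 443, 50000))   # True
    print(acl.tcp_session_allowed("203.0.113.9", 443, 50000))    # False: Drop at priority 1 wins
    print(example_acl(block_priority=9).tcp_session_allowed("203.0.113.9", 443, 50000))  # True: Accept at 5 is hit first
    print(example_acl(allow_replies=False).tcp_session_allowed("198.51.100.7", 443, 50000))  # False: reply dropped
```

The last two calls are the two mistakes the rule tables invite: moving the Drop rule below the broad Accept makes it dead, and forgetting the outbound Accept for reply traffic makes an inbound Accept useless because the rules are stateless.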

Associate a network ACL with a vSwitch

Before you associate a network ACL with a vSwitch, make sure that the following requirements are met:
  • A network ACL is created and network ACL rules are added to it.
  • A vSwitch is created. The vSwitch and network ACL belong to the same virtual private cloud (VPC). For more information, see Work with vSwitches.
  1. Log on to the VPC console.
  2. In the left-side navigation pane, click Network ACL.
  3. In the top navigation bar, select the region where the network ACL is created.
  4. On the Network ACL page, find the network ACL and click Associate vSwitch in the Actions column.
  5. On the Resources tab, click Associate vSwitch.
  6. In the Associate vSwitch dialog box, select the vSwitch and click OK.
    The network ACL and vSwitch must belong to the same VPC. A vSwitch can be associated with only one network ACL.

Disassociate a network ACL from a vSwitch

You can disassociate a network ACL from a vSwitch. After the network ACL is disassociated from the vSwitch, the network ACL no longer controls traffic of ECS instances in the vSwitch.

  1. Log on to the VPC console.
  2. In the left-side navigation pane, click Network ACL.
  3. In the top navigation bar, select the region where the network ACL is created.
  4. On the Network ACL page, find the network ACL and click Associate vSwitch in the Actions column.
  5. On the Associate vSwitch tab, find the vSwitch and click Unbind in the Actions column.
  6. In the Unbind Network ACL message, click OK.

Delete a network ACL

  1. Log on to the VPC console.
  2. In the left-side navigation pane, click Network ACL.
  3. In the top navigation bar, select the region where the network ACL is created.
  4. On the Network ACL page, find the network ACL and click Delete in the Actions column.
  5. In the Delete Network ACL message, click OK.
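A configuration check for the association, disassociation and deletion steps above, as an added example that is not part of this page and not Alibaba Cloud's own code. It walks a constructed list of ACL descriptions and reports vSwitches with no ACL associated, ACLs associated with nothing (candidates for deletion), Accept rules that match every address and every port, and ACLs that accept inbound requests without any outbound Accept rule for the replies. The dictionary layout follows the DescribeNetworkAclAttributes response as this editor recalls it (IngressAclEntries/IngressAclEntry, EgressAclEntries/EgressAclEntry, Resources/Resource); treat those key names, the ACL and vSwitch IDs and the sample status value as assumptions and adapt them to what your SDK or the CLI actually returns.

```python
"""Configuration audit for network ACLs (added example, not Alibaba Cloud code).

ACLS and VSWITCHES are constructed sample data. Key names mimic the
DescribeNetworkAclAttributes response as recalled by the author of this
example and are assumptions; adapt them to your SDK's real output.
"""
from typing import Dict, List

ALL_PORTS = "-1/-1"
ANY_ADDRESS = "0.0.0.0/0"

ACLS: List[Dict] = [  # constructed sample data
    {
        "NetworkAclId": "nacl-example-web",
        "IngressAclEntries": {"IngressAclEntry": [
            {"NetworkAclEntryName": "allow-https", "Policy": "accept", "Protocol": "tcp",
             "SourceCidrIp": ANY_ADDRESS, "Port": "443/443"},
            {"NetworkAclEntryName": "allow-all-in", "Policy": "accept", "Protocol": "all",
             "SourceCidrIp": ANY_ADDRESS, "Port": ALL_PORTS},
        ]},
        "EgressAclEntries": {"EgressAclEntry": [
            {"NetworkAclEntryName": "allow-replies", "Policy": "accept", "Protocol": "tcp",
             "DestinationCidrIp": ANY_ADDRESS, "Port": "1024/65535"},
        ]},
        "Resources": {"Resource": [
            {"ResourceId": "vsw-example-a", "ResourceType": "VSwitch", "Status": "BINDED"}]},
    },
    {
        "NetworkAclId": "nacl-example-ssh",
        "IngressAclEntries": {"IngressAclEntry": [
            {"NetworkAclEntryName": "allow-ssh", "Policy": "accept", "Protocol": "tcp",
             "SourceCidrIp": "10.0.0.0/8", "Port": "22/22"},
        ]},
        "EgressAclEntries": {"EgressAclEntry": []},    # replies can never leave
        "Resources": {"Resource": [
            {"ResourceId": "vsw-example-c", "ResourceType": "VSwitch", "Status": "BINDED"}]},
    },
    {
        "NetworkAclId": "nacl-example-empty",
        "IngressAclEntries": {"IngressAclEntry": []},
        "EgressAclEntries": {"EgressAclEntry": []},
        "Resources": {"Resource": []},                  # associated with nothing
    },
]
VSWITCHES = ["vsw-example-a", "vsw-example-b", "vsw-example-c"]  # constructed

DIRECTIONS = (("IngressAclEntries", "IngressAclEntry", "SourceCidrIp"),
              ("EgressAclEntries", "EgressAclEntry", "DestinationCidrIp"))


def _accepts(entry: Dict) -> bool:
    return entry["Policy"].lower() == "accept"


def wide_open_entries(acls: List[Dict]) -> List[str]:
    """Accept entries matching every address and every port: the ACL adds no protection there."""
    findings = []
    for acl in acls:
        for container, item, cidr_key in DIRECTIONS:
            for entry in acl[container][item]:
                if _accepts(entry) and entry[cidr_key] == ANY_ADDRESS and entry["Port"] == ALL_PORTS:
                    findings.append(f"{acl['NetworkAclId']}/{entry['NetworkAclEntryName']}")
    return findings


def missing_outbound_accept(acls: List[Dict]) -> List[str]:
    """ACLs that accept inbound requests but accept nothing outbound: stateless rules drop the replies."""
    return [acl["NetworkAclId"] for acl in acls
            if any(_accepts(e) for e in acl["IngressAclEntries"]["IngressAclEntry"])
            and not any(_accepts(e) for e in acl["EgressAclEntries"]["EgressAclEntry"])]


def unprotected_vswitches(vswitches: List[str], acls: List[Dict]) -> List[str]:
    """vSwitches with no network ACL associated (a vSwitch can have at most one)."""
    covered = {r["ResourceId"] for acl in acls for r in acl["Resources"]["Resource"]
               if r["ResourceType"] == "VSwitch"}
    return [v for v in vswitches if v not in covered]


def unused_acls(acls: List[Dict]) -> List[str]:
    """ACLs associated with no resource: they protect nothing and are candidates for deletion."""
    return [acl["NetworkAclId"] for acl in acls if not acl["Resources"]["Resource"]]


if __name__ == "__main__":
    print("wide-open accept entries:", wide_open_entries(ACLS))            # ['nacl-example-web/allow-all-in']
    print("no outbound accept:", missing_outbound_accept(ACLS))            # ['nacl-example-ssh']
    print("unprotected vSwitches:", unprotected_vswitches(VSWITCHES, ACLS))  # ['vsw-example-b']
    print("unused ACLs:", unused_acls(ACLS))                                # ['nacl-example-empty']
```

Run it against real output by replacing ACLS with the parsed response for every ACL in the region and VSWITCHES with the vSwitch IDs of the VPC; the checks only compare strings, so the main thing to adjust is the key names.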