
Virtual Private Cloud: Create and manage a network ACL

Last Updated: Feb 22, 2024

You can create a network ACL in a VPC and add inbound and outbound rules to the network ACL. After you create a network ACL, you can associate the network ACL with a vSwitch to enable access control for the vSwitch.

Prerequisites

A VPC and a vSwitch are created. For more information, see Create and manage a VPC and Create and manage a vSwitch.

Create a network ACL

  1. Log on to the VPC console.

  2. In the left-side navigation pane, choose ACL > Network ACL.

  3. In the top navigation bar, select the region where you want to create a network ACL.

    For more information about the regions that support network ACLs, see Feature release and supported regions.

  4. On the Network ACL page, click Create Network ACL.

  5. In the Create Network ACL dialog box, set the following parameters and click OK.

    Parameter | Description

    VPC | Select the VPC for which you want to create the network ACL.

      Note: The VPC and network ACL must be deployed in the same region.

      If the VPC contains an ECS instance that belongs to one of the following instance families, you cannot create a network ACL for the VPC: ecs.c1, ecs.c2, ecs.c4, ecs.ce4, ecs.cm4, ecs.d1, ecs.e3, ecs.e4, ecs.ga1, ecs.gn4, ecs.gn5, ecs.i1, ecs.m1, ecs.m2, ecs.mn4, ecs.n1, ecs.n2, ecs.n4, ecs.s1, ecs.s2, ecs.s3, ecs.se1, ecs.sn1, ecs.sn2, ecs.t1, and ecs.xn4.

      In this case, you must upgrade or release the ECS instances that do not support advanced VPC features. For more information about advanced VPC features, see Advanced VPC features.

      Note: If the VPC contains one of the specified ECS instance types and the network ACL feature is enabled, you must upgrade or release the ECS instance for the network ACL to work as expected.

    Name | Enter a name for the network ACL.

    Description | Enter a description for the network ACL.

Add rules to the network ACL

After you create a network ACL, you can add inbound and outbound rules to it. Inbound rules control whether the ECS instances in a vSwitch can be accessed over the Internet or from private networks. Outbound rules control whether the ECS instances in a vSwitch can access the Internet or private networks.

Important

Network ACLs are stateless: they do not track connections, so response traffic is evaluated against the rules in the opposite direction. If you configure an inbound rule that allows traffic, you must also configure a corresponding outbound rule that allows the response traffic. Otherwise, the system may fail to respond to requests.

  1. Log on to the VPC console.

  2. In the left-side navigation pane, choose ACL > Network ACL.

  3. In the top navigation bar, select the region to which the network ACL that you want to manage belongs.

  4. On the Network ACL page, find the network ACL that you want to manage and click its ID.

  5. On the Basic Information page, you can create inbound or outbound rules.

    • Create an inbound rule

      1. Click the Inbound Rule tab, and then click Manage Inbound Rule.

      2. Set the following parameters and click OK.

        Parameter | Description

        Priority | Specify the priority of the inbound rule. A smaller value indicates a higher priority. You can create at most 20 rules. For more information, see Rule priorities.

        Rule Name | Enter a name for the inbound rule.

        Policy | Select an action for the inbound rule. Valid values:

          • Allow: accepts network traffic that is destined for the ECS instances connected to the vSwitch.

          • Deny: drops network traffic that is destined for the ECS instances connected to the vSwitch.

        Protocol | Select a protocol. Valid values:

          • ALL

          • ICMP

          • GRE

          • TCP

          • UDP

          • ICMPv6: you can specify only an IPv6 CIDR block. IPv6 is available only in the Philippines (Manila) region.

        CIDR Block Type | Select an IP version. Valid values:

          • IPv4

          • IPv6: available only in the Philippines (Manila) region.

        Source IP Address | Specify the source CIDR block from which traffic is sent. Default value: 0.0.0.0/0.

        Destination Port Range | Enter the destination port range of the inbound rule. Use a forward slash (/) to separate the start port from the end port. Examples: 1/200 and 80/80. Valid port numbers: 1 to 65535, or 0 to 65535 in the Philippines (Manila) region. A value of -1/-1 indicates all ports. If you select ALL, ICMP, or GRE, the port range cannot be set and -1/-1 is used automatically. If you select TCP or UDP, do not set the value to -1/-1.

    • Create an outbound rule

      1. Click the Outbound Rule tab, and then click Manage Outbound Rule.

      2. Set the following parameters and click OK.

        Parameter | Description

        Priority | Specify a priority for the outbound rule. A smaller value indicates a higher priority. You can create at most 20 rules. For more information, see Rule priorities.

        Rule Name | Enter a name for the outbound rule.

        Policy | Select an action for the outbound rule. Valid values:

          • Allow: allows ECS instances connected to the vSwitch to access the Internet or other private networks.

          • Deny: prevents ECS instances connected to the vSwitch from accessing the Internet or other private networks.

        Protocol | Select a protocol. Valid values:

          • ALL

          • ICMP

          • GRE

          • TCP

          • UDP

          • ICMPv6: you can specify only an IPv6 CIDR block. IPv6 is available only in the Philippines (Manila) region.

        CIDR Block Type | Select an IP version. Valid values:

          • IPv4

          • IPv6: available only in the Philippines (Manila) region.

        Destination IP Address | Specify the destination CIDR block of the traffic. Default value: 0.0.0.0/32.

        Destination Port Range | Enter the destination port range of the outbound rule. Use a forward slash (/) to separate the start port from the end port. Examples: 1/200 and 80/80. Valid port numbers: 1 to 65535, or 0 to 65535 in the Philippines (Manila) region. A value of -1/-1 indicates all ports; do not set the value to -1/-1 yourself.
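The rule tables above, the Important note on stateless evaluation, and the priority ordering described in the next section can be checked against a small model. The following Python is an added example, not Alibaba Cloud's code: it validates the console's start/end port format (including the -1/-1 convention and the port-0 exception for the Philippines (Manila) region), applies rules by ascending priority value, and shows why an inbound Allow without a matching outbound Allow leaves a request unanswered. Two things the page does not state are assumed here and marked as assumptions in the code: first-match evaluation within each direction, and that a leg with no matching rule is treated as not allowed. All rule sets, rule names and addresses are constructed for the example.

```python
"""Model of the network ACL rule semantics described on this page.
Assumptions (not stated on the page): first-match evaluation by ascending
priority value; a leg with no matching rule counts as not allowed.
Sample rules and addresses are constructed."""
import ipaddress
from dataclasses import dataclass

PORTLESS = {"all", "icmp", "gre"}   # console fixes the range to -1/-1 for these
MAX_RULES = 20                      # per direction, as stated on the page


def parse_port_range(text, protocol, manila=False):
    """Parse a console-style "start/end" range and return (start, end).
    ALL/ICMP/GRE always yield (-1, -1); TCP/UDP must not be typed as -1/-1."""
    proto = protocol.lower()
    if proto in PORTLESS:
        if text not in ("", "-1/-1"):
            raise ValueError(f"{protocol} does not take a port range")
        return (-1, -1)
    if text == "-1/-1":
        raise ValueError("do not enter -1/-1 for TCP or UDP")
    start, sep, end = text.partition("/")
    if not sep:
        raise ValueError("use start/end, for example 1/200 or 80/80")
    lo, hi = int(start), int(end)
    floor = 0 if manila else 1      # Philippines (Manila) also accepts port 0
    if not (floor <= lo <= hi <= 65535):
        raise ValueError(f"ports must satisfy {floor} <= start <= end <= 65535")
    return (lo, hi)


@dataclass(frozen=True)
class Rule:
    priority: int     # smaller value = higher priority
    name: str
    policy: str       # "Allow" or "Deny"
    protocol: str     # ALL, ICMP, GRE, TCP, UDP, ICMPv6
    cidr: str         # source CIDR (inbound) or destination CIDR (outbound)
    ports: tuple      # (start, end), or (-1, -1) for all ports

    def matches(self, protocol, address, port):
        if self.protocol.lower() not in ("all", protocol.lower()):
            return False
        if ipaddress.ip_address(address) not in ipaddress.ip_network(self.cidr, strict=False):
            return False
        return self.ports == (-1, -1) or self.ports[0] <= port <= self.ports[1]


def make_rule(priority, name, policy, protocol, cidr, port_text, manila=False):
    return Rule(priority, name, policy, protocol, cidr,
                parse_port_range(port_text, protocol, manila))


def evaluate(rules, protocol, address, port):
    """Assumed first-match: walk rules by ascending priority value and return
    (policy, rule name) of the first match, or (None, None) if nothing matches."""
    if len(rules) > MAX_RULES:
        raise ValueError(f"at most {MAX_RULES} rules per direction")
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(protocol, address, port):
            return rule.policy, rule.name
    return None, None


def session_allowed(inbound, outbound, client_ip, server_port, client_port, protocol="TCP"):
    """Stateless check of one client -> server exchange through the vSwitch.
    Request leg: inbound rules see the client as source and server_port as destination.
    Response leg: outbound rules see the client as destination and its ephemeral
    client_port as destination port. Both legs must hit an explicit Allow (assumption)."""
    request, _ = evaluate(inbound, protocol, client_ip, server_port)
    response, _ = evaluate(outbound, protocol, client_ip, client_port)
    return request == "Allow" and response == "Allow"


# Constructed sample rule sets.
INBOUND = [
    make_rule(1, "block-lab-net", "Deny", "TCP", "10.0.0.0/8", "80/80"),
    make_rule(2, "web-in", "Allow", "TCP", "0.0.0.0/0", "80/80"),
    make_rule(3, "ping-in", "Allow", "ICMP", "0.0.0.0/0", "-1/-1"),
    make_rule(20, "deny-rest", "Deny", "ALL", "0.0.0.0/0", ""),
]
OUTBOUND_INCOMPLETE = [        # forgets the response leg to ephemeral client ports
    make_rule(1, "https-out", "Allow", "TCP", "0.0.0.0/0", "443/443"),
]
OUTBOUND_COMPLETE = OUTBOUND_INCOMPLETE + [
    make_rule(2, "ephemeral-out", "Allow", "TCP", "0.0.0.0/0", "1024/65535"),
]

if __name__ == "__main__":
    print(evaluate(INBOUND, "TCP", "10.1.2.3", 80))        # ('Deny', 'block-lab-net')
    print(evaluate(INBOUND, "TCP", "203.0.113.5", 80))     # ('Allow', 'web-in')
    print(session_allowed(INBOUND, OUTBOUND_INCOMPLETE, "203.0.113.5", 80, 51000))  # False
    print(session_allowed(INBOUND, OUTBOUND_COMPLETE, "203.0.113.5", 80, 51000))    # True
```

The two `session_allowed` calls are the point of the Important note: the inbound `web-in` rule admits the request on port 80, but with `OUTBOUND_INCOMPLETE` the reply to the client's ephemeral port matches no outbound Allow, so the exchange fails until an outbound rule covering the ephemeral range is added. The first two `evaluate` calls show priority ordering: the Deny at priority 1 for 10.0.0.0/8 wins over the broader Allow at priority 2 for the same port.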

Change the priorities of network ACL rules

Network ACL rules are applied in order of priority, from the highest priority to the lowest. A smaller value indicates a higher priority. You can reorder network ACL rules based on your business requirements.

  1. Log on to the VPC console.

  2. In the left-side navigation pane, choose ACL > Network ACL.

  3. In the top navigation bar, select the region to which the network ACL that you want to manage belongs.

  4. On the Network ACL page, find the network ACL that you want to manage and click its ID.

  5. On the Basic Information page, you can change the priorities of inbound and outbound rules.

    • Change the priority of an inbound rule

      1. Click the Inbound Rule tab, and then click Manage Inbound Rule.

      2. Drag and drop an inbound rule upwards or downwards, and then click OK.

    • Change the priority of an outbound rule

      1. Click the Outbound Rule tab, and then click Manage Outbound Rule.

      2. Drag and drop an outbound rule upwards or downwards, and then click OK.

Associate a network ACL with a vSwitch

Before you associate a network ACL with a vSwitch, make sure that the following requirements are met:

  • A network ACL is created and network ACL rules are added to it.

  • The vSwitch and the network ACL must belong to the same VPC.

  1. Log on to the VPC console.

  2. In the left-side navigation pane, choose ACL > Network ACL.

  3. In the top navigation bar, select the region to which the network ACL that you want to manage belongs.

  4. On the Network ACL page, find the network ACL that you want to manage and click Associate vSwitch in the Actions column.

  5. On the Associated Resources tab, click Associate vSwitch.

  6. In the Associate vSwitch dialog box, select the vSwitch that you want to associate and click OK.

    The network ACL and vSwitch must belong to the same VPC. A vSwitch can be associated with only one network ACL.

Disassociate a network ACL from a vSwitch

You can disassociate a network ACL from a vSwitch. After the network ACL is disassociated from the vSwitch, the network ACL no longer controls traffic that flows through the ECS instances connected to the vSwitch.

  1. Log on to the VPC console.

  2. In the left-side navigation pane, choose ACL > Network ACL.

  3. In the top navigation bar, select the region to which the network ACL that you want to manage belongs.

  4. On the Network ACL page, find the network ACL that you want to manage and click Associate vSwitch in the Actions column.

  5. On the Associated Resources tab, find the vSwitch and click Unbind in the Actions column.

  6. In the Disassociate Network ACL message, click OK.

Delete a network ACL

Before you delete a network ACL, you must disassociate the network ACL from the vSwitch.

  1. Log on to the VPC console.

  2. In the left-side navigation pane, choose ACL > Network ACL.

  3. In the top navigation bar, select the region to which the network ACL that you want to manage belongs.

  4. On the Network ACL page, find the network ACL that you want to delete and click Delete in the Actions column.

  5. In the Delete Network ACL message, click OK.
