This topic describes how to add an inbound rule to a network access control list (ACL). You can associate a network ACL with a VSwitch and then use inbound rules to allow or deny network traffic sent from a public or internal network to the ECS instances connected to the VSwitch.


You have created a network ACL. For more information, see Create a network ACL.


  1. Log on to the VPC console.
  2. In the left-side navigation pane, click Network ACL.
  3. In the top navigation bar, select the region of the network ACL.
  4. On the Network ACL page, find the target network ACL, and then click Inbound Rule in the Actions column.
  5. On the Inbound Rule tab, click Create Inbound Rule.
  6. On the Create Inbound Rule page, configure the inbound rule according to the following information, and then click OK.
    | Parameter | Description |
    | --- | --- |
    | Name | Enter a name for the inbound rule to be created. The name must be 2 to 128 characters in length and can contain letters, numbers, underscores (_), and hyphens (-). The name must start with a letter or Chinese character and cannot start with http:// or https://. |
    | Effective order | The order in which the inbound rule is evaluated. Valid values: 1 to 20. A smaller number indicates a higher priority. For more information, see Rule evaluation order. |
    | Action | Select an action for the inbound rule. Valid values: Accept, Drop. |
    | Protocol | Select the transport layer protocol. Valid values: all (all protocols are supported), ICMP, GRE, TCP, UDP. |
    | Source IP Addresses | Enter the range of source IP addresses. Default value: |
    | Destination Port Range | Enter the destination port range. Valid values: 1 to 65535. Separate the first port and last port with a forward slash (/), for example, 1/200 or 80/80. You cannot set the port range to -1/-1, which indicates that all ports are allowed. |
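The parameter constraints above can be checked before a rule set is entered in the console. The following is an added example, not part of the original page and not Alibaba Cloud code: it validates rules against the documented limits and shows which rule decides a given packet. The dict field names, CIDR notation for the source, the first <= last port check, first-match evaluation in ascending effective order, and the None result when nothing matches are all assumptions, and the sample rules are constructed.

```python
import ipaddress
import re

ACTIONS = {"Accept", "Drop"}
PROTOCOLS = {"all", "ICMP", "GRE", "TCP", "UDP"}
# Starts with a letter (Unicode, so Chinese characters qualify); 2 to 128 chars.
NAME_RE = re.compile(r"[^\W\d_][\w-]{1,127}")

def parse_ports(text):
    """Parse 'first/last'; each port must be 1 to 65535, so -1/-1 is rejected."""
    first, last = (int(p) for p in text.split("/"))
    if not (1 <= first <= last <= 65535):  # first <= last is an assumption
        raise ValueError(f"bad port range {text!r}")
    return first, last

def validate(rule):
    """Return the names of the invalid fields of one rule (empty list = valid)."""
    errs = []
    if not NAME_RE.fullmatch(rule["name"]) or rule["name"].startswith(("http://", "https://")):
        errs.append("name")
    if rule["order"] not in range(1, 21):
        errs.append("order")
    for key, allowed in (("action", ACTIONS), ("protocol", PROTOCOLS)):
        if rule[key] not in allowed:
            errs.append(key)
    # Treating the source range as CIDR notation is an assumption.
    for key, parse in (("source", ipaddress.ip_network), ("ports", parse_ports)):
        try:
            parse(rule[key])
        except ValueError:
            errs.append(key)
    return errs

def decide(rules, protocol, src_ip, dst_port):
    """First matching rule in ascending effective order wins (assumed model)."""
    for r in sorted(rules, key=lambda r: r["order"]):
        lo, hi = parse_ports(r["ports"])
        if (r["protocol"] in ("all", protocol)
                and ipaddress.ip_address(src_ip) in ipaddress.ip_network(r["source"])
                and lo <= dst_port <= hi):
            return r["action"], r["name"]
    return None  # no rule matched; the default behaviour is not stated on the page

# Constructed sample rules (not from the page).
RULES = [
    {"name": "allow-https", "order": 2, "action": "Accept", "protocol": "TCP",
     "source": "0.0.0.0/0", "ports": "443/443"},
    {"name": "drop-scanner", "order": 1, "action": "Drop", "protocol": "all",
     "source": "203.0.113.0/24", "ports": "1/65535"},
]
```

With these rules, a TCP/443 packet from 203.0.113.7 is dropped by the order-1 rule even though the broader Accept rule also matches, which is why a narrow Drop needs a smaller effective order than the Accept it is meant to override.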