This topic describes how to add an outbound rule to a network access control list (ACL). After creating a network ACL, you can add outbound rules to it to allow or deny the ECS instances in a VSwitch to access the public or private network.


Prerequisite: A network ACL is created. For more information, see Create a network ACL.


  1. Log on to the VPC console.
  2. In the left-side navigation pane, click Network ACL.
  3. In the top navigation bar, select the region of the network ACL.
  4. On the Network ACL page, find the target network ACL, and then click Outbound Rule in the Actions column.
  5. On the Outbound Rule tab, click Create Outbound Rule.
  6. In the Create Outbound Rule dialog box, configure the outbound rule according to the following information, and then click OK.
    Configuration: Description

    Name: Enter a name for the outbound rule to be created. The name must be 2 to 128 characters in length and can contain letters, numbers, underscores (_), and hyphens (-). The name must start with a letter and cannot start with http:// or https://.

    Effective order: The order in which the outbound rule is evaluated. Value range: 1 to 20. A smaller number indicates a higher priority. For more information, see Rule evaluation order.

    Action: Select an authorization policy for the outbound rule. Valid values:
    • Accept
    • Drop

    Protocol: Select the transport layer protocol. Valid values:
    • ALL: All protocols are supported.
    • ICMP
    • GRE
    • TCP
    • UDP

    Destination IP Addresses: Enter the destination IP address range.

    Default value:

    Destination Port Range: Enter the destination port range. Value range: 1 to 65535. Separate the start port and the end port by using a forward slash (/), for example, 1/200 or 80/80. Note that you cannot set the port range to -1/-1, which indicates that all ports are allowed.
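
The following Python sketch is an added example, not part of the original topic or of any cloud SDK. It checks a planned outbound rule against the field limits listed above before it is entered in the console, and previews which action a TCP or UDP flow would get when the matching rule with the smallest effective order wins. The names Rule, parse_ports, validate and decide are hypothetical; ASCII letters, CIDR notation without host bits, and start port not greater than end port are assumptions; the sample rules are constructed.

```python
import ipaddress
import re
from collections import namedtuple
# Hypothetical record mirroring the dialog fields; not a cloud SDK type.
Rule = namedtuple("Rule", "name order action protocol dest_cidr port_range")
# ASCII letters assumed; this character set already excludes http:// and https://.
NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9_-]{1,127}")

def parse_ports(text):
    """Parse 'start/end' within 1..65535; rejects -1/-1 and (assumed) start > end."""
    m = re.fullmatch(r"([0-9]{1,5})/([0-9]{1,5})", text)
    if not m or not 1 <= int(m[1]) <= int(m[2]) <= 65535:
        raise ValueError(f"bad port range: {text!r}")
    return int(m[1]), int(m[2])

def validate(rule):
    """Return the names of the fields that break the limits stated on this page."""
    checks = {
        "name": NAME_RE.fullmatch(rule.name) is not None,
        "order": 1 <= rule.order <= 20,
        "action": rule.action in ("Accept", "Drop"),
        "protocol": rule.protocol in ("ALL", "ICMP", "GRE", "TCP", "UDP"),
    }
    bad = [field for field, ok in checks.items() if not ok]
    for field, parser in (("dest_cidr", ipaddress.ip_network), ("port_range", parse_ports)):
        try:
            parser(getattr(rule, field))  # ip_network rejects host bits (assumed rule)
        except ValueError:
            bad.append(field)
    return bad

def decide(rules, protocol, dest_ip, port):
    """Action of the matching rule with the smallest order for a TCP/UDP flow, else None."""
    ip = ipaddress.ip_address(dest_ip)
    for r in sorted(rules, key=lambda r: r.order):
        lo, hi = parse_ports(r.port_range)
        if (r.protocol in ("ALL", protocol) and lo <= port <= hi
                and ip in ipaddress.ip_network(r.dest_cidr)):
            return r.action
    return None

# Constructed sample rule set (RFC 5737 documentation addresses).
RULES = [
    Rule("allow-https", 1, "Accept", "TCP", "203.0.113.0/24", "443/443"),
    Rule("drop-rest", 20, "Drop", "ALL", "0.0.0.0/0", "1/65535"),
]

if __name__ == "__main__":
    print([validate(r) for r in RULES], decide(RULES, "TCP", "198.51.100.7", 22))
```

A None result from decide means no listed rule matched; what happens to such traffic is not stated in this topic.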