This topic describes how to use network access control lists (ACLs) to manage communication among Elastic Compute Service (ECS) instances in different vSwitches.
Prerequisites
A virtual private cloud (VPC) and vSwitches are created. For more information, see Create and manage a VPC and Create and manage a vSwitch.
ECS instances are created in the vSwitches. For more information, see Create an instance by using the wizard.
Background information
An enterprise creates a VPC, two vSwitches (vSwitch1 and vSwitch2), ECS1 (192.168.1.206) in vSwitch1, and ECS2 (192.168.0.229) and ECS3 (192.168.0.230) in vSwitch2. The following requirements need to be met:
ECS1, ECS2, and ECS3 cannot communicate with the Internet.
ECS1 cannot communicate with ECS3.
ECS1 can communicate with ECS2.
As shown in the preceding figure, you can configure network ACL rules and associate the network ACL with vSwitches to control ECS traffic.
The following flowchart shows the procedure.
Step 1: Create a network ACL
Log on to the VPC console.
In the left-side navigation pane, choose .
In the top navigation bar, select the region to which the network ACK that you want to manage belongs.
On the Network ACL page, click Create Network ACL.
In the Create Network ACL dialog box, specify the following parameters and click OK.
VPC: Select the VPC for which you want to create the network ACL.
Name: Enter a name for the network ACL.
Description: Enter a description for the network ACL.
Step 2: Associate the network ACL with vSwitches
Associate the network ACL with vSwitch1 and vSwitch2.
Log on to the VPC console.
In the left-side navigation pane, choose .
In the top navigation bar, select the region to which the network ACK that you want to manage belongs.
On the Network ACL page, find the network ACL that you want to manage and click its ID.
On the Associated Resources tab, click Associate vSwitch.
In the Associate vSwitch dialog box, select vSwitch1 and vSwitch2, and then click Confirm to Associate.
Step 3: Add rules to the network ACL
Add inbound and outbound rules to the network ACL.
Log on to the VPC console.
In the left-side navigation pane, choose .
In the top navigation bar, select the region to which the network ACK that you want to manage belongs.
On the Network ACL page, find the network ACL that you want to configure and click Create Inbound Rule in the Actions column.
On the Inbound Rule tab, click Manage Inbound Rule.
Specify the following parameters and click OK.
Priority
Rule Name
Policy
Protocol
Source IP Address
Destination Port Range
1
Allow-traffic-from-ECS2
Allow
ALL
192.168.0.229/32
-1/-1
2
Allow-traffic-from-ECS1
Allow
ALL
192.168.1.206/32
-1/-1
3
Block-traffic-from-all-IP-addresses
Deny
ALL
0.0.0.0/0
-1/-1
Click the Outbound Rules tab, and click Manage Outbound Rule.
Specify the following parameters and click OK.
Priority
Rule Name
Policy
Protocol
Destination IP Address
Destination Port Range
1
Allow-traffic-destined-for-ECS2
Allow
ALL
192.168.0.229/32
-1/-1
2
Allow-traffic-destined-for-ECS1
Allow
ALL
192.168.1.206/32
-1/-1
3
Block-traffic-destined-for-all-IP-addresses
Deny
ALL
0.0.0.0/0
-1/-1
Step 4: Test the network connectivity
Test the connectivity among the ECS instances, and between the ECS instances and the Internet.
Log on to ECS1. For more information, see Connection methods.
NoteIf you cannot log on to ECS1, see FAQ about connections.
Run the
pingcommands topingECS2, ECS3, and a public IP address.The result indicates that ECS1 can access ECS2, but cannot access ECS3 or the Internet.
Figure 1. ECS1 can access ECS2
Figure 2. ECS1 cannot access ECS3
Figure 3. ECS1 cannot access the Internet
