
Virtual Private Cloud:Manage intercommunication among ECS instances connected to different vSwitches

Last Updated:Sep 21, 2023

This topic describes how to use network access control lists (ACLs) to manage intercommunication among Elastic Compute Service (ECS) instances that are connected to different vSwitches.

Prerequisites

Background information

An enterprise creates a VPC in the cloud and two vSwitches in the VPC. ECS Instance 1 (192.168.1.206) is connected to vSwitch 1. ECS Instance 2 (192.168.0.229) and ECS Instance 3 (192.168.0.230) are connected to vSwitch 2. To meet business requirements, the enterprise must control intercommunication among the ECS instances, and between the ECS instances and the Internet.
  • ECS 1, ECS 2, and ECS 3 are not allowed to communicate with the Internet.
  • ECS 1 and ECS 3 are not allowed to communicate with each other.
  • ECS 1 and ECS 2 are allowed to communicate with each other.
Figure: Scenario

You can customize network ACL rules and associate the network ACL with vSwitches, as shown in the preceding figure. This way, you can control network traffic transmitted among the ECS instances connected to the vSwitches.

The following flowchart shows the procedure.

Figure: Procedure

Step 1: Create a network ACL

  1. Log on to the VPC console.
  2. In the left-side navigation pane, choose ACL > Network ACL.
  3. In the top navigation bar, select the region to which the network ACL that you want to manage belongs.
  4. On the Network ACL page, click Create Network ACL.
  5. In the Create Network ACL dialog box, set the following parameters and click OK:
    • VPC: Select the VPC for which you want to create the network ACL.
    • Name: Enter a name for the network ACL.
    • Description: Enter a description for the network ACL.

Step 2: Associate the network ACL with a vSwitch

Associate the network ACL with vSwitch 1 and vSwitch 2.

  1. Log on to the VPC console.
  2. In the left-side navigation pane, choose ACL > Network ACL.
  3. In the top navigation bar, select the region to which the network ACL that you want to manage belongs.
  4. On the Network ACL page, find the network ACL that you want to manage and click its ID.
  5. On the Associated Resources tab, click Associate vSwitch.
  6. In the Associate vSwitch dialog box, select vSwitch 1 and vSwitch 2, and click Associate.

Step 3: Add rules to the network ACL

Add inbound and outbound rules to the network ACL. Rules are evaluated in ascending order of the priority value (a smaller value is matched first), and the first matching rule decides whether the packet is accepted or dropped. Network ACLs are stateless: reply traffic is not tracked, so communication between ECS Instance 1 and ECS Instance 2 needs an Accept rule in both the inbound and the outbound direction, and the final Drop rule for 0.0.0.0/0 in each direction blocks everything else, including traffic to and from the Internet.

  1. Log on to the VPC console.
  2. In the left-side navigation pane, choose ACL > Network ACL.
  3. In the top navigation bar, select the region to which the network ACL that you want to manage belongs.
  4. On the Network ACL page, find the network ACL that you want to manage and click Inbound Rule in the Actions column.
  5. On the Inbound Rule tab, click Manage Inbound Rule.
  6. Set the following parameters and click OK.
    Priority  Rule Name                            Action  Protocol  Source IP Addresses  Destination Port Range
    1         Allow-traffic-from-ECS-Instance-2    Accept  ALL       192.168.0.229/32     -1/-1
    2         Allow-traffic-from-ECS-Instance-1    Accept  ALL       192.168.1.206/32     -1/-1
    3         Block-traffic-from-all-IP-addresses  Drop    ALL       0.0.0.0/0            -1/-1
  7. Click the Outbound Rule tab, and then click Manage Outbound Rule.
  8. Set the following parameters and click OK.
    Priority  Rule Name                                  Action  Protocol  Destination IP Address  Destination Port Range
    1         Allow-traffic-destined-for-ECS-Instance-2  Accept  ALL       192.168.0.229/32        -1/-1
    2         Allow-traffic-destined-for-ECS-Instance-1  Accept  ALL       192.168.1.206/32        -1/-1
    3         Block-traffic-destined-for-all-IP-addresses Drop   ALL       0.0.0.0/0               -1/-1

Step 4: Test the connectivity

Test the connectivity among the ECS instances, and between the ECS instances and the Internet.

  1. Log on to ECS Instance 1. For more information, see Connection methods.
  2. Run the ping command to ping ECS Instance 2, ECS Instance 3, and a public IP address to test the connectivity.
    The result indicates that ECS Instance 1 can access ECS Instance 2, but cannot access ECS Instance 3 or the Internet.
    Figure 1. ECS Instance 1 can access ECS Instance 2
    Figure 2. ECS Instance 1 cannot access ECS Instance 3
    Figure 3. ECS Instance 1 cannot access the Internet
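To reason about the Step 3 rule tables before (or instead of) running the ping tests, the following Python script, added here as an illustration and not taken from the Alibaba Cloud documentation, models how a stateless network ACL evaluates the rules on both vSwitches for each direction of a flow and reproduces the Step 4 results. It assumes first-match evaluation by ascending priority with an implicit Drop when no rule matches, and that traffic between two instances on the same vSwitch (ECS Instance 2 and ECS Instance 3) is not filtered by the network ACL; the vSwitch names vsw-1 and vsw-2 and the public address 8.8.8.8 are placeholders constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Rule:
    priority: int   # smaller value is evaluated first
    name: str
    action: str     # "Accept" or "Drop"
    cidr: str       # source CIDR for inbound rules, destination CIDR for outbound rules


# Rule tables from Step 3. Protocol is ALL and the port range is -1/-1 in every
# rule, so only the CIDR decides a match in this model.
INBOUND: List[Rule] = [
    Rule(1, "Allow-traffic-from-ECS-Instance-2", "Accept", "192.168.0.229/32"),
    Rule(2, "Allow-traffic-from-ECS-Instance-1", "Accept", "192.168.1.206/32"),
    Rule(3, "Block-traffic-from-all-IP-addresses", "Drop", "0.0.0.0/0"),
]
OUTBOUND: List[Rule] = [
    Rule(1, "Allow-traffic-destined-for-ECS-Instance-2", "Accept", "192.168.0.229/32"),
    Rule(2, "Allow-traffic-destined-for-ECS-Instance-1", "Accept", "192.168.1.206/32"),
    Rule(3, "Block-traffic-destined-for-all-IP-addresses", "Drop", "0.0.0.0/0"),
]

# Instance placement from Background information; vSwitch names are placeholders.
VSWITCH_OF = {
    "192.168.1.206": "vsw-1",   # ECS Instance 1
    "192.168.0.229": "vsw-2",   # ECS Instance 2
    "192.168.0.230": "vsw-2",   # ECS Instance 3
}
# Step 2 associates the one network ACL with both vSwitches.
ACL_VSWITCHES = {"vsw-1", "vsw-2"}
PUBLIC_IP = "8.8.8.8"   # arbitrary Internet address standing in for the ping target


def first_match(rules: List[Rule], ip: str) -> str:
    """Action of the first rule (ascending priority) whose CIDR contains ip.

    Assumption: first hit wins; if nothing matches the packet is dropped
    (the page's rule 3 makes that explicit with 0.0.0.0/0 anyway).
    """
    addr = ipaddress.ip_address(ip)
    for rule in sorted(rules, key=lambda r: r.priority):
        if addr in ipaddress.ip_network(rule.cidr):
            return rule.action
    return "Drop"


def one_way(src: str, dst: str, inbound=INBOUND, outbound=OUTBOUND) -> bool:
    """Can a single packet travel from src to dst?

    A stateless ACL checks the packet twice: outbound on the sender's vSwitch
    (destination CIDR) and inbound on the receiver's vSwitch (source CIDR).
    Assumption: traffic between two instances on the same vSwitch never crosses
    the vSwitch boundary, so the network ACL does not see it.
    """
    src_vsw = VSWITCH_OF.get(src)
    dst_vsw = VSWITCH_OF.get(dst)
    if src_vsw is not None and src_vsw == dst_vsw:
        return True
    if src_vsw in ACL_VSWITCHES and first_match(outbound, dst) != "Accept":
        return False
    if dst_vsw in ACL_VSWITCHES and first_match(inbound, src) != "Accept":
        return False
    return True


def can_communicate(a: str, b: str, inbound=INBOUND, outbound=OUTBOUND) -> bool:
    """ping succeeds only if the request and the reply both pass the ACL."""
    return one_way(a, b, inbound, outbound) and one_way(b, a, inbound, outbound)


def without(rules: List[Rule], name: str) -> List[Rule]:
    """Copy of a rule table with one rule removed, for what-if checks."""
    return [r for r in rules if r.name != name]


if __name__ == "__main__":
    ecs1, ecs2, ecs3 = "192.168.1.206", "192.168.0.229", "192.168.0.230"
    for label, a, b in [("ECS 1 -> ECS 2", ecs1, ecs2), ("ECS 1 -> ECS 3", ecs1, ecs3),
                        ("ECS 2 -> ECS 3", ecs2, ecs3), ("ECS 1 -> Internet", ecs1, PUBLIC_IP)]:
        print(f"{label}: {'reachable' if can_communicate(a, b) else 'blocked'}")
    # Stateless means one missing direction breaks the pair: drop outbound rule 2
    # and ECS 2's replies can no longer leave vSwitch 2.
    trimmed = without(OUTBOUND, "Allow-traffic-destined-for-ECS-Instance-1")
    print("ECS 1 -> ECS 2 without outbound rule 2:",
          "reachable" if can_communicate(ecs1, ecs2, outbound=trimmed) else "blocked")
```

The what-if at the end is the check worth keeping around: because the ACL is stateless, deleting either Accept rule in either direction silently breaks the ECS 1 to ECS 2 path even though the request packets still pass, and the model also makes visible that the ACL does nothing for ECS 2 to ECS 3 traffic on the shared vSwitch, which security groups would have to cover.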