Manage intercommunication between ECS instances attached to different VSwitches - Network ACL| Alibaba Cloud Documentation Center

This topic describes how to use the network access control list (ACL) feature to control intercommunication between Elastic Compute Service (ECS) instances attached to different VSwitches.

Prerequisites

Before you use network ACLs, make sure that the following conditions are met:

You have created an Alibaba Cloud account. To create an Alibaba Cloud account, go to the Alibaba Cloud site. For more information, see Create an Alibaba Cloud account.
A Virtual Private Cloud (VPC) network and two VSwitches are created. For more information, see Create a VPC network.
ECS instances are created and attached to the VSwitches. For more information, see Create an instance by using the provided wizard.

Background information

A company creates a VPC network and two VSwitches in the VPC network. ECS Instance 1 (192.168.1.206) is attached to VSwitch 1. ECS Instance 2 (192.168.0.229) and ECS Instance 3 (192.168.0.230) are attached to VSwitch 2. To meet workload requirements, the company must control intercommunication between the ECS instances, and between the ECS instances and Internet.

Forbid the three ECS instances to access the Internet.
Forbid ECS Instance 1 and ECS Instance 3 to communicate with each other.
Allow ECS Instance 1 and ECS Instance 2 to communicate with each other.

As shown in the preceding figure, you can customize network ACL rules and bind the network ACL to the VSwitch to control network traffic transmitted between the ECS instances attached to the VSwitches.

The following flowchart shows the configuration procedure.

Step 1: Create a network ACL

To create a network ACL, follow these steps:

Log on to the VPC console.
In the left-side navigation pane, click Network ACL.
In the top status bar, select a region.

Note The network ACL feature is supported in the following regions: China (Qingdao), China (Beijing), China (Hohhot), China (Chengdu), China (Hangzhou), China (Shanghai), China (Shenzhen), China (Heyuan), China (Hong Kong), UK (London), US (Silicon Valley), Singapore, Germany (Frankfurt), and India (Mumbai).
On the Network ACL page, click Create Network ACL.
In the Create Network ACL dialog box that appears, configure the network ACL based on the following information, and then click OK.
- VPC: Select a VPC network for the network ACL.
- Name: Enter the name of the network ACL.
- Description: Enter the description of the network ACL.

Step 2: Bind a network ACL to a VSwitch

To bind the network ACL to VSwitch 1 and VSwitch 2, follow these steps:

Log on to the VPC console.
In the left-side navigation pane, click Network ACL.
In the top status bar, select the region where the network ACL is deployed.
On the Network ACL page, find the target network ACL, and click Manage in the Actions column.
On the Resources tab, click Bind Resource.
In the Bind Resource dialog box that appears, select VSwitch 1 and VSwitch 2, and click OK.

Step 3: Add network ACL rules

To add inbound and outbound rules to the network ACL, follow these steps:

Log on to the VPC console.
In the left-side navigation pane, click Network ACL.
In the top status bar, select the region where the network ACL is deployed.
On the Network ACL page, find the target network ACL, and click Inbound Rule in the Actions column.
On the Inbound Rule tab, click Create Inbound Rule.

In the Create Inbound Rule dialog box that appears, configure the inbound rules based on the following information, and click OK.


Name	Effective order	Action	Protocol	Source IP addresses	Destination port range
Allow traffic from ECS Instance 2	1	Accept	all	192.168.0.229/32	-1/-1
Allow traffic from ECS Instance 1	2	Accept	all	192.168.1.206/32	-1/-1
Block traffic from all IP addresses	3	Drop	all	0.0.0.0/0	-1/-1

Click the Outbound Rule tab, and then click Create Outbound Rule.

In the Create Outbound Rule dialog box that appears, configure the outbound rules based on the following information, and click OK.


Name	Effective order	Action	Protocol	Destination IP addresses	Destination port range
Allow traffic destined for ECS Instance 2	1	Accept	all	192.168.0.229/32	-1/-1
Allow traffic destined for ECS Instance 1	2	Accept	all	192.168.1.206/32	-1/-1
Block traffic destined for all IP addresses	3	Drop	all	0.0.0.0/0	-1/-1

Step 4: Test the connectivity

To test the connectivity between the ECS instances, and between the ECS instances and Internet, follow these steps:

Log on to ECS Instance 1.
Run the ping command to ping ECS Instance 2, ECS Instance 3, and a public IP address to test the connectivity.
The result shows that ECS Instance 1 can access ECS Instance 2, but cannot access ECS Instance 3 and the Internet.

Figure 1. ECS Instance 1 can access ECS Instance 2

Figure 2. ECS Instance 1 cannot access ECS Instance 3

Figure 3. ECS Instance 1 cannot access the Internet