This topic describes how to use network access control lists (ACLs) to manage intercommunication
among Elastic Compute Service (ECS) instances that are attached to different vSwitches.
Prerequisites
Before you get started, make sure that the following requirements are met:
Background information
An enterprise creates a VPC in the cloud and two vSwitches in the VPC. ECS Instance
1 (192.168.1.206) is attached to vSwitch 1. ECS Instance 2 (192.168.0.229) and ECS
Instance 3 (192.168.0.230) are attached to vSwitch 2. To meet business requirements,
the enterprise must manage intercommunication among the ECS instances, and between
the ECS instances and the Internet.
- The three ECS instances must not be able to access the Internet.
- ECS Instance 1 and ECS Instance 3 must not be able to communicate with each other.
- ECS Instance 1 and ECS Instance 2 must be able to communicate with each other.

You can customize network ACL rules and associate the network ACL with vSwitches,
as shown in the preceding figure. This way, you can control network traffic transmitted
among the ECS instances attached to the vSwitches.
The following flowchart shows the procedure.

Step 1: Create a network ACL
- Log on to the VPC console.
- In the left-side navigation pane, click Network ACL.
- In the top navigation bar, select the region where the network ACL is created.
- On the Network ACL page, click Create Network ACL.
- In the Create Network ACL dialog box, set the following parameters, and click OK:
- VPC: Select the VPC for which you want to create the network ACL.
- Name: Enter a name for the network ACL.
The name must be 2 to 128 characters in length, and can contain letters, digits, underscores
(_), and hyphens (-). The name must start with a letter.
- Description: Enter a description for the network ACL.
The description must be 2 to 256 characters in length, and cannot start with http:// or https://.
Step 2: Associate the network ACL with a vSwitch
Associate the network ACL with vSwitch 1 and vSwitch 2.
- Log on to the VPC console.
- In the left-side navigation pane, click Network ACL.
- In the top navigation bar, select the region where the network ACL is created.
- On the Network ACL page, find the network ACL that you want to manage and click the ID of the network
ACL.
- On the Resources tab, click Associate VSwitch.
- In the Associate VSwitch dialog box, select vSwitch 1 and vSwitch 2, and click Associate.
Step 3: Add rules to the network ACL
Add inbound and outbound rules to the network ACL. Rules are evaluated in order of priority (a lower number is evaluated first) and the first rule that matches a packet decides whether it is accepted or dropped, so the catch-all Drop rule must carry the lowest priority. Network ACL rules are stateless: the return traffic of an allowed flow is not accepted automatically, which is why both the inbound and the outbound tables below permit ECS Instance 1 and ECS Instance 2. A port range of -1/-1 means all ports.
- Log on to the VPC console.
- In the left-side navigation pane, click Network ACL.
- In the top navigation bar, select the region where the network ACL is created.
- On the Network ACL page, find the network ACL that you want to manage and click Inbound Rule in the Actions column.
- On the Inbound Rule tab, click Manage Inbound Rule.
- In the Manage Inbound Rule dialog box, set the following parameters, and click OK.
Priority | Rule name | Action | Protocol type | Source IP addresses | Source port range
1 | Allow traffic from ECS Instance 2 | Accept | ALL | 192.168.0.229/32 | -1/-1
2 | Allow traffic from ECS Instance 1 | Accept | ALL | 192.168.1.206/32 | -1/-1
3 | Block traffic from all IP addresses | Drop | ALL | 0.0.0.0/0 | -1/-1
- Click the Outbound Rule tab, and click Manage Outbound Rule.
- In the Manage Outbound Rule dialog box, set the following parameters, and click OK.
Priority | Rule name | Action | Protocol type | Destination IP addresses | Destination port range
1 | Allow traffic destined for ECS Instance 2 | Accept | ALL | 192.168.0.229/32 | -1/-1
2 | Allow traffic destined for ECS Instance 1 | Accept | ALL | 192.168.1.206/32 | -1/-1
3 | Block traffic destined for all IP addresses | Drop | ALL | 0.0.0.0/0 | -1/-1
Step 4: Test the connectivity
Test the connectivity among the ECS instances, and between the ECS instances and the
Internet. A ping succeeds only if both the echo request and the echo reply pass the network ACL rules. The security groups of the ECS instances are enforced in addition to the network ACL and must also permit ICMP, otherwise every ping fails regardless of the ACL.
- Log on to ECS Instance 1.
- Run the ping command to ping ECS Instance 2, ECS Instance 3, and a public IP address to test the connectivity.
Expected results, matching the requirements in the background information: the ping to ECS Instance 2 (192.168.0.229) succeeds, the ping to ECS Instance 3 (192.168.0.230) fails, and the ping to the public IP address fails.
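The following script is an added example, not code from Alibaba Cloud or from this page: it models the rule tables from Step 3 against the three-instance topology and evaluates each ping from Step 4 as two stateless packets (request and reply), so the expected results can be checked offline before the rules are applied. The public address 203.0.113.10 is a constructed stand-in for "the Internet", and the assumption that a packet matching no rule is dropped is labelled in the code (the page's catch-all rule 3 makes it irrelevant here). It also goes slightly beyond the page by showing what changes when the ACL is associated with only one of the two vSwitches.

```python
"""Offline model of the page's network ACL policy (added example, not
Alibaba Cloud's code). Evaluates the Step 3 rules against the topology so the
Step 4 ping results can be predicted before touching the console."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

# Topology from the page. INTERNET_IP is a constructed TEST-NET-3 address
# standing in for any public destination.
VSWITCH_OF = {
    "192.168.1.206": "vSwitch 1",  # ECS Instance 1
    "192.168.0.229": "vSwitch 2",  # ECS Instance 2
    "192.168.0.230": "vSwitch 2",  # ECS Instance 3
}
INTERNET_IP = "203.0.113.10"


@dataclass(frozen=True)
class Rule:
    priority: int
    name: str
    action: str           # "Accept" or "Drop"
    protocol: str         # "ALL", "ICMP", "TCP" or "UDP"
    cidr: str             # source CIDR (inbound) or destination CIDR (outbound)
    ports: str = "-1/-1"  # the page's notation for all ports


# The inbound and outbound tables from Step 3, as written on the page.
INBOUND = [
    Rule(1, "Allow traffic from ECS Instance 2", "Accept", "ALL", "192.168.0.229/32"),
    Rule(2, "Allow traffic from ECS Instance 1", "Accept", "ALL", "192.168.1.206/32"),
    Rule(3, "Block traffic from all IP addresses", "Drop", "ALL", "0.0.0.0/0"),
]
OUTBOUND = [
    Rule(1, "Allow traffic destined for ECS Instance 2", "Accept", "ALL", "192.168.0.229/32"),
    Rule(2, "Allow traffic destined for ECS Instance 1", "Accept", "ALL", "192.168.1.206/32"),
    Rule(3, "Block traffic destined for all IP addresses", "Drop", "ALL", "0.0.0.0/0"),
]


def first_match(rules: Sequence[Rule], ip: str, protocol: str, port: int) -> Optional[Rule]:
    """Lowest priority number is checked first; the first matching rule decides."""
    addr = ipaddress.ip_address(ip)
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.protocol != "ALL" and rule.protocol != protocol:
            continue
        if addr not in ipaddress.ip_network(rule.cidr):
            continue
        if rule.ports != "-1/-1":
            low, high = (int(p) for p in rule.ports.split("/"))
            if not low <= port <= high:
                continue
        return rule
    return None


def evaluate(src: str, dst: str, protocol: str = "ICMP", port: int = -1,
             associated: Sequence[str] = ("vSwitch 1", "vSwitch 2")) -> Tuple[bool, str]:
    """Fate of ONE packet from src to dst. The ACL is stateless, so a reply is a
    separate packet that must be evaluated on its own (see ping_reachable).
    Assumption: a packet matching no rule is dropped."""
    src_vsw, dst_vsw = VSWITCH_OF.get(src), VSWITCH_OF.get(dst)
    if src_vsw is not None and src_vsw == dst_vsw:
        return True, f"{src_vsw}: same vSwitch, network ACL not traversed"
    if src_vsw in associated:  # outbound check when leaving the source vSwitch
        rule = first_match(OUTBOUND, dst, protocol, port)
        if rule is None or rule.action == "Drop":
            return False, f"dropped leaving {src_vsw} by outbound rule: {rule.name if rule else 'no match'}"
    if dst_vsw in associated:  # inbound check when entering the destination vSwitch
        rule = first_match(INBOUND, src, protocol, port)
        if rule is None or rule.action == "Drop":
            return False, f"dropped entering {dst_vsw} by inbound rule: {rule.name if rule else 'no match'}"
    return True, "accepted"


def ping_reachable(src: str, dst: str,
                   associated: Sequence[str] = ("vSwitch 1", "vSwitch 2")) -> bool:
    """A ping succeeds only if the echo request AND the echo reply get through."""
    request_ok, _ = evaluate(src, dst, "ICMP", -1, associated)
    reply_ok, _ = evaluate(dst, src, "ICMP", -1, associated)
    return request_ok and reply_ok


if __name__ == "__main__":
    i1, i2, i3 = "192.168.1.206", "192.168.0.229", "192.168.0.230"
    for a, b in [(i1, i2), (i1, i3), (i1, INTERNET_IP)]:
        print(f"{a} -> {b}: {'reachable' if ping_reachable(a, b) else 'blocked'}")
    # Instance 3 -> Instance 1 leaves vSwitch 2 (outbound rule 2 accepts it) and
    # is only stopped by inbound rule 3 at vSwitch 1.
    print("Instance 3 -> Instance 1 request:", evaluate(i3, i1)[1])
    # With the ACL on vSwitch 1 only, Instances 2 and 3 keep Internet access.
    print("Instance 2 -> Internet, ACL on vSwitch 1 only:",
          ping_reachable(i2, INTERNET_IP, associated=("vSwitch 1",)))
```

Two things the model makes visible that the console does not: ECS Instance 2 and ECS Instance 3 share vSwitch 2, so their traffic never crosses the network ACL and is governed only by security groups; and the Internet ban holds only because the ACL is associated with both vSwitches, as Step 2 requires.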