Manage intercommunication among ECS instances attached to different VSwitches - Network ACL| Alibaba Cloud Documentation Center

This topic describes how to use network access control list (ACL) to control intercommunication among Elastic Compute Service (ECS) instances attached to different VSwitches.

Prerequisites

Before you start, make sure that the following requirements are met:

An Alibaba Cloud account is created. If you do not have an Alibaba Cloud account, click Create an Alibaba Cloud account.
A VPC network and VSwitches are created. For more information, see Create a VPC.
Elastic Compute Service (ECS) instances are created and attached to the VSwitches. For more information, see Create an instance by using the provided wizard.

Background information

A company creates a VPC network and two VSwitches in the VPC network. ECS Instance 1 (192.168.1.206) is attached to VSwitch 1. ECS Instance 2 (192.168.0.229) and ECS Instance 3 (192.168.0.230) are attached to VSwitch 2. To meet business requirements, the company must control intercommunication among the ECS instances, and between the ECS instances and the Internet.

Forbid the three ECS instances to access the Internet.
Forbid ECS Instance 1 and ECS Instance 3 to communicate with each other.
Allow ECS Instance 1 and ECS Instance 2 to communicate with each other.

You can customize network ACL rules and associate the network ACL with VSwitches, as shown in the preceding figure. This way, you can control network traffic transmitted among the ECS instances attached to the VSwitches.

The following flowchart shows the configuration procedure.

Step 1: Create a network ACL

To create a network ACL, perform the following steps:

Log on to the VPC console.
In the left-side navigation pane, click Network ACL.
In the top navigation bar, select the region where you want to create the network ACL.
On the Network ACL page, click Create Network ACL.
In the Create Network ACL dialog box that appears, set the following parameters, and click OK.
- VPC: Select the VPC network for which you want to create the network ACL.
- Name: Enter a name for the network ACL.
  The name must be 2 to 128 characters in length, and can contain letters, Chinese characters, digits, underscores (_), and hyphens (-). It must start with a letter or a Chinese character.
- Description: Enter a description for the network ACL.
  The description must be 2 to 256 characters in length, and cannot start with http:// or https://.

Step 2: Associate the network ACL with VSwitches

To associate the network ACL with VSwitch 1 and VSwitch 2, perform the following steps:

Log on to the VPC console.
In the left-side navigation pane, click Network ACL.
In the top navigation bar, select the region where the network ACL is created.
On the Network ACL page, find the network ACL that you want to manage, and click Manage in the Actions column.
On the Resources tab, click Bind Resource.
In the Bind Resource dialog box, select VSwitch 1 and VSwitch 2, and click OK.

Step 3: Add network ACL rules

To add inbound and outbound rules to the network ACL, perform the following steps:

Log on to the VPC console.
In the left-side navigation pane, click Network ACL.
In the top navigation bar, select the region where the network ACL is created.
On the Network ACL page, find the network ACL that you want to manage, and click Inbound Rule in the Actions column.
On the Inbound Rule tab, click Create Inbound Rule.

In the Create Inbound Rule dialog box, set the following parameters, and click OK.


Name	Effective order	Action	Protocol	Source IP address	Destination port range
Allow traffic from ECS Instance 2	1	Allow	all	192.168.0.229/32	-1/-1
Allow traffic from ECS Instance 1	2	Allow	all	192.168.1.206/32	-1/-1
Block traffic from all IP addresses	3	Deny	all	0.0.0.0/0	-1/-1

Click the Outbound Rule tab, and click Create Outbound Rule.

In the Create Outbound Rule dialog box, set the following parameters, and click OK.


Name	Effective order	Action	Protocol	Destination IP address	Destination port range
Allow traffic destined for ECS Instance 2	1	Allow	all	192.168.0.229/32	-1/-1
Allow traffic destined for ECS Instance 1	2	Allow	all	192.168.1.206/32	-1/-1
Block traffic destined for all IP addresses	3	Deny	all	0.0.0.0/0	-1/-1

Step 4: Test the connectivity

To test the connectivity among the ECS instances, and between the ECS instances and the Internet, perform the following steps:

Log on to ECS Instance 1.
Run the ping command to ping ECS Instance 2, ECS Instance 3, and a public IP address to test the connectivity.
The result shows that ECS Instance 1 can access ECS Instance 2, but cannot access ECS Instance 3 or the Internet.

Figure 1. ECS Instance 1 can access ECS Instance 2

Figure 2. ECS Instance 1 cannot access ECS Instance 3

Figure 3. ECS Instance 1 cannot access the Internet