This topic describes how to use the network access control list (ACL) feature to control intercommunication between Elastic Compute Service (ECS) instances attached to different VSwitches.

Prerequisites

Before you use network ACLs, make sure that the following conditions are met:

Background information

A company creates a VPC network and two VSwitches in the VPC network. ECS Instance 1 (192.168.1.206) is attached to VSwitch 1. ECS Instance 2 (192.168.0.229) and ECS Instance 3 (192.168.0.230) are attached to VSwitch 2. To meet workload requirements, the company must control intercommunication between the ECS instances, and between the ECS instances and the Internet:
  • Forbid the three ECS instances from accessing the Internet.
  • Forbid ECS Instance 1 and ECS Instance 3 from communicating with each other.
  • Allow ECS Instance 1 and ECS Instance 2 to communicate with each other.

Scenarios

As shown in the preceding figure, you can customize network ACL rules and bind the network ACL to the VSwitch to control network traffic transmitted between the ECS instances attached to the VSwitches.

The following flowchart shows the configuration procedure.

Procedure

Step 1: Create a network ACL

To create a network ACL, follow these steps:

  1. Log on to the VPC console.
  2. In the left-side navigation pane, click Network ACL.
  3. In the top status bar, select a region.
    Note The network ACL feature is supported in the following regions: China (Qingdao), China (Beijing), China (Hohhot), China (Chengdu), China (Hangzhou), China (Shanghai), China (Shenzhen), China (Heyuan), China (Hong Kong), UK (London), US (Silicon Valley), Singapore, Germany (Frankfurt), and India (Mumbai).
  4. On the Network ACL page, click Create Network ACL.
  5. In the Create Network ACL dialog box that appears, configure the network ACL based on the following information, and then click OK.
    • VPC: Select a VPC network for the network ACL.
    • Name: Enter the name of the network ACL.
    • Description: Enter the description of the network ACL.

Step 2: Bind a network ACL to a VSwitch

To bind the network ACL to VSwitch 1 and VSwitch 2, follow these steps:

  1. Log on to the VPC console.
  2. In the left-side navigation pane, click Network ACL.
  3. In the top status bar, select the region where the network ACL is deployed.
  4. On the Network ACL page, find the target network ACL, and click Manage in the Actions column.
  5. On the Resources tab, click Bind Resource.
  6. In the Bind Resource dialog box that appears, select VSwitch 1 and VSwitch 2, and click OK.

Step 3: Add network ACL rules

To add inbound and outbound rules to the network ACL, follow these steps:

  1. Log on to the VPC console.
  2. In the left-side navigation pane, click Network ACL.
  3. In the top status bar, select the region where the network ACL is deployed.
  4. On the Network ACL page, find the target network ACL, and click Inbound Rule in the Actions column.
  5. On the Inbound Rule tab, click Create Inbound Rule.
  6. In the Create Inbound Rule dialog box that appears, configure the inbound rules based on the following information, and click OK.
    | Name                                | Effective order | Action | Protocol | Source IP addresses | Destination port range |
    | Allow traffic from ECS Instance 2   | 1               | Accept | all      | 192.168.0.229/32    | -1/-1                  |
    | Allow traffic from ECS Instance 1   | 2               | Accept | all      | 192.168.1.206/32    | -1/-1                  |
    | Block traffic from all IP addresses | 3               | Drop   | all      | 0.0.0.0/0           | -1/-1                  |
  7. Click the Outbound Rule tab, and then click Create Outbound Rule.
  8. In the Create Outbound Rule dialog box that appears, configure the outbound rules based on the following information, and click OK.
    | Name                                        | Effective order | Action | Protocol | Destination IP addresses | Destination port range |
    | Allow traffic destined for ECS Instance 2   | 1               | Accept | all      | 192.168.0.229/32         | -1/-1                  |
    | Allow traffic destined for ECS Instance 1   | 2               | Accept | all      | 192.168.1.206/32         | -1/-1                  |
    | Block traffic destined for all IP addresses | 3               | Drop   | all      | 0.0.0.0/0                | -1/-1                  |
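Before binding rules like the ones above to production VSwitches, it is worth checking on paper that the ordered rule set actually produces the intended allow/deny matrix from the background section. The following script is an added example, not part of the original page or of the VPC product: it models the inbound and outbound tables of Step 3 as ordered, first-match rules and simulates a packet crossing a VSwitch boundary (outbound rules of the sender's VSwitch, then inbound rules of the receiver's VSwitch). The VPC CIDR 192.168.0.0/16, the public test address 203.0.113.10 and the assumption that the same network ACL is bound to both VSwitches (as in Step 2) are constructed for the example; port ranges are not modeled because every rule uses -1/-1 (all ports).

```python
import ipaddress
from dataclasses import dataclass

# Assumption: the VPC CIDR is not stated on the page; 192.168.0.0/16 covers
# both VSwitches used in the scenario.
VPC_CIDR = ipaddress.ip_network("192.168.0.0/16")


@dataclass(frozen=True)
class Rule:
    name: str
    order: int       # effective order; the lowest number is evaluated first
    action: str      # "Accept" or "Drop"
    protocol: str    # "all" in this scenario
    cidr: str        # source CIDR for inbound rules, destination CIDR for outbound rules


# Rule sets copied from the Step 3 tables (constructed as data for this example).
INBOUND = [
    Rule("Allow traffic from ECS Instance 2", 1, "Accept", "all", "192.168.0.229/32"),
    Rule("Allow traffic from ECS Instance 1", 2, "Accept", "all", "192.168.1.206/32"),
    Rule("Block traffic from all IP addresses", 3, "Drop", "all", "0.0.0.0/0"),
]

OUTBOUND = [
    Rule("Allow traffic destined for ECS Instance 2", 1, "Accept", "all", "192.168.0.229/32"),
    Rule("Allow traffic destined for ECS Instance 1", 2, "Accept", "all", "192.168.1.206/32"),
    Rule("Block traffic destined for all IP addresses", 3, "Drop", "all", "0.0.0.0/0"),
]


def first_match(rules, address, protocol="all"):
    """Return the first rule, by effective order, whose CIDR and protocol match.

    Returns None when no rule matches; the simulation treats that as a drop,
    which is the safe interpretation for an unmatched packet.
    """
    addr = ipaddress.ip_address(address)
    for rule in sorted(rules, key=lambda r: r.order):
        proto_ok = rule.protocol == "all" or rule.protocol == protocol
        if proto_ok and addr in ipaddress.ip_network(rule.cidr):
            return rule
    return None


def is_allowed(src, dst, protocol="all"):
    """Simulate a packet from src to dst that leaves the sender's VSwitch.

    The packet must be accepted by the outbound rules first. If the destination
    is inside the VPC it must then also be accepted by the inbound rules of the
    receiving VSwitch (same ACL bound to both VSwitches, per Step 2).
    """
    out = first_match(OUTBOUND, dst, protocol)
    if out is None or out.action != "Accept":
        return False
    if ipaddress.ip_address(dst) in VPC_CIDR:
        inb = first_match(INBOUND, src, protocol)
        return inb is not None and inb.action == "Accept"
    return True


def scenario_matrix():
    """Evaluate the three requirements from the background section."""
    ecs1, ecs2, ecs3 = "192.168.1.206", "192.168.0.229", "192.168.0.230"
    internet = "203.0.113.10"  # constructed public address (TEST-NET-3)
    return {
        "ecs1_to_ecs2": is_allowed(ecs1, ecs2),
        "ecs2_to_ecs1": is_allowed(ecs2, ecs1),
        "ecs1_to_ecs3": is_allowed(ecs1, ecs3),
        "ecs3_to_ecs1": is_allowed(ecs3, ecs1),
        "ecs1_to_internet": is_allowed(ecs1, internet),
        "ecs2_to_internet": is_allowed(ecs2, internet),
        "ecs3_to_internet": is_allowed(ecs3, internet),
    }


if __name__ == "__main__":
    for flow, allowed in scenario_matrix().items():
        print(f"{flow:18s} {'ALLOWED' if allowed else 'DROPPED'}")
```

The matrix shows why the effective order matters: the explicit Drop for 0.0.0.0/0 sits last, so the two /32 Accept rules are consulted first. Swapping the Drop rule to order 1 would make it match every packet and silently cut off ECS Instance 1 and ECS Instance 2 as well, so re-run the simulation whenever the order of rules is changed.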

Step 4: Test the connectivity

To test the connectivity between the ECS instances, and between the ECS instances and the Internet, follow these steps:

  1. Log on to ECS Instance 1.
  2. Run the ping command to ping ECS Instance 2, ECS Instance 3, and a public IP address to test the connectivity.
    The result shows that ECS Instance 1 can access ECS Instance 2, but cannot access ECS Instance 3 and the Internet.
    Figure 1. ECS Instance 1 can access ECS Instance 2
    Figure 2. ECS Instance 1 cannot access ECS Instance 3
    Figure 3. ECS Instance 1 cannot access the Internet