This topic describes how to use network access control lists (network ACLs) to control which data centers can reach resources in a VPC.

Prerequisites

Before you use network ACLs, ensure that you have made the following preparations:
  • You have created an Alibaba Cloud account. If you have not created an Alibaba Cloud account, log on to the Alibaba Cloud official website. For more information, see Create an Alibaba Cloud account.
  • You have created a VPC and a VSwitch. For more information, see Create a VPC.
  • You have created ECS instances in the VSwitch. For more information, see Create an instance by using the provided wizard.
  • You have added the ECS instances to a security group that allows Internet access to the ECS instances over HTTP. For more information, see the "Scenario 8: Allow public network access to your ECS instance over HTTP or HTTPS" section in Scenarios for security groups.

Background information

A company creates an Internet-facing Server Load Balancer (SLB) instance and ECS instances. Static pages are deployed on the ECS instances, a listener is configured on the SLB instance, and the ECS instances are added as backend servers of the SLB instance. By default, both Data Center 1 and Data Center 2 can reach the static pages through the public IP address of the SLB instance. For business reasons, the company wants only Data Center 1 to be able to reach the static pages, and wants requests from Data Center 2 to be denied.

The following table lists the public IP addresses of the two data centers and the SLB instance.

  Data center or SLB instance   Public IP address
  Data Center 1                 111.xx.xx.111
  Data Center 2                 222.xx.xx.222
  SLB instance                  33.xx.xx.33

As shown in the preceding figure, you associate a network ACL with the VSwitch (in the zone) to which the ECS instances belong. The inbound and outbound rules of the network ACL then govern the traffic that enters and leaves that VSwitch. Two properties of network ACLs matter for this scenario: rules are evaluated in ascending effective order and the first matching rule decides, and network ACLs are stateless, so reply traffic is checked against the outbound rules rather than being allowed implicitly as it is by a security group.

The following flowchart shows the configuration process.

Step 1: Create a network ACL

To create a network ACL, follow these steps:

  1. Log on to the VPC console.
  2. In the left-side navigation pane, click Network ACL.
  3. On the top of the page, select the region to which the network ACL belongs.
    Note The network ACL feature is applicable to the following regions: China (Qingdao), China (Beijing), China (Hohhot), China (Chengdu), China (Hangzhou), China (Shanghai), China (Shenzhen), China (Heyuan), China (Hong Kong), UK (London), US (Silicon Valley), Singapore, and Germany (Frankfurt).
  4. On the Network ACL page, click Create Network ACL.
  5. In the Create Network ACL dialog box that appears, set the following parameters for the network ACL, and click OK.
    • VPC: Select a VPC for the network ACL.
    • Name: Enter the name of the network ACL.
    • Description: Enter the description of the network ACL.

Step 2: Bind a VSwitch

To associate a VSwitch with the network ACL, follow these steps:

  1. Log on to the VPC console.
  2. In the left-side navigation pane, click Network ACL.
  3. On the top of the page, select the region to which the network ACL belongs.
  4. On the Network ACL page, find the network ACL that you want to manage, and click Manage in the Actions column for the network ACL.
  5. On the Resources tab, click Bind Resource.
  6. In the Bind Resource dialog box that appears, select a VSwitch and click OK.

Step 3: Add rules to the network ACL

To add inbound and outbound rules to the network ACL, follow these steps:

  1. Log on to the VPC console.
  2. In the left-side navigation pane, click Network ACL.
  3. On the top of the page, select the region to which the network ACL belongs.
  4. On the Network ACL page, find the network ACL that you want to manage, and click Inbound Rule in the Actions column for the network ACL.
  5. On the Inbound Rule tab, click Create Inbound Rule.
  6. In the Create Inbound Rule dialog box that appears, set the following parameters and click OK.
    Name                                         Effective order  Action  Protocol  Source IP addresses                                       Destination port range
    AllowHTTPRequestsFromOn-premisesDataCenter1  1                Accept  TCP       111.xx.xx.111 (the public IP address of Data Center 1)    80/80
    DenyHTTPRequestsFromOn-premisesDataCenter2   3                Drop    TCP       222.xx.xx.222 (the public IP address of Data Center 2)    80/80
    If health checks are enabled on the SLB instance, you must also add the following inbound rule. Its effective order of 2 places it between the two rules above.
    Name                Effective order  Action  Protocol  Source IP addresses                                                            Destination port range
    Allow Health Check  2                Accept  All       100.64.0.0/10 (the CIDR block from which SLB health check probes are sent)     -1/-1
    Note that the Drop rule matches only TCP port 80. Requests from Data Center 2 to any other port are not matched by it and are handled by the remaining rules of the network ACL.
  7. Click the Outbound Rule tab. Click Create Outbound Rule.
  8. In the Create Outbound Rule dialog box that appears, set the following parameters, and click OK.
    Name                                               Effective order  Action  Protocol  Destination IP addresses                                  Destination port range
    AllowTrafficToBeDestinedForOn-premisesDataCenter1  1                Accept  TCP       111.xx.xx.111 (the public IP address of Data Center 1)    80/80
    DenyTrafficToBeDestinedForOn-premisesDataCenter2   3                Drop    TCP       222.xx.xx.222 (the public IP address of Data Center 2)    80/80
    If health checks are enabled on the SLB instance, you must also add the following outbound rule.
    Name                Effective order  Action  Protocol  Destination IP addresses                                                     Destination port range
    Allow Health Check  2                Accept  All       100.64.0.0/10 (the CIDR block from which SLB health check probes are sent)   -1/-1
    Because network ACLs are stateless, the replies that the ECS instances send back toward Data Center 1 are also evaluated against the outbound rules. A reply to an HTTP request has source port 80 and the client's ephemeral port as its destination port, so the Data Center 1 rule above, which is limited to destination port 80, does not match it. Confirm that a lower-priority outbound rule in the network ACL admits these replies, or set the destination port range of the Data Center 1 rule to -1/-1 so that an explicit rule covers them.
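The following added example is not Alibaba Cloud code or the console's own logic. It models the rule semantics the steps above rely on (rules tried in ascending effective order, first match decides, no connection tracking) over the inbound and outbound tables from Step 3, so that you can check what each data center, the health check probes, and the ECS replies will get before binding the ACL. The RFC 5737 addresses 192.0.2.111 and 198.51.100.222 are constructed stand-ins for the masked 111.xx.xx.111 and 222.xx.xx.222, the health-check probe address and the ephemeral port 51234 are constructed, and the action taken when no rule matches is passed in as a parameter because it is not part of the tables above.

```python
"""Stateless, first-match evaluation of the network ACL rules in Step 3.

Added example, not Alibaba Cloud code. Documentation addresses stand in for
the masked data center IPs; the trailing default action is an explicit
parameter because the page's tables do not state it.
"""
import ipaddress
from dataclasses import dataclass

DC1 = "192.0.2.111"                 # constructed stand-in for Data Center 1 (111.xx.xx.111)
DC2 = "198.51.100.222"              # constructed stand-in for Data Center 2 (222.xx.xx.222)
HEALTH_CHECK_NET = "100.64.0.0/10"  # SLB health-check source range from the page


def parse_port_range(spec: str) -> tuple[int, int]:
    """'80/80' -> (80, 80); the page's '-1/-1' means every port."""
    lo, hi = (int(x) for x in spec.split("/"))
    if (lo, hi) == (-1, -1):
        return (1, 65535)
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range {spec!r}")
    return lo, hi


@dataclass(frozen=True)
class Rule:
    name: str
    order: int       # effective order: lower numbers are evaluated first
    action: str      # "accept" or "drop"
    protocol: str    # "tcp", "udp", "icmp" or "all"
    cidr: str        # source CIDR for inbound rules, destination CIDR for outbound
    ports: str       # destination port range, "lo/hi" or "-1/-1"

    def matches(self, proto: str, addr: str, dport: int) -> bool:
        if self.protocol not in ("all", proto):
            return False
        if ipaddress.ip_address(addr) not in ipaddress.ip_network(self.cidr, strict=False):
            return False
        lo, hi = parse_port_range(self.ports)
        return lo <= dport <= hi


def evaluate(rules, proto: str, addr: str, dport: int, default: str) -> tuple[str, str]:
    """Return (action, rule name) of the first matching rule, else (default, '<no match>')."""
    for rule in sorted(rules, key=lambda r: r.order):
        if rule.matches(proto, addr, dport):
            return rule.action, rule.name
    return default, "<no match>"


# The inbound and outbound rules from Step 3, health check rule included.
INBOUND = [
    Rule("AllowHTTPRequestsFromOn-premisesDataCenter1", 1, "accept", "tcp", DC1, "80/80"),
    Rule("Allow Health Check", 2, "accept", "all", HEALTH_CHECK_NET, "-1/-1"),
    Rule("DenyHTTPRequestsFromOn-premisesDataCenter2", 3, "drop", "tcp", DC2, "80/80"),
]
OUTBOUND = [
    Rule("AllowTrafficToBeDestinedForOn-premisesDataCenter1", 1, "accept", "tcp", DC1, "80/80"),
    Rule("Allow Health Check", 2, "accept", "all", HEALTH_CHECK_NET, "-1/-1"),
    Rule("DenyTrafficToBeDestinedForOn-premisesDataCenter2", 3, "drop", "tcp", DC2, "80/80"),
]


def inbound_decisions(default: str = "accept") -> dict[str, str]:
    """What the inbound rule set does with the requests the scenario cares about."""
    return {
        "dc1_http":      evaluate(INBOUND, "tcp", DC1, 80, default)[0],
        "dc2_http":      evaluate(INBOUND, "tcp", DC2, 80, default)[0],
        "health_probe":  evaluate(INBOUND, "tcp", "100.64.3.4", 80, default)[0],  # constructed probe source
        # Caveat: the drop rule is scoped to TCP/80, so DC2 on any other port
        # falls through to the trailing default.
        "dc2_port_8080": evaluate(INBOUND, "tcp", DC2, 8080, default)[0],
    }


def reply_to_dc1(rules, default: str) -> str:
    """Stateless check of the ECS reply to a DC1 request. The reply has source port 80
    and the client's ephemeral port (constructed here as 51234) as destination, so an
    outbound rule limited to destination port 80 never matches it."""
    return evaluate(rules, "tcp", DC1, 51234, default)[0]


# Outbound set whose DC1 rule covers every destination port, so replies are
# admitted by an explicit rule instead of by the trailing default.
OUTBOUND_WITH_REPLIES = [
    Rule("AllowTrafficToBeDestinedForOn-premisesDataCenter1", 1, "accept", "tcp", DC1, "-1/-1"),
] + OUTBOUND[1:]


if __name__ == "__main__":
    print(inbound_decisions())
    print("reply, page's outbound rules, default drop:", reply_to_dc1(OUTBOUND, "drop"))
    print("reply, all-port DC1 rule, default drop:    ", reply_to_dc1(OUTBOUND_WITH_REPLIES, "drop"))
```

Run it with a `default` of `"drop"` as well as `"accept"`: the Data Center 1 and Data Center 2 decisions on port 80 do not change, but everything the tables do not name (other ports, other sources, and the replies to Data Center 1 under the page's outbound rules) follows the default, which is exactly the set of flows worth confirming in the console before you bind the ACL to a production VSwitch.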

Step 4: Test the connectivity

To test the connectivity between the data centers and the SLB instance, follow these steps:

  1. On a computer in Data Center 1, open a browser.
  2. In the address bar, enter http://33.xx.xx.33 to test the connectivity.
    The static pages on the ECS instances are returned, which shows that Data Center 1 can access them.
  3. On a computer in Data Center 2, open a browser.
  4. In the address bar, enter http://33.xx.xx.33 to test the connectivity.
    The request times out without returning the static pages, which shows that Data Center 2 is denied access.