This topic describes how to use network access control lists (ACLs) to manage intercommunication between an on-premises data center and a Virtual Private Cloud (VPC) network.

Prerequisites

Before you start, make sure that the following requirements are met:

Background information

A company has created a public-facing Server Load Balancer (SLB) instance and multiple ECS instances. Static pages are hosted on the ECS instances. A listener has been configured for the SLB instance, and the ECS instances are specified as backend servers of the SLB instance. By default, Data Center 1 and Data Center 2 can both access the static pages through the public IP address of the SLB instance. To meet business requirements, the company wants to allow Data Center 1 to access the static pages and deny Data Center 2 access to them.

The following table lists the public IP addresses of the on-premises data centers and the SLB instance.

  Data center / SLB instance     Public IP address
  On-premises Data Center 1      111.xx.xx.111
  On-premises Data Center 2      222.xx.xx.222
  SLB instance                   33.xx.xx.33

As the preceding figure shows, you associate a network ACL with the VSwitch to which the ECS instances are attached, and then configure network ACL rules to control the inbound and outbound traffic that passes through the VSwitch. The rules in this topic match on the public IP addresses of the data centers, so they only work if the ECS instances see those addresses as the source of the packets. That is the case for a Layer 4 (TCP) listener, which preserves the client address. With a Layer 7 (HTTP or HTTPS) listener the backend servers see the internal address of the SLB instance, and the client address is only carried in the X-Forwarded-For header, which a network ACL cannot evaluate.

The following flowchart shows the configuration procedure.

Step 1: Create a network ACL

To create a network ACL, perform the following steps:

  1. Log on to the VPC console.
  2. In the left-side navigation pane, click Network ACL.
  3. In the top navigation bar, select the region where you want to create the network ACL.
  4. On the Network ACL page, click Create Network ACL.
  5. In the Create Network ACL dialog box, set the following parameters, and click OK.
    • VPC: Select the VPC network for which you want to create the network ACL.
    • Name: Enter a name for the network ACL.

      The name must be 2 to 128 characters in length, and can contain letters, Chinese characters, digits, underscores (_), and hyphens (-). It must start with a letter or a Chinese character.

    • Description: Enter a description of the network ACL.

      The description must be 2 to 256 characters in length, and cannot start with http:// or https://.

Step 2: Associate the network ACL with a VSwitch

To associate a VSwitch with the network ACL, perform the following steps:

  1. Log on to the VPC console.
  2. In the left-side navigation pane, click Network ACL.
  3. In the top navigation bar, select the region where the network ACL is created.
  4. On the Network ACL page, find the network ACL that you want to manage, and click Manage in the Actions column.
  5. On the Resources tab, click Bind Resource.
  6. In the Bind Resource dialog box, select a VSwitch, and click OK.

Step 3: Add network ACL rules

To add inbound and outbound rules to the network ACL, perform the following steps:

  1. Log on to the VPC console.
  2. In the left-side navigation pane, click Network ACL.
  3. In the top navigation bar, select the region where the network ACL is created.
  4. On the Network ACL page, find the network ACL that you want to manage, and click Inbound Rule in the Actions column.
  5. On the Inbound Rule tab, click Create Inbound Rule.
  6. In the Create Inbound Rule dialog box, set the following parameters, and click OK. Rules are evaluated in ascending order of Effective order, and the first rule that matches a packet decides whether the packet is allowed or denied.

     Name                                      Effective order   Action   Protocol   Source IP address                                        Destination port range
     Accept HTTP requests from Data Center 1   1                 Allow    TCP        111.xx.xx.111 (the public IP address of Data Center 1)   80/80
     Drop HTTP requests from Data Center 2     3                 Deny     TCP        222.xx.xx.222 (the public IP address of Data Center 2)   80/80

     If the health check feature is enabled for the SLB instance, you must also add the following inbound rule. Health check packets are sent from 100.64.0.0/10, and if they are dropped the SLB instance marks the ECS instances as unhealthy and stops forwarding requests to them.

     Name                  Effective order   Action   Protocol   Source IP address                                                                   Destination port range
     Allow health checks   2                 Allow    All        The CIDR block from which health checks are sent. Only 100.64.0.0/10 is allowed.   -1/-1
  7. Click the Outbound Rule tab, and click Create Outbound Rule.
  8. In the Create Outbound Rule dialog box, set the following parameters, and click OK. Outbound rules are evaluated in the same way, in ascending order of Effective order with the first match deciding.

     Name                                           Effective order   Action   Protocol   Destination IP address                                   Destination port range
     Accept HTTP traffic destined for Data Center 1   1                 Allow    TCP        111.xx.xx.111 (the public IP address of Data Center 1)   80/80
     Block HTTP traffic destined for Data Center 2    3                 Deny     TCP        222.xx.xx.222 (the public IP address of Data Center 2)   80/80

     If the health check feature is enabled for the SLB instance, you must also add the following outbound rule so that the ECS instances can answer the health checks.

     Name                  Effective order   Action   Protocol   Destination IP address                                                             Destination port range
     Allow health checks   2                 Allow    All        The CIDR block to which health check responses are sent. Only 100.64.0.0/10 is allowed.   -1/-1
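The following added example is not code from the original page or from Alibaba Cloud; it simulates how the inbound rules from Step 3 are applied to packets so that the outcome of Step 4 can be checked before touching the console. It assumes that rules are evaluated in ascending Effective order with the first match deciding, uses 111.0.0.111 and 222.0.0.222 as placeholders for the masked addresses 111.xx.xx.111 and 222.xx.xx.222, and takes the policy for packets that match no rule as an explicit parameter because the page does not say what the trailing default rule of the network ACL does.

```python
"""Simulate first-match evaluation of the Step 3 inbound network ACL rules.

Added example, not code from the original page or from Alibaba Cloud.
Assumptions: first-match semantics in ascending Effective order;
111.0.0.111 / 222.0.0.222 stand in for the masked data center addresses;
the policy for unmatched packets is supplied by the caller.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class AclEntry:
    name: str
    order: int        # Effective order: lower values are evaluated first
    policy: str       # "accept" (Allow) or "drop" (Deny)
    protocol: str     # "all", "tcp", "udp" or "icmp"
    cidr: str         # source CIDR for inbound rules, destination CIDR for outbound rules
    port: str         # "lo/hi" destination port range; "-1/-1" means any port


@dataclass(frozen=True)
class Packet:
    protocol: str
    addr: str         # source address (inbound) or destination address (outbound)
    dport: int        # destination port


def entry_matches(entry: AclEntry, pkt: Packet) -> bool:
    """True if the packet satisfies the protocol, CIDR and port range of the rule."""
    if entry.protocol != "all" and entry.protocol != pkt.protocol:
        return False
    if ip_address(pkt.addr) not in ip_network(entry.cidr, strict=False):
        return False
    lo, hi = (int(p) for p in entry.port.split("/"))
    if (lo, hi) == (-1, -1):
        return True
    return lo <= pkt.dport <= hi


def evaluate(entries, pkt: Packet, default_policy: str):
    """Return (policy, rule name) of the first matching rule, or (default_policy, "default")."""
    for entry in sorted(entries, key=lambda e: e.order):
        if entry_matches(entry, pkt):
            return entry.policy, entry.name
    return default_policy, "default"


def falls_through(entries, packets):
    """Packets that no explicit rule decides, i.e. whose fate is left to the default rule."""
    return [p for p in packets if evaluate(entries, p, "drop")[1] == "default"]


# The three inbound rules of Step 3 (placeholder /32 addresses, see module docstring).
INBOUND_RULES = [
    AclEntry("Accept HTTP requests from Data Center 1", 1, "accept", "tcp", "111.0.0.111/32", "80/80"),
    AclEntry("Allow health checks", 2, "accept", "all", "100.64.0.0/10", "-1/-1"),
    AclEntry("Drop HTTP requests from Data Center 2", 3, "drop", "tcp", "222.0.0.222/32", "80/80"),
]

# Constructed packets as the ECS instances would see them behind a Layer 4 listener.
DC1_HTTP = Packet("tcp", "111.0.0.111", 80)       # Step 4, Data Center 1
DC2_HTTP = Packet("tcp", "222.0.0.222", 80)       # Step 4, Data Center 2
HEALTH_CHECK = Packet("tcp", "100.64.5.6", 80)    # assumed probe address inside 100.64.0.0/10
DC2_HTTPS = Packet("tcp", "222.0.0.222", 443)     # not covered by any rule on the page

if __name__ == "__main__":
    for pkt in (DC1_HTTP, DC2_HTTP, HEALTH_CHECK, DC2_HTTPS):
        policy, rule = evaluate(INBOUND_RULES, pkt, "accept")
        print(f"{pkt.addr}:{pkt.dport}/{pkt.protocol} -> {policy} ({rule})")
    print("left to the default rule:", falls_through(INBOUND_RULES, [DC1_HTTP, DC2_HTTP, HEALTH_CHECK, DC2_HTTPS]))
```

The simulation reproduces the Step 4 result for port 80 and also shows what the page's rules do not decide: the Deny rule for Data Center 2 is limited to TCP port 80, so a request from Data Center 2 to any other port on the ECS instances is handed to whatever rule follows these three, and the same applies to every other source address. Because network ACLs are stateless, the same function can be run over the outbound table with the destination address in `addr`; note that the HTTP responses the ECS instances return have an ephemeral destination port, so they are not decided by the 80/80 outbound rules either.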

Step 4: Test the connectivity

To test the connectivity between the data centers and SLB instance, perform the following steps:

  1. Open a browser on a computer in Data Center 1.
  2. Enter http://33.xx.xx.33 into the address bar of the browser to test the connectivity.
    The static pages load, which shows that the computer in Data Center 1 can access the static pages on the ECS instances.
  3. Open a browser on a computer in Data Center 2.
  4. Enter http://33.xx.xx.33 into the address bar of the browser to test the connectivity.
    The request times out, which shows that the computer in Data Center 2 cannot access the static pages on the ECS instances.