Virtual Private Cloud: Manage communication between a data center and a VPC

Last Updated: Sep 21, 2023

This topic describes how to use network access control lists (ACLs) to manage communication between a data center and a virtual private cloud (VPC).

Prerequisites

Background information

A company has created an Internet-facing Server Load Balancer (SLB) instance and ECS instances. Static pages are hosted on the ECS instances. A listener has been configured for the SLB instance, and the ECS instances are added as backend servers for the SLB instance. By default, Data Center 1 and Data Center 2 can access the static pages through the public IP address of the SLB instance. To meet business requirements, the company wants to allow Data Center 1 to access the static pages, and deny access from Data Center 2 to the static pages.

The following table lists the public IP addresses of the data centers and the SLB instance.
  Network        Public IP address
  Data Center 1  111.XX.XX.111
  Data Center 2  222.XX.XX.222
  SLB instance   33.XX.XX.33
Architecture

You can associate a network ACL with the vSwitch to which the ECS instances belong. Then, you can configure network ACL rules to control inbound and outbound network traffic transmitted through the vSwitch.

The following flowchart shows the procedure.
[Flowchart: Procedure]

Step 1: Create a network ACL

  1. Log on to the VPC console.
  2. In the left-side navigation pane, choose ACL > Network ACL.
  3. In the top navigation bar, select the region to which the network ACL that you want to manage belongs.
  4. On the Network ACL page, click Create Network ACL.
  5. In the Create Network ACL dialog box, set the following parameters and click OK:
    • VPC: Select the VPC for which you want to create the network ACL.
    • Name: Enter a name for the network ACL.
    • Description: Enter a description for the network ACL.

Step 2: Associate the network ACL with a vSwitch

  1. Log on to the VPC console.
  2. In the left-side navigation pane, choose ACL > Network ACL.
  3. In the top navigation bar, select the region to which the network ACL that you want to manage belongs.
  4. On the Network ACL page, find the network ACL that you want to manage and click its ID.
  5. On the Associated Resources tab, click Associate vSwitch.
  6. In the Associate vSwitch dialog box, select the vSwitch and click OK.

Step 3: Add rules to the network ACL

Add inbound and outbound rules to the network ACL.

  1. Log on to the VPC console.
  2. In the left-side navigation pane, choose ACL > Network ACL.
  3. In the top navigation bar, select the region to which the network ACL that you want to manage belongs.
  4. On the Network ACL page, find the network ACL that you want to manage and click Create Inbound Rule in the Actions column.
  5. On the Inbound Rule tab, click Manage Inbound Rule.
  6. Set the following parameters and click OK.
    Priority  Rule Name                               Action  Protocol  Source IP Addresses                                                  Destination Port Range
    1         Allow-HTTP-requests-from-Data-Center-1  Accept  TCP       The public IP address of Data Center 1 (111.XX.XX.111 in this example)  80/80
    3         Drop-HTTP-requests-from-Data-Center-2   Drop    TCP       The public IP address of Data Center 2 (222.XX.XX.222 in this example)  80/80
    You must add the following inbound rule if the health check feature is enabled for the SLB instance.
    Priority  Rule Name            Action  Protocol  Source IP Addresses                                                    Destination Port Range
    2         Allow-health-checks  Accept  ALL       The CIDR block used to perform health checks (set the value to 100.64.0.0/10)  -1/-1
  7. Click the Outbound Rule tab, and then click Manage Outbound Rule.
  8. Set the following parameters and click OK.
    Priority  Rule Name                                       Action  Protocol  Destination IP Address                                               Destination Port Range
    1         Allow-HTTP-traffic-destined-for-Data-Center-1   Accept  TCP       The public IP address of Data Center 1 (111.XX.XX.111 in this example)  1/65535
    3         Drop-HTTP-requests-destined-for-Data-Center-2   Drop    TCP       The public IP address of Data Center 2 (222.XX.XX.222 in this example)  1/65535
    You must add the following outbound rule if you enable the health check feature for the SLB instance.
    Priority  Rule Name            Action  Protocol  Destination IP Address                                                 Destination Port Range
    2         Allow-health-checks  Accept  ALL       The CIDR block used to perform health checks (set the value to 100.64.0.0/10)  -1/-1

Step 4: Test the connectivity

To test the connectivity between the data centers and the SLB instance, perform the following steps:

  1. Open the browser on a computer in Data Center 1.
  2. Enter http://33.XX.XX.33 in the address bar of the browser to test the connectivity.
    The result shows that the device in Data Center 1 can access the static pages on the ECS instances.
  3. Open the browser on a device in Data Center 2.
  4. Enter http://33.XX.XX.33 in the address bar of the browser to test the connectivity.
    The result shows that the device in Data Center 2 cannot access the static pages on the ECS instances.
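The following Python model is added here and is not part of the Alibaba Cloud documentation. It replays the Step 3 rule set against the Step 4 connectivity test under a simplified first-match-by-priority model (an assumption about how the ACL is evaluated), and its default_independent check confirms that both data centers are decided by an explicit rule rather than by whatever default action applies when nothing matches. The data center addresses are constructed stand-ins for the masked values on the page.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    priority: int    # lower number is evaluated first
    name: str
    action: str      # "Accept" or "Drop"
    protocol: str    # "TCP", "UDP", "ICMP" or "ALL"
    cidr: str        # source addresses (inbound) or destination addresses (outbound)
    ports: tuple     # (low, high) destination ports; (-1, -1) means all ports

def matches(rule, addr, protocol, port):
    """True if the packet's protocol, address and destination port all fall inside the rule."""
    if rule.protocol not in ("ALL", protocol):
        return False
    if ip_address(addr) not in ip_network(rule.cidr, strict=False):
        return False
    low, high = rule.ports
    return (low, high) == (-1, -1) or low <= port <= high

def evaluate(rules, addr, protocol, port, default="Accept"):
    """Simplified model: first matching rule in priority order decides; `default` applies only when none matches."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if matches(rule, addr, protocol, port):
            return rule.action, rule.name
    return default, "no-rule-matched"

def default_independent(rules, addr, protocol, port):
    """True when an explicit rule, not the ACL's default action, decides this flow."""
    return evaluate(rules, addr, protocol, port, "Accept")[0] == evaluate(rules, addr, protocol, port, "Drop")[0]

# Constructed stand-ins for the masked addresses 111.XX.XX.111 and 222.XX.XX.222 on the page.
DC1, DC2 = "111.0.0.111", "222.0.0.222"
# Inbound rules from Step 3 (matched on source address).
INBOUND = [
    Rule(1, "Allow-HTTP-requests-from-Data-Center-1", "Accept", "TCP", f"{DC1}/32", (80, 80)),
    Rule(2, "Allow-health-checks", "Accept", "ALL", "100.64.0.0/10", (-1, -1)),
    Rule(3, "Drop-HTTP-requests-from-Data-Center-2", "Drop", "TCP", f"{DC2}/32", (80, 80)),
]
# Outbound rules from Step 3 (matched on destination address).
OUTBOUND = [
    Rule(1, "Allow-HTTP-traffic-destined-for-Data-Center-1", "Accept", "TCP", f"{DC1}/32", (1, 65535)),
    Rule(2, "Allow-health-checks", "Accept", "ALL", "100.64.0.0/10", (-1, -1)),
    Rule(3, "Drop-HTTP-requests-destined-for-Data-Center-2", "Drop", "TCP", f"{DC2}/32", (1, 65535)),
]

if __name__ == "__main__":  # replays the Step 4 test against the inbound rule set
    for src in (DC1, DC2, "100.64.1.2"):
        print(src, evaluate(INBOUND, src, "TCP", 80))
```

Traffic from Data Center 2 to a port other than 80 matches no rule, so its fate depends on the ACL's default action; default_independent returns False for such a flow and flags it for review.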