Overview of network ACLs - Virtual Private Cloud - Alibaba Cloud Documentation Center

Feature release and supported regions


Area	Region
Asia Pacific	China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Ulanqab), China (Hangzhou), China (Shanghai), China (Nanjing - Local Region), China (Fuzhou - Local Region), China (Shenzhen), China (Heyuan), China (Guangzhou), China (Chengdu), China (Hong Kong), Japan (Tokyo), South Korea (Seoul), Singapore, Australia (Sydney), Malaysia (Kuala Lumpur), Indonesia (Jakarta), Philippines (Manila), Thailand (Bangkok), and India (Mumbai)
Europe & Americas	Germany (Frankfurt), UK (London), US (Silicon Valley), and US (Virginia)
Middle East	UAE (Dubai)

Features

A network ACL is used to filter inbound and outbound network traffic of ECS instances that are attached to the vSwitch with which the network ACL is associated. The network traffic forwarded to ECS instances by a Server Load Balancer (SLB) instance is also filtered.

Note The network traffic of an ECS instance is not filtered by a network ACL in the following scenario: The ECS instance is associated with a secondary elastic network interface (ENI) and the secondary ENI is associated with an elastic IP address (EIP) in cut-through mode. For more information, see Associate an EIP with a secondary ENI in cut-through mode.
Network ACLs are stateless. If you configure an inbound rule that allows traffic, you must also configure a corresponding outbound rule. Otherwise, the system may fail to respond to requests.
If you create a network ACL that does not contain a rule, all inbound traffic and outbound traffic are denied.
If a network ACL is associated with a vSwitch, the network ACL does not filter the traffic forwarded between ECS instances that are attached to the vSwitch.

Descriptions

You can add rules to or delete rules from a network ACL. Changes to the rules are automatically synchronized to the associated vSwitch. By default, an inbound rule and an outbound rule are automatically added to a newly created network ACL. These rules allow all inbound and outbound network traffic transmitted through the associated vSwitch. You can delete the default rules. The following table describes the default inbound and outbound rules.

Default inbound rule


Effective order	Protocol	Source IP Addresses	Destination Port Range	Action	Type
1	ALL	0.0.0.0/0	-1/-1	Accept	Custom

Default outbound rule


Effective order	Protocol	Destination IP Address	Destination Port Range	Action	Type
1	ALL	0.0.0.0/0	-1/-1	Accept	Custom

A rule of a network ACL contains the following parameters:

Effective order: the priority of the rule. A smaller value specifies a higher priority. The system matches requests against rules in descending order of priority. Rule 1 has the highest priority. If a request matches a rule, the system applies the rule to the request and ignores the other rules.

For example, the following rules are added to a network ACL and requests destined for IP address 172.16.0.1 are sent from an ECS instance. In this case, the requests match Rules 2 and 3. Rule 2 has a higher priority than Rule 3. Therefore, the system applies Rule 2. Based on the action of Rule 2, the requests are denied.


Effective order	Protocol	Destination IP Address	Destination Port Range	Action	Type
1	ALL	10.0.0.0/8	-1/-1	Accept	Custom
2	ALL	172.16.0.0/12	-1/-1	Drop	Custom
3	ALL	172.16.0.0/12	-1/-1	Accept	Custom

Action: the action to be performed on specific traffic. Valid values: Accept and Drop.
Protocol: the protocol of traffic. Valid values:
- ALL: all protocols. If you select ALL, you cannot specify a port range. The port range is set to -1/-1, which specifies all ports.
- ICMP: Internet Control Message Protocol (ICMP). If you select ICMP, you cannot specify a port range. The port range is set to -1/-1, which specifies all ports.
- GRE: Generic Routing Encapsulation (GRE). If you select GRE, you cannot specify a port range. The port range is set to -1/-1, which specifies all ports.
- TCP: Transmission Control Protocol (TCP). If you select TCP, you can specify a port range in 1/200 or 80/80 format. You cannot specify -1/-1. Valid values for a port: 1 to 65535.
- UDP: User Datagram Protocol (UDP). If you select UDP, you can specify a port range in 1/200 or 80/80 format. You cannot specify -1/-1. Valid values for a port: 1 to 65535.
Source IP Addresses: the source IP addresses from which inbound traffic is transmitted. This parameter is available only when you configure an inbound rule.
Destination IP Address: the destination IP addresses to which outbound traffic is transmitted. This parameter is available only when you configure an outbound rule.
Destination Port Range: the range of destination ports to which the inbound rule applies.
Destination Port Range: the range of destination ports to which the outbound rule applies.

Comparison between network ACLs and security groups

Network ACLs control data transmitted through associated vSwitches while security groups control data transmitted through associated ECS instances. The following table describes the differences between network ACLs and security groups.


Feature	Network ACL	Security group
Application scope	vSwitches	ECS instances
Status of returned traffic	Stateless: Returned traffic must be allowed by inbound rules.	Stateful: Returned traffic is automatically allowed and not affected by rules.
Whether rules are evaluated	The system matches a request against rules in descending order of priority. Not all rules are matched.	The system matches a request against all rules before a rule is applied.
Association with ECS instances	The vSwitch to which an ECS instance belongs can be associated with only one network ACL.	Each ECS instance can be added to more than one security group.

The following figure shows how network ACLs and security groups are applied to ensure network security.

Limits


Item	Limit	Adjustable
Maximum number of network ACLs that can be created in each VPC	20	No quotas
Maximum number of rules that can be added to a network ACL	Inbound rules: 20 Outbound rules: 20	You can request a quota increase by using one of the following methods: Go to Quota Management page to request a quota increase. For more information, see Manage quotas. Log on to the Quota Center page to request a quota increase. For more information, see Submit an application to increase a quota.
VPCs that do not support network ACLs	If a VPC contains an ECS instance of the following instance families, the VPC does not support network ACLs: ecs.c1, ecs.c2, ecs.c4, ecs.ce4, ecs.cm4, ecs.d1, ecs.e3, ecs.e4, ecs.ga1, ecs.gn4, ecs.gn5, ecs.i1, ecs.m1, ecs.m2, ecs.mn4, ecs.n1, ecs.n2, ecs.n4, ecs.s1, ecs.s2, ecs.s3, ecs.se1, ecs.sn1, ecs.sn2, ecs.t1, and ecs.xn4. For more information, see Advanced VPC features.	If your Elastic Compute Service (ECS) instance does not support advanced virtual private cloud (VPC) features, upgrade or release the ECS instance. For more information about how to upgrade an ECS instance, see Upgrade the instance types of subscription instances and Change the instance type of a pay-as-you-go instance. For more information about how to release an ECS instance, see Release an instance. Note If a VPC contains an ECS instance of the specified instance families and the network ACL feature is enabled, you must upgrade or release the ECS instance for the network ACL to work as expected.

Procedure

For more information, see Work with network ACLs.