A network access control list (ACL) allows you to manage network access in a virtual private cloud (VPC). You can create a network ACL in a VPC and add inbound and outbound rules to the network ACL. After you create a network ACL, you can associate it with a vSwitch. This way, you can use the network ACL to control the traffic that flows through the Elastic Compute Service (ECS) instances that are connected to the vSwitch.
Operations
Create a network ACL
Before you create a network ACL, make sure that a VPC is created. For more information, see Create and manage a VPC.
Add rules to the network ACL
After you create a network ACL, you can add inbound rules to the network ACL. You can use inbound rules to control whether ECS instances in a vSwitch can be accessed over the Internet or private networks. You can also add outbound rules to the network ACL. You can use outbound rules to control whether ECS instances in a vSwitch can access the Internet or private networks.
- Log on to the VPC console.
- In the left-side navigation pane, choose .
- In the top navigation bar, select the region where the network ACL is created.
- On the Network ACL page, find the network ACL that you want to manage and click its ID.
- On the Basic Information page, you can create inbound and outbound rules.
- Create an inbound rule
- Click the Inbound Rule tab, and then click Manage Inbound Rule.
- Set the following parameters and click OK.
- Priority: The priority of the inbound rule. A smaller value indicates a higher priority. You can create at most 20 rules. For more information, see Rule priorities.
- Rule Name: Enter a name for the inbound rule. The name must be 2 to 128 characters in length, and can contain letters, digits, underscores (_), and hyphens (-). The name must start with a letter and cannot start with http:// or https://.
- Action: Select an action for the inbound rule. Valid values:
  - Accept: accepts network traffic that is destined for the ECS instances connected to the vSwitch.
  - Drop: drops network traffic that is destined for the ECS instances connected to the vSwitch.
- Protocol: Select a transport layer protocol. Valid values:
  - ALL: all protocols
  - ICMP: Internet Control Message Protocol (ICMP)
  - GRE: Generic Routing Encapsulation (GRE)
  - TCP: Transmission Control Protocol (TCP)
  - UDP: User Datagram Protocol (UDP)
- Source IP Addresses: The source CIDR block from which data is transmitted. Default value: 0.0.0.0/32.
- Destination Port Range: Enter the destination port range of the inbound rule. Valid values: 1 to 65535. Separate the first port and last port with a forward slash (/), for example, 1/200 or 80/80. A value of -1/-1 specifies all ports. You cannot set only one of the two ports to -1.
- Create an outbound rule
- Click the Outbound Rule tab, and then click Manage Outbound Rule.
- Set the following parameters and click OK.
- Priority: The priority of the outbound rule. A smaller value indicates a higher priority. You can create at most 20 rules. For more information, see Rule priorities.
- Rule Name: Enter a name for the outbound rule. The name must be 2 to 128 characters in length, and can contain letters, digits, underscores (_), and hyphens (-). The name must start with a letter and cannot start with http:// or https://.
- Action: Select an action for the outbound rule. Valid values:
  - Accept: allows ECS instances connected to the vSwitch to access the Internet or other private networks.
  - Drop: forbids ECS instances connected to the vSwitch from accessing the Internet or other private networks.
- Protocol: Select a transport layer protocol. Valid values:
  - ALL: all protocols
  - ICMP: Internet Control Message Protocol (ICMP)
  - GRE: Generic Routing Encapsulation (GRE)
  - TCP: Transmission Control Protocol (TCP)
  - UDP: User Datagram Protocol (UDP)
- Destination IP Address: Specify the destination CIDR block of the traffic. Default value: 0.0.0.0/32.
- Destination Port Range: Enter the destination port range of the outbound rule. Valid values: 1 to 65535. Separate the first port and last port with a forward slash (/), for example, 1/200 or 80/80. A value of -1/-1 specifies all ports. You cannot set only one of the two ports to -1.
Change the priorities of network ACL rules
Network ACL rules take effect in descending order of priority. A smaller value indicates a higher priority. You can prioritize network ACL rules based on your business requirements.
- Log on to the VPC console.
- In the left-side navigation pane, choose .
- In the top navigation bar, select the region where the network ACL is created.
- On the Network ACL page, find the network ACL that you want to manage and click its ID.
- On the Basic Information page, you can change the priorities of inbound and outbound rules.
- Change the priority of an inbound rule
- Click the Inbound Rule tab, and then click Manage Inbound Rule.
- Drag and drop an inbound rule upwards or downwards, and then click OK.
- Change the priority of an outbound rule
- Click the Outbound Rule tab, and then click Manage Outbound Rule.
- Drag and drop an outbound rule upwards or downwards, and then click OK.
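The rule constraints listed in the previous section (name format, port-range syntax, the 20-rule limit) and the priority ordering described here can be checked before a rule set is applied. The following Python model is an added example and is not code from the Alibaba Cloud documentation or SDK. It assumes first-match semantics (rules are evaluated from the smallest priority value upwards and the first matching rule decides), and the Rule class, the helper functions and the sample inbound rule set are constructed for this example; an evaluation that matches no rule returns None rather than asserting any platform default.

```python
"""Added example: validate network ACL rules and simulate priority-ordered matching.
Not the documentation's or the SDK's own code; first-match semantics are assumed."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

MAX_RULES = 20  # per-direction rule limit stated on the page
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_-]{1,127}$")  # 2-128 chars, starts with a letter
PROTOCOLS = ("ALL", "ICMP", "GRE", "TCP", "UDP")


@dataclass(frozen=True)
class Rule:  # constructed for this example
    priority: int      # smaller value = evaluated earlier
    name: str
    action: str        # "Accept" or "Drop"
    protocol: str      # one of PROTOCOLS
    cidr: str          # source CIDR (inbound) or destination CIDR (outbound)
    port_range: str    # "first/last", or "-1/-1" for all ports


def parse_port_range(spec: str) -> tuple[int, int]:
    """Accept 'first/last' with 1 <= first <= last <= 65535, or '-1/-1' for all ports.
    A -1 on only one side (for example '-1/80') is rejected."""
    parts = spec.split("/")
    if len(parts) != 2:
        raise ValueError(f"port range must be 'first/last': {spec!r}")
    first, last = (int(p) for p in parts)
    if (first, last) == (-1, -1):
        return (1, 65535)
    if not 1 <= first <= last <= 65535:
        raise ValueError(f"invalid port range: {spec!r}")
    return (first, last)


def validate_rule(rule: Rule) -> None:
    """Raise ValueError if a single rule violates the constraints listed on the page."""
    if not NAME_RE.match(rule.name) or rule.name.lower().startswith(("http://", "https://")):
        raise ValueError(f"invalid rule name: {rule.name!r}")
    if rule.action not in ("Accept", "Drop"):
        raise ValueError(f"invalid action: {rule.action!r}")
    if rule.protocol not in PROTOCOLS:
        raise ValueError(f"invalid protocol: {rule.protocol!r}")
    ipaddress.ip_network(rule.cidr)  # raises on a malformed CIDR block
    parse_port_range(rule.port_range)


def ordered_rules(rules: list[Rule]) -> list[Rule]:
    """Validate the whole set and return it in evaluation order (ascending priority value)."""
    if len(rules) > MAX_RULES:
        raise ValueError(f"at most {MAX_RULES} rules are allowed, got {len(rules)}")
    priorities = [r.priority for r in rules]
    if len(set(priorities)) != len(priorities):
        raise ValueError("rule priorities must be unique")
    for r in rules:
        validate_rule(r)
    return sorted(rules, key=lambda r: r.priority)


def evaluate(rules: list[Rule], protocol: str, ip: str,
             port: Optional[int] = None) -> Optional[tuple[str, str]]:
    """Return (action, rule name) of the first matching rule, or None if nothing matches.
    Port ranges are only applied to TCP and UDP packets."""
    addr = ipaddress.ip_address(ip)
    for rule in ordered_rules(rules):
        if rule.protocol not in ("ALL", protocol):
            continue
        if addr not in ipaddress.ip_network(rule.cidr):
            continue
        if protocol in ("TCP", "UDP"):
            lo, hi = parse_port_range(rule.port_range)
            if port is None or not lo <= port <= hi:
                continue
        return (rule.action, rule.name)
    return None


def shadowed_rules(rules: list[Rule]) -> list[str]:
    """Names of rules that can never match because a higher-priority rule already covers
    their protocol, address block and port range. Worth running before reordering rules:
    dragging a broad Drop rule upwards hides every narrower Accept rule below it."""
    shadowed = []
    ordered = ordered_rules(rules)
    for i, later in enumerate(ordered):
        later_net = ipaddress.ip_network(later.cidr)
        later_lo, later_hi = parse_port_range(later.port_range)
        for earlier in ordered[:i]:
            elo, ehi = parse_port_range(earlier.port_range)
            if (earlier.protocol in ("ALL", later.protocol)
                    and later_net.subnet_of(ipaddress.ip_network(earlier.cidr))
                    and elo <= later_lo and later_hi <= ehi):
                shadowed.append(later.name)
                break
    return shadowed


# Constructed inbound rule set: web from anywhere, SSH only from one office block, drop the rest.
INBOUND = [
    Rule(1, "allow-web", "Accept", "TCP", "0.0.0.0/0", "80/80"),
    Rule(2, "allow-office-ssh", "Accept", "TCP", "203.0.113.0/24", "22/22"),
    Rule(3, "deny-all", "Drop", "ALL", "0.0.0.0/0", "-1/-1"),
]

if __name__ == "__main__":
    print(evaluate(INBOUND, "TCP", "198.51.100.7", 80))   # ('Accept', 'allow-web')
    print(evaluate(INBOUND, "TCP", "198.51.100.7", 22))   # ('Drop', 'deny-all')
    print(evaluate(INBOUND, "TCP", "203.0.113.5", 22))    # ('Accept', 'allow-office-ssh')
    print(shadowed_rules(INBOUND))                        # []
    # Dragging deny-all to the top (priority 1) makes the Accept rule unreachable.
    reordered = [Rule(1, "deny-all", "Drop", "ALL", "0.0.0.0/0", "-1/-1"),
                 Rule(2, "allow-web", "Accept", "TCP", "0.0.0.0/0", "80/80")]
    print(shadowed_rules(reordered))                      # ['allow-web']
```

Running the script shows why the order of the rules matters more than their count: the same three rules either expose port 80 and office SSH or block everything, depending only on where the catch-all Drop rule sits. Checking `shadowed_rules` after every drag-and-drop change is a cheap way to catch an accidental lockout before the ACL is associated with a vSwitch.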
Associate a network ACL with a vSwitch
Before you associate a network ACL with a vSwitch, make sure that the following requirements are met:
- A network ACL is created and network ACL rules are added to it.
- A vSwitch is created. The vSwitch and network ACL must belong to the same VPC. For more information, see Work with vSwitches.
Disassociate a network ACL from a vSwitch
You can disassociate a network ACL from a vSwitch. After the network ACL is disassociated from the vSwitch, the network ACL no longer controls traffic that flows through the ECS instances connected to the vSwitch.
- Log on to the VPC console.
- In the left-side navigation pane, choose .
- In the top navigation bar, select the region where the network ACL is created.
- On the Network ACL page, find the network ACL that you want to manage and click Associate vSwitch in the Actions column.
- On the Resources tab, find the vSwitch and click Unbind in the Actions column.
- In the Unbind Network ACL message, click OK.
Delete a network ACL
Before you delete a network ACL, you must disassociate the network ACL from the vSwitch.
- Log on to the VPC console.
- In the left-side navigation pane, choose .
- In the top navigation bar, select the region where the network ACL is created.
- On the Network ACL page, find the network ACL that you want to delete and click Delete in the Actions column.
- In the Delete Network ACL message, click OK.
References
- CreateNetworkAcl: creates a network ACL.
- UpdateNetworkAclEntries: updates the rules of a network ACL.
- AssociateNetworkAcl: associates a network ACL with a vSwitch.
- UnassociateNetworkAcl: disassociates a network ACL from a vSwitch.
- DeleteNetworkAcl: deletes a network ACL.