Virtual Private Cloud:Network ACLs

Last Updated:May 27, 2026

Network ACLs let you control inbound and outbound traffic at the vSwitch level by defining prioritized allow or deny rules.

How it works

Scope

A network ACL applies only to elastic network interfaces (ENIs) within the associated vSwitch.

  1. A network ACL controls traffic for cloud resources that use ENIs, such as ECS, ECI, and NLB instances.

    ApsaraDB RDS and CLB instances do not use ENIs, so network ACLs do not apply. RDS access is controlled by whitelists, and CLB access by access control policies.
    A network ACL does not control traffic for a secondary ENI associated with an EIP in ENI-visible mode.
  2. PrivateLink traffic passes through the interface endpoint ENI and is subject to network ACL rules.

    [Figure: network ACL scope within a vSwitch]

Rule evaluation mechanism

  1. Rules are evaluated in ascending priority order starting from 1. Each rule matches traffic by IP version, protocol, source or destination address, and port range. The first matching rule applies its allow or deny policy, and evaluation stops.

    For both inbound and outbound rules, the port range always matches the destination port of the traffic.
    Inbound rules apply to source addresses only, and outbound rules apply to destination addresses only. A single rule cannot specify both a source and a destination address.
    Denied traffic is silently dropped. The source receives no response, resulting in a timeout or connection failure.
  2. Network ACL rules are stateless. An inbound allow rule does not automatically permit return traffic — you must create an outbound rule to allow responses back to the client's ephemeral port. Clients randomly select an ephemeral port to receive responses.

    To support all client types, set the ephemeral port range to 1024-65535.

    Ephemeral port ranges for different types of clients

    Client                          Ephemeral port range
    Linux                           32768-61000
    Windows Server 2003             1025-5000
    Windows Server 2008 and later   49152-65535
    NAT Gateway                     1024-65535

In this example, two rules have overlapping CIDR blocks. A client at 192.168.0.1 accessing the vSwitch over HTTPS matches Priority 1 and is denied. A client at 192.168.1.1 matches Priority 2 and is allowed. Return traffic reaches the client's ephemeral port through the outbound Priority 1 rule.

To open many ports while denying specific ones, assign deny rules a lower priority number (higher priority) than allow rules.
[Figure: example inbound and outbound rules with overlapping CIDR blocks]
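The first-match, stateless evaluation described above, as an added example that is not part of the original page or of Alibaba Cloud's own code. The rule set is constructed to mirror the worked example: inbound priority 1 denies HTTPS from 192.168.0.0/24, priority 2 allows HTTPS from the wider 192.168.0.0/16, and a single outbound rule allows responses to the 1024-65535 ephemeral range. The `Rule` layout, the `accept`/`drop` policy names and the sample addresses are assumptions made for the simulation.

```python
# Added example (not Alibaba Cloud code): simulate network ACL rule evaluation.
# Rules are checked in ascending priority; the first match decides and
# evaluation stops. Inbound and outbound traffic are evaluated independently,
# which is what "stateless" means in practice.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    priority: int      # evaluated in ascending order, 1 first
    ip_version: str    # "IPv4" or "IPv6"
    protocol: str      # "tcp", "udp", "icmp" or "all"
    cidr: str          # source (inbound rule) or destination (outbound rule)
    port_range: str    # "start/end"; "-1/-1" means all ports
    policy: str        # "accept" or "drop"


def parse_port_range(spec):
    """Turn 'start/end' into an inclusive (lo, hi) tuple; '-1/-1' is all ports."""
    start, end = (int(p) for p in spec.split("/"))
    if (start, end) == (-1, -1):
        return 0, 65535
    return start, end


def matches(rule, ip_version, protocol, addr, dst_port):
    """True when the packet matches every field of the rule."""
    if rule.ip_version != ip_version:
        return False
    if rule.protocol != "all" and rule.protocol != protocol:
        return False
    if ip_address(addr) not in ip_network(rule.cidr, strict=False):
        return False
    lo, hi = parse_port_range(rule.port_range)
    # The port range always matches the destination port of the traffic.
    return lo <= dst_port <= hi


def evaluate(rules, ip_version, protocol, addr, dst_port):
    """Return (policy, priority) of the first matching rule, or ('drop', None)."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if matches(rule, ip_version, protocol, addr, dst_port):
            return rule.policy, rule.priority
    # Nothing matched: the system rule with the lowest priority drops it.
    return "drop", None


# Constructed rule set mirroring the worked example in the text.
INBOUND = [
    Rule(1, "IPv4", "tcp", "192.168.0.0/24", "443/443", "drop"),
    Rule(2, "IPv4", "tcp", "192.168.0.0/16", "443/443", "accept"),
]
OUTBOUND = [
    Rule(1, "IPv4", "tcp", "192.168.0.0/16", "1024/65535", "accept"),
]


def check_https_session(client_ip, client_port):
    """Evaluate the request and its response separately (stateless ACL)."""
    request, _ = evaluate(INBOUND, "IPv4", "tcp", client_ip, 443)
    # The response is outbound traffic: the outbound rule is matched against the
    # client's address as destination and the client's ephemeral port.
    response, _ = evaluate(OUTBOUND, "IPv4", "tcp", client_ip, client_port)
    return request, response


if __name__ == "__main__":
    print(check_https_session("192.168.0.1", 50000))  # ('drop', 'accept')
    print(check_https_session("192.168.1.1", 50000))  # ('accept', 'accept')
```

Swapping the two inbound priorities lets 192.168.0.1 through, which is why the tip above says deny rules need the lower priority number; and narrowing the outbound range to a server-side port such as 80 silently breaks the allowed session, because the response never matches.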

Differences between network ACLs and security groups

Scope
  Network ACL: Controls inbound and outbound traffic for a vSwitch.
  Security group: Multiple security groups can be associated with one instance. Their combined rules control inbound and outbound traffic.

Statefulness
  Network ACL: Stateless. Return traffic must be explicitly allowed by an outbound rule.
  Security group: Stateful. Return traffic is automatically allowed, regardless of outbound rules.

Rule evaluation
  Network ACL: Rules are evaluated by priority; the first match applies.
  Security group: Rules are evaluated by priority. For rules with the same priority, deny rules take precedence over allow rules.

Association
  Network ACL: Each vSwitch can be associated with only one network ACL.
  Security group: An ECS instance can be associated with multiple security groups.

Rule address configuration
  Network ACL: Inbound rules apply to source addresses only, and outbound rules apply to destination addresses only. A single rule cannot specify both a source and a destination address.
  Security group: Inbound rules specify the traffic source, and outbound rules specify the traffic destination.

Create and delete network ACLs

Create a network ACL and associate it with a vSwitch to control traffic.

When you create a network ACL for an IPv4-only VPC, the system adds the following default inbound and outbound rules:

  • Cloud service rule: Allows access to Alibaba Cloud DNS and the ECS metadata service. This rule has the highest priority and cannot be modified or deleted.

    1. Default DNS server addresses: 100.100.2.136 and 100.100.2.138 (internal domain name resolution).
    2. MetaServer address: 100.100.100.200 (ECS instance metadata service).
  • Custom rule: Allows all IPv4 traffic to preserve connectivity between vSwitches in the same VPC. Add custom rules to control vSwitch traffic.

  • System rule: Denies all IPv4 traffic not matched by other rules. This rule has the lowest priority and cannot be modified or deleted.

If the VPC has IPv6 enabled, the system also adds a custom rule allowing all IPv6 traffic and a system rule denying all IPv6 traffic for both directions.

A network ACL can be associated only with vSwitches within its VPC. Each vSwitch can be associated with only one network ACL.

Console

Create a network ACL

  1. Go to the VPC console - network ACL page. Select a region at the top of the page, and then click Create Network ACL.

  2. For VPC, select the VPC that contains the vSwitches to associate with the network ACL.

Associate vSwitches

Click the network ACL ID, or click Manage in the Actions column. On the Associated Resources tab, click Associate vSwitch. Select one or more vSwitches and click OK. To disassociate a vSwitch, click Unbind in the Actions column for the target vSwitch on this tab.

You can also associate, replace, or unbind a network ACL in the Network ACL section on the details page of the target vSwitch.

Delete a network ACL

Ensure that the network ACL is not associated with any vSwitch. In the Actions column of the target network ACL, click Delete.

API

Terraform

Terraform associates a network ACL with only one vSwitch at a time.
Resource: alicloud_network_acl
# Specify the region of the network ACL.
provider "alicloud" {
  region = "cn-hangzhou"
}

# Specify the VPC ID.
variable "vpc_id" {
  default = "vpc-bp1k******" # Replace with your VPC ID.
}

# Specify the vSwitch ID.
variable "vswitch_id" {
  default = "vsw-bp1y******" # Replace with your vSwitch ID.
}

# Create a network ACL and associate it with a vSwitch. 
resource "alicloud_network_acl" "example_network_acl" {
  vpc_id           = var.vpc_id # The VPC to which the network ACL belongs.
  network_acl_name = "example_network_acl_name"
  resources {
    resource_id   = var.vswitch_id # Specify the vSwitch to associate with the network ACL.
    resource_type = "VSwitch"
  }
}

Configure network ACL rules

  • After you create a network ACL, the default custom rule allows all traffic and the default system rule denies any traffic that no other rule matches.

  • Configure custom rules to control vSwitch traffic. When traffic matches a rule's Protocol, IP Version, Source IP Address or Destination IP Address, and port range, the system enforces the Policy.

    • For TCP(6) or UDP(17), specify a port range (0-65535) in the format start_port/end_port. Do not use -1/-1. For other protocols, the port range defaults to -1/-1 (all ports).

    • IPv6 rules require IPv6 to be enabled on the VPC.

    • Rule changes are automatically applied to all associated vSwitches.

  • Group frequently used CIDR blocks in a prefix list and reference it in network ACL rules. Changes to a prefix list automatically update all referencing rules.

    • A prefix list's maximum entries setting (not its actual entry count) counts against your network ACL rule quota. To stay within quota, reduce the maximum, merge adjacent IP ranges, or remove unused entries.

    • A prefix list is region-specific and cannot be shared across regions. A single prefix list cannot mix IPv4 and IPv6 CIDR blocks.

Common ports

Port (Service): Description

21 (FTP): File upload and download.
22 (SSH): Remote login to Linux instances (PuTTY, Xshell, SecureCRT).
23 (Telnet): Remote login to ECS instances.
25 (SMTP): Sending emails.
53 (DNS): Domain name resolution.
80 (HTTP): Web services (IIS, Apache, Nginx).
110 (POP3): Receiving email (POP3 protocol).
143 (IMAP): Receiving email (IMAP protocol).
443 (HTTPS): Encrypted web traffic (HTTPS).
1433 (SQL Server): SQL Server TCP communication.
1434 (SQL Server): SQL Server UDP port for service discovery (TCP/IP port and IP address lookup).
1521 (Oracle): Oracle database communication. Required if Oracle SQL runs on an ECS instance.
3306 (MySQL): MySQL database communication.
3389 (Windows Server Remote Desktop Services): Remote Desktop connection to Windows instances.
8080 (Proxy port): Commonly used for WWW proxy services. Access URLs require the port suffix (e.g., IP address:8080). Default port for Apache Tomcat.
137, 138, 139 (NetBIOS protocol): Used for Windows file and printer sharing (Samba).

  • UDP 137/138: Network Neighborhood file transfer.

  • TCP 139: NetBIOS/SMB service connections.

1. If you configure a DHCP options set with a custom DNS server, add inbound and outbound rules to allow traffic to that server. Otherwise, domain name resolution may fail.
2. When using a load balancer, add rules to allow listener port forwarding and health check traffic to backend servers.

Console

On the Inbound Rules or Outbound Rules tab for the target network ACL, follow these steps to configure custom rules.

Network ACL rules are stateless. An inbound allow rule requires a corresponding outbound rule for return traffic.

Add rules

  • Manual configuration: On the Inbound Rules or Outbound Rules tab of the target network ACL, click Manage Inbound Rule or Manage Outbound Rule.

    • Click Add IPv4 Rule or Add IPv6 Rule to configure rules one by one.

    • To apply the same rule to multiple CIDR blocks, select Quick Add and set Priority to specify where the rule is inserted.

    • After you manage frequently used CIDR blocks in a prefix list, click Add IPv4 Rule or Add IPv6 Rule, set IP Version to VPC Prefix List, and then set Source IP Address/Destination IP Address to the prefix list.

  • Batch import: Use the provided template to Import Rule.

    • All template fields are required. Incomplete rules cannot be imported.

    • Prefix lists are not supported.

    • Imported rules are appended after existing rules without overwriting.

Reorder rules

Click Manage Inbound Rule or Manage Outbound Rule, and then drag the rules up or down to adjust their evaluation order.

Delete rules

In the Actions column of the target network ACL rule, click Delete.

API

  • Call UpdateNetworkAclEntries to update network ACL rules. This API performs a full replacement — any existing rules not included in your request are deleted. To retain rules, include them in the API call.

  • Call CopyNetworkAclEntries to copy all rules from one network ACL to another. Both ACLs must belong to VPCs with matching IP version configurations. You cannot add IPv6 rules to a network ACL in an IPv4-only VPC. Copying rules to an IPv6-enabled VPC does not add the default allow-all-IPv6 custom rule, which can disrupt IPv6 communication.
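Because UpdateNetworkAclEntries replaces the whole rule set, a caller that sends only the rule it wants to add silently deletes every other rule. The following added example (not the page's or Alibaba Cloud's own code) shows a pre-flight pattern that covers this point and the two constraints listed under "Configure network ACL rules": it re-sends the existing rules together with the new ones, rejects the TCP/UDP port-range mistakes described there, and counts a prefix-list rule at the list's maximum entries against the default quota of 20. `FakeNetworkAclApi`, the entry dictionaries, the prefix-list records and the sample rules are constructed stand-ins; the real API takes its parameters through the SDK, not through this interface.

```python
# Added example (not Alibaba Cloud code): safe, validated rule updates against
# an API with full-replacement semantics. FakeNetworkAclApi only mimics that
# behaviour in memory so the example runs offline.
from copy import deepcopy

# Default per-ACL rule quota (vpc_quota_nacl_ingress_entry / _egress_entry).
DEFAULT_RULE_QUOTA = 20


def validate_entry(entry):
    """Reject the port-range mistakes the configuration rules above describe."""
    proto = entry["protocol"].lower()
    port = entry["port"]
    if proto in ("tcp", "udp"):
        # TCP(6)/UDP(17) need start/end within 0-65535; -1/-1 is not allowed.
        try:
            start, end = (int(p) for p in port.split("/"))
        except ValueError:
            raise ValueError(f"{entry['name']}: port must be start/end, got {port!r}")
        if not 0 <= start <= end <= 65535:
            raise ValueError(f"{entry['name']}: TCP/UDP port range must lie in 0-65535, got {port!r}")
    elif port != "-1/-1":
        # Every other protocol covers all ports and uses the literal -1/-1.
        raise ValueError(f"{entry['name']}: {proto} rules must use port -1/-1, got {port!r}")
    return True


def quota_usage(entries, prefix_lists):
    """Count rules against the quota; a prefix-list rule counts as the list's
    configured maximum entries, not the number of entries actually in it."""
    used = 0
    for entry in entries:
        name = entry.get("prefix_list")
        used += prefix_lists[name]["max_entries"] if name else 1
    return used


class FakeNetworkAclApi:
    """In-memory stand-in (assumption) for the describe/update API pair."""

    def __init__(self, ingress=(), egress=()):
        self.ingress, self.egress = list(ingress), list(egress)

    def describe_entries(self):
        return deepcopy(self.ingress), deepcopy(self.egress)

    def update_network_acl_entries(self, ingress, egress):
        # Full replacement: anything not in this call is gone afterwards.
        self.ingress, self.egress = deepcopy(ingress), deepcopy(egress)


def add_rules(api, new_ingress=(), new_egress=(), prefix_lists=None,
              quota=DEFAULT_RULE_QUOTA):
    """Append rules while keeping the existing ones; returns (inbound, outbound) counts."""
    prefix_lists = prefix_lists or {}
    ingress, egress = api.describe_entries()   # start from what is already there
    ingress.extend(new_ingress)
    egress.extend(new_egress)
    for entry in ingress + egress:
        validate_entry(entry)
    for direction, entries in (("inbound", ingress), ("outbound", egress)):
        used = quota_usage(entries, prefix_lists)
        if used > quota:
            raise ValueError(f"{direction} rules would use {used} of the {quota} quota")
    api.update_network_acl_entries(ingress, egress)
    return len(ingress), len(egress)


# Constructed sample rules (not from the page).
EXISTING_IN = [{"name": "allow-https", "protocol": "tcp", "port": "443/443",
                "cidr": "0.0.0.0/0", "policy": "accept"}]
EXISTING_OUT = [{"name": "allow-ephemeral", "protocol": "tcp", "port": "1024/65535",
                 "cidr": "0.0.0.0/0", "policy": "accept"}]
NEW_IN = {"name": "deny-telnet", "protocol": "tcp", "port": "23/23",
          "cidr": "10.0.0.0/24", "policy": "drop"}

if __name__ == "__main__":
    api = FakeNetworkAclApi(EXISTING_IN, EXISTING_OUT)
    print(add_rules(api, new_ingress=[NEW_IN]))      # (2, 1): both inbound rules kept
    naive = FakeNetworkAclApi(EXISTING_IN, EXISTING_OUT)
    naive.update_network_acl_entries([NEW_IN], [])   # sends only the new rule
    print([e["name"] for e in naive.ingress])        # ['deny-telnet']: the rest is gone
```

The naive call at the end is the failure mode the API note warns about: after it, the outbound allow-ephemeral rule no longer exists, so even the traffic the remaining inbound rules allow gets no responses.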

Terraform

This example adds deny rules for inbound and outbound traffic. Adjust to match your access control policy.

Resource: alicloud_network_acl
# Specify the region for the network ACL.
provider "alicloud" {
  region = "cn-hangzhou"
}

# Specify the VPC ID.
variable "vpc_id" {
  default = "vpc-bp1k******" # Replace with the actual ID of your VPC.
}

# Specify the vSwitch ID.
variable "vswitch_id" {
  default = "vsw-bp1y******" # Replace with the actual ID of your vSwitch.
}

# Create a network ACL and associate it with a vSwitch.
resource "alicloud_network_acl" "example_network_acl" {
  vpc_id           = var.vpc_id # Specify the VPC for the network ACL.
  network_acl_name = "example_network_acl_name"
  resources {
    resource_id   = var.vswitch_id # Specify the vSwitch to associate with the network ACL.
    resource_type = "VSwitch"
  }
  ingress_acl_entries { # Specify inbound rules.
    network_acl_entry_name = "example-ingress"
    protocol               = "tcp"         # Protocol
    source_cidr_ip         = "10.0.0.0/24" # Source CIDR block 
    port                   = "20/80"       # Port range
    policy                 = "drop"        # Policy
  }
  egress_acl_entries { # Specify outbound rules.
    network_acl_entry_name = "example-egress"
    protocol               = "tcp"
    destination_cidr_ip    = "10.0.0.0/24" # Destination CIDR block 
    port                   = "20/80"       # Port range
    policy                 = "drop"        # Policy
  }
}

Network ACL rule examples

Restrict communication between different vSwitches

By default, vSwitches within the same VPC communicate freely. Use a network ACL to deny access from specific IP addresses.

In this example, inbound and outbound rules for vSwitch 1's network ACL prevent its instances from communicating with ECS06.

[Figure: rules on vSwitch 1's network ACL blocking traffic to and from ECS06]

Allow access from specific IP addresses

When an on-premises data center connects to a VPC through Express Connect, all data center resources can access cloud services. Use a network ACL to allow only specific IP addresses.

In this example, the network ACL allows access to vSwitch instances only from on-premises servers 1 and 2.

[Figure: rules allowing only on-premises servers 1 and 2 to reach the vSwitch]

More information

Billing

Network ACLs are free of charge.

Supported regions

Asia Pacific - China: China (Hangzhou), China (Shanghai), China (Nanjing - Local Region, Closing Down), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Ulanqab), China (Shenzhen), China (Heyuan), China (Guangzhou), China (Chengdu), China (Zhongwei), China (Hong Kong), China (Wuhan - Local Region), and China (Fuzhou - Local Region, Closing Down)

Asia Pacific - Others: Japan (Tokyo), South Korea (Seoul), Singapore, Malaysia (Kuala Lumpur), Indonesia (Jakarta), Philippines (Manila), Thailand (Bangkok), and Malaysia (Johor)

Europe & Americas: Germany (Frankfurt), UK (London), France (Paris), US (Silicon Valley), US (Virginia), and Mexico

Middle East: UAE (Dubai) and Saudi Arabia (Riyadh) (partner region)

Quotas

vpc_quota_nacl_ingress_entry
  Description: Inbound rules per network ACL. If IPv6 is enabled for the VPC to which the network ACL belongs, the default number of IPv4 and IPv6 inbound rules that can be created is 20.
  Default limit: 20
  Adjustable: Yes. Go to the Quota Management page or Quota Center to request a quota increase.

vpc_quota_nacl_egress_entry
  Description: Outbound rules per network ACL. If IPv6 is enabled for the VPC to which the network ACL belongs, the default number of IPv4 and IPv6 outbound rules that can be created is 20.
  Default limit: 20

nacl_quota_vpc_create_count
  Description: Network ACLs per VPC.
  Default limit: 20