
Virtual Private Cloud: Network ACLs

Last Updated:Nov 10, 2025

You can create a network ACL and attach it to a vSwitch to precisely control its inbound and outbound traffic by configuring network ACL rules.

How it works

Applicable scope

Network ACLs only apply to elastic network interfaces (ENIs) in associated vSwitches.

  1. Network ACLs control traffic for cloud resources that rely on ENIs for network communication, such as ECS, ECI, and NLB instances.

    Traffic for instances like RDS and CLB that do not rely on ENIs is not controlled by network ACLs. Access control for RDS instances is implemented through whitelists, while CLB instances use access control policies.
    Network ACLs do not control traffic for secondary ENIs that are bound to EIPs in cut-through mode.
  2. When accessing Alibaba Cloud services through PrivateLink, traffic passes through endpoint ENIs and is controlled by network ACL rules.


Rule enforcement mechanism

  1. Each rule has a priority. The system starts with the rule with priority 1 and sequentially evaluates whether traffic matches based on IP version, protocol type, source/destination address, and port range. When traffic matches a rule, the specified allow/deny policy is executed.

    For both inbound and outbound rules, the port range always matches the destination port of the traffic.
    When network ACLs deny traffic, they use a drop operation. The requester does not receive any response, resulting in a timeout or inability to establish a connection.
  2. Network ACL rules are stateless. When you configure an inbound rule to allow specific traffic to enter a vSwitch, the response traffic is not automatically allowed. You must create an outbound rule to allow the response traffic to return to the client's ephemeral ports. When a client initiates a request to a server, it randomly selects a port from its ephemeral port range on which to receive the server's response.

    To ensure various types of clients can access your services normally, you can set the ephemeral port range to 1024-65535.

    Ephemeral port ranges for different client types

    Client                                   Ephemeral port range
    Linux                                    32768/61000
    Windows Server 2003                      1025/5000
    Windows Server 2008 and later versions   49152/65535
    NAT Gateway                              1024/65535

In the example configuration, there are two custom rules with overlapping source/destination address ranges. When a client with IP 192.168.0.1 accesses a service in the subnet over HTTPS, the traffic first matches the rule with priority 1 and is therefore denied. When a client with IP 192.168.1.1 accesses the same service, the traffic does not match the priority-1 rule, is evaluated against the next rule, matches the rule with priority 2 and is therefore allowed; the response traffic is then sent back to the client's ephemeral port according to the outbound rule with priority 1.

When a service needs to open many ports but some ports need to be denied access, you need to ensure that deny rules have higher priority than allow rules.
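The following Python model is an added illustration, not Alibaba Cloud's own code, of the rule walk described above: rules are evaluated from priority 1 upward, the first match decides, and because rules are stateless the response path is checked separately against the outbound rules. The rule contents are assumptions constructed to reproduce the overlapping-rule example (the outbound rules deliberately accept only the Linux ephemeral range), and a helper flags deny rules that an earlier allow rule shadows.

```python
import ipaddress

# Constructed rules modelled on the page's example; not Alibaba Cloud's own code.
# Tuple layout: (priority, protocol, cidr, first_port, last_port, policy).
# -1/-1 means no port restriction; the port range always matches the destination port.
INBOUND = [
    (1, "tcp", "192.168.0.0/24", 443, 443, "drop"),     # overlapping custom rule
    (2, "tcp", "192.168.0.0/16", 443, 443, "accept"),   # overlapping custom rule
    (3, "all", "0.0.0.0/0", -1, -1, "accept"),          # default custom rule: allow all IPv4
    (4, "all", "0.0.0.0/0", -1, -1, "drop"),            # system rule: lowest priority
]
OUTBOUND = [  # assumption: responses only to the Linux ephemeral range, all else dropped
    (1, "tcp", "192.168.0.0/16", 32768, 61000, "accept"),
    (2, "all", "0.0.0.0/0", -1, -1, "drop"),
]

def evaluate(rules, proto, addr, dport):
    """Walk rules from priority 1 upward; the first match decides. Returns (policy, priority)."""
    ip = ipaddress.ip_address(addr)
    for prio, rproto, cidr, first, last, policy in sorted(rules, key=lambda r: r[0]):
        if (rproto in ("all", proto) and ip in ipaddress.ip_network(cidr)
                and (first == -1 or first <= dport <= last)):
            return policy, prio
    return "drop", None  # no rule matched: the system rule drops the packet

def tcp_exchange(client_ip, client_port, server_port):
    """Stateless check: the request needs an inbound match, the reply an outbound match."""
    request = evaluate(INBOUND, "tcp", client_ip, server_port)
    if request[0] != "accept":
        return {"request": request, "response": None, "connects": False}
    # The reply's destination port is the client's ephemeral port, so it must be allowed.
    response = evaluate(OUTBOUND, "tcp", client_ip, client_port)
    return {"request": request, "response": response, "connects": response[0] == "accept"}

def shadowed_denies(rules):
    """Priorities of deny rules that never fire because an earlier allow covers them."""
    ordered = sorted(rules, key=lambda r: r[0])
    shadowed = []
    for i, deny in enumerate(ordered):
        for allow in ordered[:i]:
            if deny[5] != "drop" or allow[5] != "accept" or allow[1] not in ("all", deny[1]):
                continue
            nets = ipaddress.ip_network(deny[2]).subnet_of(ipaddress.ip_network(allow[2]))
            ports = allow[3] == -1 or (allow[3] <= deny[3] and deny[4] <= allow[4])
            if nets and ports:
                shadowed.append(deny[0])
                break
    return shadowed
```

With these rules, a Windows Server 2003 client replying from port 4000 is accepted inbound but its response is dropped outbound, which is the timeout symptom the stateless section describes.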

Differences from security groups

Comparison item: Applicable scope
  Network ACL: Controls traffic entering and exiting vSwitches based on network ACL rules.
  Security group: An access control method at the ECS instance level. Rules from multiple security groups associated with an ECS instance are sorted according to a fixed policy and collectively determine whether to allow inbound and outbound traffic for the instance.

Comparison item: Return data flow state
  Network ACL: Stateless. Return data flow must be explicitly allowed by rules.
  Security group: Stateful. Return data flow is automatically allowed and is not affected by any rules.

Comparison item: Rule matching order
  Network ACL: Rules are evaluated sequentially according to their priority to determine whether they match the traffic.
  Security group: Rules are first sorted by priority; when priorities are the same, rules with deny policies are placed before rules with allow policies. After sorting, rules are matched sequentially.

Comparison item: Association with ECS instances
  Network ACL: Each vSwitch can only be associated with one network ACL.
  Security group: An ECS instance can join multiple security groups.

Creating/deleting network ACLs

You can create network ACLs and associate them with vSwitches to control traffic entering and exiting vSwitches.

When you create a network ACL for a VPC with only IPv4 CIDR blocks, the system adds the following default rules for inbound and outbound directions:

  • Cloud service rules: Allow the use of Alibaba Cloud's private domain resolution service and ECS metadata service. These rules have the highest priority and cannot be modified or deleted.

    1. The default Alibaba Cloud DNS server IPs are 100.100.2.136 and 100.100.2.138, used for resolving internal domain names.
    2. The MetaServer IP is 100.100.100.200, which provides essential metadata services for ECS instances to ensure they run properly.
  • Custom rules: Allow all IPv4 traffic to ensure that creating a network ACL does not affect private network communication between different vSwitches in the same VPC. You can configure custom rules to precisely control traffic entering and exiting vSwitches.

  • System rules: Used to deny IPv4 traffic that does not match other rules. These rules have the lowest priority and cannot be modified or deleted.

If IPv6 is enabled for the VPC where the ACL resides, custom rules allowing all IPv6 traffic and system rules denying all IPv6 traffic will be added to both inbound and outbound directions.

Network ACLs can only be associated with vSwitches in the same VPC, and each vSwitch can only be associated with one network ACL.

Console

Creating a network ACL

  1. Go to the Virtual Private Cloud console - Network ACL page, select the target region at the top of the page, and click Create Network ACL.

  2. Configure VPC, selecting the VPC that contains the vSwitch you plan to associate with the network ACL.

Associating vSwitches

Click the instance ID, or click Manage in the Actions column, go to the Associated Resources tab, click Associate VSwitch, select one or more target vSwitches, and click Confirm Association. Traffic for the associated vSwitches is then controlled according to the network ACL rules. To remove this control, click Disassociate in the Actions column of the target vSwitch on the same tab.

You can also bind, change, or unbind a network ACL in the Network ACL parameter section on the target vSwitch's details page.

Deleting a network ACL

First ensure that all vSwitch associations have been removed. In the Actions column of the target network ACL, click Delete.

API

Terraform

Unlike the console logic, Terraform only supports associating a network ACL with one vSwitch.
Resources: alicloud_network_acl
# Specify the region for the network ACL
provider "alicloud" {
  region = "cn-hangzhou"
}

# Specify the VPC ID
variable "vpc_id" {
  default = "vpc-bp1k******" # Replace with the actual VPC ID
}

# Specify the vSwitch ID
variable "vswitch_id" {
  default = "vsw-bp1y******" # Replace with the actual vSwitch ID
}

# Create a network ACL and associate it with a vSwitch
resource "alicloud_network_acl" "example_network_acl" {
  vpc_id           = var.vpc_id # Specify the VPC to which the network ACL belongs
  network_acl_name = "example_network_acl_name"
  resources {
    resource_id   = var.vswitch_id # Specify the vSwitch to associate with the network ACL
    resource_type = "VSwitch"
  }
}

Configuring network ACL rules

After creating a network ACL, the system adds default rules to allow/deny all traffic. You can configure custom rules to precisely control specific traffic entering and exiting vSwitches.

The system matches traffic against network ACL rules by Protocol, IP Version, Source IP Address/Destination IP Address, and Port Range, and executes the Policy specified in the matching rule, allowing or denying the corresponding traffic.

When the protocol type is TCP(6)/UDP(17), you can adjust the port range. The value range is 0~65535, set in the format First Port/Last Port, but cannot be set to -1/-1 (which means no port restriction). When other protocol types are selected, the port range cannot be set and defaults to -1/-1.

Common port list

Port            Service                                   Description
21              FTP                                       Port opened by the FTP service for uploading and downloading files.
22              SSH                                       SSH port, used for connecting to Linux instances from the command line or with remote connection software (such as PuTTY, XShell, SecureCRT, etc.).
23              Telnet                                    Telnet port, used for Telnet remote logon to ECS instances.
25              SMTP                                      Port opened by the SMTP service for sending emails.
53              DNS                                       Used for the Domain Name Server (DNS) protocol.
80              HTTP                                      Used by HTTP services to provide access, such as IIS, Apache, Nginx, and other services.
110             POP3                                      Used for the POP3 protocol, a protocol for receiving emails.
143             IMAP                                      Used for the Internet Message Access Protocol (IMAP), a protocol for receiving emails.
443             HTTPS                                     Used by HTTPS services to provide access. HTTPS is a protocol that provides encryption and transmission through secure ports.
1433            SQL Server                                SQL Server TCP port, used by SQL Server to provide external services.
1434            SQL Server                                SQL Server UDP port, used to obtain information such as the TCP/IP port numbers and IP addresses used by SQL Server.
1521            Oracle                                    Oracle communication port, which must be allowed when Oracle SQL is deployed on an ECS instance.
3306            MySQL                                     Port on which the MySQL database provides external services.
3389            Windows Server Remote Desktop Services    Windows Server Remote Desktop Services port, which can be used to connect to Windows instances using remote desktop software.
8080            Proxy port                                Similar to port 80, port 8080 is typically used to provide WWW proxy services for web browsing. If you use port 8080, you need to append a colon and 8080 to the IP address when accessing websites or using proxy servers (for example: IP address:8080). After installing the Apache Tomcat service, the default service port is 8080.
137, 138, 139   NetBIOS protocol                          The NetBIOS protocol is commonly used for Windows file and printer sharing and Samba.
                                                            • UDP ports 137 and 138 are typically used for communication when transferring files through Network Neighborhood.
                                                            • Through port 139, connections attempt to obtain NetBIOS/SMB services.

1. After adding/modifying/deleting network ACL rules, they are automatically applied to vSwitches associated with the network ACL.
2. You can add IPv6 type inbound and outbound rules only when IPv6 is enabled for the VPC to which the network ACL belongs.
3. After configuring a DHCP options set, you need to add inbound and outbound rules to allow the specified DNS server. Failure to add rules may cause domain name resolution issues.
4. When using load balancing, you need to add rules in the inbound and outbound directions to allow requests received on the listener port to be forwarded to backend servers and health check port requests to be sent to backend servers.

Console

On the Inbound Rules/Outbound Rules tab of the target network ACL, you can follow these steps to configure custom rules.

Because network ACL rules are stateless, when you set an inbound rule to allow specific traffic to enter a vSwitch, you need to set a corresponding outbound rule.

Adding rules

On the Inbound Rules/Outbound Rules tab of the target network ACL, click Manage Inbound Rules/Manage Outbound Rules. You can click Add IPv4 Rule/Add IPv6 Rule to configure rules one by one.

To apply uniform access control to multiple IP address ranges, you can select Quick Add Rule and set the insertion position of the rule using Priority.

To add rules with different policies in batch, you can use the provided template to Import Rules. All configuration items listed in the template must be filled in; rules with missing configuration items cannot be imported. Successfully imported rules are appended in order after the existing rules and do not overwrite them.

Adjusting rule order

Click Manage Inbound Rules/Manage Outbound Rules, and drag rules up and down to adjust their priorities.

Deleting rules

Click Delete in the Actions column of the target network ACL rule.

API

  • Call UpdateNetworkAclEntries to update network ACL rules. Unlike the console logic, this API performs a full update of ACL rules. If only new rules are passed in, the original rules will be deleted, and only the newly passed rules will be kept. Therefore, when adding rules, you must pass in all rules that need to be retained.

  • Call CopyNetworkAclEntries to completely copy rules from one network ACL to another. To ensure all rules can be correctly identified and received by the target network ACL, you need to ensure that both VPCs either have only IPv4 CIDR blocks or both have IPv6 enabled. Network ACLs in VPCs without IPv6 enabled cannot configure IPv6 type rules. When completely copying rules to a network ACL in a VPC with IPv6 enabled, the system will not automatically add custom rules to allow all IPv6 traffic, which may affect IPv6 communication.

Terraform

This example adds deny rules in both inbound and outbound directions. You should adjust the rule configuration according to your actual access control policy.

Resources: alicloud_network_acl
# Specify the region for the network ACL
provider "alicloud" {
  region = "cn-hangzhou"
}

# Specify the VPC ID
variable "vpc_id" {
  default = "vpc-bp1k******" # Replace with the actual VPC ID
}

# Specify the vSwitch ID
variable "vswitch_id" {
  default = "vsw-bp1y******" # Replace with the actual vSwitch ID
}

# Create a network ACL and associate it with a vSwitch
resource "alicloud_network_acl" "example_network_acl" {
  vpc_id           = var.vpc_id # Specify the VPC to which the network ACL belongs
  network_acl_name = "example_network_acl_name"
  resources {
    resource_id   = var.vswitch_id # Specify the vSwitch to associate with the network ACL
    resource_type = "VSwitch"
  }
  ingress_acl_entries { # Specify inbound rules
    network_acl_entry_name = "example-ingress"
    protocol               = "tcp"         # Protocol type
    source_cidr_ip         = "10.0.0.0/24" # Source IP address
    port                   = "20/80"       # Port range
    policy                 = "drop"        # Policy
  }
  egress_acl_entries { # Specify outbound rules
    network_acl_entry_name = "example-egress"
    protocol               = "tcp"
    destination_cidr_ip    = "10.0.0.0/24" # Destination IP address
    port                   = "20/80"       # Port range
    policy                 = "drop"        # Policy
  }
}

Network ACL rule configuration examples

Restricting communication between ECS instances in different vSwitches

Different vSwitches within the same VPC have private network communication by default. To restrict communication between resources in different vSwitches, you can use network ACLs to deny access from specific IPs.

As shown in the diagram, you can configure inbound and outbound rules for the network ACL associated with vSwitch 1 to prohibit communication between instances in vSwitch 1 and ECS06.


Allowing only specific IPs to access cloud services

After implementing Express Connect to enable communication between on-premises IDC and VPC, all resources in the on-premises IDC can access cloud services. You can use network ACLs to allow access only from specific IPs and deny all other access.

As shown in the diagram, you can configure inbound and outbound rules for the network ACL associated with the vSwitch to allow only On-premises Server 1 and On-premises Server 2 to access instances within the vSwitch.


More information

Billing

The network ACL feature is free of charge.

Supported regions

Area                    Regions
Asia Pacific - China    China (Hangzhou), China (Shanghai), China (Nanjing - Local Region, Closing Down), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Ulanqab), China (Shenzhen), China (Heyuan), China (Guangzhou), China (Chengdu), China (Hong Kong), China (Wuhan - Local Region), and China (Fuzhou - Local Region, Closing Down)
Asia Pacific - Others   Japan (Tokyo), South Korea (Seoul), Singapore, Malaysia (Kuala Lumpur), Indonesia (Jakarta), Philippines (Manila), and Thailand (Bangkok)
Europe & Americas       Germany (Frankfurt), UK (London), US (Silicon Valley), US (Virginia), and Mexico
Middle East             UAE (Dubai) and SAU (Riyadh - Partner Region)

Important

The SAU (Riyadh - Partner Region) region is operated by a partner.

Quotas

vpc_quota_nacl_ingress_entry
  Description: The number of inbound rules that can be created for a network ACL. If IPv6 is enabled for the VPC to which the network ACL belongs, the default number of IPv4 and IPv6 inbound rules that can be created is 20.
  Default limit: 20

vpc_quota_nacl_egress_entry
  Description: The number of outbound rules that can be created for a network ACL. If IPv6 is enabled for the VPC to which the network ACL belongs, the default number of IPv4 and IPv6 inbound rules that can be created is 20.
  Default limit: 20

nacl_quota_vpc_create_count
  Description: The number of network ACLs that can be created in a VPC.
  Default limit: 20

Increase quota: Go to the Quota Management page or Quota Center to request a quota increase.