Network ACLs let you control inbound and outbound traffic at the vSwitch level by defining prioritized allow or deny rules.
How it works
Scope
- A network ACL applies only to elastic network interfaces (ENIs) within the associated vSwitch.
- A network ACL controls traffic for cloud resources that use ENIs, such as ECS, ECI, and NLB instances. ApsaraDB RDS and CLB instances do not use ENIs, so network ACLs do not apply to them: RDS access is controlled by whitelists, and CLB access by access control policies.
- A network ACL does not control traffic for a secondary ENI associated with an EIP in ENI-visible mode.
- PrivateLink traffic passes through the interface endpoint ENI and is subject to network ACL rules.
Rule evaluation mechanism
- Rules are evaluated in ascending order of priority number, starting from 1. Each rule matches traffic by IP version, protocol, source or destination address, and port range. The first matching rule applies its allow or deny policy, and evaluation stops; traffic that matches no custom rule falls through to the default rules.
- For both inbound and outbound rules, the port range always matches the destination port of the traffic, never the source port.
- Inbound rules match on source addresses only, and outbound rules match on destination addresses only. A single rule cannot specify both a source and a destination address.
- Denied traffic is silently dropped. The source receives no response, which surfaces as a timeout or connection failure.
- Network ACL rules are stateless. An inbound allow rule does not automatically permit return traffic; you must create an outbound rule that allows responses back to the client's ephemeral port. Because clients pick an ephemeral port at random, set the outbound port range to 1024-65535 to support all client types.
For example, suppose two inbound HTTPS rules have overlapping CIDR blocks: a deny rule at priority 1 and an allow rule at priority 2 whose block also covers part of the first. A client at 192.168.0.1 matches priority 1 and is denied. A client at 192.168.1.1 does not match priority 1, matches priority 2, and is allowed. Its return traffic reaches the client's ephemeral port through the outbound priority 1 rule.
To open many ports while denying specific ones, give the deny rules a lower priority number (a higher priority) than the allow rules, so they are evaluated first.
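The evaluation order, first-match semantics, and stateless return-traffic requirement described above can be modelled directly. The following Python is an added example written for this page, not Alibaba Cloud code: it evaluates a packet against a prioritized rule list the way the text describes, falls through to the system deny when nothing matches, and checks a TCP request and its reply separately to show why an outbound rule for the ephemeral port range is required. The rule set, addresses, and ports are constructed for the demonstration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Added example: a model of network ACL rule evaluation, not Alibaba Cloud code.


@dataclass(frozen=True)
class Rule:
    priority: int        # evaluated in ascending order, 1 first
    ip_version: int      # 4 or 6
    protocol: str        # "tcp", "udp", "icmp" or "all"
    cidr: str            # source block (inbound) or destination block (outbound)
    port_range: tuple    # (start, end) of the DESTINATION port; (-1, -1) means all ports
    policy: str          # "accept" or "drop"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str
    dst_port: int


def matches(rule: Rule, pkt: Packet, direction: str) -> bool:
    """A rule matches on IP version, protocol, one address and the destination port."""
    addr = ip_address(pkt.src if direction == "inbound" else pkt.dst)
    if addr.version != rule.ip_version:
        return False
    if rule.protocol != "all" and rule.protocol != pkt.protocol:
        return False
    if addr not in ip_network(rule.cidr, strict=False):
        return False
    lo, hi = rule.port_range
    return (lo, hi) == (-1, -1) or lo <= pkt.dst_port <= hi


def evaluate(rules, pkt: Packet, direction: str):
    """First match in priority order wins. No match falls through to the
    system deny rule, reported here as priority None."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if matches(rule, pkt, direction):
            return rule.policy, rule.priority
    return "drop", None


def round_trip_allowed(inbound, outbound, client: str, server: str,
                       service_port: int, ephemeral_port: int) -> bool:
    """Stateless check: the request must pass the inbound rules AND the reply,
    addressed to the client's ephemeral port, must pass the outbound rules."""
    request = Packet(client, server, "tcp", service_port)
    reply = Packet(server, client, "tcp", ephemeral_port)
    return (evaluate(inbound, request, "inbound")[0] == "accept"
            and evaluate(outbound, reply, "outbound")[0] == "accept")


# Constructed rule set: overlapping CIDR blocks, narrower deny evaluated first.
INBOUND = [
    Rule(1, 4, "tcp", "192.168.0.0/24", (443, 443), "drop"),
    Rule(2, 4, "tcp", "192.168.0.0/16", (443, 443), "accept"),
]
OUTBOUND_MISSING_RETURN = []  # inbound allow only: every reply is dropped
OUTBOUND = [
    Rule(1, 4, "tcp", "192.168.0.0/16", (1024, 65535), "accept"),  # ephemeral range
]
SERVER = "10.0.1.10"  # an instance in the vSwitch (constructed address)

if __name__ == "__main__":
    print(evaluate(INBOUND, Packet("192.168.0.1", SERVER, "tcp", 443), "inbound"))   # ('drop', 1)
    print(evaluate(INBOUND, Packet("192.168.1.1", SERVER, "tcp", 443), "inbound"))   # ('accept', 2)
    print(evaluate(INBOUND, Packet("192.168.1.1", SERVER, "tcp", 80), "inbound"))    # ('drop', None)
    print(round_trip_allowed(INBOUND, OUTBOUND_MISSING_RETURN,
                             "192.168.1.1", SERVER, 443, 51515))                     # False
    print(round_trip_allowed(INBOUND, OUTBOUND, "192.168.1.1", SERVER, 443, 51515))  # True
```

The `direction` argument and the `port_range` check encode the two points the text makes: each direction looks at exactly one address, and the port range is always the destination port. In `round_trip_allowed` the reply carries the client's ephemeral port as its destination, which is why the outbound rule must cover 1024-65535 rather than the service port.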
Differences between network ACLs and security groups

| Item | Network ACL | Security group |
| --- | --- | --- |
| Scope | Controls inbound and outbound traffic for all ENIs in the associated vSwitches. | Controls inbound and outbound traffic for the ECS instances associated with it. Multiple security groups can be associated with one instance, and their combined rules control its traffic. |
| Statefulness | Stateless: return traffic must be explicitly allowed by an outbound rule. | Stateful: return traffic is automatically allowed, regardless of outbound rules. |
| Rule evaluation | Rules are evaluated by priority; the first match applies. | Rules are evaluated by priority. For rules with the same priority, deny rules take precedence over allow rules. |
| Association | Each vSwitch can be associated with only one network ACL. | An ECS instance can be associated with multiple security groups. |
| Rule address configuration | Inbound rules apply to source addresses only, and outbound rules apply to destination addresses only. A single rule cannot specify both a source and a destination address. | Inbound rules specify the traffic source, and outbound rules specify the traffic destination. |
Create and delete network ACLs
Create a network ACL and associate it with a vSwitch to control traffic.
When you create a network ACL for an IPv4-only VPC, the system adds the following default inbound and outbound rules:
- Cloud service rule: allows access to Alibaba Cloud DNS and the ECS metadata service. This rule has the highest priority and cannot be modified or deleted.
  1. Default DNS server addresses: 100.100.2.136 and 100.100.2.138 (internal domain name resolution).
  2. MetaServer address: 100.100.100.200 (ECS instance metadata service).
- Custom rule: allows all IPv4 traffic to preserve connectivity between vSwitches in the same VPC. Add custom rules to control vSwitch traffic. Because this rule matches everything, a deny rule placed after it never takes effect: put deny rules in front of it (lower priority number), or modify it.
- System rule: denies all IPv4 traffic not matched by any other rule. This rule has the lowest priority and cannot be modified or deleted.
If the VPC has IPv6 enabled, the system also adds, in both directions, a custom rule allowing all IPv6 traffic and a system rule denying all IPv6 traffic.
A network ACL can be associated only with vSwitches within its VPC. Each vSwitch can be associated with only one network ACL.
Console
Create a network ACL
1. Go to the VPC console, Network ACL page. Select a region at the top of the page, and then click Create Network ACL.
2. For VPC, select the VPC that contains the vSwitches to associate with the network ACL.
Associate vSwitches
Click the network ACL ID, or click Manage in the Actions column. On the Associated Resources tab, click Associate vSwitch, select one or more vSwitches, and click OK. To disassociate a vSwitch, click Unbind in the Actions column for that vSwitch on the same tab.
You can also associate, replace, or unbind a network ACL in the Network ACL section of the details page of the target vSwitch.
Delete a network ACL
Make sure the network ACL is not associated with any vSwitch, then click Delete in the Actions column of the target network ACL.
API
- Call CreateNetworkAcl to create a network ACL.
- Call AssociateNetworkAcl to associate a network ACL with a vSwitch.
- Call UnassociateNetworkAcl to disassociate a network ACL from a vSwitch.
- Call DeleteNetworkAcl to delete a network ACL.
Terraform
Terraform associates a network ACL with only one vSwitch at a time.
Resource: alicloud_network_acl

```hcl
# Specify the region of the network ACL.
provider "alicloud" {
  region = "cn-hangzhou"
}

# Specify the VPC ID.
variable "vpc_id" {
  default = "vpc-bp1k******" # Replace with your VPC ID.
}

# Specify the vSwitch ID.
variable "vswitch_id" {
  default = "vsw-bp1y******" # Replace with your vSwitch ID.
}

# Create a network ACL and associate it with a vSwitch.
resource "alicloud_network_acl" "example_network_acl" {
  vpc_id           = var.vpc_id # The VPC to which the network ACL belongs.
  network_acl_name = "example_network_acl_name"

  resources {
    resource_id   = var.vswitch_id # The vSwitch to associate with the network ACL.
    resource_type = "VSwitch"
  }
}
```
Configure network ACL rules
- After you create a network ACL, only the default rules exist, and they allow or deny all traffic.
- Configure custom rules to control vSwitch traffic. When traffic matches a rule's Protocol, IP Version, Source IP Address or Destination IP Address, and port range, the system enforces the rule's Policy.
- For TCP (6) or UDP (17), specify a port range (0-65535) in the format start_port/end_port. Do not use -1/-1. For other protocols, the port range defaults to -1/-1 (all ports).
- IPv6 rules require IPv6 to be enabled on the VPC.
- Rule changes are automatically applied to all associated vSwitches.
- Prefix lists:
  - Group frequently used CIDR blocks in a prefix list and reference it in network ACL rules. Changes to a prefix list automatically update all rules that reference it.
  - A prefix list's maximum-entries setting (not its actual entry count) counts against your network ACL rule quota. To stay within quota, reduce the maximum, merge adjacent IP ranges, or remove unused entries.
  - A prefix list is region-specific and cannot be shared across regions. A single prefix list cannot mix IPv4 and IPv6 CIDR blocks.
- Traffic that needs explicit rules:
  1. If you configure a DHCP options set with a custom DNS server, add inbound and outbound rules that allow traffic to and from that server. Otherwise, domain name resolution may fail, because the default cloud service rule covers only the Alibaba Cloud DNS addresses.
  2. When using a load balancer, add rules that allow listener port forwarding and health check traffic to the backend servers.
Console
On the Inbound Rules or Outbound Rules tab of the target network ACL, follow these steps to configure custom rules.
Network ACL rules are stateless. Every inbound allow rule needs a corresponding outbound rule for return traffic.
Add rules
- Manual configuration: On the Inbound Rules or Outbound Rules tab of the target network ACL, click Manage Inbound Rule or Manage Outbound Rule.
  - Click Add IPv4 Rule or Add IPv6 Rule to configure rules one by one.
  - To apply the same rule to multiple CIDR blocks, select Quick Add and set Priority to specify where the rules are inserted.
  - After you manage frequently used CIDR blocks in a prefix list, click Add IPv4 Rule or Add IPv6 Rule, set IP Version to VPC Prefix List, and then set Source IP Address/Destination IP Address to the prefix list.
- Batch import: Use the provided template and click Import Rule.
  - All template fields are required. Incomplete rules cannot be imported.
  - Prefix lists are not supported.
  - Imported rules are appended after existing rules without overwriting them. Because the first match wins, an imported deny rule that lands after the default allow-all custom rule has no effect until you move it in front of that rule.
Reorder rules
Click Manage Inbound Rule or Manage Outbound Rule, and then drag the rules up or down to adjust their evaluation order.
Delete rules
In the Actions column of the target network ACL rule, click Delete.
API
- Call UpdateNetworkAclEntries to update network ACL rules. This API performs a full replacement: any existing rule not included in the request is deleted. To retain rules, read the current entries first and send them back together with your changes.
- Call CopyNetworkAclEntries to copy all rules from one network ACL to another. Both ACLs must belong to VPCs with matching IP version configurations; you cannot add IPv6 rules to a network ACL in an IPv4-only VPC. Copying rules to an IPv6-enabled VPC does not add the default allow-all-IPv6 custom rule, which can disrupt IPv6 communication unless you add an IPv6 allow rule yourself.
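Because UpdateNetworkAclEntries replaces the whole rule set, the safe pattern is to fetch the current entries, merge the change into them, validate, and only then send the complete list. The Python below is an added example written for this page, not Alibaba Cloud SDK code: it builds that list and enforces the constraints stated in this section (TCP/UDP need an explicit start/end port, other protocols use -1/-1, IPv6 rules need an IPv6-enabled VPC, the default per-direction quota is 20), refusing to produce a payload if a check fails. The entry field names (Protocol, SourceCidrIp, Port, Policy, IpVersion, NetworkAclEntryName) are assumed here to follow the API parameter names, list position is assumed to be priority, the sample entries are constructed, and the actual SDK or CLI call is left out.

```python
# Added example for this page, not Alibaba Cloud SDK code. Entry dicts use
# field names assumed to match UpdateNetworkAclEntries; list order is taken
# as priority (first entry = priority 1).

DEFAULT_QUOTA_PER_DIRECTION = 20  # vpc_quota_nacl_ingress_entry / vpc_quota_nacl_egress_entry


def parse_port_range(port: str):
    """'start/end' -> (start, end); raises ValueError on any other shape."""
    start, end = (int(p) for p in port.split("/"))
    return start, end


def validate_entry(entry: dict, vpc_has_ipv6: bool) -> None:
    """Raise ValueError if the entry breaks a constraint stated on this page."""
    name = entry.get("NetworkAclEntryName", "<unnamed>")
    proto = entry["Protocol"].lower()
    start, end = parse_port_range(entry["Port"])
    if proto in ("tcp", "udp"):
        if (start, end) == (-1, -1):
            raise ValueError(f"{name}: tcp/udp rules need an explicit port range, not -1/-1")
        if not 0 <= start <= end <= 65535:
            raise ValueError(f"{name}: port range {start}/{end} is outside 0-65535")
    elif (start, end) != (-1, -1):
        raise ValueError(f"{name}: protocol {proto} must use the port range -1/-1")
    if entry.get("IpVersion", "IPV4").upper() == "IPV6" and not vpc_has_ipv6:
        raise ValueError(f"{name}: IPv6 rules require IPv6 to be enabled on the VPC")
    if entry["Policy"] not in ("accept", "drop"):
        raise ValueError(f"{name}: policy must be accept or drop")


def merge_entries(existing: list, new: list, insert_at=None) -> list:
    """Full list to send: the existing entries plus the new ones inserted at
    insert_at (0-based; None appends). Position is priority, so a deny rule
    that must beat an allow-all rule goes in front of it. Inputs are not mutated."""
    merged = list(existing)
    pos = len(merged) if insert_at is None else insert_at
    merged[pos:pos] = list(new)
    return merged


def build_update(existing: list, new: list, vpc_has_ipv6: bool,
                 insert_at=None, quota: int = DEFAULT_QUOTA_PER_DIRECTION) -> list:
    """Return the complete entry list for one direction, or raise before anything
    is sent. Every existing entry is kept because an omitted entry is deleted."""
    merged = merge_entries(existing, new, insert_at)
    for entry in merged:
        validate_entry(entry, vpc_has_ipv6)
    if len(merged) > quota:
        raise ValueError(f"{len(merged)} entries exceed the per-direction quota of {quota}")
    return merged


# Constructed sample: the current inbound set is just the default allow-all custom rule.
CURRENT_INGRESS = [
    {"NetworkAclEntryName": "allow-all-ipv4", "Protocol": "all",
     "SourceCidrIp": "0.0.0.0/0", "Port": "-1/-1", "Policy": "accept"},
]
NEW_DENY = [
    {"NetworkAclEntryName": "deny-ssh-from-lab", "Protocol": "tcp",
     "SourceCidrIp": "10.0.0.0/24", "Port": "22/22", "Policy": "drop"},
]

if __name__ == "__main__":
    payload = build_update(CURRENT_INGRESS, NEW_DENY, vpc_has_ipv6=False, insert_at=0)
    for priority, entry in enumerate(payload, start=1):
        print(priority, entry["NetworkAclEntryName"], entry["Policy"])
    # 1 deny-ssh-from-lab drop
    # 2 allow-all-ipv4 accept
```

`insert_at=0` is what the earlier guidance about deny rules means in practice: appended to the end, the deny would sit behind the allow-all rule and never match. Validation runs over the merged list, not just the new entries, so a stale or malformed existing rule is caught before the replacement call as well.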
Terraform
This example adds deny rules for inbound and outbound traffic. Adjust them to match your access control policy.
Resource: alicloud_network_acl

```hcl
# Specify the region for the network ACL.
provider "alicloud" {
  region = "cn-hangzhou"
}

# Specify the VPC ID.
variable "vpc_id" {
  default = "vpc-bp1k******" # Replace with the actual ID of your VPC.
}

# Specify the vSwitch ID.
variable "vswitch_id" {
  default = "vsw-bp1y******" # Replace with the actual ID of your vSwitch.
}

# Create a network ACL and associate it with a vSwitch.
resource "alicloud_network_acl" "example_network_acl" {
  vpc_id           = var.vpc_id # The VPC for the network ACL.
  network_acl_name = "example_network_acl_name"

  resources {
    resource_id   = var.vswitch_id # The vSwitch to associate with the network ACL.
    resource_type = "VSwitch"
  }

  ingress_acl_entries { # Inbound rule.
    network_acl_entry_name = "example-ingress"
    protocol               = "tcp"         # Protocol
    source_cidr_ip         = "10.0.0.0/24" # Source CIDR block
    port                   = "20/80"       # Port range (destination ports)
    policy                 = "drop"        # Policy
  }

  egress_acl_entries { # Outbound rule.
    network_acl_entry_name = "example-egress"
    protocol               = "tcp"
    destination_cidr_ip    = "10.0.0.0/24" # Destination CIDR block
    port                   = "20/80"       # Port range (destination ports)
    policy                 = "drop"        # Policy
  }
}
```
Network ACL rule examples
Restrict communication between different vSwitches
By default, vSwitches within the same VPC communicate freely. Use a network ACL to deny traffic to and from specific IP addresses.
In this example, inbound and outbound deny rules on vSwitch 1's network ACL prevent its instances from communicating with the ECS instance ECS06. Both directions are needed because the rules are stateless.
Allow access from specific IP addresses
When an on-premises data center connects to a VPC through Express Connect, all data center resources can reach cloud services in the VPC. Use a network ACL to allow only specific IP addresses.
In this example, the network ACL allows access to the vSwitch's instances only from on-premises servers 1 and 2, with a matching outbound rule so that their return traffic is not dropped.
More information
Billing
Network ACLs are free of charge.
Supported regions

| Area | Regions |
| --- | --- |
| Asia Pacific - China | China (Hangzhou), China (Shanghai), China (Nanjing - Local Region, Closing Down), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Ulanqab), China (Shenzhen), China (Heyuan), China (Guangzhou), China (Chengdu), China (Zhongwei), China (Hong Kong), China (Wuhan - Local Region), and China (Fuzhou - Local Region, Closing Down) |
| Asia Pacific - Others | Japan (Tokyo), South Korea (Seoul), Singapore, Malaysia (Kuala Lumpur), Indonesia (Jakarta), Philippines (Manila), Thailand (Bangkok), and Malaysia (Johor) |
| Europe & Americas | Germany (Frankfurt), UK (London), France (Paris), US (Silicon Valley), US (Virginia), and Mexico |
| Middle East | UAE (Dubai) and Saudi Arabia (Riyadh) (partner region) |

Quotas

| Quota name | Description | Default limit | Adjustable |
| --- | --- | --- | --- |
| vpc_quota_nacl_ingress_entry | Inbound rules per network ACL. If IPv6 is enabled for the VPC to which the network ACL belongs, the default number of IPv4 and IPv6 inbound rules that can be created is 20. | 20 | Yes. Go to the Quota Management page or Quota Center to request a quota increase. |
| vpc_quota_nacl_egress_entry | Outbound rules per network ACL. If IPv6 is enabled for the VPC to which the network ACL belongs, the default number of IPv4 and IPv6 outbound rules that can be created is 20. | 20 | |
| nacl_quota_vpc_create_count | Network ACLs per VPC. | 20 | |