
Virtual Private Cloud:Network ACLs

Last Updated:May 09, 2025

Network access control lists (ACLs) are a network access control feature in virtual private clouds (VPCs). You can create network ACL rules and associate a network ACL with a vSwitch. This allows you to manage inbound and outbound traffic of Elastic Compute Service (ECS) instances that are attached to the vSwitch.


Features

  • Network ACL rules only apply to inbound and outbound traffic of ECS instances in the associated vSwitches. The traffic forwarded by server load balancer (SLB) instances to ECS instances is also filtered.

    Note

    If an ECS instance is associated with a secondary elastic network interface (ENI) that is bound to an elastic IP address (EIP) in cut-through mode, the network ACL does not filter the traffic of that ECS instance. For more information, see Set the cut-through mode.

  • Network ACL rules are stateless. After configuring an accept rule for inbound traffic, it is essential to set a corresponding outbound rule. Failure to do so may result in unresponsive requests.

  • Network ACLs deny all inbound and outbound traffic if no rules are configured.

  • The traffic between ECS instances in a vSwitch is not filtered by the network ACL linked to that vSwitch.

  • Network ACLs allow the DNS servers at 100.100.2.128/28 and 100.100.2.112/28, and the Metaserver at 100.100.100.200/32.

Descriptions

Parameters

A network ACL rule contains the following parameters:

  • Priority: A smaller value specifies a higher priority. The system matches a request against the rules in priority order, starting from the smallest value, applies the first rule that matches, and ignores all remaining rules.

    For example, the following rules are added to a network ACL and requests destined for IP address 172.16.0.1 are sent from an ECS instance. In this case, the requests match Rules 2 and 3. As Rule 2 has higher priority than Rule 3, the system applies Rule 2 and denies the requests based on the policy of Rule 2.

    Priority | Protocol | Destination IP Address | Port Range | Policy | Type
    -------- | -------- | ---------------------- | ---------- | ------ | ------
    1        | ALL      | 10.0.0.0/8             | -1/-1      | Allow  | Custom
    2        | ALL      | 172.16.0.0/12          | -1/-1      | Deny   | Custom
    3        | ALL      | 172.16.0.0/12          | -1/-1      | Allow  | Custom

  • Policy: Allow or deny specific traffic.

  • Protocol: The protocol of traffic.

    A protocol entry consists of a protocol name and a protocol number. The protocol number is assigned by the Internet Assigned Numbers Authority (IANA) and identifies the protocol type in the IP packet header.

    You can search by protocol name or number in the console. Common protocol types are as follows:

    • ALL: All protocols.

    • ICMP(1): Internet Control Message Protocol.

    • GRE(47): Generic Routing Encapsulation.

    • TCP(6): Transmission Control Protocol.

    • UDP(17): User Datagram Protocol.

    • ICMPv6(58): Internet Control Message Protocol for IPv6.

  • IP Version: Traffic type. Choose the IP version compatible with the protocol type. Valid values: IPv4 and IPv6.

  • Source IP Address (for inbound rules): The source IP addresses from which inbound traffic is transmitted.

  • Destination IP Address (for outbound rules): The destination IP addresses to which outbound traffic is transmitted.

  • Port Range: The range of ports to which the inbound or outbound rule applies.

    • When you select TCP(6) or UDP(17), the port range is 1 to 65535. Enter the parameter in the format of First Port/Last Port.

      • For example, 1/200 controls traffic on ports 1 to 200, while 80/80 controls traffic on port 80, which corresponds to HTTP traffic.

      • Do not set the value to -1/-1.

      • For more information about common port ranges and their applications, see Common scenarios.

    • When you select other protocol types, the port range is set to -1/-1, which indicates all ports, and cannot be modified.
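The following evaluator is an added example, not Alibaba Cloud code, that models the two rule semantics this page states: a request is matched against rules in priority order with the first match applied and unmatched traffic denied (the Priority example above), and rules are stateless, so an inbound Allow does nothing for the reply unless an outbound rule also allows it (the note under Features). The `Rule`, `Packet`, `evaluate` and `round_trip` names, the web-tier rule sets and the client addresses are constructed for this example; the three-rule outbound set is taken from the page's table.

```python
# Added example for this page; not Alibaba Cloud's code. It models the rule
# semantics the page describes: stateless rules, matched in priority order
# (smaller value wins), first match applied, and traffic that matches no rule
# denied. Rule, Packet, evaluate and round_trip are names chosen here.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, Optional, Tuple

ANY_PORTS = (-1, -1)  # the page's "-1/-1": all ports (non-TCP/UDP rules)


@dataclass(frozen=True)
class Rule:
    priority: int           # smaller value = higher priority
    protocol: str           # "ALL", "TCP", "UDP", "ICMP", ...
    cidr: str               # source CIDR (inbound) or destination CIDR (outbound)
    ports: Tuple[int, int]  # (first, last) destination ports, or ANY_PORTS
    policy: str             # "Allow" or "Deny"


@dataclass(frozen=True)
class Packet:
    protocol: str
    ip: str      # address compared against the rule's CIDR
    port: int    # destination port (ignored when the rule uses ANY_PORTS)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """True if pkt falls within the rule's protocol, CIDR and port range."""
    if rule.protocol != "ALL" and rule.protocol != pkt.protocol:
        return False
    net = ip_network(rule.cidr, strict=False)
    addr = ip_address(pkt.ip)
    # An IPv4 rule never matches IPv6 traffic and vice versa (IP Version parameter).
    if addr.version != net.version or addr not in net:
        return False
    if rule.ports == ANY_PORTS:
        return True
    first, last = rule.ports
    return first <= pkt.port <= last


def evaluate(rules: Iterable[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching rule in priority order decides; no match means Deny.
    Returns (policy, priority of the deciding rule or None)."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule_matches(rule, pkt):
            return rule.policy, rule.priority
    return "Deny", None


def round_trip(inbound: Iterable[Rule], outbound: Iterable[Rule],
               client_ip: str, server_port: int, client_port: int,
               protocol: str = "TCP") -> str:
    """Stateless check: the request is judged by the inbound rules and,
    separately, the reply by the outbound rules (destination = the client's
    ephemeral port). An inbound Allow on its own is not enough."""
    request, _ = evaluate(inbound, Packet(protocol, client_ip, server_port))
    if request != "Allow":
        return "request denied"
    reply, _ = evaluate(outbound, Packet(protocol, client_ip, client_port))
    if reply != "Allow":
        return "request accepted, reply dropped"
    return "ok"


# The page's Priority example, transcribed from its table.
EXAMPLE_OUTBOUND = [
    Rule(1, "ALL", "10.0.0.0/8", ANY_PORTS, "Allow"),
    Rule(2, "ALL", "172.16.0.0/12", ANY_PORTS, "Deny"),
    Rule(3, "ALL", "172.16.0.0/12", ANY_PORTS, "Allow"),
]

# Constructed inbound rule set: only HTTP to the web tier is allowed.
WEB_INBOUND = [Rule(1, "TCP", "0.0.0.0/0", (80, 80), "Allow")]
# Constructed outbound rule covering the ephemeral ports replies go back to.
WEB_OUTBOUND = [Rule(1, "TCP", "0.0.0.0/0", (1, 65535), "Allow")]

if __name__ == "__main__":
    print(evaluate(EXAMPLE_OUTBOUND, Packet("TCP", "172.16.0.1", 443)))   # ('Deny', 2)
    print(evaluate(EXAMPLE_OUTBOUND, Packet("TCP", "10.1.2.3", 443)))     # ('Allow', 1)
    print(evaluate(EXAMPLE_OUTBOUND, Packet("TCP", "192.168.0.1", 443)))  # ('Deny', None)
    print(round_trip(WEB_INBOUND, [], "203.0.113.5", 80, 51000))          # request accepted, reply dropped
    print(round_trip(WEB_INBOUND, WEB_OUTBOUND, "203.0.113.5", 80, 51000))  # ok
```

The `round_trip` result for an empty outbound set is the "unresponsive request" the Features section warns about: the TCP handshake reaches the instance, but its SYN-ACK is dropped on the way out. Because the reply's destination port is the client's ephemeral port, the matching outbound rule has to cover that range, not just port 80.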

Outbound and inbound rules

Before you create outbound and inbound rules, take note of the following rules:

  • When you add or delete rules in a network ACL, the changes are automatically applied to the associated vSwitches.

  • When you add IPv6 outbound and inbound rules in a network ACL, you need to assign an IPv6 CIDR block to the VPC where the network ACL resides.

  • When you configure a DHCP options set, ensure that you permit the DNS server IP addresses in outbound and inbound rules of the network ACL. Failure to add rules may cause operational issues for the DHCP options set.

Default outbound and inbound rules vary based on whether the VPC has IPv6 enabled.

  • If the VPC does not have IPv6 enabled, five rules are created by default in each of the inbound and outbound directions. The three Cloud service rules allow the DNS server and Metaserver addresses that the network ACL always permits.

    • Inbound rules

      Priority | Protocol | Source IP Address  | Port Range | Policy | Type
      -------- | -------- | ------------------ | ---------- | ------ | -------------
      *        | ALL      | 100.100.2.128/28   | 0:65535    | Allow  | Cloud service
      *        | ALL      | 100.100.2.112/28   | 0:65535    | Allow  | Cloud service
      *        | ALL      | 100.100.100.200/32 | 0:65535    | Allow  | Cloud service
      1        | ALL      | 0.0.0.0/0          | -1/-1      | Allow  | Custom
      *        | ALL      | 0.0.0.0/0          | 0:65535    | Deny   | System

    • Outbound rules

      Priority | Protocol | Destination IP Address | Port Range | Policy | Type
      -------- | -------- | ---------------------- | ---------- | ------ | -------------
      *        | ALL      | 100.100.2.128/28       | 0:65535    | Allow  | Cloud service
      *        | ALL      | 100.100.2.112/28       | 0:65535    | Allow  | Cloud service
      *        | ALL      | 100.100.100.200/32     | 0:65535    | Allow  | Cloud service
      1        | ALL      | 0.0.0.0/0              | -1/-1      | Allow  | Custom
      *        | ALL      | 0.0.0.0/0              | 0:65535    | Deny   | System

  • If the VPC has IPv6 enabled, one additional system Deny rule and one additional custom Allow rule for ::/0 are added in each of the inbound and outbound directions, resulting in a total of seven default rules per direction.

    • Inbound rules

      Priority | Protocol | Source IP Address  | Port Range | Policy | Type
      -------- | -------- | ------------------ | ---------- | ------ | -------------
      *        | ALL      | 100.100.2.128/28   | 0:65535    | Allow  | Cloud service
      *        | ALL      | 100.100.2.112/28   | 0:65535    | Allow  | Cloud service
      *        | ALL      | 100.100.100.200/32 | 0:65535    | Allow  | Cloud service
      1        | ALL      | 0.0.0.0/0          | -1/-1      | Allow  | Custom
      2        | ALL      | ::/0               | -1/-1      | Allow  | Custom
      *        | ALL      | 0.0.0.0/0          | 0:65535    | Deny   | System
      *        | ALL      | ::/0               | 0:65535    | Deny   | System

    • Outbound rules

      Priority | Protocol | Destination IP Address | Port Range | Policy | Type
      -------- | -------- | ---------------------- | ---------- | ------ | -------------
      *        | ALL      | 100.100.2.128/28       | 0:65535    | Allow  | Cloud service
      *        | ALL      | 100.100.2.112/28       | 0:65535    | Allow  | Cloud service
      *        | ALL      | 100.100.100.200/32     | 0:65535    | Allow  | Cloud service
      1        | ALL      | 0.0.0.0/0              | -1/-1      | Allow  | Custom
      2        | ALL      | ::/0                   | -1/-1      | Allow  | Custom
      *        | ALL      | 0.0.0.0/0              | 0:65535    | Deny   | System
      *        | ALL      | ::/0                   | 0:65535    | Deny   | System

Limits

Quotas

Name/ID                      | Description                                                                        | Default value | Adjustable
---------------------------- | ---------------------------------------------------------------------------------- | ------------- | ----------------------------------------------------------------
vpc_quota_nacl_ingress_entry | Maximum number of inbound rules that can be added to a network access control list (ACL) | 20      | You can increase the quota by performing the following operations:
vpc_quota_nacl_egress_entry  | Maximum number of outbound rules that can be added to a network ACL                | 20            |
nacl_quota_vpc_create_count  | Maximum number of network ACLs that can be created in each VPC                     | 20            |

Supported regions

Area                 | Regions
-------------------- | -------
Asia Pacific - China | China (Hangzhou), China (Shanghai), China (Nanjing - Local Region), China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Ulanqab), China (Shenzhen), China (Heyuan), China (Guangzhou), China (Chengdu), China (Hong Kong), China (Wuhan - Local Region), and China (Fuzhou - Local Region)
Asia Pacific - Others | Japan (Tokyo), South Korea (Seoul), Singapore, Malaysia (Kuala Lumpur), Indonesia (Jakarta), Philippines (Manila), and Thailand (Bangkok)
Europe & Americas    | Germany (Frankfurt), UK (London), US (Silicon Valley), US (Virginia), and Mexico
Middle East          | UAE (Dubai) and SAU (Riyadh - Partner Region)

Important

The SAU (Riyadh - Partner Region) region is operated by a partner.
