Access Control

Access control can be managed at the ECS level, the subnet level, or based on services, by using security groups, network ACLs, and whitelists, respectively.

  • Security group: ECS-based access control

    A security group is a logical group that controls the traffic for one or more ECSs. After a security group is created, you can add rules that control the inbound and outbound traffic of the ECSs it contains.

  • Network ACL: Subnet-based access control

    Network ACLs control traffic in and out of one or more subnets based on priorities. Only packet filtering based on the 5-tuple (protocol, source port, destination port, source IP address, and destination IP address) is supported.

  • Whitelist: Service-based access control

    A whitelist controls traffic from services (such as ELB and OBS) that use VPC subnet resources.

Scenario 1: Only Allowing Access to the Internet

With the protection of security group rules, an ECS that has an EIP bound can access the Internet but cannot be accessed from the Internet. Because security groups are stateful, the response traffic for connections initiated by the ECS is allowed without any inbound rule.

Figure 1 Only allowing outbound traffic

Configuration example

Inbound direction of a security group: No rules are added.

Outbound direction of a security group: All protocols and ports are allowed, as shown in Table 1.

Table 1 Security group rule

Direction | Protocol/Application | Port | Destination | Description
Outbound  | All                  | All  | 0.0.0.0/0   | Allows all outbound traffic. (default)

Scenario 2: Denying Access to Specific IP Addresses

Network ACLs can deny access from all ECSs in a subnet to specific IP addresses. For example, Figure 2 shows that ECSs in the subnet are denied access to 61.x.x.0/16. Because network ACL rules are matched in priority order, the deny rule for 61.x.x.0/16 must have a higher priority than the rule that allows all outbound traffic; otherwise the allow rule matches first and the deny rule never takes effect.

Figure 2 Denying access to specific IP addresses

Configuration example

Table 2 Network ACL rule

Direction | Action | Protocol | Source    | Source Port Range | Destination | Destination Port Range | Description
Inbound   | Allow  | All      | 0.0.0.0/0 | All               | 0.0.0.0/0   | All                    | Allows all inbound traffic.
Inbound   | Deny   | All      | 0.0.0.0/0 | All               | 0.0.0.0/0   | All                    | Denies all inbound traffic. (default)
Outbound  | Deny   | All      | 0.0.0.0/0 | All               | 61.x.x.0/16 | All                    | Denies the outbound traffic to 61.x.x.0/16.
Outbound  | Allow  | All      | 0.0.0.0/0 | All               | 0.0.0.0/0   | All                    | Allows all outbound traffic.
Outbound  | Deny   | All      | 0.0.0.0/0 | All               | 0.0.0.0/0   | All                    | Denies all outbound traffic. (default)
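The following Python is an added example, not code from this page or from the cloud provider: it models how a network ACL rule table such as Table 2 is evaluated, matching each packet's 5-tuple against the rules in priority order with the first match deciding. It assumes first-match semantics with an implicit deny when nothing matches, uses a constructed RFC 5737 range (203.0.113.0/24) in place of the elided 61.x.x.0/16, and a constructed ECS address 10.0.0.5; the last function shows what happens when the specific deny is placed below the allow-all rule.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

PortRange = Optional[Tuple[int, int]]  # None stands for "All" in the table
@dataclass
class AclRule:
    direction: str    # "inbound" or "outbound"
    action: str       # "allow" or "deny"
    protocol: str     # "all", "tcp", "udp" or "icmp"
    source: str       # CIDR
    src_ports: PortRange
    destination: str  # CIDR
    dst_ports: PortRange
    description: str = ""

def _in_range(ports: PortRange, port: int) -> bool:
    return ports is None or ports[0] <= port <= ports[1]

def rule_matches(r, direction, proto, src_ip, src_port, dst_ip, dst_port):
    """5-tuple match against one rule; protocol 'all' and port None are wildcards."""
    return (r.direction == direction and r.protocol in ("all", proto)
            and ipaddress.ip_address(src_ip) in ipaddress.ip_network(r.source)
            and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(r.destination)
            and _in_range(r.src_ports, src_port) and _in_range(r.dst_ports, dst_port))

def evaluate(rules, direction, proto, src_ip, src_port, dst_ip, dst_port):
    """Walk rules in priority order (list order); first match decides, else deny (assumed)."""
    for r in rules:
        if rule_matches(r, direction, proto, src_ip, src_port, dst_ip, dst_port):
            return r.action, r.description
    return "deny", "no matching rule"

# Constructed copy of Table 2; the page elides the real range (61.x.x.0/16), so a documentation range stands in.
ANY, BLOCKED = "0.0.0.0/0", "203.0.113.0/24"
TABLE_2 = [
    AclRule("inbound", "allow", "all", ANY, None, ANY, None, "Allows all inbound traffic."),
    AclRule("inbound", "deny", "all", ANY, None, ANY, None, "Denies all inbound traffic. (default)"),
    AclRule("outbound", "deny", "all", ANY, None, BLOCKED, None, "Denies outbound traffic to the blocked range."),
    AclRule("outbound", "allow", "all", ANY, None, ANY, None, "Allows all outbound traffic."),
    AclRule("outbound", "deny", "all", ANY, None, ANY, None, "Denies all outbound traffic. (default)"),
]

def outbound_decision(rules, dst_ip, dst_port=443):
    """Decision for TCP traffic from a constructed ECS address 10.0.0.5 to dst_ip."""
    return evaluate(rules, "outbound", "tcp", "10.0.0.5", 40000, dst_ip, dst_port)[0]

def misordered_decision(dst_ip):
    """Same rules with the specific deny placed below allow-all: the deny never fires."""
    return outbound_decision([TABLE_2[0], TABLE_2[1], TABLE_2[3], TABLE_2[2], TABLE_2[4]], dst_ip)
```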

Scenario 3: Layer 7 Load Balancing

Layer 7 load balancing can be used internally, and the access source can be restricted through a whitelist.

Figure 3 ELB whitelist

Configuration example

Figure 4 Configuring a whitelist