Help Center/ Virtual Private Cloud/ API Reference/ FAQs/ What Are the Relationships Among Network ACL Groups, Policies, and Rules?
Updated on 2024-06-27 GMT+08:00

What Are the Relationships Among Network ACL Groups, Policies, and Rules?

Relationships

Network ACL resources are classified into groups, policies, and rules.

The relationships among them are as follows:

  • A network ACL policy can be associated with multiple network ACL rules.
  • A network ACL group can be associated with two network ACL policies. One policy controls inbound traffic and the other controls outbound traffic.
  • A network ACL policy must be associated with a network ACL group.

Log in to the network console and view basic information about the network ACL. You can view the name and ID of the network ACL.

On the Inbound Rules or Outbound Rules tab, you can add, modify, or delete network ACL rules. These rules are associated with the same inbound or outbound policy.

Example

The following describes how to create network ACL resources.

  • Creating a network ACL rule
POST /v2.0/fwaas/firewall_rules

Request body

{
    "firewall_rule": {
        "name": "fw-rule-ingress-1",
        "description": "create a ingress firewall rule ",
        "protocol": "TCP",
        "action": "ALLOW",
        "ip_version": 4,
        "destination_ip_address": "192.168.22.0/24",
        "source_ip_address": "0.0.0.0/0",
        "enabled": true
    }
}

Response body of obtaining firewall_rule_id: 84d10f4a-9f8b-41b8-bdfa-5a0f18736f12

{
    "firewall_rule": {
        "protocol": "tcp",
        "description": "create a ingress firewall rule ",
        "source_ip_address": "0.0.0.0/0",
        "destination_ip_address": "192.168.22.0/24",
        "source_port": null,
        "destination_port": null,
        "id": "84d10f4a-9f8b-41b8-bdfa-5a0f18736f12",
        "name": "fw-rule-ingress-1",
        "tenant_id": "5f6387106c2048b589b369d96c2f23a2",
        "project_id": "5f6387106c2048b589b369d96c2f23a2",
        "enabled": true,
        "action": "allow",
        "ip_version": 4,
        "public": false
    }
}
  • Creating a network ACL policy
POST /v2.0/fwaas/firewall_policies

Request body of associating with a network ACL rule

{
    "firewall_policy": {
        "description": "create a ingress firewall policy",
        "firewall_rules": [
          "84d10f4a-9f8b-41b8-bdfa-5a0f18736f12"
        ],
        "name": "fw-policy-ingress"
    }
}

Response body of obtaining firewall_policy_id: da037721-b895-4e07-bbcc-f5f6ac2759fb

{
    "firewall_policy": {
        "id": "da037721-b895-4e07-bbcc-f5f6ac2759fb",
        "name": "fw-policy-ingress",
        "project_id": "5f6387106c2048b589b369d96c2f23a2",
        "tenant_id": "5f6387106c2048b589b369d96c2f23a2",
        "description": "create a ingress firewall policy",
        "firewall_rules": [
          "84d10f4a-9f8b-41b8-bdfa-5a0f18736f12"
        ],
        "audited": false,
        "public": false
    }
}
  • Creating a network ACL group
POST /v2.0/fwaas/firewall_groups

Request body of associating with an inbound network ACL policy

{
    "firewall_group": {
        "name": "fw-group-example",
        "description": "create a firewall group",
        "ingress_firewall_policy_id": "da037721-b895-4e07-bbcc-f5f6ac2759fb",
        "admin_state_up": true
    }
}

Response body of obtaining firewall_group_id: 102493e8-fc6d-4f0d-b57f-55c5be86f5c0.

{
    "firewall_group": {
        "id": "102493e8-fc6d-4f0d-b57f-55c5be86f5c0",
        "name": "fw-group-example",
        "project_id": "5f6387106c2048b589b369d96c2f23a2",
        "tenant_id": "5f6387106c2048b589b369d96c2f23a2",
        "admin_state_up": true,
        "egress_firewall_policy_id": null,
        "ingress_firewall_policy_id": "da037721-b895-4e07-bbcc-f5f6ac2759fb",
        "description": "create a firewall group",
        "created_at": "2023-03-09T08:54:40",
        "updated_at": "2023-03-09T08:54:40",
        "status": "INACTIVE",
        "ports": [],
        "public": false
    }
}

Log in to the network console and view the created network ACL resources.