Updated on 2025-09-24 GMT+08:00

Network ACL Configuration Examples

You can use network ACLs to control the traffic in and out of a subnet. When both security groups and network ACLs are configured, traffic is matched against network ACL rules first and then against security group rules. You can add security group rules as required and use network ACLs to protect the instances in the associated subnets. The following examples show how network ACLs can be used.

If your network ACL rules do not work, submit a service ticket.

Precautions

Note the following before configuring network ACL rules:
  • Each network ACL has default rules, as shown in Table 1. If a network ACL has no custom rules, the default inbound and outbound rules are applied, denying all traffic in and out of a subnet.
    Table 1 Default network ACL rules

    | Direction | Rule Number | Action | Protocol | Source    | Source Port Range | Destination | Destination Port Range |
    |-----------|-------------|--------|----------|-----------|-------------------|-------------|------------------------|
    | Inbound   | *           | Deny   | All      | 0.0.0.0/0 | All               | 0.0.0.0/0   | All                    |
    | Outbound  | *           | Deny   | All      | 0.0.0.0/0 | All               | 0.0.0.0/0   | All                    |
  • You do not need to add rules to allow response traffic to requests. This is because the network ACLs are stateful and allow the responses to flow in or out of the subnet without being controlled by rules.

For more information about how network ACL rules work, see How Network ACL Rules Work.

Denying External Access to a Specific Port in a Subnet

If you want to block TCP port 445 to protect instances against WannaCry ransomware attacks, you can add inbound rules described in Table 2 to protect the instances in 10.0.0.0/24.
  1. The default rule denies any traffic to the subnet. You need to add custom rule 02 to allow inbound traffic.
  2. Add custom rule 01 to deny all inbound traffic to TCP port 445. Place the deny rule above the allow rule to let the deny rule be applied first. For details, see Adding a Network ACL Rule (Custom Rule Numbers).
Table 2 Inbound rules for denying external access to a specific port in a subnet

| Direction | Rule Number | Type | Action | Protocol | Source    | Source Port Range | Destination | Destination Port Range | Description    |
|-----------|-------------|------|--------|----------|-----------|-------------------|-------------|------------------------|----------------|
| Inbound   | 1           | IPv4 | Deny   | TCP      | 0.0.0.0/0 | All               | 10.0.0.0/24 | 445                    | Custom rule 01 |
| Inbound   | 2           | IPv4 | Allow  | All      | 0.0.0.0/0 | All               | 10.0.0.0/24 | All                    | Custom rule 02 |
| Inbound   | *           | --   | Deny   | All      | 0.0.0.0/0 | All               | 0.0.0.0/0   | All                    | Default rule   |

Denying Access from a Specific IP Address

You can add inbound rules as described in Table 3 to deny access from a suspicious IP address, for example, 10.1.1.12/32, to protect the instances in 10.5.0.0/24.
  1. The default rule denies any traffic to the subnet. You need to add custom rule 02 to allow inbound traffic.
  2. Add custom rule 01 to deny traffic from 10.1.1.12/32 to 10.5.0.0/24. Place the deny rule above the allow rule to let the deny rule be applied first. For details, see Adding a Network ACL Rule (Custom Rule Numbers).
Table 3 Inbound rules for denying access from a specific IP address

| Direction | Rule Number | Type | Action | Protocol | Source       | Source Port Range | Destination | Destination Port Range | Description    |
|-----------|-------------|------|--------|----------|--------------|-------------------|-------------|------------------------|----------------|
| Inbound   | 1           | IPv4 | Deny   | TCP      | 10.1.1.12/32 | All               | 10.5.0.0/24 | All                    | Custom rule 01 |
| Inbound   | 2           | IPv4 | Allow  | All      | 0.0.0.0/0    | All               | 10.5.0.0/24 | All                    | Custom rule 02 |
| Inbound   | *           | --   | Deny   | All      | 0.0.0.0/0    | All               | 0.0.0.0/0   | All                    | Default rule   |

Allowing External Access to Instances in a Subnet Over Specific Ports

If you deploy web servers in a subnet and want these servers to be accessible from the Internet, you need to add network ACL and security group rules to allow HTTP traffic over port 80 and HTTPS traffic over port 443.
  1. Add network ACL rules listed in Table 4.
    • Add custom rule A01 to allow any HTTP traffic to the instances in the subnet over port 80.
    • Add custom rule A02 to allow any HTTPS traffic to the instances in the subnet over port 443.

    10.8.0.0/24 is the CIDR block of the subnet to be protected. If the destination of a rule is set to this CIDR block, all instances in the subnet can be protected.

    Table 4 Network ACL rules for allowing access to instances in a subnet over specific ports

    | Direction | Rule Number | Type | Action | Protocol | Source    | Source Port Range | Destination | Destination Port Range | Description    |
    |-----------|-------------|------|--------|----------|-----------|-------------------|-------------|------------------------|----------------|
    | Inbound   | 1           | IPv4 | Allow  | TCP      | 0.0.0.0/0 | All               | 10.8.0.0/24 | 80                     | Custom rule 01 |
    | Inbound   | 2           | IPv4 | Allow  | TCP      | 0.0.0.0/0 | All               | 10.8.0.0/24 | 443                    | Custom rule 02 |
    | Inbound   | *           | --   | Deny   | All      | 0.0.0.0/0 | All               | 0.0.0.0/0   | All                    | Default rule   |
    | Outbound  | *           | --   | Deny   | All      | 0.0.0.0/0 | All               | 0.0.0.0/0   | All                    | Default rule   |

  2. Add the rules listed in Table 5 to the security group. Ensure that all security groups associated with the instances are configured.
    • Add inbound rule 01 to allow any HTTP traffic to the instances over port 80.
    • Add inbound rule 02 to allow any HTTPS traffic to the instances over port 443.
    • Add outbound rule 03 to allow any traffic to leave the security group.

      The permissive security group outbound rule is not a concern here. The network ACL has no outbound allow rule, so only response traffic to inbound requests can leave the subnet.

    Table 5 Security group rules for allowing access to instances in a subnet over specific ports

    | Direction | Rule Number | Action | Type | Protocol & Port | Source/Destination    | Description |
    |-----------|-------------|--------|------|-----------------|-----------------------|-------------|
    | Inbound   | 1           | Allow  | IPv4 | TCP: 80         | IP address: 0.0.0.0/0 | Rule 01     |
    | Inbound   | 1           | Allow  | IPv4 | TCP: 443        | IP address: 0.0.0.0/0 | Rule 02     |
    | Outbound  | 1           | Allow  | IPv4 | All             | IP address: 0.0.0.0/0 | Rule 03     |

Allowing External Access to Specific Instances in a Subnet

In this example, ECS-01 in Subnet-A with an EIP bound functions as a web server to provide services accessible from the Internet. In this case, you need to allow all traffic to ECS-01 over ports 80 (HTTP) and 443 (HTTPS). The CIDR block of Subnet-A is 10.10.0.0/24, the private IP address of ECS-01 is 10.10.0.25, and the EIP is 12.12.11.xx.

Internet traffic is only allowed to ECS-01, so the destination of the rules must be ECS-01. Because of how network ACL rules take effect, set the destination of each rule to the private IP address of ECS-01, as shown in Table 6. If the destination of a rule is set to the EIP bound to ECS-01, the network ACL cannot take effect, as shown in Table 7.

Table 6 Correct network ACL rules (destination being the private IP address of the ECS)

| Direction | Rule Number | Type | Action | Protocol | Source    | Source Port Range | Destination   | Destination Port Range | Description    |
|-----------|-------------|------|--------|----------|-----------|-------------------|---------------|------------------------|----------------|
| Inbound   | 1           | IPv4 | Allow  | TCP      | 0.0.0.0/0 | All               | 10.10.0.25/32 | 80                     | Custom rule 01 |
| Inbound   | 2           | IPv4 | Allow  | TCP      | 0.0.0.0/0 | All               | 10.10.0.25/32 | 443                    | Custom rule 02 |
| Inbound   | *           | --   | Deny   | All      | 0.0.0.0/0 | All               | 0.0.0.0/0     | All                    | Default rule   |
| Outbound  | *           | --   | Deny   | All      | 0.0.0.0/0 | All               | 0.0.0.0/0     | All                    | Default rule   |

Table 7 Incorrect network ACL rules (destination being an EIP)

| Direction | Rule Number | Type | Action | Protocol | Source    | Source Port Range | Destination    | Destination Port Range | Description    |
|-----------|-------------|------|--------|----------|-----------|-------------------|----------------|------------------------|----------------|
| Inbound   | 1           | IPv4 | Allow  | TCP      | 0.0.0.0/0 | All               | 12.12.11.xx/32 | 80                     | Custom rule 01 |
| Inbound   | 2           | IPv4 | Allow  | TCP      | 0.0.0.0/0 | All               | 12.12.11.xx/32 | 443                    | Custom rule 02 |
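The matching behaviour the tables on this page rely on (the deny rule numbered above the allow rule in Table 2, and the private-address destination in Table 6 versus the EIP destination in Table 7), as an added Python model that is not part of this documentation or of the VPC service. It assumes first-match evaluation in ascending rule number with the "*" default rule last, assumes the subnet ACL sees the private address of ECS-01 rather than its EIP, and uses 12.12.11.1 and 203.0.113.7 as constructed stand-ins for the elided EIP and an Internet client.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple
# Constructed model (not the VPC service's own code) of how this page's rules
# match: custom rules in ascending rule number, first match wins, and the "*"
# default rule is evaluated last and denies everything.
@dataclass(frozen=True)
class Rule:
    number: Optional[int]                 # None models the "*" default rule
    action: str                           # "Allow" or "Deny"
    protocol: str                         # "TCP", "UDP", "ICMP" or "All"
    source: str                           # source CIDR
    destination: str                      # destination CIDR
    dst_ports: Optional[Tuple[int, int]]  # inclusive port range; None = All

def evaluate(rules: List[Rule], proto: str, src: str, dst: str, port: int) -> str:
    """Return the action of the first rule that matches an inbound packet."""
    ordered = sorted(rules, key=lambda r: (r.number is None, r.number or 0))
    for r in ordered:
        if (r.protocol in ("All", proto)
                and ip_address(src) in ip_network(r.source, strict=False)
                and ip_address(dst) in ip_network(r.destination, strict=False)
                and (r.dst_ports is None or r.dst_ports[0] <= port <= r.dst_ports[1])):
            return r.action
    return "Deny"  # only reached if no default rule was supplied

DEFAULT_DENY = Rule(None, "Deny", "All", "0.0.0.0/0", "0.0.0.0/0", None)

# Table 2 (listed out of order on purpose: rule numbers, not list order, decide)
# and the same two rules with their numbers swapped, which the page warns against.
TABLE_2 = [Rule(2, "Allow", "All", "0.0.0.0/0", "10.0.0.0/24", None),
           Rule(1, "Deny", "TCP", "0.0.0.0/0", "10.0.0.0/24", (445, 445)), DEFAULT_DENY]
SWAPPED = [Rule(1, "Allow", "All", "0.0.0.0/0", "10.0.0.0/24", None),
           Rule(2, "Deny", "TCP", "0.0.0.0/0", "10.0.0.0/24", (445, 445)), DEFAULT_DENY]

# Tables 6 and 7: the subnet ACL sees ECS-01's private address, not its EIP (assumed
# reason behind the page's advice), so only the 10.10.0.25/32 rule can match.
# 12.12.11.1 is a constructed stand-in for the page's elided 12.12.11.xx.
TABLE_6 = [Rule(1, "Allow", "TCP", "0.0.0.0/0", "10.10.0.25/32", (80, 80)), DEFAULT_DENY]
TABLE_7 = [Rule(1, "Allow", "TCP", "0.0.0.0/0", "12.12.11.1/32", (80, 80)), DEFAULT_DENY]

def check_examples() -> dict:
    """Evaluate constructed sample packets (source 203.0.113.7) against each table."""
    return {
        "table2_smb": evaluate(TABLE_2, "TCP", "203.0.113.7", "10.0.0.15", 445),
        "table2_http": evaluate(TABLE_2, "TCP", "203.0.113.7", "10.0.0.15", 80),
        "swapped_smb": evaluate(SWAPPED, "TCP", "203.0.113.7", "10.0.0.15", 445),
        "table6_http": evaluate(TABLE_6, "TCP", "203.0.113.7", "10.10.0.25", 80),
        "table7_http": evaluate(TABLE_7, "TCP", "203.0.113.7", "10.10.0.25", 80),
    }
```

The "swapped_smb" case shows why the deny rule must carry the lower number: with the allow rule at number 1, port 445 traffic is accepted before the deny rule is ever reached.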