Network ACL Configuration Examples
You can use network ACLs to control the traffic in and out of a subnet. When both security groups and network ACLs are configured, traffic is matched against the network ACL rules first and then against the security group rules. Add security group rules as required and use network ACLs to protect the instances in the associated subnets. The following examples show how network ACLs can be used.
- Denying External Access to a Specific Port in a Subnet
- Denying Access from a Specific IP Address
- Allowing External Access to Specific Ports on an Instance in a Subnet
If your network ACL rules do not work, submit a service ticket.
Precautions
- Each network ACL has default rules, as shown in Table 1. If a network ACL has no custom rules, the default rule is applied, denying all traffic in and out of a subnet.
- You do not need to add a rule to allow response traffic to inbound requests. Network ACLs are stateful: responses to an allowed inbound request are permitted to leave the subnet without being checked against the outbound rules.
For more information about how network ACL rules work, see How Network ACL Rules Work.
Denying External Access to a Specific Port in a Subnet
- The default rule denies all traffic to the subnet. Add custom rule 02 to allow inbound traffic.
- Add custom rule 01 to deny all inbound traffic to TCP port 445. Place the deny rule above the allow rule so that the deny rule is evaluated first; rules are matched in priority order and the first match wins. For details, see Adding a Network ACL Rule (Custom Rule Numbers).
Direction | Priority | Type | Action | Protocol | Source | Source Port Range | Destination | Destination Port Range | Description
---|---|---|---|---|---|---|---|---|---
Inbound | 1 | IPv4 | Deny | TCP | 0.0.0.0/0 | All | 10.0.0.0/24 | 445 | Custom rule 01
Inbound | 2 | IPv4 | Allow | All | 0.0.0.0/0 | All | 10.0.0.0/24 | All | Custom rule 02
Inbound | * | -- | Deny | All | 0.0.0.0/0 | All | 0.0.0.0/0 | All | Default rule
Denying Access from a Specific IP Address
- The default rule denies all traffic to the subnet. Add custom rule 02 to allow inbound traffic.
- Add custom rule 01 to deny traffic from 10.1.1.12/32 to 10.5.0.0/24. Place the deny rule above the allow rule so that the deny rule is evaluated first. For details, see Adding a Network ACL Rule (Custom Rule Numbers).
Direction | Priority | Type | Action | Protocol | Source | Source Port Range | Destination | Destination Port Range | Description
---|---|---|---|---|---|---|---|---|---
Inbound | 1 | IPv4 | Deny | TCP | 10.1.1.12/32 | All | 10.5.0.0/24 | All | Custom rule 01
Inbound | 2 | IPv4 | Allow | All | 0.0.0.0/0 | All | 10.5.0.0/24 | All | Custom rule 02
Inbound | * | -- | Deny | All | 0.0.0.0/0 | All | 0.0.0.0/0 | All | Default rule
Allowing External Access to Specific Ports on an Instance in a Subnet
- Add the network ACL rules listed in Table 4.
  - Add custom rule A01 to allow any HTTP traffic to the instance in the subnet (10.8.0.0/24) over port 80.
  - Add custom rule A02 to allow any HTTPS traffic to the instance in the subnet (10.8.0.0/24) over port 443.
Table 4 Network ACL rules for allowing access to specific ports on an instance in a subnet

Direction | Priority | Type | Action | Protocol | Source | Source Port Range | Destination | Destination Port Range | Description
---|---|---|---|---|---|---|---|---|---
Inbound | 1 | IPv4 | Allow | TCP | 0.0.0.0/0 | All | 10.8.0.0/24 | 80 | Custom rule 01
Inbound | 2 | IPv4 | Allow | TCP | 0.0.0.0/0 | All | 10.8.0.0/24 | 443 | Custom rule 02
Inbound | * | -- | Deny | All | 0.0.0.0/0 | All | 0.0.0.0/0 | All | Default rule
Outbound | * | -- | Deny | All | 0.0.0.0/0 | All | 0.0.0.0/0 | All | Default rule
- Add the security group rules listed in Table 5.
  - Add inbound rule 01 to allow any HTTP traffic to the instance over port 80.
  - Add inbound rule 02 to allow any HTTPS traffic to the instance over port 443.
  - Add outbound rule 03 to allow any traffic to leave the security group.
The permissive security group outbound rule (rule 03) is not a concern. The network ACL's default outbound rule denies all traffic, so only responses to inbound requests are allowed to leave the subnet.
Table 5 Security group rules for allowing access to specific ports

Direction | Priority | Action | Type | Protocol & Port | Source/Destination | Description
---|---|---|---|---|---|---
Inbound | 1 | Allow | IPv4 | TCP: 80 | IP address: 0.0.0.0/0 | Rule 01
Inbound | 1 | Allow | IPv4 | TCP: 443 | IP address: 0.0.0.0/0 | Rule 02
Outbound | 1 | Allow | IPv4 | All | IP address: 0.0.0.0/0 | Rule 03
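The following is an added worked example, not code from this page or from the cloud provider. It transcribes the rule tables of all three examples above and runs constructed sample packets through a small model of the behaviour the page describes: rules are checked in priority order and the first match wins, the `*` row denies whatever is left, the network ACL is checked before the security group, and replies to an admitted inbound request leave the subnet without consulting the outbound rules. The evaluation model, the `Subnet` class, the packet tuple layout, the treatment of the security group as allow-only rules with an implicit deny, and the address 203.0.113.9 are all assumptions made for the example.

```python
"""First-match network ACL evaluation with a stateful reply allowance (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# (protocol, src_ip, src_port, dst_ip, dst_port); constructed sample packets only
Packet = Tuple[str, str, int, str, int]


@dataclass(frozen=True)
class Rule:
    direction: str                        # "inbound" | "outbound"
    action: str                           # "allow" | "deny"
    protocol: str                         # "tcp" | "udp" | "icmp" | "all"
    source: str                           # CIDR
    destination: str                      # CIDR
    dst_ports: Optional[Tuple[int, int]]  # inclusive range, None = All
    name: str


def matches(rule: Rule, pkt: Packet) -> bool:
    """Source port range is 'All' in every rule on the page, so it is not modelled."""
    proto, src, _sport, dst, dport = pkt
    return (rule.protocol in ("all", proto)
            and ipaddress.ip_address(src) in ipaddress.ip_network(rule.source)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(rule.destination)
            and (rule.dst_ports is None or rule.dst_ports[0] <= dport <= rule.dst_ports[1]))


def evaluate(rules: List[Rule], direction: str, pkt: Packet) -> Tuple[str, str]:
    """Return (action, rule name) of the first rule that matches, in table order."""
    for rule in rules:
        if rule.direction == direction and matches(rule, pkt):
            return rule.action, rule.name
    return "deny", "implicit deny"  # not reached while the '*' default rows are present


DEFAULT_IN = Rule("inbound", "deny", "all", "0.0.0.0/0", "0.0.0.0/0", None, "Default rule")
DEFAULT_OUT = Rule("outbound", "deny", "all", "0.0.0.0/0", "0.0.0.0/0", None, "Default rule")

# Example 1: deny TCP/445 into 10.0.0.0/24, allow all other inbound traffic.
ACL_PORT_445 = [
    Rule("inbound", "deny", "tcp", "0.0.0.0/0", "10.0.0.0/24", (445, 445), "Custom rule 01"),
    Rule("inbound", "allow", "all", "0.0.0.0/0", "10.0.0.0/24", None, "Custom rule 02"),
    DEFAULT_IN,
]
# Example 2: deny 10.1.1.12/32 -> 10.5.0.0/24 (TCP only, as in the table), allow the rest.
ACL_BLOCK_HOST = [
    Rule("inbound", "deny", "tcp", "10.1.1.12/32", "10.5.0.0/24", None, "Custom rule 01"),
    Rule("inbound", "allow", "all", "0.0.0.0/0", "10.5.0.0/24", None, "Custom rule 02"),
    DEFAULT_IN,
]
# Example 3 (Table 4): only TCP/80 and TCP/443 into 10.8.0.0/24; everything else denied.
ACL_WEB_ONLY = [
    Rule("inbound", "allow", "tcp", "0.0.0.0/0", "10.8.0.0/24", (80, 80), "Custom rule 01"),
    Rule("inbound", "allow", "tcp", "0.0.0.0/0", "10.8.0.0/24", (443, 443), "Custom rule 02"),
    DEFAULT_IN,
    DEFAULT_OUT,
]
# Table 5 security group, modelled as allow-only rules with an implicit deny (assumption).
SG_WEB = [
    Rule("inbound", "allow", "tcp", "0.0.0.0/0", "0.0.0.0/0", (80, 80), "Rule 01"),
    Rule("inbound", "allow", "tcp", "0.0.0.0/0", "0.0.0.0/0", (443, 443), "Rule 02"),
    Rule("outbound", "allow", "all", "0.0.0.0/0", "0.0.0.0/0", None, "Rule 03"),
]


class Subnet:
    """ACL first, then security group; admitted inbound flows are remembered so that
    their replies can leave without being checked against the outbound rules."""

    def __init__(self, acl: List[Rule], sg: List[Rule]) -> None:
        self.acl, self.sg, self.flows = acl, sg, set()

    def inbound(self, pkt: Packet) -> bool:
        if evaluate(self.acl, "inbound", pkt)[0] != "allow":
            return False
        if evaluate(self.sg, "inbound", pkt)[0] != "allow":
            return False
        self.flows.add(pkt)  # track the admitted request
        return True

    def outbound(self, pkt: Packet) -> bool:
        proto, src, sport, dst, dport = pkt
        if (proto, dst, dport, src, sport) in self.flows:
            return True  # stateful reply to an admitted request
        return (evaluate(self.acl, "outbound", pkt)[0] == "allow"
                and evaluate(self.sg, "outbound", pkt)[0] == "allow")


def reordered_without_deny_first(rules: List[Rule]) -> List[Rule]:
    """Example 1 with the allow rule placed above the deny rule, to show why the
    page says to put the deny rule first: the broad allow now matches port 445."""
    return [rules[1], rules[0]] + rules[2:]


if __name__ == "__main__":
    smb = ("tcp", "203.0.113.9", 51000, "10.0.0.10", 445)
    print(evaluate(ACL_PORT_445, "inbound", smb))
    print(evaluate(reordered_without_deny_first(ACL_PORT_445), "inbound", smb))
    web = Subnet(ACL_WEB_ONLY, SG_WEB)
    print(web.inbound(("tcp", "203.0.113.9", 51000, "10.8.0.10", 443)))
    print(web.outbound(("tcp", "10.8.0.10", 443, "203.0.113.9", 51000)))
    print(web.outbound(("tcp", "10.8.0.10", 40000, "203.0.113.9", 25)))
```

Two points the model makes visible that the tables alone do not: swapping the order of the two custom rules in example 1 lets the broad allow rule match TCP/445 before the deny rule is ever reached, and the deny rule in example 2 is written for TCP only, so UDP traffic from 10.1.1.12 still falls through to the allow rule. In example 3 the HTTPS reply leaves the subnet although the ACL's outbound default rule denies everything, while a new outbound connection from the instance does not.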