Why Is Access from a Specific IP Address Still Allowed After a Network ACL Rule That Denies the Access from the IP Address Has Been Added?
Network ACL rules have priorities. A smaller priority value represents a higher priority. Each network ACL includes a default rule whose priority value is an asterisk (*). Default rules have the lowest priority.
If rules conflict, the rule with the highest priority takes effect.
If you need a rule to take effect before or after a specific rule, you can insert that rule before or after the specific rule. For example, if the priority of rule A is 1 but you need rule B to take priority over rule A, insert rule B before rule A. Then, rule B will have a priority of 1 and rule A will be 2. Similarly, if rule B is less important than rule A, insert rule B after rule A.
When you add a rule that denies access from a specific IP address, make sure that any rule allowing access from all IP addresses is placed after it, for example by inserting the allow-all rule at the end. The deny rule then has the higher priority and takes effect; if the allow-all rule came first, it would match every packet and the deny rule would never be reached. For details, see Changing the Sequence of a Network ACL Rule.
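The following simulation, added here as an illustration and not the cloud provider's own implementation, models the first-match evaluation described above: rules are checked in priority order, the default rule (*) comes last, and inserting a rule before another rule takes over that rule's priority. The rule names and the sample addresses (203.0.113.7, 198.51.100.1) are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    name: str
    action: str   # "allow" or "deny"
    source: str   # source CIDR; "0.0.0.0/0" matches any IPv4 address


class NetworkAcl:
    """Constructed model: list index + 1 is the rule's priority (1 = highest)."""

    def __init__(self, default_action="deny"):
        self.rules = []
        self.default = Rule("*", default_action, "0.0.0.0/0")  # always evaluated last

    def append(self, rule):
        self.rules.append(rule)            # gets the lowest priority among explicit rules

    def insert_before(self, rule, target):
        # New rule takes the target's priority; the target and later rules shift by one.
        self.rules.insert(self._index(target), rule)

    def insert_after(self, rule, target):
        self.rules.insert(self._index(target) + 1, rule)

    def _index(self, name):
        return next(i for i, r in enumerate(self.rules) if r.name == name)

    def priorities(self):
        return {**{r.name: i + 1 for i, r in enumerate(self.rules)}, "*": "*"}

    def evaluate(self, src_ip):
        # First matching rule wins; the default rule catches everything else.
        ip = ip_address(src_ip)
        for rule in self.rules + [self.default]:
            if ip in ip_network(rule.source):
                return rule.name, rule.action


def misordered_acl():
    acl = NetworkAcl()
    acl.append(Rule("allow-all", "allow", "0.0.0.0/0"))
    acl.append(Rule("deny-host", "deny", "203.0.113.7/32"))  # priority 2: shadowed by allow-all
    return acl


def corrected_acl():
    acl = NetworkAcl()
    acl.append(Rule("allow-all", "allow", "0.0.0.0/0"))
    acl.insert_before(Rule("deny-host", "deny", "203.0.113.7/32"), "allow-all")  # now priority 1
    return acl
```

Evaluating 203.0.113.7 against `misordered_acl()` returns the allow-all rule, while `corrected_acl()` returns the deny rule and leaves other addresses allowed.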