Updated on 2024-11-08 GMT+08:00

Network ACL Configuration Examples

You can use network ACLs to control the traffic entering and leaving a subnet. When both security groups and network ACLs are configured, inbound traffic is matched against the network ACL rules of the subnet first and then against the security group rules of the instance; outbound traffic that an instance initiates is matched against its security group rules first and then against the network ACL rules. Add security group rules for each instance as required and use network ACLs as a second, subnet-wide layer of protection. The following examples show how network ACLs can be used.

If your network ACL rules do not work, submit a service ticket.

Precautions

Note the following before configuring network ACL rules:
  • Each network ACL has default rules, as shown in Table 1. If a network ACL has no custom rules, the default rule is applied, denying all traffic in and out of a subnet.
    Table 1 Default network ACL rules

    Direction | Rule Number | Action | Protocol | Source    | Source Port Range | Destination | Destination Port Range
    Inbound   | *           | Deny   | All      | 0.0.0.0/0 | All               | 0.0.0.0/0   | All
    Outbound  | *           | Deny   | All      | 0.0.0.0/0 | All               | 0.0.0.0/0   | All

  • You do not need to add an outbound rule for the responses to allowed inbound requests. Network ACLs are stateful, so response traffic leaves the subnet without being checked against the outbound rules. Traffic that an instance initiates itself (for example, a connection to an update server) is not response traffic and is checked against the outbound rules.

For more information about how network ACL rules work, see How Network ACL Rules Work.

Denying External Access to a Specific Port in a Subnet

If you want to block TCP port 445 (SMB, the port exploited by WannaCry ransomware) for the instances in 10.0.0.0/24, add the inbound rules described in Table 2.
  1. The default rule denies all traffic to the subnet. Add custom rule 02 to allow inbound traffic to 10.0.0.0/24.
  2. Add custom rule 01 to deny all inbound traffic to TCP port 445. Give the deny rule the smaller rule number (1) so that it is matched before the allow rule (2): rules are matched in ascending rule-number order and the first matching rule is applied, so if the allow rule came first, traffic to port 445 would be allowed and the deny rule would never be reached. For details, see Adding a Network ACL Rule (Custom Rule Numbers).
Table 2 Inbound rules for denying external access to a specific port in a subnet

Direction | Rule Number | Type | Action | Protocol | Source    | Source Port Range | Destination | Destination Port Range | Description
Inbound   | 1           | IPv4 | Deny   | TCP      | 0.0.0.0/0 | All               | 10.0.0.0/24 | 445                    | Custom rule 01
Inbound   | 2           | IPv4 | Allow  | All      | 0.0.0.0/0 | All               | 10.0.0.0/24 | All                    | Custom rule 02
Inbound   | *           | --   | Deny   | All      | 0.0.0.0/0 | All               | 0.0.0.0/0   | All                    | Default rule

Denying Access from a Specific IP Address

You can add the inbound rules described in Table 3 to deny access from a suspicious IP address, for example 10.1.1.12/32, to the instances in 10.5.0.0/24.
  1. The default rule denies all traffic to the subnet. Add custom rule 02 to allow inbound traffic to 10.5.0.0/24.
  2. Add custom rule 01 to deny traffic from 10.1.1.12/32 to 10.5.0.0/24. Give the deny rule the smaller rule number so that it is matched before the allow rule. Note that rule 01 as listed in Table 3 matches only TCP; UDP and ICMP traffic from 10.1.1.12 is still allowed by rule 02. To block all traffic from that host, set Protocol to All. For details, see Adding a Network ACL Rule (Custom Rule Numbers).
Table 3 Inbound rules for denying access from a specific IP address

Direction | Rule Number | Type | Action | Protocol | Source       | Source Port Range | Destination | Destination Port Range | Description
Inbound   | 1           | IPv4 | Deny   | TCP      | 10.1.1.12/32 | All               | 10.5.0.0/24 | All                    | Custom rule 01
Inbound   | 2           | IPv4 | Allow  | All      | 0.0.0.0/0    | All               | 10.5.0.0/24 | All                    | Custom rule 02
Inbound   | *           | --   | Deny   | All      | 0.0.0.0/0    | All               | 0.0.0.0/0   | All                    | Default rule

Allowing External Access to Specific Ports on an Instance in a Subnet

If you deploy a web server in a subnet and want it to be reachable from the Internet, you need to add both network ACL rules and security group rules that allow HTTP traffic on port 80 and HTTPS traffic on port 443.
  1. Add the network ACL rules listed in Table 4.
    • Add custom rule 01 to allow HTTP traffic from any source to the subnet (10.8.0.0/24) on TCP port 80.
    • Add custom rule 02 to allow HTTPS traffic from any source to the subnet (10.8.0.0/24) on TCP port 443.
    Table 4 Network ACL rules for allowing access to specific ports on an instance in a subnet

    Direction | Rule Number | Type | Action | Protocol | Source    | Source Port Range | Destination | Destination Port Range | Description
    Inbound   | 1           | IPv4 | Allow  | TCP      | 0.0.0.0/0 | All               | 10.8.0.0/24 | 80                     | Custom rule 01
    Inbound   | 2           | IPv4 | Allow  | TCP      | 0.0.0.0/0 | All               | 10.8.0.0/24 | 443                    | Custom rule 02
    Inbound   | *           | --   | Deny   | All      | 0.0.0.0/0 | All               | 0.0.0.0/0   | All                    | Default rule
    Outbound  | *           | --   | Deny   | All      | 0.0.0.0/0 | All               | 0.0.0.0/0   | All                    | Default rule

  2. Add the security group rules listed in Table 5.
    • Add inbound rule 01 to allow HTTP traffic from any source to the instance on TCP port 80.
    • Add inbound rule 02 to allow HTTPS traffic from any source to the instance on TCP port 443.
    • Add outbound rule 03 to allow all traffic to leave the security group.

      The permissive security group outbound rule is not a concern here: the network ACL is stateful and lets the responses to allowed inbound requests leave the subnet, while its default outbound rule denies any connection the instance initiates itself. If the web server must initiate outbound connections (for example, DNS lookups, OS updates, or calls to a backend), add matching outbound allow rules to the network ACL as well.

    Table 5 Security group rules for allowing access to specific ports

    Direction | Priority | Action | Type | Protocol & Port | Source/Destination    | Description
    Inbound   | 1        | Allow  | IPv4 | TCP: 80         | IP address: 0.0.0.0/0 | Rule 01
    Inbound   | 1        | Allow  | IPv4 | TCP: 443        | IP address: 0.0.0.0/0 | Rule 02
    Outbound  | 1        | Allow  | IPv4 | All             | IP address: 0.0.0.0/0 | Rule 03
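The following Python script is an added example (not Huawei Cloud code and not part of the original page) that models the matching order described above: network ACL rules are matched in ascending rule-number order with the "*" default rule last, inbound traffic passes the network ACL and then the security group, instance-initiated outbound traffic passes the security group and then the network ACL, and response traffic to an allowed inbound request is not checked (both the network ACL and the security group are treated as stateful). It encodes Tables 2 to 5 and runs constructed sample flows through them to show the two points a practitioner should verify before relying on these rules: that the deny rule in Table 2 must carry the smaller rule number, and that rule 01 in Table 3 blocks TCP only. The sample IP addresses in the flows are constructed for illustration.

```python
# Added example: model of network ACL / security group evaluation order.
# Illustrative only; not Huawei Cloud's implementation.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

DEFAULT = float("inf")  # the "*" rule number: always evaluated last


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str                      # "TCP", "UDP" or "ICMP"
    dst_port: Optional[int] = None  # None for protocols without ports


@dataclass(frozen=True)
class Rule:
    number: float                   # rule number / priority: lower values match first
    action: str                     # "Allow" or "Deny"
    proto: str                      # "TCP", "UDP", "ICMP" or "All"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dst_port: Optional[int] = None  # None means "All"

    def matches(self, f: Flow) -> bool:
        return ((self.proto == "All" or self.proto == f.proto)
                and ip_address(f.src) in ip_network(self.src)
                and ip_address(f.dst) in ip_network(self.dst)
                and self.dst_port in (None, f.dst_port))


DEFAULT_DENY = Rule(DEFAULT, "Deny", "All")  # Table 1 default rule


def first_match(rules: List[Rule], flow: Flow) -> str:
    """First matching rule in ascending rule-number order wins; the default
    rule is appended so that anything left over is denied."""
    for rule in sorted(rules + [DEFAULT_DENY], key=lambda r: r.number):
        if rule.matches(flow):
            return rule.action
    return "Deny"  # unreachable: DEFAULT_DENY matches every flow


def inbound_allowed(acl_in: List[Rule], sg_in: List[Rule], flow: Flow) -> bool:
    """Inbound: network ACL of the subnet first, then the security group."""
    return first_match(acl_in, flow) == "Allow" and first_match(sg_in, flow) == "Allow"


def outbound_allowed(sg_out: List[Rule], acl_out: List[Rule], flow: Flow,
                     response_to_inbound: bool = False) -> bool:
    """Outbound: security group first, then network ACL. Responses to allowed
    inbound requests are passed by the stateful tracking and skip both."""
    if response_to_inbound:
        return True
    return first_match(sg_out, flow) == "Allow" and first_match(acl_out, flow) == "Allow"


# Table 2: deny TCP/445 before the blanket allow.
TABLE2 = [Rule(1, "Deny", "TCP", dst="10.0.0.0/24", dst_port=445),
          Rule(2, "Allow", "All", dst="10.0.0.0/24")]
# Table 3: deny one source host (TCP only, as listed) before the blanket allow.
TABLE3 = [Rule(1, "Deny", "TCP", src="10.1.1.12/32", dst="10.5.0.0/24"),
          Rule(2, "Allow", "All", dst="10.5.0.0/24")]
# Table 4 (network ACL) and Table 5 (security group) for the web server.
TABLE4_IN = [Rule(1, "Allow", "TCP", dst="10.8.0.0/24", dst_port=80),
             Rule(2, "Allow", "TCP", dst="10.8.0.0/24", dst_port=443)]
TABLE4_OUT: List[Rule] = []  # only the default outbound deny
TABLE5_IN = [Rule(1, "Allow", "TCP", dst_port=80), Rule(1, "Allow", "TCP", dst_port=443)]
TABLE5_OUT = [Rule(1, "Allow", "All")]


def check_examples() -> Dict[str, object]:
    # Constructed sample flows (addresses chosen for illustration).
    smb = Flow("203.0.113.7", "10.0.0.10", "TCP", 445)
    ssh = Flow("203.0.113.7", "10.0.0.10", "TCP", 22)
    bad_tcp = Flow("10.1.1.12", "10.5.0.10", "TCP", 80)
    bad_icmp = Flow("10.1.1.12", "10.5.0.10", "ICMP")
    http = Flow("198.51.100.9", "10.8.0.10", "TCP", 80)
    reply = Flow(http.dst, http.src, "TCP")          # server's answer to http
    update = Flow("10.8.0.10", "198.51.100.9", "TCP", 443)  # instance-initiated
    swapped = [Rule(2, "Deny", "TCP", dst="10.0.0.0/24", dst_port=445),
               Rule(1, "Allow", "All", dst="10.0.0.0/24")]  # Table 2 with numbers swapped
    return {
        "table2_445": first_match(TABLE2, smb),              # Deny
        "table2_22": first_match(TABLE2, ssh),               # Allow
        "table2_swapped_445": first_match(swapped, smb),     # Allow: order matters
        "table3_tcp": first_match(TABLE3, bad_tcp),          # Deny
        "table3_icmp": first_match(TABLE3, bad_icmp),        # Allow: rule 01 is TCP only
        "web_http": inbound_allowed(TABLE4_IN, TABLE5_IN, http),                  # True
        "web_reply": outbound_allowed(TABLE5_OUT, TABLE4_OUT, reply, True),       # True
        "web_update": outbound_allowed(TABLE5_OUT, TABLE4_OUT, update),           # False
    }


if __name__ == "__main__":
    for name, verdict in check_examples().items():
        print(f"{name}: {verdict}")
```

The last two results make the caveat in the web server example concrete: the response to an allowed HTTP request leaves the subnet, but a TLS connection the instance opens on its own is stopped by the network ACL's default outbound rule even though the security group allows all outbound traffic.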