Updated on 2025-10-15 GMT+08:00

Creating a Network ACL

Scenarios

A security group protects the instances in it, such as ECSs, databases, and containers, while a network ACL protects associated subnets. Security groups are mandatory, while network ACLs are optional. If you want to add an additional layer of protection, you can create a network ACL and associate it with one or more subnets. Network ACLs and security groups can be used together for fine-grained and comprehensive access control.

After a network ACL is created, you need to add rules based on your service requirements, for example, allowing or denying traffic from or to specific ports or IP address ranges. Then, associate a subnet with the network ACL to protect the instances in the subnet. The detailed operations are as follows:

Step 1: Create a Network ACL

  1. Go to the network ACL list page.
  2. In the upper right corner of the network ACL list, click Create Network ACL.
  3. On the displayed page, configure the parameters as prompted.
    Table 1 Parameter descriptions (Parameter | Description | Example Value)

    Region (Mandatory)
      A network ACL can only be associated with the subnets in the same region.
      Example value: -

    Name (Mandatory)
      The network ACL name.
      The name can contain a maximum of 64 characters, which may consist of letters, digits, underscores (_), hyphens (-), and periods (.). The name cannot contain spaces.
      Example value: fw-A

    Enterprise Project (Mandatory)
      Enterprise project that the network ACL belongs to.
      An enterprise project facilitates project-level management and grouping of cloud resources and users. The default project is default.
      For details about creating and managing enterprise projects, see the Enterprise Management User Guide.
      Example value: default

    Tag (Optional)
      When creating a network ACL, you can add tags to it to help you identify and search for given network ACLs.
      For details, see Managing Network ACL Tags.
      Example value: Tag key: test; Tag value: 01

    Description (Optional)
      Supplementary information about the network ACL.
      The description can contain a maximum of 255 characters and cannot contain angle brackets (< or >).
      Example value: N/A

  4. Click Create Now.

Step 2: Add Network ACL Rules

A network ACL comes with default inbound and outbound rules that deny all traffic in and out of associated subnets. You can add custom rules to allow traffic by referring to Adding a Network ACL Rule. Custom rules are matched before the default rules, so any traffic that no custom rule allows is still denied by the defaults.

Step 3: Associate a Subnet with the Network ACL

You can associate one or more subnets with the network ACL. If the network ACL is enabled, it controls traffic in and out of the subnets.
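The following is an added example, not code from this guide or the cloud platform's own API, that models the three steps above: it checks the Name and Description constraints from Table 1, enforces the same-region requirement when associating a subnet, and evaluates traffic so that custom rules are matched first and the default rules deny everything else. The rule fields (action, protocol, port, CIDR) and the region and subnet identifiers are assumptions for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Table 1: at most 64 characters; letters, digits, _, - and . only; no spaces.
NAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")


def validate_name(name: str) -> bool:
    return NAME_RE.fullmatch(name) is not None


def validate_description(desc: str) -> bool:
    # Table 1: at most 255 characters and no angle brackets.
    return len(desc) <= 255 and "<" not in desc and ">" not in desc


@dataclass
class Rule:
    action: str            # "allow" or "deny" (assumed field names)
    protocol: str          # "tcp", "udp", "icmp" or "any"
    port: Optional[int]    # None means any port
    cidr: str              # source (inbound) or destination (outbound) range


@dataclass
class NetworkAcl:
    name: str
    region: str
    inbound: List[Rule] = field(default_factory=list)
    outbound: List[Rule] = field(default_factory=list)
    subnets: List[str] = field(default_factory=list)

    def associate(self, subnet_region: str, subnet_id: str) -> bool:
        # Step 3: only subnets in the same region can be associated.
        if subnet_region != self.region:
            return False
        self.subnets.append(subnet_id)
        return True

    def evaluate(self, direction: str, protocol: str, port: int, address: str) -> str:
        # Step 2: custom rules are matched first, in list order.
        rules = self.inbound if direction == "inbound" else self.outbound
        addr = ipaddress.ip_address(address)
        for r in rules:
            if (r.protocol in ("any", protocol) and (r.port is None or r.port == port)
                    and addr in ipaddress.ip_network(r.cidr, strict=False)):
                return r.action
        return "deny"  # default inbound/outbound rules deny all remaining traffic
```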