Updated on 2024-04-30 GMT+08:00

Adding a Network ACL Rule (Default Effective Sequence)

Scenarios

You can add inbound and outbound rules to a network ACL to control the traffic in and out of a subnet.

When you add a rule with the procedure below, the system assigns its priority from the order in which rules are added. You cannot specify a priority yourself.

For example, suppose a network ACL has two custom inbound rules (rule A and rule B) and one default rule. Rule A has priority 1, rule B has priority 2, and the default rule has the lowest priority. If rule C is added, the system sets its priority to 3: lower than rules A and B, but higher than the default rule.

If the default priorities do not meet your requirements, you can customize the priorities by referring to Adding a Network ACL Rule (Custom Effective Sequence).

Notes and Constraints

Keep each direction of a network ACL to no more than 20 rules; beyond that, performance deteriorates.

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner and select the desired region and project.
  3. Click in the upper left corner and choose Networking > Virtual Private Cloud.

    The Virtual Private Cloud page is displayed.

  4. In the navigation pane on the left, choose Access Control > Network ACLs.
  5. Locate the target network ACL and click its name to open the page showing its details.
  6. On the Inbound Rules or Outbound Rules tab, click Add Rule to add an inbound or outbound rule.
    • Click + to add more rules.
    • To replicate an existing rule, locate its row and click Replicate in the Operation column.

    Table 1 Parameter descriptions

    Priority
      Description: Priority of the network ACL rule. A smaller value means a higher priority. Each network ACL includes a default rule whose priority value is an asterisk (*); default rules have the lowest priority.
      Example value: 3

    Status
      Description: Status of the network ACL rule. A newly added rule is Enabled by default.
      Example value: Enabled

    Type
      Description: Type of the network ACL rule. This parameter is mandatory and is available only after the IPv6 function is enabled. Select a value from the drop-down list; currently, only IPv4 and IPv6 are supported.
      Example value: IPv4

    Action
      Description: Action the rule takes on matching traffic. This parameter is mandatory. Select a value from the drop-down list; currently, the value can be Allow or Deny.
      Example value: Allow

    Protocol
      Description: Protocol the rule applies to. This parameter is mandatory. Select TCP, UDP, ICMP, or All from the drop-down list.
      Example value: TCP

    Source
      Description: The source can be one of the following:
      • IP address
        • Single IP address, written as IP address/mask.
          Example IPv4 address: 192.168.10.10/32
          Example IPv6 address: 2002:50::44/128
        • IP address range in CIDR notation, written as IP address/mask.
          Example IPv4 address range: 192.168.52.0/24
          Example IPv6 address range: 2407:c080:802:469::/64
        • All IP addresses
          0.0.0.0/0 represents all IPv4 addresses.
          ::/0 represents all IPv6 addresses.
      • IP address group: a collection of one or more IP addresses or IP address ranges that share the same security requirements, selected from the drop-down list. An IP address group makes such addresses simpler to manage.
        Only one of the source and the destination of a network ACL rule can be an IP address group. For example, if the source is an IP address group, the destination cannot be one.
      Example value: 0.0.0.0/0

    Source Port Range
      Description: Source port number or port number range. The value ranges from 1 to 65535. For a range, enter two port numbers connected by a hyphen (-), for example, 1-100. This parameter is mandatory if Protocol is TCP or UDP.
      Example value: 22, or 22-30

    Destination
      Description: The destination can be one of the following:
      • IP address
        • Single IP address, written as IP address/mask.
          Example IPv4 address: 192.168.10.10/32
          Example IPv6 address: 2002:50::44/128
        • IP address range in CIDR notation, written as IP address/mask.
          Example IPv4 address range: 192.168.52.0/24
          Example IPv6 address range: 2407:c080:802:469::/64
        • All IP addresses
          0.0.0.0/0 represents all IPv4 addresses.
          ::/0 represents all IPv6 addresses.
      • IP address group: a collection of one or more IP addresses or IP address ranges that share the same security requirements, selected from the drop-down list. An IP address group makes such addresses simpler to manage.
        Only one of the source and the destination of a network ACL rule can be an IP address group. For example, if the source is an IP address group, the destination cannot be one.
      Example value: 0.0.0.0/0

    Destination Port Range
      Description: Destination port number or port number range. The value ranges from 1 to 65535. For a range, enter two port numbers connected by a hyphen (-), for example, 1-100. This parameter is mandatory if Protocol is TCP or UDP.
      Example value: 22, or 22-30

    Description
      Description: Supplementary information about the network ACL rule. This parameter is optional. The description can contain a maximum of 255 characters and cannot contain angle brackets (< or >).
      Example value: N/A

  7. Click OK.
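As an added illustration (not code from this page or from the cloud provider), the following Python models the default effective sequence from Scenarios and the rule constraints from Table 1: each added rule takes the next priority number, traffic is checked against rules in ascending priority with the asterisk default rule last, and a rule is rejected if its ports fall outside 1-65535, its CIDR is malformed, TCP/UDP lacks a port range, or the description is over 255 characters or contains angle brackets. The Rule and NetworkAcl names, the CIDR-only source/destination (IP address groups and the source port range are left out), and the Deny action of the default rule are assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    action: str            # "Allow" or "Deny"
    protocol: str          # "TCP", "UDP", "ICMP" or "All"
    source: str            # CIDR, e.g. 192.168.52.0/24 or 0.0.0.0/0
    destination: str       # CIDR (IP address groups are not modelled here)
    dst_ports: str = ""    # "22" or "22-30"; mandatory for TCP/UDP
    description: str = ""
    priority: int = 0      # assigned by the ACL, never by the caller
def parse_ports(spec):
    """'22' -> (22, 22); '22-30' -> (22, 30); enforces 1-65535 and lo <= hi."""
    parts = spec.split("-")                       # int() rejects "" and non-digits
    lo, hi = int(parts[0]), int(parts[-1])
    if len(parts) > 2 or not 1 <= lo <= hi <= 65535:
        raise ValueError(f"invalid port range {spec!r}")
    return lo, hi
def validate(rule):
    """Reject a rule that violates the constraints listed in Table 1."""
    if rule.action not in ("Allow", "Deny") or rule.protocol not in ("TCP", "UDP", "ICMP", "All"):
        raise ValueError("Action must be Allow or Deny; Protocol TCP, UDP, ICMP or All")
    ipaddress.ip_network(rule.source, strict=False)   # raises on a malformed CIDR
    ipaddress.ip_network(rule.destination, strict=False)
    if rule.protocol in ("TCP", "UDP"):
        parse_ports(rule.dst_ports)                   # "" is rejected: ports are mandatory
    if len(rule.description) > 255 or "<" in rule.description or ">" in rule.description:
        raise ValueError("Description: at most 255 characters, no angle brackets")

class NetworkAcl:
    def __init__(self, default_action="Deny"):  # action of the '*' default rule (assumed)
        self.rules, self.default_action = [], default_action
    def add_rule(self, rule):
        validate(rule)
        rule.priority = len(self.rules) + 1      # default effective sequence: next number
        self.rules.append(rule)
        return rule.priority
    def evaluate(self, src, dst, protocol, dport=0):
        """First match in ascending priority wins; the '*' default rule comes last."""
        for r in sorted(self.rules, key=lambda r: r.priority):
            if r.protocol not in ("All", protocol):
                continue
            in_src = ipaddress.ip_address(src) in ipaddress.ip_network(r.source, strict=False)
            in_dst = ipaddress.ip_address(dst) in ipaddress.ip_network(r.destination, strict=False)
            port_ok = r.protocol not in ("TCP", "UDP") or (
                parse_ports(r.dst_ports)[0] <= dport <= parse_ports(r.dst_ports)[1])
            if in_src and in_dst and port_ok:
                return r.action, r.priority
        return self.default_action, "*"
```

Because a new rule always lands just above the default rule, a broad Deny added earlier (priority 2 below) still shadows a narrower Allow added later (priority 3) for any traffic both match.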