Help Center> Virtual Private Cloud> User Guide> Access Control> Network ACL> Managing Network ACL Rules> Modifying a Network ACL Rule
Updated on 2024-06-13 GMT+08:00
View PDF

Modifying a Network ACL Rule

Scenarios

If a network ACL rule no longer meets your requirements, you can modify the port, protocol, and source/destination it.

Modifying rules may affect how and where traffic is directed. Be careful with this operation as it may interrupt services.

Notes and Constraints

Default network ACL rules cannot be modified or deleted.

Procedure

  1. Log in to the management console.
  1. Click in the upper left corner and select the desired region and project.
  2. Click in the upper left corner and choose Networking > Virtual Private Cloud.

    The Virtual Private Cloud page is displayed.

  3. In the navigation pane on the left, choose Access Control > Network ACLs.

    The network ACL list is displayed.

  4. In the network ACL list, locate the target network ACL and click its name.

    The network ACL summary page is displayed.

  5. Click the Inbound Rules or Outbound Rules tab, locate the target rule, click Modify in the Operation column, and modify parameters based on Table 1.
    Table 1 Parameter descriptions

    Parameter

    Description

    Example Value

    Type
    Network ACL type. There are two options:
    • IPv4
    • IPv6

    IPv4

    Action
    The action in the network ACL. There are two options:
    • Allow: allows matched traffic in and out of a subnet.
    • Deny: denies matched traffic in and out of a subnet.

    Allow

    Protocol

    The protocol supported by the network ACL to match traffic. The value can be TCP, UDP, or ICMP.

    TCP

    Source
    The source from which the traffic is allowed or denied. The source can be:
    • IP address
      • Single IP address: IP address/mask

        Example IPv4 address: 192.168.10.10/32

        Example IPv6 address: 2002:50::44/128

      • IP address range in CIDR notation: IP address/mask

        Example IPv4 address range: 192.168.52.0/24

        Example IPv6 address range: 2407:c080:802:469::/64

      • All IP addresses

        0.0.0.0/0 represents all IPv4 addresses.

        ::/0 represents all IPv6 addresses.

    • IP address group: The source is an IP address group. An IP address group is a collection of one or more IP addresses. You can select an available IP address group from the drop-down list. An IP address group can help you manage IP address ranges and IP addresses with same security requirements in a more simple way.

      Either the source or the destination of a network ACL rule can use the IP address group. For example, if the source uses an IP address group, the destination address cannot use an IP address group.

    192.168.0.0/24

    Source Port Range

    The source port or port range used to match traffic. The value ranges from 1 to 65535.

    Enter ports in the following format:
    • Individual port: Enter a port, such as 22.
    • Consecutive ports: Enter a port range, such as 22-30.
    • Non-consecutive ports: Enter ports and port ranges, such as 22,24-30. You can enter a maximum of 20 ports and port ranges. Each port range must be unique.
    • All ports: Leave it empty or enter 1-65535.

    22-30

    Destination
    The destination to which the traffic is allowed or denied. The destination can be:
    • IP address
      • Single IP address: IP address/mask

        Example IPv4 address: 192.168.10.10/32

        Example IPv6 address: 2002:50::44/128

      • IP address range in CIDR notation: IP address/mask

        Example IPv4 address range: 192.168.52.0/24

        Example IPv6 address range: 2407:c080:802:469::/64

      • All IP addresses

        0.0.0.0/0 represents all IPv4 addresses.

        ::/0 represents all IPv6 addresses.

    • IP address group: The destination is an IP address group. An IP address group is a collection of one or more IP addresses. You can select an available IP address group from the drop-down list. An IP address group can help you manage IP address ranges and IP addresses with same security requirements in a more simple way.

      Either the source or the destination of a network ACL rule can use the IP address group. For example, if the source uses an IP address group, the destination address cannot use an IP address group.

    0.0.0.0/0

    Destination Port Range

    The destination port or port range used to match traffic. The value ranges from 1 to 65535.

    Enter ports in the following format:
    • Individual port: Enter a port, such as 22.
    • Consecutive ports: Enter a port range, such as 22-30.
    • Non-consecutive ports: Enter ports and port ranges, such as 22,23-30. You can enter a maximum of 20 ports and port ranges. Each port range must be unique.
    • All ports: Leave it empty or enter 1-65535.

    22-30

    Description

    Supplementary information about the network ACL rule. This parameter is optional.

    The description can contain a maximum of 255 characters and cannot contain angle brackets (< or >).

    N/A
  6. Click OK.
Parent Topic: Managing Network ACL Rules