Adding a Network ACL Rule

Scenarios

You can add inbound and outbound rules to a network ACL to control the traffic in and out of a subnet. Network ACL rules are matched in an ascending order, either by the system-generated rule numbers or those you define.

Adding a Network ACL Rule (Default Rule Numbers): Rules are matched in order of their number, starting with the lowest. The rule number is automatically assigned.

As shown in Table 1, there are two custom inbound rules (rule A and rule B) and one default rule. The priority of rule A is 1 and that of rule B is 2. The default rule has the lowest priority. If rule C is added, the system sets its priority to 3, which has lower priority than rules A and B and higher priority than the default rule.

**Table 1** Default priorities
Priority (Rules A and B)		Priority (Rules A, B, and C)
Custom rule A	1	Custom rule A	1
--	--	Custom rule B	2
Custom rule B	2	Custom rule C	3
Default rule	*	Default rule	*

Adding a Network ACL Rule (Custom Rule Numbers): If you want a rule to be matched earlier or later than a specific rule, you can insert the rule above or below the specific rule.

In Table 2, there are two custom inbound rules (rule A and rule B) and one default rule. The priority of rule A is 1 and that of rule B is 2. The default rule has the lowest priority. If you want rule C to be matched earlier than rule B, you can insert rule C above rule B. After rule C is added, the priority of rule C is 2, and that of rule B is 3.

**Table 2** Custom priorities
Priority (Rules A and B)		Priority (Rules A, B, and C)
Custom rule A	1	Custom rule A	1
--	--	Custom rule C	2
Custom rule B	2	Custom rule B	3
Default rule	*	Default rule	*

Notes and Constraints

A network ACL can contain up to 100 rules in one direction, or performance will deteriorate.

Click in the upper left corner and select the desired region and project.
Click in the upper left corner and choose Networking > Virtual Private Cloud.
The Virtual Private Cloud page is displayed.
In the navigation pane on the left, choose Access Control > Network ACLs.
The network ACL list is displayed.
In the network ACL list, locate the target network ACL and click its name.
The network ACL summary page is displayed.
On the Inbound Rules or Outbound Rules tab, click Add Rule.
The Add Inbound Rule or Add Outbound Rule dialog box is displayed.

Configure required parameters.

Click to add more rules.
Locate the row that contains the network ACL rule and click Replicate in the Operation column to replicate an existing rule.

**Table 3** Parameter descriptions
Parameter	Description	Example Value
Type	Network ACL type. There are two options: IPv4 IPv6	IPv4
Action	The action in the network ACL. There are two options: Allow: allows matched traffic in and out of a subnet. Deny: denies matched traffic in and out of a subnet.	Allow
Protocol	The protocol supported by the network ACL to match traffic. The value can be TCP, UDP, or ICMP.	TCP
Source	The source from which the traffic is allowed or denied. The source can be: IP address Single IP address: IP address/mask Example IPv4 address: 192.168.10.10/32 Example IPv6 address: 2002:50::44/128 IP address range in CIDR notation: IP address/mask Example IPv4 address range: 192.168.52.0/24 Example IPv6 address range: 2407:c080:802:469::/64 All IP addresses 0.0.0.0/0 represents all IPv4 addresses. ::/0 represents all IPv6 addresses. IP address group: The source is an IP address group. An IP address group is a collection of one or more IP addresses. You can select an available IP address group from the drop-down list. An IP address group can help you manage IP address ranges and IP addresses with same security requirements in an easier way. Either the source or the destination of a network ACL rule can use the IP address group. For example, if the source uses an IP address group, the destination address cannot use an IP address group. If no IP address groups are available, create one by referring to Creating an IP Address Group.	192.168.0.0/24
Source Port Range	The source port or port range used to match traffic. The value ranges from 1 to 65535. Enter ports in the following format: Individual port: Enter a port, such as 22. Consecutive ports: Enter a port range, such as 22-30. Non-consecutive ports: Enter ports and port ranges, such as 22,24-30. You can enter a maximum of 20 ports and port ranges. Each port range must be unique. All ports: Leave it empty or enter 1-65535.	22-30
Destination	The destination to which the traffic is allowed or denied. The destination can be: IP address Single IP address: IP address/mask Example IPv4 address: 192.168.10.10/32 Example IPv6 address: 2002:50::44/128 IP address range in CIDR notation: IP address/mask Example IPv4 address range: 192.168.52.0/24 Example IPv6 address range: 2407:c080:802:469::/64 All IP addresses 0.0.0.0/0 represents all IPv4 addresses. ::/0 represents all IPv6 addresses. IP address group: The destination is an IP address group. An IP address group is a collection of one or more IP addresses. You can select an available IP address group from the drop-down list. An IP address group can help you manage IP address ranges and IP addresses with same security requirements in an easier way. Either the source or the destination of a network ACL rule can use the IP address group. For example, if the source uses an IP address group, the destination address cannot use an IP address group. If no IP address groups are available, create one by referring to Creating an IP Address Group.	0.0.0.0/0
Destination Port Range	The destination port or port range used to match traffic. The value ranges from 1 to 65535. Enter ports in the following format: Individual port: Enter a port, such as 22. Consecutive ports: Enter a port range, such as 22-30. Non-consecutive ports: Enter ports and port ranges, such as 22,23-30. You can enter a maximum of 20 ports and port ranges. Each port range must be unique. All ports: Leave it empty or enter 1-65535.	22-30
Description	Supplementary information about the network ACL rule. This parameter is optional. The description can contain a maximum of 255 characters and cannot contain angle brackets (< or >).	N/A

Click OK.
Return to the rule list to check the new rule.
- Rules are assigned a number based on the order they are added, with lower-numbered rule matched earlier.
- If the status of the new rule is Enabled, the rule is applied.

Click in the upper left corner and select the desired region and project.
Click in the upper left corner and choose Networking > Virtual Private Cloud.
The Virtual Private Cloud page is displayed.
In the navigation pane on the left, choose Access Control > Network ACLs.
The network ACL list is displayed.
In the network ACL list, locate the target network ACL and click its name.
The network ACL summary page is displayed.
Click the Inbound Rules or Outbound Rules tab and insert a rule.
- Locate the target rule and choose More > Insert Rule Above in the Operation column. The new rule will be matched earlier than the current rule.
- Locate the target rule and choose More > Insert Rule Below in the Operation column. The new rule will be matched later than the current rule.