Network ACL Configuration Examples
This section provides examples for configuring network ACLs.
Denying Access from a Specific Port
You might want to block TCP port 445 to protect against the WannaCry ransomware attacks, which spread over SMB on that port. You can add a network ACL rule to deny all inbound traffic destined for TCP port 445.
Network ACL Configuration
Direction | Action | Protocol | Source | Source Port Range | Destination | Destination Port Range | Description
---|---|---|---|---|---|---|---
Inbound | Deny | TCP | 0.0.0.0/0 | 1-65535 | 0.0.0.0/0 | 445 | Denies inbound traffic from any IP address through TCP port 445.
Inbound | Allow | All | 0.0.0.0/0 | 1-65535 | 0.0.0.0/0 | All | Allows all inbound traffic.
- By default, a network ACL denies all inbound traffic. You can add a rule to allow all inbound traffic if necessary.
- Rules are evaluated in order and the first matching rule applies. If you want a deny rule to be matched first, insert the deny rule above the allow rule; otherwise the allow-all rule would match port 445 traffic before the deny rule is reached. For details, see Changing the Sequence of a Network ACL Rule.
Allowing Access from Specific Ports and Protocols
In this example, an ECS in a subnet is used as the web server, and you need to allow inbound traffic from HTTP port 80 and HTTPS port 443 and allow all outbound traffic. You need to configure both the network ACL rules and security group rules to allow the traffic.
Network ACL Configuration
Table 2 lists the inbound and outbound rules required.
Direction | Action | Protocol | Source | Source Port Range | Destination | Destination Port Range | Description
---|---|---|---|---|---|---|---
Inbound | Allow | TCP | 0.0.0.0/0 | 1-65535 | 0.0.0.0/0 | 80 | Allows inbound HTTP traffic from any IP address to ECSs in the subnet through port 80.
Inbound | Allow | TCP | 0.0.0.0/0 | 1-65535 | 0.0.0.0/0 | 443 | Allows inbound HTTPS traffic from any IP address to ECSs in the subnet through port 443.
Outbound | Allow | All | 0.0.0.0/0 | All | 0.0.0.0/0 | All | Allows all outbound traffic from the subnet.
Security Group Configuration
Table 3 lists the inbound and outbound security group rules required.
Direction | Protocol/Application | Port | Source/Destination | Description
---|---|---|---|---
Inbound | TCP | 80 | Source: 0.0.0.0/0 | Allows inbound HTTP traffic from any IP address to ECSs associated with the security group through port 80.
Inbound | TCP | 443 | Source: 0.0.0.0/0 | Allows inbound HTTPS traffic from any IP address to ECSs associated with the security group through port 443.
Outbound | All | All | Destination: 0.0.0.0/0 | Allows all outbound traffic from the security group.
A network ACL adds an additional layer of security at the subnet boundary. Even if the security group rules allow more traffic than is actually required, the network ACL rules allow inbound access only through HTTP port 80 and HTTPS port 443 and deny all other inbound traffic, so traffic must be permitted by both the network ACL and the security group to reach an ECS.
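The following Python model, added here as an illustration and not part of the Huawei Cloud documentation or product, shows how the rule tables above behave: ordered first-match evaluation with an implicit deny for the port 445 example (including what happens when the deny rule sits below the allow-all rule), and the layering of a subnet network ACL with an instance security group for the web server example. The rule and packet structures, the function names, and the sample addresses are all assumptions made for the example; only the forward direction of a connection is modelled.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed simplified model of the fields in the page's tables.
# Port ranges are (low, high); the page's "All" maps to ALL_PORTS.
ALL_PORTS = (1, 65535)


@dataclass(frozen=True)
class AclRule:
    direction: str    # "Inbound" or "Outbound"
    action: str       # "Allow" or "Deny"
    protocol: str     # "TCP", "UDP", "ICMP" or "All"
    source: str       # CIDR
    src_ports: tuple
    destination: str  # CIDR
    dst_ports: tuple


@dataclass(frozen=True)
class SgRule:
    direction: str
    protocol: str
    ports: tuple      # destination port range on the ECS
    remote: str       # source CIDR for inbound, destination CIDR for outbound


@dataclass(frozen=True)
class Packet:
    direction: str
    protocol: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def _port_in(port, rng):
    return rng[0] <= port <= rng[1]


def _proto_ok(rule_proto, pkt_proto):
    return rule_proto == "All" or rule_proto == pkt_proto


def acl_rule_matches(rule, pkt):
    """A network ACL rule matches only if every field matches."""
    return (rule.direction == pkt.direction
            and _proto_ok(rule.protocol, pkt.protocol)
            and ip_address(pkt.src_ip) in ip_network(rule.source)
            and ip_address(pkt.dst_ip) in ip_network(rule.destination)
            and _port_in(pkt.src_port, rule.src_ports)
            and _port_in(pkt.dst_port, rule.dst_ports))


def acl_verdict(rules, pkt):
    """Ordered, first-match evaluation; no match means the page's default: deny."""
    for rule in rules:
        if acl_rule_matches(rule, pkt):
            return rule.action
    return "Deny"


def sg_verdict(rules, pkt):
    """Security group rules are allow-only: traffic passes if any rule matches."""
    remote_ip = pkt.src_ip if pkt.direction == "Inbound" else pkt.dst_ip
    for r in rules:
        if (r.direction == pkt.direction and _proto_ok(r.protocol, pkt.protocol)
                and ip_address(remote_ip) in ip_network(r.remote)
                and _port_in(pkt.dst_port, r.ports)):
            return "Allow"
    return "Deny"


def combined_verdict(acl_rules, sg_rules, pkt):
    """Traffic reaches the ECS only if both the subnet ACL and the security group allow it."""
    if acl_verdict(acl_rules, pkt) == "Deny":
        return "Deny"
    return sg_verdict(sg_rules, pkt)


# Example 1 from the page: deny TCP 445, then allow everything else inbound.
DENY_445 = AclRule("Inbound", "Deny", "TCP", "0.0.0.0/0", ALL_PORTS, "0.0.0.0/0", (445, 445))
ALLOW_ALL_IN = AclRule("Inbound", "Allow", "All", "0.0.0.0/0", ALL_PORTS, "0.0.0.0/0", ALL_PORTS)
EXAMPLE1_ACL = [DENY_445, ALLOW_ALL_IN]          # deny rule above allow rule, as the page advises
EXAMPLE1_WRONG_ORDER = [ALLOW_ALL_IN, DENY_445]  # same rules, wrong sequence

# Example 2 from the page: web server ACL and security group.
WEB_ACL = [
    AclRule("Inbound", "Allow", "TCP", "0.0.0.0/0", ALL_PORTS, "0.0.0.0/0", (80, 80)),
    AclRule("Inbound", "Allow", "TCP", "0.0.0.0/0", ALL_PORTS, "0.0.0.0/0", (443, 443)),
    AclRule("Outbound", "Allow", "All", "0.0.0.0/0", ALL_PORTS, "0.0.0.0/0", ALL_PORTS),
]
WEB_SG = [SgRule("Inbound", "TCP", (80, 80), "0.0.0.0/0"),
          SgRule("Inbound", "TCP", (443, 443), "0.0.0.0/0"),
          SgRule("Outbound", "All", ALL_PORTS, "0.0.0.0/0")]
# An over-permissive security group (assumed), to show the ACL still limiting traffic.
LOOSE_SG = [SgRule("Inbound", "All", ALL_PORTS, "0.0.0.0/0"),
            SgRule("Outbound", "All", ALL_PORTS, "0.0.0.0/0")]


def demo():
    """Constructed sample packets (documentation addresses) run through both examples."""
    smb = Packet("Inbound", "TCP", "203.0.113.10", 51000, "10.0.0.5", 445)
    http = Packet("Inbound", "TCP", "203.0.113.10", 51001, "10.0.0.5", 80)
    ssh = Packet("Inbound", "TCP", "203.0.113.10", 51002, "10.0.0.5", 22)
    return {
        "example1_smb": acl_verdict(EXAMPLE1_ACL, smb),              # Deny
        "example1_http": acl_verdict(EXAMPLE1_ACL, http),            # Allow
        "wrong_order_smb": acl_verdict(EXAMPLE1_WRONG_ORDER, smb),   # Allow: allow-all matched first
        "web_http": combined_verdict(WEB_ACL, WEB_SG, http),         # Allow
        "loose_sg_only_ssh": sg_verdict(LOOSE_SG, ssh),              # Allow: SG alone is too open
        "web_acl_plus_loose_sg_ssh": combined_verdict(WEB_ACL, LOOSE_SG, ssh),  # Deny: ACL blocks it
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The `wrong_order_smb` result is the case the note above warns about: with the allow-all rule placed first, the deny rule is never reached. The last two results show why the page calls the network ACL an additional layer: the loose security group would admit port 22 on its own, but the subnet ACL only admits ports 80 and 443.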