Updated on 2025-03-31 GMT+08:00

CloudDCN Subnet Network ACL Overview

What Is a CloudDCN Subnet Network ACL?

A network ACL is an optional layer of protection for your CloudDCN subnets. After you add inbound and outbound rules to a network ACL and associate CloudDCN subnets with it, you can control traffic in and out of the subnets.

Network ACL Rules for CloudDCN Subnets

  • CloudDCN network ACLs have inbound and outbound rules that are used to control traffic in and out of CloudDCN subnets.
    • Inbound rules: control traffic sent to the instances in a CloudDCN subnet.
    • Outbound rules: control traffic from the instances in a CloudDCN subnet to external networks.
  • You need to define the protocol, source and destination ports, source and destination IP addresses, and other information for network ACL rules.
    • Rule number: Network ACL rules are matched in ascending order, from the lowest to highest rule number.

      The default network ACL rule is marked with an asterisk (*) and is the very last rule that will be used for matching.

    • Status: Enabled or Disabled. Enabled rules are applied, while disabled rules are not.
    • Action: Allow or Deny. If a request matches a network ACL rule, the action defined in the rule is taken to allow or deny the request.
    • Protocol: The protocol to match traffic. The value can be TCP, UDP, or ICMP.
    • Source/Destination: The source or destination of the traffic.
    • Source Port Range/Destination Port Range: The source or destination port or port range, which ranges from 1 to 65535.

How Network ACL Rules Work

  • After a network ACL is created, you can associate it with one or more CloudDCN subnets to control traffic in and out of the subnets. A network ACL can be associated with multiple CloudDCN subnets. However, a CloudDCN subnet can be associated with only one network ACL.
  • The network ACLs dedicated for CloudDCN subnets are stateful. If a network ACL rule allows outbound traffic from your instance, you also need to set the inbound rule's action to Allow so that responses to that outbound traffic can flow in. Similarly, if inbound traffic is allowed, you need to set the outbound rule's action to Allow so that responses to that inbound traffic can flow out.
  • Each network ACL has default inbound and outbound rules, as shown in Table 1. If a network ACL has no custom rules, the default inbound and outbound rules are applied, denying all traffic in and out of a CloudDCN subnet. Use the default rules alone only when no traffic needs to go in or out of a CloudDCN subnet. If traffic does need to go in or out of the subnet, add custom rules to control it as required.
    Table 1 Default network ACL rules

    | Direction | Rule Number | Action | Protocol | Source    | Source Port Range | Destination | Destination Port Range |
    |-----------|-------------|--------|----------|-----------|-------------------|-------------|------------------------|
    | Inbound   | *           | Deny   | All      | 0.0.0.0/0 | All               | 0.0.0.0/0   | All                    |
    | Outbound  | *           | Deny   | All      | 0.0.0.0/0 | All               | 0.0.0.0/0   | All                    |

  • The default and custom rules of a network ACL do not block the traffic described in Table 2.
    Table 2 Traffic not blocked by network ACL rules

    | Direction | Description                                                                                                                  |
    |-----------|------------------------------------------------------------------------------------------------------------------------------|
    | Inbound   | Traffic between the source and destination in the same CloudDCN subnet                                                       |
    | Inbound   | Broadcast traffic to 255.255.255.255/32                                                                                      |
    | Inbound   | Multicast traffic to 224.0.0.0/24                                                                                            |
    | Outbound  | Traffic between the source and destination in the same CloudDCN subnet                                                       |
    | Outbound  | Broadcast traffic to 255.255.255.255/32                                                                                      |
    | Outbound  | Multicast traffic to 224.0.0.0/24                                                                                            |
    | Outbound  | TCP metadata traffic to 169.254.169.254/32 over port 80                                                                      |
    | Outbound  | Traffic to 100.125.0.0/16, which is reserved for public services on the cloud, such as the DNS server and NTP server addresses |

How Traffic Matches Network ACL Rules

A CloudDCN subnet can only be associated with one network ACL. If there are multiple rules on the network ACL, rules are matched in ascending order, from the lowest to highest rule number. The default network ACL rule is marked with an asterisk (*) and is the very last rule that will be used for matching.

The matching sequence of inbound traffic is the same as that of outbound traffic. The following takes inbound traffic as an example to describe how the rules are applied.
  • If a custom rule is matched:
    • If Action is set to Deny, the traffic is denied and cannot flow into the CloudDCN subnet.
    • If Action is set to Allow, the traffic is allowed to flow into the CloudDCN subnet.
  • If no custom rule is matched, the default rule is applied and the traffic is denied; it cannot flow into the CloudDCN subnet.
Figure 1 Network ACL matching
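The matching order above, the per-direction behaviour from "How Network ACL Rules Work", and the Table 2 exemptions, modelled as an added Python example (not Huawei Cloud code). It assumes a constructed Rule class with the fields listed earlier, a subnet CIDR passed in by the caller, and CIDR strings for source and destination; it is meant for reasoning about a rule set before applying it, not for reproducing the platform's implementation.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

@dataclass
class Rule:
    """One custom network ACL rule, with the fields described on this page (constructed model)."""
    number: int                                   # matched in ascending order
    action: str                                   # "Allow" or "Deny"
    protocol: str                                 # "TCP", "UDP", "ICMP" or "All"
    source: str                                   # source CIDR
    destination: str                              # destination CIDR
    src_ports: Optional[Tuple[int, int]] = None   # None means All
    dst_ports: Optional[Tuple[int, int]] = None
    enabled: bool = True                          # disabled rules are skipped

def _port_ok(rng, port):
    return rng is None or rng[0] <= port <= rng[1]

def rule_matches(rule, proto, src, dst, sport, dport):
    return (rule.enabled
            and rule.protocol in ("All", proto)
            and ip_address(src) in ip_network(rule.source)
            and ip_address(dst) in ip_network(rule.destination)
            and _port_ok(rule.src_ports, sport)
            and _port_ok(rule.dst_ports, dport))

def is_exempt(direction, subnet, proto, src, dst, dport):
    """Table 2: traffic that neither custom nor default rules block."""
    net, d = ip_network(subnet), ip_address(dst)
    if ip_address(src) in net and d in net:            # same CloudDCN subnet
        return True
    if d in ip_network("255.255.255.255/32") or d in ip_network("224.0.0.0/24"):
        return True                                     # broadcast / multicast
    if direction == "outbound":
        if proto == "TCP" and dst == "169.254.169.254" and dport == 80:
            return True                                 # metadata service
        if d in ip_network("100.125.0.0/16"):
            return True                                 # reserved public services
    return False

def evaluate(rules, direction, subnet, proto, src, dst, sport, dport):
    """Return 'Allow' or 'Deny' for one packet in the given direction."""
    if is_exempt(direction, subnet, proto, src, dst, dport):
        return "Allow"
    for rule in sorted(rules, key=lambda r: r.number):    # lowest number first
        if rule_matches(rule, proto, src, dst, sport, dport):
            return rule.action                             # first match wins
    return "Deny"                                          # default rule (*)
```

Evaluating the reply to an allowed outbound connection against an empty inbound rule set returns Deny, which is the case the return-traffic requirement above is warning about.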

Network ACL Configuration Procedure

Figure 2 Procedure for configuring a network ACL
Table 3 Procedure for configuring a network ACL

| No. | Step                                                          | Description                                                                                                                                                                                                        | Procedure                                                |
|-----|---------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------|
| 1   | Create a network ACL dedicated for CloudDCN subnets.          | Each network ACL comes with default inbound and outbound rules that deny traffic in and out of a CloudDCN subnet. The default rules cannot be deleted or modified.                                                   | Creating a Network ACL Dedicated for CloudDCN Subnets    |
| 2   | Add network ACL rules.                                        | The default network ACL rules cannot be modified or deleted. You can add custom rules to control traffic in and out of a CloudDCN subnet. Traffic is matched against the custom rules first.                          | Adding Network ACL Rules for CloudDCN Subnets            |
| 3   | Associate the network ACL with one or more CloudDCN subnets.  | You can associate the network ACL with one or more CloudDCN subnets. If the network ACL is enabled, it controls traffic in and out of those subnets. A CloudDCN subnet can be associated with only one network ACL.  | Associating CloudDCN Subnets with a Network ACL          |

Constraints on Using Network ACLs

  • By default, each account can have up to 5 network ACLs in a region.
  • A network ACL can have no more than 40 rules in one direction, or performance will deteriorate.