Updated on 2025-03-31 GMT+08:00

Adding Network ACL Rules for CloudDCN Subnets

Scenarios

You can add inbound and outbound rules to a network ACL to control the traffic in and out of a CloudDCN subnet. Network ACL rules are matched in ascending order, either by the system-generated rule numbers or those you define.

  • Adding a Network ACL Rule (Default Rule Numbers): Rules are matched in order of their number, starting with the lowest. The rule number is automatically assigned based on the time when the rule is added.

    In Table 1, there are two custom inbound rules (rule A and rule B) and one default rule. Rule A is number 1 and rule B is number 2. The default rule is always the last rule used to match traffic. When you add rule C, it is assigned number 3, so it is matched after rules A and B but before the default rule.

    Table 1 Default rule numbers

    Rule (Rules A and B) | Rule Number | Rule (Rules A, B, and C) | Rule Number
    ---------------------|-------------|--------------------------|------------
    Custom rule A        | 1           | Custom rule A            | 1
    Custom rule B        | 2           | Custom rule B            | 2
    --                   | --          | Custom rule C            | 3
    Default rule         | *           | Default rule             | *

  • Adding a Network ACL Rule (Custom Rule Numbers): If you want a rule to be matched earlier or later than a specific rule, insert the new rule above or below that rule.

    In Table 2, there are two custom inbound rules (rule A and rule B) and one default rule. Rule A is number 1 and rule B is number 2. The default rule is always the last rule used to match traffic. If you want rule C to be matched earlier than rule B, insert rule C above rule B. After rule C is added, rule C is number 2 and rule B is renumbered to 3.

    Table 2 Custom rule numbers

    Rule (Rules A and B) | Rule Number | Rule (Rules A, B, and C) | Rule Number
    ---------------------|-------------|--------------------------|------------
    Custom rule A        | 1           | Custom rule A            | 1
    --                   | --          | Custom rule C            | 2
    Custom rule B        | 2           | Custom rule B            | 3
    Default rule         | *           | Default rule             | *

Constraints

A network ACL can contain up to 40 rules in each direction. If a direction has more than 40 rules, performance deteriorates.

Adding a Network ACL Rule (Default Rule Numbers)

  1. Log in to the management console.
  2. Click in the upper left corner and select the desired region and project.
  3. Click in the upper left corner and choose Networking > Virtual Private Cloud.

    The Virtual Private Cloud page is displayed.

  4. In the navigation pane on the left, choose Access Control > Network ACLs.

    The Network ACL list is displayed.

  5. In the Network ACL list, locate the target Network ACL and click its name.

    The Network ACL summary page is displayed.

  6. On the Inbound Rules or Outbound Rules tab, click Add Rule.

    The Add Inbound Rule or Add Outbound Rule dialog box is displayed.

  7. Configure the required parameters.
    • Click to add more rules.
    • To replicate an existing rule, locate the row that contains the Network ACL rule and click Replicate in the Operation column.

    Table 3 Parameter descriptions

    Parameter: Action
    Description: The action for the network ACL rule. There are two options:
      • Allow: allows matched traffic in and out of a CloudDCN subnet.
      • Deny: denies matched traffic in and out of a CloudDCN subnet.
    Example Value: Allow

    Parameter: Protocol
    Description: The protocol used to match traffic. The value can be TCP, UDP, or ICMP.
    Example Value: TCP

    Parameter: Source
    Description: The source from which the traffic is allowed or denied. The source can be:
      • A single IP address: IP address/mask
        Example IPv4 address: 192.168.10.10/32
      • An IP address range in CIDR notation: IP address/mask
        Example IPv4 address range: 192.168.52.0/24
      • All IP addresses
        0.0.0.0/0 represents all IPv4 addresses.
    Example Value: 192.168.0.0/24

    Parameter: Source Port Range
    Description: The source ports or port ranges used to match traffic. The value ranges from 1 to 65535. Enter ports in the following format:
      • Individual port: Enter a port, such as 22.
      • Consecutive ports: Enter a port range, such as 22-30.
      • All ports: Leave it empty or enter 1-65535.
    Example Value: 22-30

    Parameter: Destination
    Description: The destination to which the traffic is allowed or denied. The destination can be:
      • A single IP address: IP address/mask
        Example IPv4 address: 192.168.10.10/32
      • An IP address range in CIDR notation: IP address/mask
        Example IPv4 address range: 192.168.52.0/24
      • All IP addresses
        0.0.0.0/0 represents all IPv4 addresses.
    Example Value: 0.0.0.0/0

    Parameter: Destination Port Range
    Description: The destination ports or port ranges used to match traffic. The value ranges from 1 to 65535. Enter ports in the following format:
      • Individual port: Enter a port, such as 22.
      • Consecutive ports: Enter a port range, such as 22-30.
      • All ports: Leave it empty or enter 1-65535.
    Example Value: 22-30

    Parameter: Description
    Description: (Optional) Supplementary information about the network ACL rule. The description can contain a maximum of 255 characters and cannot contain angle brackets (< or >).
    Example Value: N/A

  8. Click OK.

    Return to the rule list to check the new rule.

    • Rules are numbered in the order they are added, and lower-numbered rules are matched earlier.
    • If the status of the new rule is Enabled, the rule is applied.
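The ordering behaviour described under Scenarios (default numbering appends a rule; Insert Rule Above gives the new rule the target's number and shifts the target down) and the matching fields of Table 3 (protocol, CIDR source and destination, port ranges written as "22", "22-30" or left empty) can be modelled in a few dozen lines. The following is an added example written for this page, not Huawei Cloud code and not a description of the console beyond what the page states. The rule names A, B and C, the sample addresses, the flows, and the assumption that the default rule ("*") denies are all constructed for the example; the page shows the default rule but does not state its action.

```python
"""Constructed model of ordered network ACL rule matching; not Huawei Cloud code."""
import ipaddress
from dataclasses import dataclass

MAX_RULES_PER_DIRECTION = 40  # the page's per-direction limit


def parse_port_range(text: str) -> tuple[int, int]:
    """Port field as Table 3 describes it: '22', '22-30', or empty meaning all ports."""
    text = text.strip()
    if not text:
        return 1, 65535
    lo_s, _, hi_s = text.partition("-")
    lo, hi = int(lo_s), int(hi_s or lo_s)
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"port range must lie within 1-65535: {text!r}")
    return lo, hi


@dataclass
class Rule:
    name: str          # label used only in this example (A, B, C)
    action: str        # "Allow" or "Deny"
    protocol: str      # "TCP", "UDP" or "ICMP"
    source: str        # CIDR, e.g. 192.168.52.0/24 or 0.0.0.0/0
    source_ports: str  # "", "22" or "22-30"
    destination: str   # CIDR
    dest_ports: str    # "", "22" or "22-30"
    number: int = 0    # assigned by the ACL, never set by hand

    def matches(self, protocol: str, src: str, sport: int, dst: str, dport: int) -> bool:
        in_src = ipaddress.ip_address(src) in ipaddress.ip_network(self.source, strict=False)
        in_dst = ipaddress.ip_address(dst) in ipaddress.ip_network(self.destination, strict=False)
        if self.protocol != protocol or not (in_src and in_dst):
            return False
        if protocol == "ICMP":  # ICMP carries no ports, so the port fields do not apply
            return True
        s_lo, s_hi = parse_port_range(self.source_ports)
        d_lo, d_hi = parse_port_range(self.dest_ports)
        return s_lo <= sport <= s_hi and d_lo <= dport <= d_hi


class AclDirection:
    """The inbound or outbound rule list of one network ACL."""

    def __init__(self, default_action: str = "Deny") -> None:
        # Assumption: the default rule ("*") denies; the page shows it but not its action.
        self.rules: list[Rule] = []
        self.default_action = default_action

    def _insert_at(self, index: int, rule: Rule) -> None:
        if len(self.rules) >= MAX_RULES_PER_DIRECTION:
            raise ValueError(f"more than {MAX_RULES_PER_DIRECTION} rules in one direction")
        self.rules.insert(index, rule)
        for i, r in enumerate(self.rules, start=1):  # renumber 1..n in match order
            r.number = i

    def add_rule(self, rule: Rule) -> None:
        """Default numbering (Table 1): appended, so matched after every existing custom rule."""
        self._insert_at(len(self.rules), rule)

    def insert_rule_above(self, target_number: int, rule: Rule) -> None:
        """Custom numbering (Table 2): the new rule takes the target's number; the target shifts down."""
        self._insert_at(target_number - 1, rule)

    def insert_rule_below(self, target_number: int, rule: Rule) -> None:
        self._insert_at(target_number, rule)

    def numbering(self) -> list[tuple[int, str]]:
        return [(r.number, r.name) for r in self.rules]

    def evaluate(self, protocol: str, src: str, sport: int, dst: str, dport: int) -> tuple[str, str]:
        """First match in ascending rule number wins; otherwise the default rule ('*') applies."""
        for rule in self.rules:
            if rule.matches(protocol, src, sport, dst, dport):
                return rule.action, str(rule.number)
        return self.default_action, "*"


def sample_rules() -> tuple[Rule, Rule, Rule]:
    """Constructed inbound rules: A allows a LAN to 22-30, B denies everyone else, C exempts a branch."""
    return (
        Rule("A", "Allow", "TCP", "192.168.0.0/24", "", "0.0.0.0/0", "22-30"),
        Rule("B", "Deny", "TCP", "0.0.0.0/0", "", "0.0.0.0/0", "22-30"),
        Rule("C", "Allow", "TCP", "172.16.0.0/16", "", "0.0.0.0/0", "22"),
    )


def demo() -> dict[str, object]:
    branch_ssh = ("TCP", "172.16.0.9", 40000, "192.168.10.10", 22)  # constructed flow
    appended, inserted = AclDirection(), AclDirection()
    for rule in sample_rules():              # Table 1: A, B, C appended get numbers 1, 2, 3
        appended.add_rule(rule)
    a, b, c = sample_rules()                 # Table 2: C inserted above B takes 2, B becomes 3
    inserted.add_rule(a)
    inserted.add_rule(b)
    inserted.insert_rule_above(2, c)
    return {
        "appended_numbering": appended.numbering(),
        "inserted_numbering": inserted.numbering(),
        "appended_verdict": appended.evaluate(*branch_ssh),  # B (2) denies first; C never matches
        "inserted_verdict": inserted.evaluate(*branch_ssh),  # C (2) allows before B (3)
        "lan_verdict": inserted.evaluate("TCP", "192.168.0.15", 40000, "192.168.10.10", 25),
        "unmatched_verdict": inserted.evaluate("UDP", "172.16.0.9", 40000, "192.168.10.10", 53),
    }
```

The two ACL instances in `demo()` hold the same three rules; only the numbering differs. With default numbering, rule C lands behind the broad deny in rule B and can never match, so the exemption it was meant to create silently has no effect. Inserting it above rule B is what makes it take effect, which is why checking the resulting rule number after adding a rule (step 8) matters when a new rule is more specific than an existing one.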

Adding a Network ACL Rule (Custom Rule Numbers)

  1. Log in to the management console.
  2. Click in the upper left corner and select the desired region and project.
  3. Click in the upper left corner and choose Networking > Virtual Private Cloud.

    The Virtual Private Cloud page is displayed.

  4. In the navigation pane on the left, choose Access Control > Network ACLs.

    The Network ACL list is displayed.

  5. In the Network ACL list, locate the target Network ACL and click its name.

    The Network ACL summary page is displayed.

  6. Click the Inbound Rules or Outbound Rules tab and insert a rule.
    • Locate the target rule and choose More > Insert Rule Above in the Operation column. The new rule will be matched earlier than the current rule.
    • Locate the target rule and choose More > Insert Rule Below in the Operation column. The new rule will be matched later than the current rule.