Este conteúdo foi traduzido por máquina para sua conveniência e a Huawei Cloud não pode garantir que o conteúdo foi traduzido com precisão. Para exibir o conteúdo original, use o link no canto superior direito para mudar para a página em inglês.
Computação
Elastic Cloud Server
Bare Metal Server
Auto Scaling
Image Management Service
Dedicated Host
FunctionGraph
Cloud Phone Host
Huawei Cloud EulerOS
Redes
Virtual Private Cloud
Elastic IP
Elastic Load Balance
NAT Gateway
Direct Connect
Virtual Private Network
VPC Endpoint
Cloud Connect
Enterprise Router
Enterprise Switch
Global Accelerator
Gerenciamento e governança
Cloud Eye
Identity and Access Management
Cloud Trace Service
Resource Formation Service
Tag Management Service
Log Tank Service
Config
Resource Access Manager
Simple Message Notification
Application Performance Management
Application Operations Management
Organizations
Optimization Advisor
Cloud Operations Center
Resource Governance Center
Migração
Server Migration Service
Object Storage Migration Service
Cloud Data Migration
Migration Center
Cloud Ecosystem
KooGallery
Partner Center
User Support
My Account
Billing Center
Cost Center
Resource Center
Enterprise Management
Service Tickets
HUAWEI CLOUD (International) FAQs
ICP Filing
Support Plans
My Credentials
Customer Operation Capabilities
Partner Support Plans
Professional Services
Análises
MapReduce Service
Data Lake Insight
CloudTable Service
Cloud Search Service
Data Lake Visualization
Data Ingestion Service
GaussDB(DWS)
DataArts Studio
IoT
IoT Device Access
Outros
Product Pricing Details
System Permissions
Console Quick Start
Common FAQs
Instructions for Associating with a HUAWEI CLOUD Partner
Message Center
Segurança e conformidade
Security Technologies and Applications
Web Application Firewall
Host Security Service
Cloud Firewall
SecMaster
Anti-DDoS Service
Data Encryption Workshop
Database Security Service
Cloud Bastion Host
Data Security Center
Cloud Certificate Manager
Situation Awareness
Managed Threat Detection
Blockchain
Blockchain Service
Serviços de mídia
Media Processing Center
Video On Demand
Live
SparkRTC
Armazenamento
Object Storage Service
Elastic Volume Service
Cloud Backup and Recovery
Cloud Server Backup Service
Storage Disaster Recovery Service
Scalable File Service
Volume Backup Service
Data Express Service
Dedicated Distributed Storage Service
Containers
Cloud Container Engine
SoftWare Repository for Container
Application Service Mesh
Ubiquitous Cloud Native Service
Cloud Container Instance
Bancos de dados
Relational Database Service
Document Database Service
Data Admin Service
Data Replication Service
GeminiDB
GaussDB
Distributed Database Middleware
Database and Application Migration UGO
TaurusDB
Middleware
Distributed Cache Service
API Gateway
Distributed Message Service for Kafka
Distributed Message Service for RabbitMQ
Distributed Message Service for RocketMQ
Cloud Service Engine
EventGrid
Dedicated Cloud
Dedicated Computing Cluster
Aplicações de negócios
ROMA Connect
Message & SMS
Domain Name Service
Edge Data Center Management
Meeting
AI
Face Recognition Service
Graph Engine Service
Content Moderation
Image Recognition
Data Lake Factory
Optical Character Recognition
ModelArts
ImageSearch
Conversational Bot Service
Speech Interaction Service
Huawei HiLens
Developer Tools
SDK Developer Guide
API Request Signing Guide
Terraform
Koo Command Line Interface
Distribuição de conteúdo e computação de borda
Content Delivery Network
Intelligent EdgeFabric
CloudPond
Soluções
SAP Cloud
High Performance Computing
Serviços para desenvolvedore
ServiceStage
CodeArts
CodeArts PerfTest
CodeArts Req
CodeArts Pipeline
CodeArts Build
CodeArts Deploy
CodeArts Artifact
CodeArts TestPlan
CodeArts Check
Cloud Application Engine
MacroVerse aPaaS
KooPhone
KooDrive

ACLs da rede Overview

Atualizado em 2024-09-18 GMT+08:00

A ACL da rede is an optional layer of security for your subnets. After you associate one or more subnets with a ACL da rede, you can control traffic in and out of the subnets.

Similar to security groups, ACLs da rede control access to subnets and add an additional layer of defense to your subnets. Security groups only have the "allow" rules, but ACLs da rede have both "allow" and "deny" rules. You can use ACLs da rede together with security groups to implement comprehensive and fine-grained access control.

ACLs da rede Basics

  • Your VPC does not come with a ACLs da rede, but you can create a ACLs da rede and associate it with a VPC subnet if required. By default, each ACLs da rede denies all inbound traffic to and outbound traffic from the associated subnet until you add rules.
  • You can associate a ACLs da rede with multiple subnets. However, a subnet can only be associated with one ACLs da rede at a time.
  • Each newly created ACLs da rede is in the Inactive state until you associate subnets with it.
  • ACLs da rede are stateful. If the ACLs da rede allows outbound traffic and you send a request from your instance, the response traffic for that request is allowed to flow in regardless of inbound ACLs da rede rules. Similarly, if inbound traffic is allowed, responses to allowed inbound traffic are allowed to flow out, regardless of outbound rules.

    The timeout period of connection tracking varies according to the protocol. The timeout period of a TCP connection in the established state is 600s, and the timeout period of an ICMP connection is 30s. For other protocols, if packets are received in both directions, the connection tracking timeout period is 180s. If one or more packets are received in one direction but no packet is received in the other direction, the connection tracking timeout period is 30s. For protocols other than TCP, UDP, and ICMP, only the IP address and protocol number are tracked.

Default regra de ACLs da rede

By default, each ACLs da rede has preset rules that allow the following packets:

  • Packets whose source and destination are in the same subnet.
  • Broadcast packets with the destination 255.255.255.255/32, which is used to configure host startup information.
  • Multicast packets with the destination 224.0.0.0/24, which is used by routing protocols.
  • Metadata packets with the destination 169.254.169.254/32 and TCP port number 80, which is used to obtain metadata.
  • Packets from CIDR blocks that are reserved for public services (for example, packets with the destination 100.125.0.0/16).
  • A ACLs da rede denies all traffic in and out of a subnet excepting the preceding packets. Tabela 1 shows the default rules. You cannot modify or delete the default rules.
    Tabela 1 Default regra de ACLs da rede

    Direction

    Priority

    Action

    Protocol

    Source

    Destination

    Description

    Inbound

    *

    Deny

    All

    0.0.0.0/0

    0.0.0.0/0

    Denies all inbound traffic.

    Outbound

    *

    Deny

    All

    0.0.0.0/0

    0.0.0.0/0

    Denies all outbound traffic.

Rule Priorities

  • Each ACLs da rede rule has a priority value where a smaller value corresponds to a higher priority. Any time two rules conflict, the rule with the higher priority is the one that gets applied. The rule whose priority value is an asterisk (*) has the lowest priority.
  • If multiple regra de ACLs da rede conflict, only the rule with the highest priority takes effect. If you need a rule to take effect before or after a specific rule, you can insert that rule before or after the specific rule.

Application Scenarios

  • If the application layer needs to provide services for users, traffic must be allowed to reach the application layer from all IP addresses. However, you also need to prevent illegal access from malicious users.

    Solution: You can add regra de ACLs da rede to deny access from suspect IP addresses.

  • How can I isolate ports with identified vulnerabilities? For example, how do I isolate port 445 that can be exploited by WannaCry worm?

    Solution: You can add regra de ACLs da rede to deny access traffic from a specific port and protocol, for example, TCP port 445.

  • No defense is required for the communication within a subnet, but access control is required for communication between subnets.

    Solution: You can add regra de ACLs da rede to control traffic between subnets.

  • For frequently accessed applications, a security rule sequence may need to be adjusted to improve performance.

    Solution: A ACLs da rede allows you to adjust the rule sequence so that frequently used rules are applied before other rules.

Configuration Procedure

Figura 1 shows the procedure for configuring a ACLs da rede.

Figura 1 ACLs da rede configuration procedure
  1. Create a ACLs da rede by following the steps described in Criação de uma ACL da rede.
  2. Add regra de ACLs da rede by following the steps described in Adição uma regra de ACL da rede.
  3. Associate subnets with the ACLs da rede by following the steps described in Associação de sub-redes com uma ACL da rede. After subnets are associated with the ACLs da rede, the subnets will be protected by the configured regra de ACLs da rede.

Notes and Constraints

  • By default, you can create a maximum of 200 ACLs da rede in your cloud account.
  • A ACL da rede can contain no more than 20 rules in one direction, or performance will deteriorate.
  • For optimal performance, import no more than 40 regra de ACLs da rede at a time. Existing rules will still be available after new rules are imported. Each rule can be imported only once.

Usamos cookies para aprimorar nosso site e sua experiência. Ao continuar a navegar em nosso site, você aceita nossa política de cookies. Saiba mais

Feedback

Feedback

Feedback

0/500

Conteúdo selecionado

Envie o conteúdo selecionado com o feedback