
Introduction to UNet ACL

Network ACL is a subnet-level security policy used to control the data flow in and out of a subnet. Users can precisely control traffic in and out of the subnet by setting outbound and inbound rules. Network ACL is stateless: a reply packet is not automatically allowed because the request was. For example, if users need to allow certain access, they must add the corresponding inbound and outbound rules at the same time. If only inbound rules are added without the matching outbound rules, the access will fail.

Associated Subnet

After creating a network ACL, users can bind and unbind it with any subnet under the associated VPC. Before binding the subnet, please ensure that the rules in the ACL are correct to avoid affecting the normal communication of cloud resources in the associated subnet.

Outbound/Inbound Rules

Network ACL rules are divided into outbound rules and inbound rules. Updates to the Network ACL rules by the user will automatically apply to the associated subnets. The maximum number of outbound/inbound rules that can be added is 50 each.

Network ACL rules include the following components:

  • Strategy: Allow or deny.
  • Source IP/Destination IP: The network segment targeted by outbound/inbound rules.
  • Protocol Type: Supports TCP, UDP, ICMP, and GRE protocol types. You can select ALL to specify all protocol types.
  • Destination Port: The port range that can be filled in for TCP and UDP protocol types is 1-65535. No need to specify a port for other protocol types.
  • Priority: The priority of the rule. The smaller the number, the higher the priority. The fillable range is 1-30000. Only one outbound/inbound rule can be created at the same priority level.
  • Application Target: The effective range of the ACL rule. Two options are supported: all resources within the subnet, or specified resources within the subnet. 'All resources within the subnet' means that the rule applies to every resource within any subnet bound to this ACL; 'Specified resources within the subnet' means that the rule applies only to the selected resources and not to the other resources within the subnet.

Note: After creating a network ACL, the system automatically adds a default outbound rule and a default inbound rule. The default outbound rule allows outbound traffic for all protocols and all ports, and the default inbound rule allows inbound traffic for all protocols and all ports.

Default rules cannot be edited or deleted; they exist from the moment the ACL is created. The default rule has the lowest priority and can be overridden by adding rules with a higher priority.
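The following is an added worked example, not UCloud's code or API: a small model of how a stateless, priority-ordered ACL of the kind described above evaluates packets. It applies the rule components listed above (allow/deny, network segment, protocol, destination port range, priority with one rule per level) and falls back to an always-allow default rule. The rule sets, addresses and ports are constructed for illustration, and the default rule's sentinel priority of 30001 is an assumption used only to sort it after every user rule. The last function shows the statelessness caveat from the introduction: an inbound SSH request is allowed, but the server's reply is dropped until an outbound rule covering the client's ephemeral port range is added.

```python
"""Model of a stateless, priority-ordered subnet ACL (added example, not UCloud's code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AclRule:
    """One outbound or inbound rule, mirroring the components listed on the page."""
    priority: int                      # 1-30000; the smaller the number, the higher the priority
    action: str                        # "allow" or "deny"
    cidr: str                          # source segment (inbound) or destination segment (outbound)
    protocol: str                      # "TCP", "UDP", "ICMP", "GRE" or "ALL"
    ports: Optional[Tuple[int, int]] = None  # destination port range, TCP/UDP only; None = any port


# Assumed sentinel: the non-editable default rule sorts below every user priority (1-30000).
DEFAULT_RULE = AclRule(priority=30001, action="allow", cidr="0.0.0.0/0", protocol="ALL")


def validation_errors(rules: List[AclRule]) -> List[str]:
    """Check the constraints stated on the page: priority range, one rule per priority, port range."""
    errors = []
    seen = set()
    for r in rules:
        if not 1 <= r.priority <= 30000:
            errors.append(f"priority {r.priority} outside 1-30000")
        if r.priority in seen:
            errors.append(f"priority {r.priority} used twice")
        seen.add(r.priority)
        if r.ports is not None:
            if r.protocol not in ("TCP", "UDP"):
                errors.append(f"priority {r.priority}: port range only applies to TCP/UDP")
            else:
                lo, hi = r.ports
                if not 1 <= lo <= hi <= 65535:
                    errors.append(f"priority {r.priority}: port range must lie within 1-65535")
    return errors


def evaluate(rules: List[AclRule], peer_ip: str, protocol: str,
             port: Optional[int] = None) -> Tuple[str, AclRule]:
    """Return (action, matching rule) for one packet; the first match by priority wins."""
    addr = ipaddress.ip_address(peer_ip)
    for rule in sorted(rules, key=lambda r: r.priority) + [DEFAULT_RULE]:
        if rule.protocol != "ALL" and rule.protocol != protocol:
            continue
        if addr not in ipaddress.ip_network(rule.cidr):
            continue
        if rule.ports is not None:
            lo, hi = rule.ports
            if port is None or not lo <= port <= hi:
                continue
        return rule.action, rule
    raise AssertionError("unreachable: the default rule matches every packet")


def session_verdict(inbound: List[AclRule], outbound: List[AclRule], client_ip: str,
                    server_port: int, client_port: int) -> Tuple[str, str]:
    """Stateless check: the request and its reply are judged as two unrelated packets."""
    request = evaluate(inbound, client_ip, "TCP", server_port)[0]
    reply = evaluate(outbound, client_ip, "TCP", client_port)[0]   # reply goes to the client's port
    return request, reply


# Constructed rule sets: an admin segment may reach SSH, everything else is denied.
INBOUND = [
    AclRule(10, "allow", "203.0.113.0/24", "TCP", (22, 22)),
    AclRule(20, "deny", "0.0.0.0/0", "ALL"),
]
# Outbound set with no allow for the replies: the SSH session cannot complete.
OUTBOUND_MISSING_REPLY = [
    AclRule(20, "deny", "0.0.0.0/0", "ALL"),
]
# Corrected outbound set: replies target the client's ephemeral port, so allow 1024-65535.
OUTBOUND_WITH_REPLY = [
    AclRule(10, "allow", "203.0.113.0/24", "TCP", (1024, 65535)),
    AclRule(20, "deny", "0.0.0.0/0", "ALL"),
]

if __name__ == "__main__":
    print("inbound SSH from admin segment:", evaluate(INBOUND, "203.0.113.5", "TCP", 22)[0])
    print("inbound SSH from elsewhere:   ", evaluate(INBOUND, "198.51.100.7", "TCP", 22)[0])
    print("no user rules, ICMP:          ", evaluate([], "198.51.100.7", "ICMP")[0])
    print("session, reply rule missing:  ", session_verdict(INBOUND, OUTBOUND_MISSING_REPLY, "203.0.113.5", 22, 51515))
    print("session, reply rule present:  ", session_verdict(INBOUND, OUTBOUND_WITH_REPLY, "203.0.113.5", 22, 51515))
```

Evaluating the two directions separately is the whole point: with OUTBOUND_MISSING_REPLY the request is allowed and the reply is denied, which is exactly the "abnormal access" the introduction warns about when only one direction is configured.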

Product Quota

The quota for each network ACL is as follows (excluding default rules):

Name                        Quota
Number of outbound rules    100
Number of inbound rules     100