ACL Planning

A newly created ACL table is in blacklist mode by default: its default outbound and inbound rules are “allow all” rules with the lowest priority. Because ACLs are stateless, configuring them correctly in practice can be quite involved. This page introduces the key points of ACL rule setting and how to set appropriate ACL rules for a given scenario.

ACL Rule Suggestions

When setting up ACL rules, the following is suggested:

  • ACL rules are stateless, so both the outbound and the inbound direction must be considered when setting rules.
  • By default, an ACL in UCloud Global takes effect per cloud resource. For example, if a reject rule whose target address is 0.0.0.0/0 is added, traffic between the host and other hosts in the same subnet is also affected, so an additional accept rule for the subnet's own segment must be added.
  • Different inbound rules in the same ACL table may not share the same priority; likewise, different outbound rules in the same ACL table may not share the same priority.
  • ACL rules should be placed as close as possible to the source of the traffic. For example, to forbid an IP from accessing subnet resources, a blacklist could be implemented in either the outbound or the inbound direction; it should be set up as an inbound rule that rejects the traffic.
  • The public service segment of UCloud Global is accepted by default.

ACL Case Study

Let's use an example to discuss how to configure ACL rules.

The network architecture is shown below:

In this example, we need to configure ACL rules for subnet A in the UCloud Global Guangzhou Region. Subnet A needs to meet the following rules:

  • The segment of subnet A is 10.10.1.0/24, and all hosts within the subnet can communicate with each other.
  • Port 22 of subnet A can be accessed by subnet B, whose segment is 192.168.1.0/24, and only by subnet B.
  • Cloud resources in subnet A can only access port 53 (UDP/TCP) of 8.8.8.8 and cannot access any other external network address.
  • Port 80 of subnet A's cloud resources can be accessed from any address.
  • Subnet A can use the public services provided by UCloud Global as normal.

All other traffic is forbidden.

Therefore, the ACL rules for subnet A should be configured as follows:

  • Inbound rules

    Priority | Destination Port | Protocol | Source Address | Action | Description
    1        | 22               | TCP      | 192.168.1.0/24 | Accept | Allow subnet B to access port 22
    2        | 80               | TCP      | 0.0.0.0/0      | Accept | Allow any address to access port 80
    3        | 32768-65535      | TCP      | 8.8.8.8/32     | Accept | Return traffic for subnet hosts' TCP queries to port 53 of 8.8.8.8 (temporary port range)
    4        | 32768-65535      | UDP      | 8.8.8.8/32     | Accept | Return traffic for subnet hosts' UDP queries to port 53 of 8.8.8.8 (temporary port range)
    5        | All              | All      | 10.10.1.0/24   | Accept | Allow hosts within the subnet to communicate with each other
    6        | All              | All      | 10.13.192.0/18 | Accept | Allow access to public services
    30000    | All              | All      | 0.0.0.0/0      | Reject | Reject all traffic by default
    *        | All              | All      | 0.0.0.0/0      | Accept | Allow all traffic by default; added automatically by the system at creation, with the lowest priority

  • Outbound rules

    Priority | Destination Port | Protocol | Destination Address | Action | Description
    1        | 53               | TCP      | 8.8.8.8/32          | Accept | Allow subnet hosts to access TCP port 53 of 8.8.8.8
    2        | 53               | UDP      | 8.8.8.8/32          | Accept | Allow subnet hosts to access UDP port 53 of 8.8.8.8
    3        | 32768-65535      | TCP      | 0.0.0.0/0           | Accept | Return traffic to clients of port 80 (any address) and port 22 (subnet B) on their temporary ports
    4        | All              | All      | 10.10.1.0/24        | Accept | Allow hosts within the subnet to communicate with each other
    5        | All              | All      | 10.13.192.0/18      | Accept | Allow access to public services
    30000    | All              | All      | All                 | Reject | Reject all traffic by default
    *        | All              | All      | 0.0.0.0/0           | Accept | Allow all traffic by default; added automatically by the system at creation, with the lowest priority

ACL Rule Analysis

Taking “Port 22 of subnet A can be accessed by subnet B, and only by subnet B, whose segment is 192.168.1.0/24” as an example, the analysis is as follows:

A temporary (ephemeral) port is a port assigned from a preset range when TCP, UDP, etc. actively initiate a connection; it is occupied only for the lifetime of that connection. On Linux the range can be read with:

cat /proc/sys/net/ipv4/ip_local_port_range

The temporary port range can be changed with the following command:

echo "32768 65535" > /proc/sys/net/ipv4/ip_local_port_range

This article uses “32768-65535” to refer to the temporary port range.

As shown above, the four-tuples (source and destination IP and port) of subnet B accessing port 22 of subnet A are marked. Therefore, with the default reject rule in place, the following inbound and outbound rules need to be added:

  • Inbound rules

    Priority | Destination Port | Protocol | Source Address | Action | Description
    1        | 22               | TCP      | 192.168.1.0/24 | Accept | Allow subnet B to access port 22

  • Outbound rules

    Priority | Destination Port | Protocol | Destination Address | Action | Description
    1        | 32768-65535      | TCP      | 192.168.1.0/24      | Accept | Return traffic to subnet B's temporary ports for its connections to port 22

For other scenarios, list and analyze the inbound and outbound five-tuples (source and destination IP, port, and protocol) in the same way.
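To check the case-study tables against every requirement the way the analysis above suggests, here is an added Python model of stateless ACL evaluation (example code written for this page, not UCloud Global's own implementation): a flow is accepted only if both its request packet and its reply packet match an Accept rule before the default Reject. Peer addresses such as 203.0.113.5 are constructed sample values.

```python
import ipaddress
from typing import NamedTuple, Optional, Tuple

class Rule(NamedTuple):
    priority: int                      # lower number is evaluated first
    ports: Optional[Tuple[int, int]]   # destination port range; None means "All"
    proto: str                         # "TCP", "UDP" or "All"
    addr: str                          # source CIDR (inbound) or destination CIDR (outbound)
    action: str                        # "Accept" or "Reject"

EPHEMERAL = (32768, 65535)             # the temporary port range used on this page

# The two rule tables of the case study; the system's "*" rule is the fallback in evaluate().
INBOUND = [
    Rule(1, (22, 22), "TCP", "192.168.1.0/24", "Accept"),
    Rule(2, (80, 80), "TCP", "0.0.0.0/0", "Accept"),
    Rule(3, EPHEMERAL, "TCP", "8.8.8.8/32", "Accept"),
    Rule(4, EPHEMERAL, "UDP", "8.8.8.8/32", "Accept"),
    Rule(5, None, "All", "10.10.1.0/24", "Accept"),
    Rule(6, None, "All", "10.13.192.0/18", "Accept"),
    Rule(30000, None, "All", "0.0.0.0/0", "Reject"),
]
OUTBOUND = [
    Rule(1, (53, 53), "TCP", "8.8.8.8/32", "Accept"),
    Rule(2, (53, 53), "UDP", "8.8.8.8/32", "Accept"),
    Rule(3, EPHEMERAL, "TCP", "0.0.0.0/0", "Accept"),
    Rule(4, None, "All", "10.10.1.0/24", "Accept"),
    Rule(5, None, "All", "10.13.192.0/18", "Accept"),
    Rule(30000, None, "All", "0.0.0.0/0", "Reject"),
]

def evaluate(rules, proto, dst_port, peer_ip):
    """Return the action of the highest-priority matching rule; the system's '*' rule accepts."""
    for rule in sorted(rules, key=lambda r: r.priority):
        proto_ok = rule.proto == "All" or rule.proto == proto
        port_ok = rule.ports is None or rule.ports[0] <= dst_port <= rule.ports[1]
        addr_ok = ipaddress.ip_address(peer_ip) in ipaddress.ip_network(rule.addr)
        if proto_ok and port_ok and addr_ok:
            return rule.action
    return "Accept"

def flow_allowed(inbound, outbound, proto, peer_ip, peer_port, local_port):
    """A stateless ACL must accept both packets of a flow, whichever side initiated it.
    local_port is the subnet-A side; peer_port is the remote side (often a temporary port)."""
    to_local = evaluate(inbound, proto, local_port, peer_ip)   # packet arriving at subnet A
    to_peer = evaluate(outbound, proto, peer_port, peer_ip)    # packet leaving subnet A
    return to_local == "Accept" and to_peer == "Accept"
```

Dropping outbound rule 3 (the temporary-port return rule) makes flow_allowed() reject inbound HTTP even though inbound rule 2 accepts the request, which is exactly the stateless pitfall the suggestions above warn about.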