Network ACL Configuration Examples
You can use network ACLs to control the traffic in and out of a subnet. When both security groups and network ACLs are configured, traffic matches network ACL rules first and then security group rules. You can add security group rules as required and use network ACLs to protect instances in the associated subnets. The following provides some examples on how network ACLs can be used.
- Denying External Access to a Specific Port in a Subnet
- Denying Access from a Specific IP Address
- Allowing External Access to Specific Ports on an Instance in a Subnet
Precautions
Note the following before configuring network ACL rules:
- Each network ACL has default rules, as shown in Table 1. If a network ACL has no custom rules, the default inbound and outbound rules are applied, denying all traffic in and out of a subnet.
Table 1 Default network ACL rules

Direction | Priority | Action | Protocol | Source | Source Port Range | Destination | Destination Port Range |
---|---|---|---|---|---|---|---|
Inbound | * | Deny | All | 0.0.0.0/0 | All | 0.0.0.0/0 | All |
Outbound | * | Deny | All | 0.0.0.0/0 | All | 0.0.0.0/0 | All |
- You do not need to add rules to allow response traffic to requests. This is because the network ACLs are stateful and allow the responses to flow in or out of the subnet without being controlled by rules.
For more information about how network ACL rules work, see How Network ACL Rules Work.
Denying External Access to a Specific Port in a Subnet
If you want to block TCP port 445 to protect instances against WannaCry ransomware attacks, you can add the inbound rules described in Table 2 to protect the instances in 10.0.0.0/24.
- The default rule denies all traffic to the subnet. You need to add custom rule 02 to allow inbound traffic.
- Add custom rule 01 to deny all inbound traffic to TCP port 445. Place the deny rule above the allow rule so that the deny rule is evaluated first. For details, see Adding a Network ACL Rule (Custom Rule Numbers).
Table 2 Network ACL rules for denying external access to a specific port in a subnet

Direction | Priority | Action | Protocol | Source | Source Port Range | Destination | Destination Port Range | Description |
---|---|---|---|---|---|---|---|---|
Inbound | 1 | Deny | TCP | 0.0.0.0/0 | All | 10.0.0.0/24 | 445 | Custom rule 01 |
Inbound | 2 | Allow | All | 0.0.0.0/0 | All | 10.0.0.0/24 | All | Custom rule 02 |
Inbound | * | Deny | All | 0.0.0.0/0 | All | 0.0.0.0/0 | All | Default rule |
Denying Access from a Specific IP Address
You can add the inbound rules described in Table 3 to deny access from an abnormal IP address, for example 10.1.1.12/32, to protect the instances in 10.5.0.0/24.
- The default rule denies all traffic to the subnet. You need to add custom rule 02 to allow inbound traffic.
- Add custom rule 01 to deny traffic from 10.1.1.12/32 to 10.5.0.0/24. Place the deny rule above the allow rule so that the deny rule is evaluated first. For details, see Adding a Network ACL Rule (Custom Rule Numbers).
Table 3 Network ACL rules for denying access from a specific IP address

Direction | Priority | Action | Protocol | Source | Source Port Range | Destination | Destination Port Range | Description |
---|---|---|---|---|---|---|---|---|
Inbound | 1 | Deny | TCP | 10.1.1.12/32 | All | 10.5.0.0/24 | All | Custom rule 01 |
Inbound | 2 | Allow | All | 0.0.0.0/0 | All | 10.5.0.0/24 | All | Custom rule 02 |
Inbound | * | Deny | All | 0.0.0.0/0 | All | 0.0.0.0/0 | All | Default rule |
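The two examples above both depend on rule order: the first rule that matches, in ascending priority, decides the packet, and the `*` default rule denies whatever is left. The following is an added illustration (not the cloud platform's own code) that models that first-match evaluation over Tables 2 and 3, and also shows what happens when the allow rule is placed above the deny rule. The Internet host 203.0.113.9 and the instance addresses 10.0.0.17 and 10.5.0.33 are constructed sample values.

```python
import ipaddress
from collections import namedtuple

# Columns mirror the page's tables; ports is "All", a single port such as "445", or a range "80-443"
AclRule = namedtuple("AclRule", "priority action protocol source destination ports")

# The '*' default row: evaluated last, denies whatever no custom rule matched
DEFAULT = AclRule(float("inf"), "Deny", "All", "0.0.0.0/0", "0.0.0.0/0", "All")

def _port_matches(spec, port):
    if spec == "All":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def rule_matches(rule, proto, src_ip, dst_ip, dst_port):
    return (rule.protocol in ("All", proto)
            and ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.source)
            and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(rule.destination)
            and _port_matches(rule.ports, dst_port))

def evaluate_acl(rules, proto, src_ip, dst_ip, dst_port):
    """Rules are tried in ascending priority; the first match decides the packet's fate."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule_matches(rule, proto, src_ip, dst_ip, dst_port):
            return rule.action
    return "Deny"  # only reached for rule sets that omit the DEFAULT row

# Table 2: deny TCP/445 into 10.0.0.0/24 at priority 1, allow everything else at priority 2
TABLE2 = [AclRule(1, "Deny", "TCP", "0.0.0.0/0", "10.0.0.0/24", "445"),
          AclRule(2, "Allow", "All", "0.0.0.0/0", "10.0.0.0/24", "All"), DEFAULT]
# Constructed misconfiguration: the same two rules with the allow placed above the deny
TABLE2_SWAPPED = [TABLE2[0]._replace(priority=2), TABLE2[1]._replace(priority=1), DEFAULT]
# Table 3: deny TCP from 10.1.1.12/32 into 10.5.0.0/24, allow the rest
TABLE3 = [AclRule(1, "Deny", "TCP", "10.1.1.12/32", "10.5.0.0/24", "All"),
          AclRule(2, "Allow", "All", "0.0.0.0/0", "10.5.0.0/24", "All"), DEFAULT]

def from_internet(rules, port):
    """Verdict for TCP traffic from a constructed Internet host to an instance in 10.0.0.0/24."""
    return evaluate_acl(rules, "TCP", "203.0.113.9", "10.0.0.17", port)

def from_blocked_host(rules, proto):
    """Verdict for traffic from the denied address to an instance in 10.5.0.0/24."""
    return evaluate_acl(rules, proto, "10.1.1.12", "10.5.0.33", 22)

if __name__ == "__main__":
    print("Table 2 TCP/445:", from_internet(TABLE2, 445), " TCP/80:", from_internet(TABLE2, 80),
          " allow above deny, TCP/445:", from_internet(TABLE2_SWAPPED, 445))
    print("Table 3 TCP:", from_blocked_host(TABLE3, "TCP"), " UDP:", from_blocked_host(TABLE3, "UDP"))
```

Note that custom rule 01 in Table 3 is written for TCP only, so the evaluator allows UDP from 10.1.1.12 through rule 02; set the protocol to All if the intent is to block the address entirely.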
Allowing External Access to Specific Ports on an Instance in a Subnet
If you deploy a web server in a subnet and want this server to be accessible from the Internet, you need to add network ACL rules and security group rules to allow HTTP traffic over port 80 and HTTPS traffic over port 443.
- Add network ACL rules listed in Table 4.
- Add custom rule A01 to allow any HTTP traffic to the instance in the subnet (10.8.0.0/24) over port 80.
- Add custom rule A02 to allow any HTTPS traffic to the instance in the subnet (10.8.0.0/24) over port 443.
Table 4 Network ACL rules for allowing access to specific ports on an instance in a subnet

Direction | Priority | Action | Protocol | Source | Source Port Range | Destination | Destination Port Range | Description |
---|---|---|---|---|---|---|---|---|
Inbound | 1 | Allow | TCP | 0.0.0.0/0 | All | 10.8.0.0/24 | 80 | Custom rule 01 |
Inbound | 2 | Allow | TCP | 0.0.0.0/0 | All | 10.8.0.0/24 | 443 | Custom rule 02 |
Inbound | * | Deny | All | 0.0.0.0/0 | All | 0.0.0.0/0 | All | Default rule |
Outbound | * | Deny | All | 0.0.0.0/0 | All | 0.0.0.0/0 | All | Default rule |
- Add security group rules listed in Table 5.
- Add inbound rule 01 to allow any HTTP traffic to the instance over port 80.
- Add inbound rule 02 to allow any HTTPS traffic to the instance over port 443.
- Add outbound rule 03 to allow any traffic to leave the security group.
The permissive outbound rule of the security group is not a concern here: the network ACL only allows the response traffic of inbound requests to leave the subnet.

Table 5 Security group rules for allowing access to specific ports

Direction | Priority | Action | Type | Protocol & Port | Source/Destination | Description |
---|---|---|---|---|---|---|
Inbound | 1 | Allow | IPv4 | TCP: 80 | IP address: 0.0.0.0/0 | Rule 01 |
Inbound | 1 | Allow | IPv4 | TCP: 443 | IP address: 0.0.0.0/0 | Rule 02 |
Outbound | 1 | Allow | IPv4 | All | IP address: 0.0.0.0/0 | Rule 03 |