Adding a Network ACL Rule
Scenarios
You can add inbound and outbound rules to a network ACL to control the traffic in and out of a subnet. Network ACL rules are matched in ascending order of rule number; the rule numbers are either generated by the system or specified by you.
- Adding a Network ACL Rule (Default Rule Numbers): Rules are matched in order of their number, starting with the lowest. The rule number is automatically assigned.
As shown in Table 1, there are two custom inbound rules (rule A and rule B) and one default rule. The priority of rule A is 1 and that of rule B is 2. The default rule always has the lowest priority. If rule C is added, the system sets its priority to 3, so rule C is matched after rules A and B but before the default rule.
Table 1 Default priorities

| Rules A and B | Priority | Rules A, B, and C | Priority |
|---|---|---|---|
| Custom rule A | 1 | Custom rule A | 1 |
| Custom rule B | 2 | Custom rule B | 2 |
| -- | -- | Custom rule C | 3 |
| Default rule | * | Default rule | * |
- Adding a Network ACL Rule (Custom Rule Numbers): If you want a rule to be matched earlier or later than a specific rule, you can insert the rule above or below the specific rule.
In Table 2, there are two custom inbound rules (rule A and rule B) and one default rule. The priority of rule A is 1 and that of rule B is 2. The default rule has the lowest priority. If you want rule C to be matched earlier than rule B, you can insert rule C above rule B. After rule C is added, the priority of rule C is 2, and that of rule B is 3.
Table 2 Custom priorities

| Rules A and B | Priority | Rules A, B, and C | Priority |
|---|---|---|---|
| Custom rule A | 1 | Custom rule A | 1 |
| -- | -- | Custom rule C | 2 |
| Custom rule B | 2 | Custom rule B | 3 |
| Default rule | * | Default rule | * |
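To make the rule-number semantics of Tables 1 and 2 concrete, here is an added Python model (not part of the original page or of the console) of an ordered network ACL: a rule's number is its position, inserting above or below a rule shifts the later numbers, and traffic is evaluated first-match in ascending order with the default rule last. The Rule and NetworkAcl classes, the "default" rule name and the sample rules are assumptions made for this example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    """One custom rule built from the Table 3 parameters (port range is inclusive)."""
    name: str
    action: str                    # "Allow" or "Deny"
    protocol: str                  # "TCP", "UDP" or "ICMP"
    source: str                    # CIDR, e.g. 192.168.0.0/24 or 0.0.0.0/0
    destination: str               # CIDR
    dst_ports: tuple = (1, 65535)  # destination port range, 1 to 65535

    def matches(self, protocol, src_ip, dst_ip, dst_port):
        if protocol != self.protocol:
            return False
        if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(self.source, strict=False):
            return False
        if ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(self.destination, strict=False):
            return False
        low, high = self.dst_ports
        return low <= dst_port <= high

class NetworkAcl:
    """Ordered rule list: a rule's number is its 1-based position; the lowest number is matched first."""
    def __init__(self, default_action="Deny"):
        self.rules = []
        self.default_action = default_action  # the '*' default rule, always matched last

    def number_of(self, name):
        return next(i + 1 for i, r in enumerate(self.rules) if r.name == name)

    def add(self, rule):  # default numbering: appended after all existing custom rules (Table 1)
        self.rules.append(rule)
        return self.number_of(rule.name)

    def insert_above(self, target_name, rule):  # matched earlier than the target rule (Table 2)
        self.rules.insert(self.number_of(target_name) - 1, rule)

    def insert_below(self, target_name, rule):  # matched later than the target rule
        self.rules.insert(self.number_of(target_name), rule)

    def evaluate(self, protocol, src_ip, dst_ip, dst_port):
        """First match in ascending rule number wins; otherwise the default rule applies."""
        for rule in self.rules:
            if rule.matches(protocol, src_ip, dst_ip, dst_port):
                return rule.action, rule.name
        return self.default_action, "default"
```

A Deny rule inserted above a broader Allow rule takes effect only because it now carries the lower number; appended with default numbering it would never be reached for traffic the Allow rule already matches.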
Adding a Network ACL Rule (Default Rule Numbers)
- Log in to the management console.
- Click the icon in the upper left corner and choose Network > Virtual Private Cloud.
The Virtual Private Cloud page is displayed.
- In the navigation pane on the left, choose Access Control > Network ACLs.
The network ACL list is displayed.
- In the network ACL list, locate the target network ACL and click its name.
The network ACL summary page is displayed.
- On the Inbound Rules or Outbound Rules tab, click Add Rule.
The Add Inbound Rule or Add Outbound Rule dialog box is displayed.
- Configure required parameters.
- Click the add icon to add more rules.
- To replicate an existing rule, locate its row and click Replicate in the Operation column.
Table 3 Parameter descriptions

| Parameter | Description | Example Value |
|---|---|---|
| Type | Network ACL type. There are two options: IPv4 or IPv6. | IPv4 |
| Action | The action for the network ACL rule. There are two options: Allow (allows matched traffic in and out of a subnet) or Deny (denies matched traffic in and out of a subnet). | Allow |
| Protocol | The protocol used to match traffic. The value can be TCP, UDP, or ICMP. | TCP |
| Source | The source from which the traffic is allowed. The source can be an IP address, IP address range, or IP address group. Either the source or the destination, but not both, can use an IP address group. IP address: a single IP address (192.168.10.10/32 for IPv4; 2002:50::44/128 for IPv6) or all IP addresses (0.0.0.0/0 for IPv4; ::/0 for IPv6). IP address range: 192.168.1.0/24 (IPv4); 2407:c080:802:469::/64 (IPv6). IP address group: ipGroup-A. | 192.168.0.0/24 |
| Source Port Range | The source ports or port ranges used to match traffic. The value ranges from 1 to 65535. | 22-30 |
| Destination | The destination to which the traffic is allowed. The destination can be an IP address, IP address range, or IP address group. Either the source or the destination, but not both, can use an IP address group. IP address: a single IP address (192.168.10.10/32 for IPv4; 2002:50::44/128 for IPv6) or all IP addresses (0.0.0.0/0 for IPv4; ::/0 for IPv6). IP address range: 192.168.1.0/24 (IPv4); 2407:c080:802:469::/64 (IPv6). IP address group: ipGroup-A. | 0.0.0.0/0 |
| Destination Port Range | The destination ports or port ranges used to match traffic. The value ranges from 1 to 65535. | 22-30 |
| Description | Supplementary information about the network ACL rule. This parameter is optional. The description can contain a maximum of 255 characters and cannot contain angle brackets (< or >). | N/A |
- Click OK.
Return to the rule list to check the new rule.
Adding a Network ACL Rule (Custom Rule Numbers)
- Log in to the management console.
- Click the icon in the upper left corner and choose Network > Virtual Private Cloud.
The Virtual Private Cloud page is displayed.
- In the navigation pane on the left, choose Access Control > Network ACLs.
The network ACL list is displayed.
- In the network ACL list, locate the target network ACL and click its name.
The network ACL summary page is displayed.
- Click the Inbound Rules or Outbound Rules tab and insert a rule.
- Locate the target rule and choose More > Insert Rule Above in the Operation column. The new rule will be matched earlier than the current rule.
- Locate the target rule and choose More > Insert Rule Below in the Operation column. The new rule will be matched later than the current rule.