Rule Overview

Last updated: 2024-01-12 14:51:04

A network Access Control List (ACL) is an optional layer of security that controls traffic to and from subnets at the granularity of protocol and port.

Application example

You can associate a network ACL with multiple subnets that require the same level of network traffic control and set inbound and outbound rules to precisely control their inbound and outbound traffic. For example, when you host a multi-layer web application in a Tencent Cloud VPC instance and create different subnets for the web-layer, logic-layer, and data-layer services, you can use a network ACL to ensure that the web-layer and data-layer subnets cannot access each other, and only the logic-layer subnet can access the web-layer and data-layer subnets.


ACL rules

After you add or delete a rule in a network ACL, the changes you make will be automatically applied to the associated subnets. You can configure inbound and outbound network ACL rules. Each rule consists of the following elements:
Source IP/Destination IP: The origin or target IP address of the traffic. For inbound rules, enter the source IP; for outbound rules, enter the destination IP. Both source and destination IPs support the following formats:
Single IP: Such as "192.168.0.1" or "FF05::B5".
CIDR block: Such as "192.168.1.0/24" or "FF05:B5::/60".
All IPv4 addresses: "0.0.0.0/0".
All IPv6 addresses: "0::0/0" or "::/0".
Protocol: Select the protocol that the ACL rule allows or denies, such as TCP or UDP.
Port: The source or destination port of the traffic. Supported formats include:
Single port: Such as "22" or "80".
Port range: Such as "1-65535" or "100-20000".
All ports: All.
Policy: Select Allow or Refuse.

Default Rules

Every network ACL is created with two default rules. They have the lowest priority and cannot be modified or deleted.

Default inbound rule

| Protocol | Port | Source IP | Policy | Note |
|---|---|---|---|---|
| ALL | ALL | 0.0.0.0/0 | Refuse | Denies all inbound traffic. |

Default outbound rule

| Protocol | Port | Destination IP | Policy | Note |
|---|---|---|---|---|
| ALL | ALL | 0.0.0.0/0 | Refuse | Denies all outbound traffic. |

Rule priorities

The rules of a network ACL are prioritized from top to bottom. The rule at the top of the list has the highest priority and will take effect first, while the rule at the bottom has the lowest priority and will take effect last.
If there is a rule conflict, the rule with the higher priority will prevail by default.
When traffic goes in or out of a subnet that is bound to a network ACL, the network ACL rules will be matched sequentially from top to bottom. If a rule is matched successfully and takes effect, the subsequent rules will not be matched.

Application example

To allow all source IP addresses to access all ports of CVMs in a subnet associated with a network ACL, while denying HTTP access to port 80 from the source IP block 192.168.200.11/24, add the following two inbound rules to the network ACL in this order (the Refuse rule must sit above the Allow rule so that it is matched first):

| Protocol | Port | Source IP | Policy | Note |
|---|---|---|---|---|
| HTTP | 80 | 192.168.200.11/24 | Refuse | Denies HTTP access to port 80 from this IP block. |
| ALL | ALL | 0.0.0.0/0 | Allow | Allows all source IP addresses to access all ports. |

Security group vs. network ACL

| Item | Security Group | Network ACL |
|---|---|---|
| Traffic control | Traffic control at the instance level, such as CVM and TencentDB instances | Traffic control at the subnet level |
| Policy | Allow or refuse. | Allow or refuse. |
| Stateful/Stateless | Stateful: returned traffic is automatically permitted without being subject to any rules. | Stateless: returned traffic must be explicitly allowed by rules. |
| Effective time | Security group rules are applied to an instance, such as a CVM or TencentDB instance, only if you specify a security group when creating the instance or associate a security group with the instance after it is created. | ACL rules are automatically applied to all instances, such as CVM and TencentDB instances, in the associated subnet. |
| Rule priorities | If there is a rule conflict, the rule with the higher priority will prevail by default. | If there is a rule conflict, the rule with the higher priority will prevail by default. |
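The following Python script is an added illustration, not Tencent Cloud code, of two points made above: the first-match, top-to-bottom evaluation in "Rule priorities" (using the two inbound rules from that section's example, with the page's "HTTP" row modelled as TCP port 80), and the "Stateless" row of the comparison table, where return traffic must be allowed by an explicit rule. The packets, the external address 203.0.113.10 and the ephemeral port range 32768-60999 are constructed sample values; the `Rule`, `Packet` and `evaluate` names are this example's own.

```python
"""Simulation of network ACL evaluation: first matching rule wins, default Refuse.

Added example that models the evaluation order described on this page; it is
not Tencent Cloud's data plane and all sample values below are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    protocol: str  # "TCP", "UDP", "ICMP" or "ALL"
    ports: str     # single port "80", range "1-65535", or "ALL"
    cidr: str      # source IP for inbound rules, destination IP for outbound rules
    policy: str    # "Allow" or "Refuse"
    note: str = ""


@dataclass(frozen=True)
class Packet:
    protocol: str
    ip: str    # source IP for inbound traffic, destination IP for outbound traffic
    port: int  # destination port of the packet


# The page's immutable default rule: lowest priority, denies everything.
DEFAULT_RULE = Rule("ALL", "ALL", "0.0.0.0/0", "Refuse", "default rule: denies all traffic")


def port_matches(ports: str, port: int) -> bool:
    """Match a single port, an inclusive range, or ALL."""
    if ports.upper() == "ALL":
        return True
    if "-" in ports:
        low, high = (int(p) for p in ports.split("-", 1))
        return low <= port <= high
    return int(ports) == port


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches when protocol, address block and port all match."""
    proto_ok = rule.protocol.upper() in ("ALL", pkt.protocol.upper())
    # strict=False lets a host-style entry like 192.168.200.11/24 stand for its /24 block.
    ip_ok = ipaddress.ip_address(pkt.ip) in ipaddress.ip_network(rule.cidr, strict=False)
    return proto_ok and ip_ok and port_matches(rule.ports, pkt.port)


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Rule]:
    """Walk the list top to bottom; the first match decides, otherwise the default applies."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.policy, rule
    return DEFAULT_RULE.policy, DEFAULT_RULE


# The two inbound rules from the "Rule priorities" example, in the documented order.
INBOUND_EXAMPLE = [
    Rule("TCP", "80", "192.168.200.11/24", "Refuse", "denies HTTP (TCP/80) from this block"),
    Rule("ALL", "ALL", "0.0.0.0/0", "Allow", "allows all source IPs to all ports"),
]


def first_match_demo() -> Tuple[str, str, str]:
    """Refuse hits only the specific case; everything else falls through to Allow."""
    blocked = evaluate(INBOUND_EXAMPLE, Packet("TCP", "192.168.200.57", 80))[0]
    same_block_ssh = evaluate(INBOUND_EXAMPLE, Packet("TCP", "192.168.200.57", 22))[0]
    other_source_http = evaluate(INBOUND_EXAMPLE, Packet("TCP", "10.0.0.9", 80))[0]
    return blocked, same_block_ssh, other_source_http


def reversed_order_demo() -> str:
    """Same rules with Allow on top: the Refuse rule is never reached (priority wins)."""
    return evaluate(list(reversed(INBOUND_EXAMPLE)), Packet("TCP", "192.168.200.57", 80))[0]


def stateless_demo() -> Tuple[str, str, str]:
    """An outbound Allow does not admit the reply; a matching inbound rule is required."""
    outbound = [Rule("TCP", "443", "0.0.0.0/0", "Allow", "client egress to HTTPS")]
    request = Packet("TCP", "203.0.113.10", 443)      # CVM -> external server (constructed)
    reply = Packet("TCP", "203.0.113.10", 49152)      # server -> CVM ephemeral port
    inbound_no_return = []                            # only the default Refuse applies
    # Ephemeral range 32768-60999 is an assumed client port range, not a page value.
    inbound_with_return = [Rule("TCP", "32768-60999", "0.0.0.0/0", "Allow", "return traffic")]
    return (
        evaluate(outbound, request)[0],
        evaluate(inbound_no_return, reply)[0],
        evaluate(inbound_with_return, reply)[0],
    )


if __name__ == "__main__":
    print("first match:", first_match_demo())
    print("reversed order:", reversed_order_demo())
    print("stateless (request, reply w/o rule, reply with rule):", stateless_demo())
```

`reversed_order_demo` shows why the order in the example table matters: with the blanket Allow on top, the Refuse row is dead, which is the "higher priority prevails" behaviour stated in the comparison table. `stateless_demo` shows the practical consequence of the "Stateless" row: an outbound rule alone leaves the reply hitting the default Refuse, so each direction of a connection needs its own rule.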