For details on the ACL function, refer to the Network ACL document.
To create an ACL, click Create ACL and enter the following values:
Click Confirm to create the ACL.
Among the properties of the ACL, you can change the name and description.
You can delete the selected ACL. It can only be deleted when there is no network bound to the ACL.
If you select an ACL, the ACL Rule menu appears at the bottom. When an ACL rule is added, the added rule is reflected in all networks using this ACL.
Click Confirm to create the ACL rule.
[Note] Setting source and destination as a pair
For example, to allow only 192.168.0.10 to access tcp 22 of 192.168.0.13, add a rule as follows. "protocol"="tcp", "src cidr"="192.168.0.10/32", "dst cidr"="192.168.0.13/32", "dst_port_range_min"=22, "policy"="allow" "protocol"="tcp", "src cidr"="192.168.0.13/32", "src_port_range_min"=22, "dst cidr"="192.168.0.10/32", "policy"="allow" For the required configuration, packets need to come in and go out through the address. If only the first rule is defined, from the instance's point of view, only the traffic coming through the dst is allowed. To allow packets going out from the src, the second rule must be defined.
[Note] Source and destination addresses
For example, assuming that the floating IP 133.186.237.10 is associated with the fixed IP 192.168.0.10 in the NHN Cloud instance, and if the purpose of configuration is to allow access from the same VPC, it is convenient to set the fixed IP 192.168.0.10 as the address in the ACL rule. Assuming that you set a rule that allows port 80 access from 192.168.0.10 to 192.168.0.20 between two instances of 192.168.0.10 (fip:133.186.237.10) and 192.168.0.20 (fip:133.186.237.20):
If you set the rule with a fixed IP, set it as follows and access from 192.168.0.10 with the fixed IP, like curl http://192.168.0.20. "protocol"="tcp", "src cidr"="192.168.0.10/32", "dst cidr"="192.168.0.20/32", "dst_port_range_min"=80, "policy"="allow" "protocol"="tcp", "src cidr"="192.168.0.20/32", "src_port_range_min"=80, "dst cidr"="192.168.0.10/32", "policy"="allow"
If you set the rule with a floating IP, set it as follows and access from 133.186.237.10 with the floating IP, like curl http://133.186.237.20. "protocol"="tcp", "src cidr"="133.186.237.10/32", "dst cidr"="192.168.0.20/32", "dst_port_range_min"=80, "policy"="allow" "protocol"="tcp", "src cidr"="192.168.0.20/32", "src_port_range_min"=80, "dst cidr"="133.186.0.10/32", "policy"="allow" "protocol"="tcp", "src cidr"="192.168.0.10/32", "dst cidr"="133.186.237.20/32", "dst_port_range_min"=80, "policy"="allow" "protocol"="tcp", "src cidr"="133.186.237.20/32", "src_port_range_min"=80, "dst cidr"="192.168.0.10/32", "policy"="allow"
In case of access from another VPC
To allow port 80 access from 133.186.237.30 (VPC1) to 192.168.0.40 (fip:133.186.237.40, VPC2), set the ACL rule bound to VPC2 as follows. (No ACL rule required for VPC1.) "protocol"="tcp", "src cidr"="133.186.237.30/32", "dst cidr"="192.168.0.40/32", "dst_port_range_min"=80, "policy"="allow" "protocol"="tcp", "src cidr"="192.168.0.40/32", "src_port_range_min"=80, "dst cidr"="133.186.237.30/32", "policy"="allow"
[Note] ACL rule order
When creating an ACL, by default, the rule to allow all is applied to the order number 101, and the rule to deny all is applied to the order number 32765. Therefore, the default state is a state where all is allowed. After that, the user can delete the order number 101 and add a rule optionally. The basic usage is to manage a whitelist. The last rule in each ACL has an order number of 32765 and the policy of deny all, and cannot be deleted. You can add any rule you want using a value between 101 and 32765 as an order number. Numbers 1 to 100 are reserved for internal systems. The order cannot be modified and it must be deleted and then added again. Therefore, to change the order, it is recommended to set the order number with an interval of 10 to 100 when setting the rule. To change the method to managing a blacklist, add a rule that allows all to the order number 32764, and manage the blacklist rule in the lower order number.
[Note] Number of ACLs and ACL rules
You can create up to 10 ACLs per project. You can create up to 100 ACL rules per project.
Among the properties of a rule, only the description can be changed.
If you select an ACL, the ACL Rule menu appears at the bottom. When you delete an ACL rule, the rule is deleted from all networks that use this ACL.
Select the network to apply the ACL to and click Confirm. One ACL can be bound to multiple networks. For each network, only one ACL can be bound.
Select the network to unbind ACL from and click Confirm.