Network ACL
Available in VPC
Network ACL and ACG
NAVER Cloud Platform provides two features to enhance VPC security: network ACL and ACG. You can build a robust network security system by using network ACL to control access to subnets and ACG to control communication security for the servers within those subnets.
The following summarizes the characteristics and differences of network ACL and ACG.
| Network ACL | ACG |
|---|---|
| Works when access to a subnet is made | Works when access to a server is made |
| Both allow and deny rules for inbound/outbound traffic are configured. | Only allow rules for inbound/outbound traffic are configured. |
| Stateless method: inbound and outbound rules must be configured separately, since traffic state is not saved. | Stateful method: traffic allowed by an inbound rule is automatically allowed in the outbound direction, since traffic state is saved. |
| Rules are prioritized when deciding whether to allow the traffic. | All rules are evaluated before deciding whether to allow the traffic. |
| Applied to all servers in the target subnet (does not depend on the user specifying an ACG) | Applied only when a security group is specified at server startup, or when the security group is connected to instances |
Network ACL page
The basics of using network ACL are as follows.
| Area | Description |
|---|---|
| ① Menu name | Name of the menu currently being viewed, number of network ACLs created |
| ② Basic features | Create network ACL, refresh the network ACL page |
| ③ Post-creation features | Modify a rule of a created network ACL, delete network ACL |
| ④ Search window | Enter a search word, and then click the button to search for the item |
| ⑤ Search filter | Specify the range of network ACLs to search |
| ⑥ Network ACL list | View the list of created network ACLs and their information |
View network ACL list
You can check the information of each network ACL from the list of network ACLs that have been created and are in operation. The following describes how to view the information.
A default network ACL is created automatically and can be seen on the list when you create a VPC.
- From the NAVER Cloud Platform console's VPC environment, click the Services > Networking > VPC menus, in that order.
- Click the Network ACL > ACL rule menus, in that order.
- When the list of created network ACLs appears, view the summarized information or click a network ACL to check the details.
- Network ACL name: name of the network ACL
- Network ACL ID: ID value of the network ACL
- VPC name: name of the VPC where the network ACL belongs
- Number of applied subnets: number of subnets to which the network ACL is applied
- [Inbound rules] tab: the list of inbound rules set on the network ACL
- [Outbound rules] tab: the list of outbound rules set on the network ACL
- Number of inbound ACLs: number of inbound rules configured
- Number of outbound ACLs: number of outbound rules configured
- Creation date and time: date and time when the network ACL was created
- Applied subnets: the list of subnets to which the network ACL is applied
- Memo: This is the memo related to the network ACL, and it can be edited by clicking the [Edit] button.
Create network ACL
The following describes how to create a network ACL.
- From the NAVER Cloud Platform console's VPC environment, click the Services > Networking > VPC menus, in that order.
- Click the Network ACL > ACL rule menus, in that order.
- Click the [Create network ACL] button.
- When the Create network ACL pop-up window appears, enter a name for the network ACL to create, and then select a VPC to apply.
- A network ACL name should be 3 to 30 characters in English letters, numbers, and hyphens (-).
- Click the [Create] button.
- Check the network ACL created in the network ACL list in the ACL rule page.
Set network ACL rules
Inbound and outbound detailed rules can be set in the network ACL created. You can set detailed rules as follows.
- Select the network ACL to set rules from the ACL rule page, and then click the [Set rule] button.
- When the Set network ACL rules pop-up window appears, enter an inbound rule and click the [Add] button to add the rule.
- Priority: the priority of the rule. Enter a number between 0 and 199.
- Protocol: Select a protocol for the inbound traffic.
- Access source: Enter an IP range for the inbound traffic, or a Deny-Allow group configured in advance.
- Refer to the Deny-Allow group settings guide for more information about Deny-Allow group configuration.
- Port: the port for the inbound traffic. Specify a port number or range.
- Allow/Deny: Select whether to allow or deny the inbound traffic.
- Memo: Enter a memo related to the inbound traffic.
- Delete icon: Delete the inbound rule added to the list.
- Click the [Outbound] tab to enter an outbound rule, and then click the [Add] button to add the rule.
- Priority: the priority of the rule. Enter a number between 0 and 199.
- Protocol: Select a protocol for the outbound traffic.
- Destination: Enter an IP range for the outbound traffic, or a Deny-Allow group configured in advance.
- Refer to the Deny-Allow group settings guide for more information about Deny-Allow group configuration.
- Port: the port for the outbound traffic. Specify a port number or range.
- Allow/Deny: Select whether to allow or deny the outbound traffic.
- Memo: Enter a memo related to the outbound traffic.
- Delete icon: Delete the outbound rule added to the list.
- Click the [Apply] button.
- Click the network ACL from the network ACL list to check the rules configured.
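As an added illustration (not NAVER Cloud Platform code), the following Python models the rule behaviour described in this section and in the comparison table above: rules with priority 0 to 199, allow and deny actions, a Deny-Allow group of plain /32 addresses used as the access source, and stateless evaluation in which the reply direction is judged only by the outbound rules. The rule sets, the sample IP addresses, lowest-number-first ordering and the deny-by-default fallback for unmatched traffic are assumptions of this model, not documented platform behaviour.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical model (not NAVER Cloud Platform code) of the network ACL behaviour this
# page describes: stateless, priority 0-199 (assumed lowest first), first match decides.

@dataclass(frozen=True)
class Rule:
    priority: int   # 0..199, lower number is evaluated first (assumption)
    protocol: str   # "TCP" or "UDP" in this model
    peer: str       # access source (inbound) or destination (outbound): CIDR or group name
    ports: tuple    # (low, high) inclusive port range
    action: str     # "allow" or "deny"

def parse_bulk_ips(text):
    """Bulk-input format from the page: IPs separated by Tab, Space or comma,
    entered without the /32 mask, at most 100 per Deny-Allow group."""
    ips = text.replace(",", " ").split()
    if len(ips) > 100:
        raise ValueError("a Deny-Allow group holds at most 100 IPs")
    for ip in ips:
        if "/" in ip:
            raise ValueError(f"{ip}: enter the address without the subnet mask")
        ipaddress.ip_address(ip)  # rejects malformed addresses
    return frozenset(ips)

# Constructed sample group using RFC 5737 documentation addresses.
GROUPS = {"blocked-hosts": parse_bulk_ips("198.51.100.7, 198.51.100.8\t198.51.100.9")}

def peer_matches(peer, ip):
    if peer in GROUPS:  # Deny-Allow group: exact /32 membership
        return ip in GROUPS[peer]
    return ipaddress.ip_address(ip) in ipaddress.ip_network(peer)

def evaluate(rules, protocol, ip, port):
    """First matching rule wins; unmatched traffic is denied (an assumption of this
    model). Stateless: the reply direction is judged only by its own rule set."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if not 0 <= rule.priority <= 199:
            raise ValueError(f"priority {rule.priority} is outside 0..199")
        low, high = rule.ports
        if rule.protocol == protocol and low <= port <= high and peer_matches(rule.peer, ip):
            return rule.action
    return "deny"

# Constructed rule sets: the priority-0 deny for the group beats the broader allow.
INBOUND = [Rule(10, "TCP", "0.0.0.0/0", (443, 443), "allow"),
           Rule(0, "TCP", "blocked-hosts", (0, 65535), "deny")]
# Replies to client ephemeral ports need their own outbound allow rule.
OUTBOUND = [Rule(10, "TCP", "0.0.0.0/0", (1024, 65535), "allow")]
```

Evaluating the same HTTPS session with an empty outbound list shows the stateless point: the inbound allow does not admit the server's reply.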
Delete network ACL
The following describes how to delete a network ACL created.
A network ACL cannot be deleted in the following cases.
- The default network ACL created automatically
- The network ACL that is applied to one or more subnets
- From the NAVER Cloud Platform console's VPC environment, click the Services > Networking > VPC menus, in that order.
- Click the Network ACL > ACL rule menus, in that order.
- Click a network ACL to delete, and then click the [Delete] button.
- When the Delete network ACL pop-up window appears, click the [Delete] button.
Set Deny-Allow group
A Deny-Allow group is a set of multiple IP addresses. It can be used as the access source or destination when setting inbound/outbound rules in a network ACL.
Deny-Allow group page
The basics of using Deny-Allow group are as follows.
Area | Description |
---|---|
① Menu name | Name of the menu currently being viewed, number of Deny-Allow groups created |
② Basic features | Create Deny-Allow group, refresh the Deny-Allow group page |
③ Post-creation features | Set IPs for a Deny-Allow group created, delete Deny-Allow group |
④ Search window | Enter a search word, and then click the button to search for the item |
⑤ Search filter | Specify the range of Deny-Allow group to search |
⑥ Deny-Allow group list | View the list of Deny-Allow groups created and their information |
View Deny-Allow group list
Information of each group can be viewed from the list of Deny-Allow groups created. The following describes how to view the information.
- From the NAVER Cloud Platform console's VPC environment, click the Services > Networking > VPC menus, in that order.
- Click the Network ACL > Deny-Allow group menus, in that order.
- When the Deny-Allow group list appears, view the summarized information or click a Deny-Allow group to check the details.
- Deny-Allow group name: name of the Deny-Allow group
- Deny-Allow group ID: ID value of the Deny-Allow group
- VPC name: name of the VPC where the Deny-Allow group belongs
- Number of ACL rules applied: the number of network ACLs where the Deny-Allow group is applied
- Network ACL applied: the list of network ACLs where the Deny-Allow group is applied
- Registered IPs: the list of IP addresses that have been registered to the Deny-Allow group
- Memo: This is the memo related to the Deny-Allow group, and it can be edited by clicking the [Edit] button.
Create Deny-Allow group
The following describes how to create a Deny-Allow group.
- From the NAVER Cloud Platform console's VPC environment, click the Services > Networking > VPC menus, in that order.
- Click the Network ACL > Deny-Allow group menus, in that order.
- Click the [Create group] button.
- When the Create Deny-Allow group pop-up window appears, enter a name of the Deny-Allow group to create, and then select a VPC to apply.
- A Deny-Allow group name should be 3 to 30 characters in English letters, numbers, and hyphens (-).
- Click the [Create] button.
- Check the created group from the Deny-Allow group list in the Deny-Allow group page.
Up to 4 Deny-Allow groups can be created per VPC.
Add IPs to Deny-Allow group
You can add IPs to a Deny-Allow group created. The following describes how to add IPs.
- Select the Deny-Allow group to add IPs to from the Deny-Allow group page, and then click the [Set IP] button.
- When the Set Deny-Allow group pop-up window appears, enter the IPs to add to the group.

| Area | Description |
|---|---|
| ① Input window | Enter an IP address to add. Input is made per /32 address, so enter it without the subnet mask (/32). Up to 100 IPs can be entered. |
| ② Bulk input | Click when you want to add many IPs at once. Separate each IP with a [Tab] or [Space] key or a comma (,). Click the [Apply] button to add them at once. |
| ③ Create | Add the IPs entered to the list. |
| ④ Delete | Delete the selected IPs from the list. |
| ⑤ IP list | The list of IPs that have been entered and added |

- Click the [OK] button.
- Check the added IPs by clicking the Deny-Allow group in the Deny-Allow group list.
Delete Deny-Allow group
The following describes how to delete a Deny-Allow group created.
A Deny-Allow group that is being used by a network ACL rule cannot be deleted. To delete such a group, first remove it from the network ACL rule where it is used, and then proceed with the deletion.
- From the NAVER Cloud Platform console's VPC environment, click the Services > Networking > VPC menus, in that order.
- Click the Network ACL > Deny-Allow group menus, in that order.
- Click the Deny-Allow group to delete, and then click the [Delete] button.
- When the Delete Deny-Allow group pop-up window appears, click the [Yes] button.