Network ACL


Available in VPC

Network ACL and ACG

NAVER Cloud Platform provides Network ACL and ACG features to enhance VPC security. You can create a robust network security system by using Network ACL to control Subnet access and ACG to manage server communication security within Subnets.

The following summarizes the characteristics and differences between Network ACL and ACG.

[Figure: vpc-nacl-vpc_diagram_ko]

Network ACL | ACG
Works when access to a subnet is made | Works when access to a server is made
Both allow and block rules for inbound/outbound traffic are configured (allow rules are applied by default) | Only allow rules for inbound/outbound traffic are configured (block rules are applied by default)
Stateless: inbound and outbound rules must be configured separately, since traffic state is not saved | Stateful: traffic allowed by an inbound rule is automatically allowed in the outbound direction, since traffic state is saved
Rules are evaluated in priority order when deciding whether to allow the traffic | All rules are evaluated before deciding whether to allow the traffic
Applied to all servers in the target subnet (does not rely on the user specifying an ACG) | Applied only when a security group (ACG) is specified at server startup, or when the security group is connected to instances

Network ACL interface

The following describes the basics of using Network ACL:

[Figure: vpc-nacl-vpc-screen_ko]

Component | Description
① Menu name | Shows the current menu name and the number of created Network ACLs
② Basic features | Create a Network ACL, refresh the Network ACL interface
③ Post-creation features | Modify the rules of a created Network ACL, delete a Network ACL
④ Search bar | Enter search keywords and click the search icon to search for the item
⑤ Search filter | Specify the Network ACL view range
⑥ Network ACL list | View the list of created Network ACLs and their information

View Network ACL list

You can view information for each Network ACL in the created Network ACL list. To check:

Note

When you create a VPC, a Default Network ACL is automatically created and visible in the list.

  1. In the VPC environment of the NAVER Cloud Platform console, click the menu icon and navigate to Services > Networking > VPC.
  2. Navigate to Network ACL > ACL Rule.
  3. When the list of created Network ACL appears, view the summarized information or click Network ACL to check the details.
    [Figure: vpc-nacl-vpc-screen1_ko]
    • Network ACL name: Name of Network ACL
    • Network ACL ID: ID value of Network ACL
    • VPC name: Name of the VPC to which the Network ACL belongs
    • Number of applied subnets: Number of subnets to which the Network ACL is applied
    • [Inbound rules] tab: List of inbound rules configured for the Network ACL
    • [Outbound rules] tab: List of outbound rules configured for the Network ACL
    • Number of Inbound ACLs: Number of configured inbound rules
    • Number of outbound ACLs: Number of configured outbound rules
    • Creation date and time: Date when the Network ACL was created
    • Applied subnets: List of subnets to which the Network ACL is applied
    • Memo: Notes related to the Network ACL, which you can edit by clicking [Edit]

Create Network ACL

To create a Network ACL:

  1. In the VPC environment of the NAVER Cloud Platform console, click the menu icon and navigate to Services > Networking > VPC.
  2. Navigate to Network ACL > ACL Rule.
  3. Click [Create Network ACL].
    [Figure: vpc-nacl-vpc-add_ko]
  4. When the Create Network ACL popup appears, enter a name for the Network ACL you want to create and select the VPC to apply.
    • Enter the Network ACL name using letters, numbers, and hyphens (-), with a length of 3–30 characters.
  5. Click [Create].
  6. Check the created Network ACL in the Network ACL list on the ACL Rule interface.

Set Network ACL rules

Inbound and outbound detailed rules can be set in the Network ACL created. To set detailed rules:

  1. Select the Network ACL to set rules from the ACL Rule interface and click [Set rule].
  2. When the Set Network ACL rules popup appears, enter an inbound rule and click [Add] to add the rule.
    [Figure: vpc-nacl-vpc-inboundset_ko]
    • Priority: Enter a rule priority between 0 and 199.
    • Protocol: Select the protocol for inbound traffic.
    • Source: Enter the IP range for inbound traffic or a predefined Deny-Allow Group.
    • Port: Specify the port for inbound traffic as a single number or a range.
    • Acceptability: Select whether to allow or deny the inbound traffic.
    • Memo: Enter notes related to the inbound traffic.
    • Delete icon: Deletes the inbound rule added to the list.
  3. Click the [Outbound] tab to enter an outbound rule and click [Add] to add the rule.
    [Figure: vpc-nacl-vpc-outboundset_ko]
    • Priority: Enter a rule priority between 0 and 199.
    • Protocol: Select the protocol for outbound traffic.
    • Destination point: Enter the IP range for outbound traffic or a predefined Deny-Allow Group.
    • Port: Specify the port for outbound traffic as a single number or a range.
    • Acceptability: Select whether to allow or deny the outbound traffic.
    • Memo: Enter notes related to the outbound traffic.
    • Delete icon: Deletes the outbound rule added to the list.
  4. Click [Apply].
  5. Click the Network ACL from the Network ACL list to check the rules configured.
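The following is an added example, not part of the NAVER Cloud Platform documentation or console, that models the rule behaviour described in the comparison table and in the rule fields above: a stateless Network ACL whose rules are tried in priority order (0-199) with allow or deny actions and a Deny-Allow Group usable as the source/destination, beside a stateful, allow-only ACG evaluated as a whole. First-match semantics, the sample group, the sample rules and the default action when no rule matches (allow, as the table states for Network ACL) are assumptions of this model.

```python
import ipaddress

# Constructed sample Deny-Allow Group: a named set of IP ranges that a rule can
# use as its source/destination instead of a literal CIDR (RFC 5737 test ranges).
DENY_ALLOW_GROUPS = {"office-ips": ["203.0.113.0/24", "198.51.100.7/32"]}

def port_matches(port_spec, port):
    """Port is given as a single number ("22") or a range ("1024-65535")."""
    lo, _, hi = port_spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def addr_matches(spec, ip):
    """Source/destination is an IP range (CIDR) or a Deny-Allow Group name."""
    cidrs = DENY_ALLOW_GROUPS.get(spec, [spec])
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)

def evaluate_nacl(rules, proto, ip, port, default="allow"):
    """Network ACL model: stateless, priority-ordered. Rules are tried from the
    lowest priority number upward and the first match decides (assumed here).
    With no match, the default action applies (allow per the page's table)."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if (rule["protocol"] == proto and addr_matches(rule["ip_range"], ip)
                and port_matches(rule["port"], port)):
            return rule["action"]
    return default

def evaluate_acg(rules, proto, ip, port):
    """ACG model for contrast: allow-only rules, all evaluated, deny by default."""
    return "allow" if any(r["protocol"] == proto and addr_matches(r["ip_range"], ip)
                          and port_matches(r["port"], port) for r in rules) else "deny"

# Constructed rule sets ("ip_range" is Source for inbound, Destination for outbound).
# Because a Network ACL is stateless, an inbound SSH allow does nothing for the reply
# packets: an outbound rule for the client's ephemeral ports is needed as well.
INBOUND = [
    {"priority": 10, "protocol": "TCP", "ip_range": "office-ips", "port": "22", "action": "allow"},
    {"priority": 20, "protocol": "TCP", "ip_range": "0.0.0.0/0", "port": "22", "action": "deny"},
]
OUTBOUND = [
    {"priority": 10, "protocol": "TCP", "ip_range": "office-ips", "port": "1024-65535", "action": "allow"},
]

def ssh_session_allowed(client_ip, client_port=51000):
    """Both directions must pass for a stateless ACL to permit an SSH session."""
    return (evaluate_nacl(INBOUND, "TCP", client_ip, 22) == "allow"
            and evaluate_nacl(OUTBOUND, "TCP", client_ip, client_port) == "allow")

if __name__ == "__main__":
    print(ssh_session_allowed("203.0.113.10"), ssh_session_allowed("192.0.2.5"))
```

Swapping the two inbound priorities makes the broad deny win over the group allow, which is why the priority column, not the order rules were added in, decides the outcome.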

Delete Network ACL

To delete the Network ACL created:

Note

A Network ACL cannot be deleted in the following cases:

  • It is the automatically created Default Network ACL
  • It is applied to 1 or more subnets

  1. In the VPC environment of the NAVER Cloud Platform console, click the menu icon and navigate to Services > Networking > VPC.
  2. Navigate to Network ACL > ACL Rule.
  3. Click the Network ACL to delete and click [Delete].
  4. When the Delete Network ACL popup appears, click [Delete].

Set Deny-Allow Group

Deny-Allow Group is a group of multiple IPs. It can be used as an access source or destination when setting inbound/outbound rules in a Network ACL.

Deny-Allow Group page

The following describes the basics of using Deny-Allow Group.

[Figure: vpc-nacl-vpc_groupscreen_ko]

Component | Description
① Menu name | Shows the current menu name and the number of Deny-Allow Groups created
② Basic features | Create a Deny-Allow Group, refresh the Deny-Allow Group interface
③ Post-creation features | Set IPs for a created Deny-Allow Group, delete a Deny-Allow Group
④ Search bar | Enter search keywords and click the search icon to search for the item
⑤ Search filter | Specify the range of Deny-Allow Groups to view
⑥ Deny-Allow Group list | View the list of created Deny-Allow Groups and their information

View Deny-Allow Group list

Information of each group can be viewed from the list of Deny-Allow Groups created. To check:

  1. In the VPC environment of the NAVER Cloud Platform console, click the menu icon and navigate to Services > Networking > VPC.
  2. Navigate to Network ACL > Deny-Allow Group.
  3. When the Deny-Allow Group list appears, view the summarized information or click a Deny-Allow Group to check the details.
    [Figure: vpc-nacl-vpc_groupscreen1_ko]
    • Deny-Allow Group name: Name of the Deny-Allow Group
    • Deny-Allow Group ID: ID value of Deny-Allow Group
    • VPC name: Name of the VPC to which the Deny-Allow Group belongs
    • Number of applied ACL rules: Number of Network ACLs to which the Deny-Allow Group is applied
    • Applied Network ACLs: List of Network ACLs to which the Deny-Allow Group is applied
    • Registered IPs: List of IP addresses registered in the Deny-Allow Group
    • Memo: Notes related to the Deny-Allow Group, which you can edit by clicking [Edit]

Create Deny-Allow Group

To create a Deny-Allow Group:

  1. In the VPC environment of the NAVER Cloud Platform console, click the menu icon and navigate to Services > Networking > VPC.
  2. Navigate to Network ACL > Deny-Allow Group.
  3. Click [Create Group].
    [Figure: vpc-nacl-vpc-groupadd_ko]
  4. When the Create Deny-Allow Group popup appears, enter a name for the Deny-Allow Group you want to create and select the VPC to apply.
    • Enter the Deny-Allow Group name using letters, numbers, and hyphens (-), with a length of 3–30 characters.
  5. Click [Create].
  6. Check the created group from the Deny-Allow Group list on the Deny-Allow Group page.

Note

You can create up to 4 Deny-Allow Groups per VPC.

Register IPs to Deny-Allow Group

You can register IPs to a Deny-Allow Group created. To register an IP:

  1. Select the Deny-Allow Group to register IPs from the Deny-Allow Group page and click [Set IP].

  2. When the Set Deny-Allow Group popup appears, enter IPs to register in the group.
    [Figure: vpc-nacl-vpc-groupset_ko]

    Components of the popup:
    ① Input window
    ② Bulk input
    ③ Create
    ④ Delete
    ⑤ IP list
  3. Click [OK].

  4. Check the added IPs by clicking the Deny-Allow Group from the Deny-Allow Group list.

Delete Deny-Allow Group

To delete a Deny-Allow Group created:

Note

A Deny-Allow Group that is in use by a Network ACL rule cannot be deleted. To delete such a group, first remove it from the Network ACL rule where it is used, then proceed with the deletion.

  1. In the VPC environment of the NAVER Cloud Platform console, click the menu icon and navigate to Services > Networking > VPC.
  2. Navigate to Network ACL > Deny-Allow Group.
  3. Click the Deny-Allow Group to delete and click [Delete].
  4. When the Delete Deny-Allow Group popup appears, click [Yes].