IBM Cloud Docs
About network ACLs

About network ACLs

You can use an access control list (ACL) to control all incoming and outgoing traffic in IBM Cloud® Virtual Private Cloud. An ACL is a built-in, virtual firewall, similar to a security group. In contrast to security groups, ACL rules control traffic to and from the subnets, rather than to and from the instances.

For a comparison of the characteristics of security groups and ACLs, see the comparison table.

The example that is presented in this document shows how to create network ACLs in your VPC by using the CLI. For more information about how to set up ACLs in the IBM Cloud console, see Configuring ACLs in the UI.

Working with ACLs and ACL rules

To make your ACLs effective, create rules that determine how to handle your inbound and outbound network traffic. You can create multiple inbound and outbound rules. For more information about rules quotas, see Quotas.

  • With inbound rules, you can allow or deny traffic from a source IP range, with specified protocols and ports.
  • With outbound rules, you can allow or deny traffic to a destination IP range, with specified protocols and ports.
  • ACL rules are prioritized and considered in sequence. Higher priority rules are evaluated first and override lower priority rules.
  • Inbound rules are separated from outbound rules.
  • If no rules are specified, then implicit deny is the default behavior.

For more information about using ICMP, TCP, and UDP protocols in your ACL rules, see Understanding internet communication protocols.

Attaching an ACL to a subnet

You can attach an ACL to a subnet two different ways:

  • You can create a new subnet, and specify an ACL to attach. If you don't specify an ACL, a default network ACL is attached. The default ACL allows all inbound traffic to this subnet, and all outbound traffic from this subnet.

Creating a VPC automatically creates a default network ACL. You can modify the default network ACL and specify a different ACL to attach.

  • You can attach an ACL to an existing subnet. If another ACL is attached to this subnet already, that ACL is detached before the new ACL is attached.

ACL example

In the example that follows, you create two ACLs and associate them with two subnets by using the command-line interface (CLI). Figure 1 shows what the scenario looks like.

Figure showing an example ACL scenario
ACL with two subnets

As Figure 1 illustrates, you have two web servers that deal with requests from the internet and two back-end servers that you want to hide from the public. In this example, you place the servers into two separate subnets, 10.10.10.0/24 and 10.10.20.0/24, and you need to allow the web servers to exchange data with the back-end servers. Also, you want to allow limited outbound traffic from the back-end servers.

Example rules

The example rules that follow show how to set up the ACL rules for the basic scenario.

As a best practice, give fine-grained rules a higher priority than coarse-grained rules. For example, you have a rule that blocks all traffic from the subnet 10.10.30.0/24. If it is assigned a higher priority, any fine-grained rules with lower priority that allow traffic from 10.10.30.5 are never applied.

ACL-1 example rules

Example rules for ACL-1
Inbound/Outbound Allow/Deny Source IP Destination IP Protocol Port Description
Inbound Allow 0.0.0.0/0 0.0.0.0/0 TCP 80 Allow HTTP traffic from the internet
Inbound Allow 0.0.0.0/0 0.0.0.0/0 TCP 443 Allow HTTPS traffic from the internet
Inbound Allow 10.10.20.0/24 0.0.0.0/0 All All Allow all inbound traffic from the subnet 10.10.20.0/24 where the back-end servers are placed
Inbound Deny 0.0.0.0/0 0.0.0.0/0 All All Deny all other traffic inbound
Outbound Allow 0.0.0.0/0 0.0.0.0/0 TCP 80 Allow HTTP traffic to the internet
Outbound Allow 0.0.0.0/0 0.0.0.0/0 TCP 443 Allow HTTPS traffic to the internet
Outbound Allow 0.0.0.0/0 10.10.20.0/24 All All Allow all outbound traffic to the subnet 10.10.20.0/24 where the back-end servers are placed
Outbound Deny 0.0.0.0/0 0.0.0.0/0 All All Deny all other traffic outbound

ACL-2 example rules

Example rules for ACL-2
Inbound/Outbound Allow/Deny Source IP Destination IP Protocol Port Description
Inbound Allow 10.10.10.0/24 0.0.0.0/0 All All Allow all inbound traffic from the subnet 10.10.10.0/24 where the web servers are placed
Inbound Deny 0.0.0.0/0 0.0.0.0/0 All All Deny all other traffic inbound
Outbound Allow 0.0.0.0/0 0.0.0.0/0 TCP 80 Allow HTTP traffic to the internet
Outbound Allow 0.0.0.0/0 0.0.0.0/0 TCP 443 Allow HTTPS traffic to the internet
Outbound Allow 0.0.0.0/0 10.10.10.0/24 All All Allow all outbound traffic to the subnet 10.10.10.0/24 where the web servers are placed
Outbound Deny 0.0.0.0/0 0.0.0.0/0 All All Deny all other traffic outbound

This example illustrates general cases only. In your scenarios, you might want to have more granular control over the traffic:

  • You might have a network administrator who needs access to the 10.10.10.0/24 subnet from a remote network for operation purposes. In that case, you need to allow SSH traffic from the internet to this subnet.
  • You might want to narrow down the protocol scope that you allow between your two subnets.

Example steps

The following example steps skip the prerequisite steps of using the CLI to create a VPC, which must be done first. For more information, see Using the CLI to create VPC resources.

Step 1. Create the ACLs

Use the following CLI commands to create two ACLs, named my_web_subnet_acl and my_backend_subnet_acl:

ibmcloud is network-acl-create my-web-subnet-acl $vpc_id --source-acl-id $old_acl_id
ibmcloud is network-acl-create my-backend-subnet-acl $vpc_id --source-acl-id $old_acl_id

The response includes the newly created ACL IDs. Save the IDs of both ACLs to be used in later commands. You can use variables that are named webacl and bkacl, like this:

webacl="0738-ba9e785a-3e10-418a-811c-56cfe5669676"
bkacl="0738-a4e28308-8ee7-46ab-8108-9f881f22bdbf"

Step 2. Retrieve the default ACL rules

Before you add rules, retrieve the default inbound and outbound ACL rules so that you can insert new rules before them.

ibmcloud is network-acl-rules $webacl
ibmcloud is network-acl-rules $bkacl

The response shows the default inbound and outbound rules that allow all IPv4 traffic in all protocols.

Getting rules of network acl ba9e785a-3e10-418a-811c-56cfe5669676 under account Demo Account as user demouser...

inbound
ID                                     Name                                                          Action   IPv*   Protocol   Source      Destination   Created
0738-e2b30627-1a1d-447b-859f-ac9431986b6f   allow-all-inbound-rule-2d86bc3f-58e4-436a-8c1a-9b0a710556d6   allow    ipv4   all        0.0.0.0/0   0.0.0.0/0     2 months ago

outbound
ID                                     Name                                                         Action   IPv*   Protocol   Source      Destination   Created
0738-173a3492-0544-472e-91c0-7828cbcb62d4   allow-all-outbound-rule-2d86bc3f-58e4-436a-8c1a-9b0a710556d6   allow    ipv4   all        0.0.0.0/0   0.0.0.0/0     2 months ago

Save the IDs of both ACL rules as variables so you can use the values in later commands. For example, you can save the IDs in variables inrule and outrule:

inrule="0738-e2b30627-1a1d-447b-859f-ac9431986b6f"
outrule="0738-173a3492-0544-472e-91c0-7828cbcb62d4"

Step 3. Add new ACL rules as described

In this example, first add inbound rules and then add outbound rules.

Insert new inbound rules before the default inbound rule.

ibmcloud is network-acl-rule-add my_web_acl_rule200 $webacl deny inbound all 0.0.0.0/0 0.0.0.0/0 \
--before-rule-id $in-rule

At each step, save the ID of the ACL rule in a variable so the ID can be used in later commands. For example, you can use the variable acl200:

acl200="0738-90930627-1a1d-447b-859f-ac9431986b6f"

Now add the rule to acl200:

ibmcloud is network-acl-rule-add my_web_acl_rule100 $webacl allow inbound all 10.10.20.0/24 0.0.0.0/0 \
--before-rule-id $acl200

Add more rules until your ACL setup is complete, saving each ID as a variable.

acl100="0738-78340627-1a1d-447b-859f-ac9431986b6f"
ibmcloud is network-acl-rule-add my_web_acl_rule20 $webacl allow inbound tcp 0.0.0.0/0 0.0.0.0/0 \
--source-port-min 443 --source-port-max 443 --before-rule-id $acl100
acl20="32450627-1a1d-447b-859f-ac9431986b6f"
ibmcloud is network-acl-rule-add my_web_acl_rule10 $webacl allow inbound tcp 0.0.0.0/0 0.0.0.0/0 \
--source-port-max 80 --source-port-min 80 --before-rule-id $acl20

Insert new outbound rules before the default outbound rule.

ibmcloud is network-acl-rule-add my_web_acl_rule200e $webacl deny outbound all 0.0.0.0/0 0.0.0.0/0 \
--before-rule-id $outrule
acl200e="11110627-1a1d-447b-859f-ac9431986b6f"
ibmcloud is network-acl-rule-add my_web_acl_rule100e $webacl allow outbound all 0.0.0.0/0 10.10.20.0/24 \
--before-rule-id $acl200e
acl100e="22220627-1a1d-447b-859f-ac9431986b6f"
ibmcloud is network-acl-rule-add my_web_acl_rule20e $webacl allow outbound tcp 0.0.0.0/0 0.0.0.0/0 \
--source-port-max 443 --source-port-min 443 --before-rule-id $acl100e
acl20e="33330627-1a1d-447b-859f-ac9431986b6f"
ibmcloud is network-acl-rule-add my_web_acl_rule10e $webacl allow outbound tcp 0.0.0.0/0 0.0.0.0/0 \
--source-port-max 80 --source-port-min 80 --before-rule-id $acl20e

Step 4. Create the two subnets with the newly created ACL

Create two subnets so that each of your ACLs is associated with one of the new subnets.

ibmcloud is subnet-create my-web-subnet $vpc_id $zone --ipv4_cidr_block 10.10.10.0/24 \
 --network-acl-id $webacl
ibmcloud is subnet-create my-backend-subnet$vpc_id $zone --ipv4_cidr_block 10.10.20.0/24 \
--network-acl-id $bkacl

Command list cheat sheet

To show a complete list of the available VPC CLI commands for ACLs:

ibmcloud is network-acls

To see your ACL and its metadata, including rules:

ibmcloud is network-acl $webacl

To list all ACL rules:

ibmcloud is network-acl-rules $webacl

Example inbound ping rule

To add an ACL rule, here's an example command for adding a ping inbound rule before the default inbound rule:

Syntax:

ibmcloud is network-acl-rule-add ACL ACTION DIRECTION PROTOCOL SOURCE DESTINATION [--name NAME] [--icmp-type ICMP_TYPE] [--icmp-code ICMP_CODE] [--source-port-min PORT_MIN] [--source-port-max PORT_MAX] [--destination-port-min PORT_MIN] [--destination-port-max PORT_MAX] [--before-rule-id RULE_ID] [--output JSON] [-q, --quiet]

Example:

ibmcloud is network-acl-rule-add 72b27b5c-f4b0-48bb-b954-5becc7c1dcb3 allow inbound icmp 10.2.2.2 10.2.2.3 --icmp-type 8 --icmp-code 0