diff --git a/pages/vpc/how-to/use-network-acl.mdx b/pages/vpc/how-to/use-network-acl.mdx new file mode 100644 index 0000000000..ac6c14f5ca --- /dev/null +++ b/pages/vpc/how-to/use-network-acl.mdx 
@@ -0,0 +1,82 @@ +--- +title: How to use Network ACLs +description: This page explains how to use network access control lists (ACLs) to manage and secure traffic using routing rules for Scaleway Virtual Private Cloud. +tags: network acl access control list filter block secure traffic +dates: + validation: 2026-05-19 + posted: 2026-05-19 +--- + +import Requirements from '@macros/iam/requirements.mdx' + +A Network **A**ccess **C**ontrol **L**ist (ACL) is a list of stateless rules that allow you to control traffic between the different Private Networks of a VPC. By default, the list is empty, and traffic is therefore unrestricted. + +Read more about the features and behavior of Network ACLs in our [dedicated reference content](/vpc/reference-content/understanding-nacls/). + + + +- A Scaleway account logged into the [console](https://console.scaleway.com) +- [Owner](/iam/concepts/#owner) status or [IAM permissions](/iam/concepts/#permission) allowing you to perform actions in the intended Organization + +## How to create a rule + + +Network ACL rules can target either IPv4 or IPv6 traffic, and are evaluated separately. To apply the same rule to both IPv4 and IPv6 traffic, you must create two separate rules. + + +1. Click **VPC** in the **Network** section of the [Scaleway console](https://console.scaleway.com/organization) side menu. A listing of your VPCs displays. + +2. Use the **region selector** at the top of the page to filter for the region of the VPC you want to configure, then click its name in the listing. + +3. Click the **Network ACL** tab. A listing of the current rules displays. + +4. Click **Edit rules** to enter edit mode. + +5. Click **+ Add IPv4 rule** or **+ Add IPv6 rule** depending on the type of traffic you want to filter. A creation wizard displays. + +6. Fill in the following fields to define your rule: + - **Protocol**: Select the protocol the rule applies to (`All`, `TCP`, `UDP`, or `ICMP`). 
+ - **Source**: Enter the **IP address or range** (in CIDR notation) and the **Port or range** of the traffic source. Tick **All IPs** and/or **All ports** to match any value. + - **Destination**: Enter the **IP address or range** (in CIDR notation) and the **Port or range** of the traffic destination. Tick **All IPs** and/or **All ports** to match any value. + - **Action**: Select **Allow** to permit matching traffic, or **Deny** to block it. + - **Description** (optional): Enter a short description to help identify the rule. + - **Position in list**: Select **Add to top** or **Add to bottom** to set the rule's priority. Rules are evaluated from top to bottom, and the first matching rule applies. + - **Create inverse rule** (optional): Tick this box to automatically create a second rule with the source and destination swapped, to cover return traffic. + +7. Click **Add** to create the rule. The new rule displays in the listing. + +8. Click **Save changes** to apply your modifications. + +## How to manage rules + +1. Click **VPC** in the **Network** section of the [Scaleway console](https://console.scaleway.com/organization) side menu. A listing of your VPCs displays. + +2. Use the **region selector** at the top of the page to filter for the region of the VPC you want to configure, then click its name in the listing. + +3. Click the **Network ACL** tab. A listing of the current rules displays. + +4. Click **Edit rules** to enter edit mode. + +5. Use the up and down arrows to arrange the rules as necessary. Rules are evaluated from top to bottom, and the first matching rule applies. + +6. Click **Save changes** once finished. + +Modifications to rules and rule ordering take effect immediately. + + +Remember to apply the same rule to the other IP version if required. + + +## How to delete a rule + +1. Click **VPC** in the **Network** section of the [Scaleway console](https://console.scaleway.com/organization) side menu. A listing of your VPCs displays. + +2. 
Use the **region selector** at the top of the page to filter for the region of the VPC you want to configure, then click its name in the listing. + +3. Click the **Network ACL** tab. A listing of the current rules displays. + +4. Click **Edit rules** to enter edit mode. + +5. Click the icon next to the rule you want to delete. + +6. Click **Save changes** to confirm. \ No newline at end of file diff --git a/pages/vpc/menu.ts b/pages/vpc/menu.ts index fe1ffd56fe..6a3c7d17c2 100644 --- a/pages/vpc/menu.ts +++ b/pages/vpc/menu.ts @@ -38,6 +38,10 @@ export const vpcMenu = { label: 'Manage routing on a VPC', slug: 'manage-routing', }, + { + label: 'Use Network ACLs', + slug: 'use-network-acl', + }, { label: 'Delete a Private Network', slug: 'delete-private-network', diff --git a/pages/vpc/reference-content/understanding-nacls.mdx b/pages/vpc/reference-content/understanding-nacls.mdx index 08aa2383e4..46715ff3b7 100644 --- a/pages/vpc/reference-content/understanding-nacls.mdx +++ b/pages/vpc/reference-content/understanding-nacls.mdx @@ -1,7 +1,7 @@ --- title: Understanding Network ACLs -description: Learn how to Network Access Control Lists (NACL) to filter inbound and outbound traffic between the different Private Networks of your VPC. Understand concepts, best practices, and key use cases. -tags: vpc nacl network-access-control-list default-rule stateless inbound outbound port +description: Learn how to use Network Access Control Lists (network ACL) to filter inbound and outbound traffic between the different Private Networks of your VPC. Understand concepts, best practices, and key use cases. +tags: vpc nacl network access control list default rule stateless inbound outbound port dates: validation: 2025-06-09 posted: 2025-03-26 
@@ -10,46 +10,41 @@ import image from './assets/scaleway-nacl-diag-simple.webp' import image2 from './assets/scaleway-nacl-diag-detail.webp' import image3 from './assets/scaleway-nacl-example.webp' +Every VPC has a network **A**ccess **C**ontrol **L**ist (network ACL). This list is composed of stateless rules to control the flow of traffic between the Private Networks of the VPC. By default, the list contains no rules, and therefore traffic is allowed to flow without restriction. You can add rules to restrict traffic flow according to your requirements. - -NACLs are currently in Public Beta, and configurable only via the [VPC API](https://www.scaleway.com/en/developers/api/vpc/) and developer tools. This feature will be coming soon to the Scaleway console. - - -Every VPC has a Network **A**ccess **C**ontrol **L**ist (NACL). This list is composed of stateless rules to control the flow of traffic between the Private Networks of the VPC. By default, at first, the list contains no rules, and therefore traffic is allowed to flow unrestrictedly. You can add rules to restrict traffic flow according to your requirements. - -This document sets out general information and best practices about Scaleway VPC NACLs. +This document sets out general information and best practices about Scaleway VPC Network ACLs. To learn how to use Network ACLs, refer to the [dedicated how-to page](/vpc/how-to/use-network-acl/). ## Network ACL overview Every Scaleway VPC has a Network ACL. In its initial state, it contains no rules. Thanks to [managed routing](/vpc/reference-content/understanding-routing/), which automatically routes traffic between Private Networks, traffic is freely routed between the Private Networks of the VPC. -When you start adding rules to your NACL, traffic flow is restricted between certain sources and destinations within the VPC, according to the rules you set. 
A default rule is added to the NACL, which dictates the action to take on traffic that does not match any rules in the list: it can either be **allowed** or **denied**. +When you start adding rules to your network ACL, traffic flow is restricted between certain sources and destinations within the VPC, according to the rules you set. A default rule is added to the network ACL, which dictates the action to take on traffic that does not match any rules in the list: it can either be **allowed** or **denied**. - + -NACL rules are stateless, meaning that the state of connections is not tracked, and return traffic is not automatically allowed just because the outbound request was allowed. Explicit rules are required for each direction of traffic. - -NACLs only control traffic as it enters or exits the Private Network(s) of a VPC. They do not: +Network ACLs only control traffic as it enters or exits the Private Network(s) of a VPC. They do not: - Filter traffic between resources attached to the same Private Network - Filter traffic from/to the public internet (for this, use [security groups](/instances/how-to/use-security-groups/) for Instances, or equivalent features for [other resource types](/ipam/reference-content/)). -The diagram below shows how a NACL allows an Instance on Private Network A to send a packet to an Instance on Private Network B. +The diagram below shows how a network ACL allows an Instance on Private Network A to send a packet to an Instance on Private Network B. However, an Instance on Private Network B is blocked from sending a packet to an Instance on Private Network A, because no specific rules allow it to do so, and the default rule is set to `Deny`. - + + +## Network ACL rule configuration -## NACL rule configuration +When defining a network ACL rule, you must enter the following settings: -When defining a NACL rule, you must enter the following settings: +- **IP version**: Either IPv4 or IPv6. 
The rule applies only to traffic matching this IP version, meaning that in effect, each VPC has two network ACLs: one for IPv4 and one for IPv6. If you want to create an equivalent rule for the other IP version, you must do so separately. -- **IP version**: Either IPv4 or IPv6. The rule will apply only to traffic matching this IP version, meaning that in effect, each VPC has two NACLs: one for IPv4 and one for IPv6. If you want to create an equivalent rule for the other IP version, you must do so separately. +- **Protocol**: Either `TCP`, `UDP`, or `ICMP`. The rule applies only to traffic matching this protocol. Alternatively, you can choose to apply it to traffic matching any protocol. -- **Protocol**: Either `TCP`, `UDP`, or `ICMP`. The rule will apply only to traffic matching this protocol. Alternatively, you can choose to apply it to traffic matching any protocol. +- **Source** and **destination**: The rule applies to traffic originating from this source and being sent to this destination. For both, enter an IP range in [CIDR format](/vpc/concepts/#cidr-block), and a port or port range. Alternatively, you can opt for the rule to apply to all IPs and/or all ports. -- **Source** and **destination**: The rule will apply to traffic originating from this source and being sent to this destination. For both, enter an IP range in [CIDR format](/vpc/concepts/#cidr-block), and a port or port range. Alternatively, you can opt for the rule to apply to all IPs and/or all ports. +- **Action**: The network ACL either **allows** (accepts) or **denies** (drops) traffic that matches the rule. -- **Action**: The NACL will either **Allow** (accept) or **Deny** (drop) traffic that matches the rule. +- **Position in list**: You can choose to add your rule to the **top**, or to the **bottom** of the list. Rules are evaluated from top to bottom, and can be rearranged. ## Rule priority and application 
@@ -57,35 +52,35 @@ The Network Access Control List should be read from top to bottom. Rules closer ## Statelessness -**NACL rules are stateless**. This means the state of connections is not tracked, and inbound and outbound traffic is filtered separately. Return traffic is not automatically allowed just because the outbound request was allowed. Explicit rules are required for each direction of traffic. +**Network ACL rules are stateless**. This means the state of connections is not tracked, and inbound and outbound traffic is filtered separately. Return traffic is not automatically allowed just because the outbound request was allowed. Explicit rules are required for each direction of traffic. Therefore, if you create a rule to allow traffic in one direction, you may also need a separate rule to allow the response in the opposite direction. ## Default rule -Each NACL must have a default rule, which applies its action to all traffic that did not match any other rules in the list. +Each network ACL must have a default rule, which applies its action to all traffic that did not match any other rules in the list. Best practice is to set your default rule to **Deny**, and use the **Allow** action for all other rules. This way, you have fine-grained control over the traffic allowed to flow, and all other traffic is blocked by default. -Nonetheless, you can choose to set your default rule to **Allow** if you wish. In this case, all other rules in the list should use the **Deny** action, to filter out the specific traffic you want to block. All other traffic will be permitted by the default rule. +Nonetheless, you can choose to set your default rule to **Allow** if you wish. In this case, all other rules in the list should use the **Deny** action, to filter out the specific traffic you want to block. All other traffic is permitted by the default rule. 
-## NACL example +## Network ACL example -The table below shows an example of a NACL for IPv4 traffic: +The table below shows an example of a network ACL for IPv4 traffic: - + - A number of TCP rules allow connections to the specific ports necessary for SSH, HTTP, and HTTPS traffic. These rules allow all IPv4 sources within the VPC to connect to these ports, for all IPv4 destinations. - An ICMP rule allows all ICMP traffic from/to all IPv4 addresses on all ports, effectively permitting all ping requests within the VPC to function. -- A TCP rule allows PostgreSQL access on port 5432 from one Private Network (172.16.2.0.5/22) to another Private Network (172.16.8.0/22). An **inverse rule** also allows PostgreSQL access from Private Network B to A. +- A TCP rule allows PostgreSQL access on port 5432 from one Private Network (172.16.20.5/22) to another Private Network (172.16.8.0/22). An **inverse rule** also allows PostgreSQL access from Private Network B to A. - A TCP rule allows connections from all IPv4 sources to all IPv4 destinations on the port range `32768-65535`, effectively allowing all return (incoming) traffic towards ephemeral ports. - The default rule blocks all traffic not explicitly allowed by one of the rules above. -## NACL limitations +## Network ACL limitations Network ACLs cannot be used to block or filter the traffic to or from the following: 
@@ -95,13 +90,13 @@ Network ACLs cannot be used to block or filter the traffic to or from the follow - Kubernetes Kapsule task metadata endpoints - License activation for Windows installation on Elastic Metal or Instances -NACLs have the same resource limitations as [VPC routing](/vpc/reference-content/understanding-routing/#limitations). +Network ACLs have the same resource limitations as [VPC routing](/vpc/reference-content/understanding-routing/#limitations). -NACLs are currently available only via the Scaleway API and developer tools. They are not yet available in the Scaleway console. +Network ACLs are currently available only via the Scaleway API and developer tools. They are not yet available in the Scaleway console. -## NACL quotas +## Network ACL quotas -NACL quotas are as follows: +Network ACL quotas are as follows: - A maximum of 255 rules for IPv4 (per VPC) - A maximum of 255 rules for IPv6 (per VPC)
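Review bot: In the new file `pages/vpc/how-to/use-network-acl.mdx` (hunk `@@ -0,0 +1,82 @@`), the "Create inverse rule" bullet in step 6 says the swapped rule is there "to cover return traffic", but swapping source and destination also swaps the ports, so the inverse rule matches a new connection initiated from the other side on the same service port, not the reply packets, which travel from the service port back to the client's ephemeral port. The reference page's own example makes this distinction: the PostgreSQL inverse rule allows access "from Private Network B to A", and return traffic is handled by a separate allow on `32768-65535`. Suggest rewording the bullet to "to allow the same traffic in the opposite direction" and, given the stateless note at the top of the page, pointing the reader to an explicit ephemeral-port rule for replies. Two smaller checks on the same hunk: `Requirements` is imported but no `<Requirements />` usage is visible in the hunk text, and step 5 of "How to delete a rule" says "Click the icon" without naming the icon.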
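Review bot: In the `understanding-nacls.mdx` frontmatter hunk (`@@ -1,7 +1,7 @@`) the `validation` date stays at `2025-06-09` even though the body of the page changes in this PR and the new how-to is dated `2026-05-19`; suggest bumping `validation` so the two pages are consistent.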
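Review bot: In the `@@ -10,46 +10,41 @@` hunk of `understanding-nacls.mdx`, the new **Protocol** bullet lists only `TCP`, `UDP`, or `ICMP` and mentions "any protocol" as an alternative in prose, while the how-to added in the same PR presents `All` as a fourth selectable value; suggest listing `All` here too so the two pages describe the same set of options.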
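Review bot: In the `@@ -57,35 +52,35 @@` hunk the corrected PostgreSQL example uses `172.16.20.5/22`, which is a host address with a /22 mask rather than a network address, while the other side of the rule is written as a proper network (`172.16.8.0/22`); if the intent is a whole Private Network, `172.16.20.0/22` would be consistent, and if the intent is a single host the prefix should be /32. The same bullet then refers to "Private Network B to A" without having named either range A or B, so suggest labelling the two ranges when they are introduced.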
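Review bot: In the `@@ -95,13 +90,13 @@` hunk the sentence "Network ACLs are currently available only via the Scaleway API and developer tools. They are not yet available in the Scaleway console." is only renamed, but this PR removes the Public Beta banner in the earlier hunk and adds a how-to page that configures Network ACLs from the console, so the retained sentence now contradicts the rest of the change; suggest deleting it or rewording it to say the feature is available in both the console and the API.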