Edition Default Quota
Current Access Control rules include the following types: Internet Border Rule, NAT Border Rule, VPC Border Rule, Enterprise Security Group (new). Each purchased edition comes with the default quotas shown in the table below:
| Edition | Internet Border Rule | NAT Border Rule | VPC Border Rule | Enterprise Security Group |
| --- | --- | --- | --- | --- |
| Premium Edition | 1,000 entries | 1,000 entries | - | 100 entries |
| Enterprise Edition | 2,000 entries | 2,000 entries | 2,000 entries | 1,000 entries |
| Ultimate Edition | 5,000 entries | 5,000 entries | 5,000 entries | 2,000 entries |
Occupied Quota Statistics Method
Access Control rule quotas are allocated per firewall type as a whole, regardless of region or direction.
Each rule in the list consumes 1 entry of quota. The occupied quota is the total number of rules added under the corresponding firewall type.
Note:
For example, you have 4 entries for NAT Border Rule (Guangzhou) Inbound Rule, 3 entries for NAT Border Rule (Guangzhou) Outbound Rule, 2 entries for NAT Border Rule (Shanghai) Inbound Rule, and 1 entry for NAT Border Rule (Shanghai) Outbound Rule; then the NAT Border Rule quota occupancy is 4+3+2+1=10 entries.
Rules Description
For NAT Firewall and VPC Firewall, each configured ACL is split into multiple rules at the minimum granularity before being distributed to the engine. Therefore, the rule count reported by the engine is the distributed rule count, not the list rule count. The supported distributed rule count for each instance is listed in Instance Specification. The rule expansion formula is as follows:
Number of distributed rules = number of source addresses × number of destination addresses × number of ports × number of protocols.
Note:
For source and destination addresses, each IP address, CIDR, IP address range, and domain/subdomain is counted as one minimal expansion unit.
For ports, each single port, contiguous port range, and all ports are counted as one minimal expansion unit.
For protocols, each individual protocol except for ANY is counted as one minimal expansion unit.
When both the access source and destination are IPs, the Layer 4 ANY protocol is treated as one minimal expansion unit.
When the access destination is a domain, the Layer 7 ANY protocol is treated as 6 minimal expansion units.
For example: the access source 0.0.0.0/0 is one CIDR, the access destination is a domain address template containing 2 domains, the destination ports are 80 and 443/446 (one single port and one port range), and the protocol is Layer 7 ANY; therefore, the number of distributed rules = 1 × 2 × 2 × 6 = 24 entries.
Distributed Rule Count Limitation
When the engine reaches the maximum distributed rule count, no additional ACL rules can be configured, so plan rules accordingly. The distributed rule count limits for each firewall are as follows:
Internet boundary bypass firewall: A single tenant supports a maximum of 10,000 distributed rules. This limit cannot be extended. Please optimize rules appropriately.
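The expansion formula and the unit-counting notes above, together with the 10,000-rule engine limit, as an added example (not Tencent Cloud Firewall's own code): it estimates how many engine-level rules a list of ACL entries expands into and whether they fit the limit. The `AclRule` structure, the domain names and the `ENGINE_LIMIT` default are assumptions for illustration; the limit value is the one stated on this page.

```python
from dataclasses import dataclass, field
from typing import List

# Constants taken from the page: Layer 7 ANY against a domain destination
# counts as 6 minimal expansion units; Layer 4 ANY between IPs counts as 1.
L7_ANY_UNITS = 6
L4_ANY_UNITS = 1
ENGINE_LIMIT = 10000  # internet boundary bypass firewall limit per tenant

@dataclass
class AclRule:
    """One ACL list entry (hypothetical structure, not the product's API)."""
    sources: List[str]        # each IP, CIDR, IP range or domain is one unit
    destinations: List[str]   # same counting rule; a domain template lists its domains
    ports: List[str]          # each single port, port range, or "ANY" (all ports) is one unit
    protocols: List[str]      # e.g. ["TCP", "UDP"] or ["ANY"]
    destination_is_domain: bool = False

def protocol_units(rule: AclRule) -> int:
    """Count protocol units: named protocols are 1 each; ANY depends on the destination type."""
    units = 0
    for proto in rule.protocols:
        if proto.upper() == "ANY":
            units += L7_ANY_UNITS if rule.destination_is_domain else L4_ANY_UNITS
        else:
            units += 1
    return units

def distributed_rules(rule: AclRule) -> int:
    """Apply the page's formula: sources x destinations x ports x protocols."""
    return len(rule.sources) * len(rule.destinations) * len(rule.ports) * protocol_units(rule)

def total_distributed(rules: List[AclRule]) -> int:
    return sum(distributed_rules(r) for r in rules)

def fits_engine_limit(rules: List[AclRule], limit: int = ENGINE_LIMIT) -> bool:
    """True if the expanded rule set still fits within the engine's distributed rule limit."""
    return total_distributed(rules) <= limit

# Constructed sample: the page's worked example (1 CIDR, 2 domains, 2 port units, L7 ANY).
PAGE_EXAMPLE = AclRule(
    sources=["0.0.0.0/0"],
    destinations=["domain-a.example", "domain-b.example"],  # placeholder domain names
    ports=["80", "443-446"],
    protocols=["ANY"],
    destination_is_domain=True,
)

if __name__ == "__main__":
    print(distributed_rules(PAGE_EXAMPLE))  # 24
```

Run the estimate before submitting a large address template: a single ACL line with many sources, destinations and ports can consume far more engine quota than its one list entry suggests.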