network acl concepts CLOUDSTACK-2806

docs/en-US/configure-acl.xml

@@ -25,6 +25,53 @@
     default, all incoming and outgoing traffic to the guest networks is blocked. To open the ports,
     you must create a new network ACL. The network ACLs can be created for the tiers only if the
     NetworkACL service is supported.</para>
+  <section id="network-acl">
+    <title>About Network ACL Lists</title>
+    <para>In &PRODUCT; terminology, Network ACL is a group of Network ACL items. Network ACL items
+      are nothing but numbered rules that are evaluated in order, starting with the lowest numbered
+      rule. These rules determine whether traffic is allowed in or out of any tier associated with
+      the network ACL. You need to add the Network ACL items to the Network ACL, then associate the
+      Network ACL with a tier. Network ACL is associated with a VPC and can be assigned to multiple
+      VPC tiers within a VPC. A Tier is associated with a Network ACL at all the times. Each tier
+      can be associated with only one ACL.</para>
+    <para>The default Network ACL is used when no ACL is associated. Default behavior is all the
+      incoming and outgoing traffic is blocked to the tiers. Default network ACL cannot be removed
+      or modified. Contents of the default Network ACL is:</para>
+    <informaltable>
+      <tgroup cols="5" align="left" colsep="1" rowsep="1">
+        <colspec colnum="1" colname="c1" colwidth="31.5pt"/>
+        <colspec colnum="2" colname="c2" colwidth="58.5pt"/>
+        <colspec colnum="3" colname="c3" colwidth="66.0pt"/>
+        <colspec colnum="4" colname="c4" colwidth="48.0pt"/>
+        <colspec colnum="5" colname="c5" colwidth="58.5pt"/>
+        <thead>
+          <row>
+            <entry><para>Rule</para></entry>
+            <entry><para>Protocol</para></entry>
+            <entry><para>Traffic type</para></entry>
+            <entry><para>Action</para></entry>
+            <entry><para>CIDR</para></entry>
+          </row>
+        </thead>
+        <tbody>
+          <row>
+            <entry><para>1</para></entry>
+            <entry><para>All</para></entry>
+            <entry><para>Ingress</para></entry>
+            <entry><para>Deny</para></entry>
+            <entry><para>0.0.0.0/0</para></entry>
+          </row>
+          <row>
+            <entry><para>2</para></entry>
+            <entry><para>All</para></entry>
+            <entry><para>Egress</para></entry>
+            <entry><para>Deny</para></entry>
+            <entry><para>0.0.0.0/0</para></entry>
+          </row>
+        </tbody>
+      </tgroup>
+    </informaltable>
+  </section>
   <section id="acl-list">
     <title>Creating ACL Lists</title>
     <orderedlist>
@@ -122,6 +169,10 @@
         <para>To add an ACL rule, fill in the following fields to specify what kind of network
           traffic is allowed in the VPC. </para>
         <itemizedlist>
+          <listitem>
+            <para><emphasis role="bold">Rule Number</emphasis>: The order in which the rules are
+              evaluated.</para>
+          </listitem>
           <listitem>
             <para><emphasis role="bold">CIDR</emphasis>: The CIDR acts as the Source CIDR for the
               Ingress rules, and Destination CIDR for the Egress rules. To accept traffic only from
@@ -129,6 +180,10 @@
               comma-separated list of CIDRs. The CIDR is the base IP address of the incoming
               traffic. For example, 192.168.0.0/22. To allow all CIDRs, set to 0.0.0.0/0.</para>
           </listitem>
+          <listitem>
+            <para><emphasis role="bold">Action</emphasis>: What action to be taken. Allow traffic or
+              block.</para>
+          </listitem>
           <listitem>
             <para><emphasis role="bold">Protocol</emphasis>: The networking protocol that sources
               use to send traffic to the tier. The TCP and UDP protocols are typically used for data
@@ -154,7 +209,8 @@
               sent.</para>
           </listitem>
           <listitem>
-            <para><emphasis role="bold">Action</emphasis>: What action to be taken. </para>
+            <para><emphasis role="bold">Traffic Type</emphasis>: The type of traffic: Incoming or
+              outgoing.</para>
           </listitem>
         </itemizedlist>
       </listitem>
@@ -181,7 +237,9 @@
         <para>Create a tier in the VPC.</para>
         <para>Select the desired ACL list while creating a tier.</para>
       </listitem>
-      <listitem><para>Click OK.</para></listitem>
+      <listitem>
+        <para>Click OK.</para>
+      </listitem>
     </orderedlist>
   </section>
   <section id="assign-acl-tier">
@@ -205,17 +263,23 @@
       <listitem>
         <para>Select the tier for which you want to assign the custom ACL.</para>
       </listitem>
-      <listitem><para>Click the Replace ACL List icon.<inlinemediaobject>
-        <imageobject>
-          <imagedata fileref="./images/replace-acl-icon.png"/>
-        </imageobject>
-        <textobject>
+      <listitem>
+        <para>Click the Replace ACL List icon.<inlinemediaobject>
+            <imageobject>
+              <imagedata fileref="./images/replace-acl-icon.png"/>
+            </imageobject>
+            <textobject>
               <phrase>replace-acl-icon.png: button to replace an ACL list</phrase>
             </textobject>
-      </inlinemediaobject></para>
-      <para>The Replace ACL List dialog is displayed.</para></listitem>
-      <listitem><para>Select the desired ACL list.</para></listitem>
-      <listitem><para>Click OK.</para></listitem>
+          </inlinemediaobject></para>
+        <para>The Replace ACL List dialog is displayed.</para>
+      </listitem>
+      <listitem>
+        <para>Select the desired ACL list.</para>
+      </listitem>
+      <listitem>
+        <para>Click OK.</para>
+      </listitem>
     </orderedlist>
   </section>
 </section>