tencent cloud

Tencent Cloud Firewall

Rule List Quota Description

Download
포커스 모드
폰트 크기
마지막 업데이트 시간: 2026-07-08 16:53:18

Edition Default Quota

Current Access Control rules include the following types: Internet Border Rule, NAT Border Rule, VPC Border Rule, and Enterprise Security Group. Based on the purchased edition, the default quotas for different editions are shown in the following table:
Edition
Internet Boundary Rule
NAT Boundary Rule
VPC Border Rule
Enterprise Security Group
Premium Edition
1,000 entries
1,000 entries
-
100 entries
Enterprise Edition
2,000 entries
2,000 entries
2,000 entries
1,000 entries
Ultimate Edition
5,000 entries
5,000 entries
5,000 entries
2,000 entries

Occupied Quota Statistics Method

Access Control rule quotas are allocated holistically by firewall type, without distinction for region or direction.
Each rule in the list occupies a quota of 1. The number of occupied specifications refers to the cumulative sum of all added rules under your corresponding firewall type. For example, if there are 4 inbound and 3 outbound NAT Border Rules in the Guangzhou region, and 2 inbound and 1 outbound NAT Border Rules in the Shanghai region, then the quota occupied by NAT Border Rules is 4+3+2+1=10.

Rules Description

For rules distributed to the firewall, the configured ACL is split into multiple rules at the minimum granularity and distributed to the engine. Therefore, the rule count reported by the engine is not the list rule count, but the distributed rule count. For specifications related to the distributed rule count, refer to Distributed Rule Count Limit.
The rule expansion formula is as follows:
Number of distributed rules = number of source addresses × number of destination addresses × number of ports × number of protocols.
Note:
For source and destination addresses, each IP address, CIDR, IP address range, and domain/subdomain is counted as one minimal expansion unit.
For ports, each single port, contiguous port range, and all ports are counted as one minimal expansion unit.
For protocols, each individual protocol except for ANY is counted as one minimal expansion unit.
When both the access source and destination are IPs, the Layer 4 ANY protocol is treated as one minimal expansion unit.
When the access destination is a domain, the Layer 7 ANY protocol is treated as 6 minimal expansion units.
For example: The access source 0.0.0.0/0 is one CIDR, the access destination is a domain address template containing 2 domains, the destination ports 80 and 443/446 consist of one single port and one port range, and the protocol is the Layer 7 ANY protocol. Therefore, the number of distributed rules is 1*2*2*6=24.


Distributed Rule Count Limitation

When the engine reaches the maximum distributed rule quantity limit, you cannot configure additional ACL rules. Please manage your rules appropriately. The firewall distributed rule quantity limits are as follows:
NAT Firewall: Related to instance specifications, the number of distributed rules limit can be extended by upgrading instance specifications. See NAT Border Firewall Instance Specification.
Inter-VPC boundary firewall: Related to instance specifications, the number of distributed rules limit can be extended by upgrading instance specifications. See VPC Border Firewall Instance Specification.


도움말 및 지원

문제 해결에 도움이 되었나요?

피드백