feat(vpc): started nacl doc

Author: RoRoJ

pages/vpc/concepts.mdx

@@ -64,7 +64,7 @@ When an IPv6-compatible resource is attached to a Private Network, it has a priv
 
 ## Network ACL
 
-A VPC's Network **A**ccess **C**ontrol **L**ist is composed of stateless rules to control the flow of traffic between Private Networks. By default, the list contains no rules and therefore traffic is allowed to flow unrestrictedly between the VPC's Private Networks. [Add rules](TODO) to the list to start creating restrictions.
+A VPC's Network **A**ccess **C**ontrol **L**ist is composed of stateless rules to control the flow of traffic between Private Networks. By default, the list contains no rules and therefore traffic is allowed to flow unrestrictedly between the VPC's Private Networks. [Add rules](/vpc/how-to/manage-nacl/) to the list to start creating restrictions.
 
 ## Private IP address
 

pages/vpc/how-to/assets/scaleway-nacl-add-rule.webp

@@ -25,31 +25,47 @@ You cannot use NACLs to restrict traffic flow over resources' public network int
 
 2. Click the VPC whose NACL you want to view. The VPC's **Overview** page displays.
 
-        TODO SCREENSHOT WITH Network ACL tab highlighted.
+    <Lightbox src="scaleway-vpc-overview-nacl-highlight.webp" alt="A screenshot of the VPC Overview page in the Scaleway console highlights the Network ACL tab" />
 
 3. Click on the **Network ACL** tab.
 
     - If the list is empty, then no rules have been set and there is currently no restriction on traffic flow within the VPC:
 
-    TODO SCREENSHOT
+    <Lightbox src="scaleway-nacl-empty.webp" alt="A screenshot of the NACL tab in the Scaleway console shows the list has no rules." />
 
-    - If you have already added rules to the list, then traffic flow is controlled according to the restrictions they set:
+    - If you have already added rules to the list, then traffic flow is controlled according to the rules' restrictions:
 
-    TODO SCREENSHOT
+    <Lightbox src="scaleway-nacl-list.webp" alt="A screenshot of the NACL tab in the Scaleway console shows three rules: two with a DENY action, and then the final default rule for ALLOW." />
 
-## How to read and interpet a VPC's NACL
-
-TODO SCREENSHOT
+## How to read and interpret a NACL
 
 The following guidance applies when reading a VPC's NACL.
 
-- **IPv4 and IPv6 traffic is filtered separately**. In effect, each VPC therefore has two distinct NACLs: one for IPv4 and one for IPv6. Use the toggle to switch between these lists. You must manage and create rules for each list separately.
+### IPv4 and IPv6 
+
+<Lightbox src="scaleway-nacl-list-ip.webp" alt="A screenshot of the NACL tab in the Scaleway console highlights the IPv4-IPv6 toggle" />
+
+IPv4 and IPv6 traffic is filtered separately. Each VPC has two distinct NACLs: one for IPv4 and one for IPv6. Use the toggle to switch between these lists. You must manage and create rules for each list separately.
+
+### Rule priority and application 
+
+<Lightbox src="scaleway-nacl-list-prio.webp" alt="A screenshot of the NACL tab in the Scaleway console indicates that the topmost rule in the list has the highest priority" />
+
+**Read the list from from top to bottom**. Rules closer to the top of the list are applied first. If traffic matches an NACL rule for an **Allow** or **Deny** action, the action is applied immediately. That traffic is not then subject to any further filtering or any further actions by any rules that follow. 
+
+### Statelessness
+
+**NACL rules are stateless**. This means the state of connections is not tracked, and inbound and outbound traffic is filtered separately. Return traffic is not automatically allowed, just because the outbound request was allowed. Explicit rules are required for each direction of traffic.
+
+This means that if you create a rule to allow traffic in one direction, you may also need a separate rule to allow the response in the opposite direction. There is a functionality to auto-generate matching inverse rules for this purpose when creating a new rule.
+
+### NACL default rule
 
-- **Read the list from from top to bottom**. Rules closer to the top of the list are applied first. If traffic matches an NACL rule for an **Allow** or **Deny** action, the action is applied immediately. The traffic is not subject to any further filtering or any further actions by any rules that follow. 
+<Lightbox src="scaleway-nacl-list-default.webp" alt="A screenshot of the NACL tab in the Scaleway console highlights the default rule at the bottom of the list" />
 
-- **NACL rules are stateless**. This means the state of connections is not tracked and inbound and outbound traffic is filtered separately. Explicit rules are therefore required for each direction of traffic.
+**A default rule is auto-generated at the end of the list** This rule is generated at the moment you first start to edit your NACL. It carries out its action on all traffic that did not match any other rule in the list.
 
-- **A default DENY rule is auto-generated at the end of the list** This rule is generated at the moment you first start to edit your NACL. It denies all traffic flow that is not explicitly permitted by the rules above. You can modify or delete this rule if you wish, but if you do then any traffic not explicitly denied by your NACL rules will be allowed to pass.
+If you wish, you can modify the default rule to change its action from `DENY` to `ALLOW` (as in the screenshot above). In this case, it allows all traffic that did not match any other rule in the list, to pass.
 
 ## How to add rules to a NACL
 
@@ -59,9 +75,79 @@ The following guidance applies when reading a VPC's NACL.
 
 3. If you are creating your first NACL rule, click **Add rule**, otherwise to add a rule to an existing list, click **Edit rules**.
 
-    The NACL list moves into edit mode.
+    The NACL moves into edit mode.
+
+4. Click **Add rule**. A pop-up displays:
+
+    <Lightbox src="scaleway-nacl-add-rule.webp" alt="A screenshot of the Scaleway console shows the 'Add rule' dialog, which is explained in the steps below" />
+
+5. Define the rule to add:
+
+    - Select **IPv4** or **IPv6**. Rules for each protocol type must be defined separately (see [above](#how-to-read-and-interpret-a-vpcs-nacl)).
+
+    - Select a **protocol** from the drop-down this. Options are `TCP`, `UDP` or `ICMP`. The rule will apply only to traffic matching this protocol. Select `All` if you want it to apply to traffic matching any protocol.
+
+    - Define a traffic **source** and **destination**. The rule will apply to traffic originating from this source and being sent to this destination. For both, enter an IP range range in [CIDR format](/vpc/concepts/#cidr-block), and a port or port range. Select **All IPs** and/or **All ports** if you want the rule to apply to traffic to/from any IP or port.
+    
+        <Message type="tip">
+        - You **can** use a dash to define a range of ports: `80-100` ✅
+        - You **can** enter a single port: `80` ✅
+        - You **cannot** enter multiple distinct ports separated by commas: `80, 84, 99, 100` ❌
+        - If entering a single IPv4 address, use the `/32` prefix, e.g. `172.16.20.15/32`
+        - All sources and destinations should be within the Private Networks of the VPC. NACL rules cannot be used to filter traffic to or from a public IP destination.
+        </Message>
+      
+    - Select the **action** to take for traffic that matches this rule. Select **Allow** to permit traffic to proceed to its destination, or **Deny** to block traffic from the destination.
+
+    - Enter an optional **description** for the rule.
+
+    - Choose where to insert this rule into the existing NACL: **add to top** or **add to bottom**. Rules at the top take higher priority and are applied first. You will be able to adjust the position of the rule in the list later.
+
+    - Choose whether to **create an inverse rule**. If you tick this box, a matching rule for reverse traffic is auto-created and added to the NACL, where the source and destination are inversed.
+
+6. Click **Add** when you've finished creating your rule.
+
+    You are returned to the edit-mode list of your NACL, where the new rule now displays.
+
+7. Click **Save changes** to finalize rule creation. Alternatively, you can continue to add more rules or edit the list. In this case, make all necessary edits and then click **Save changes** when you are done.
+
+## How to edit a NACL
+
+You can edit a NACL at any time, to make the following types of modification:
+
+- Add rules
+- Delete rules (except the [default rule](#nacl-default-rule))
+- Modify existing rules
+- Change the order of rules in the list (except the [default rule](#nacl-default-rule))
+
+1. Click **VPC** in the **Network** section of the [Scaleway console](https://console.scaleway.com/) side menu. The list of your VPCs displays.
+
+2. Click the VPC whose NACL you want to edit, then click the **Network ACL** tab.
+
+3. Click **Edit rules**. The NACL moves into edit mode.
+
+4. Carry out your required action as follows:
+    - Click **+ Add rule** to add a new rule, and follow the steps [above](#how-to-add-rules-to-a-nacl).
+    - Click the delete icon <Icon name="delete" /> to delete a rule.
+    - Click the edit icon <Icon name="edit" /> to edit a rule. Make your edits, then click **Confirm**.
+    - Use the arrow buttons to [change the order](##rule-priority-and-application) of rules in the list.
+
+    <Message type="tip">
+    
+    After deleting a rule, but before saving your changes (step 5) you can use the **Restore rule** button to undo the deletion.
+    <Lightbox src="scaleway-nacl-restore.webp" alt="A screenshot from the Scaleway console shows the restore rule icon" />
+
+    </Message>
+
+5. Click **Save changes** to finalize the changes you have made.
+  
+
+
+
+
+
 
-4. Click **Add rule**
+