feat(vpc): started nacl doc

RoRoJ · RoRoJ · commit 408b7d3c2d83 · 2025-02-05T18:01:18.000+01:00
diff --git a/pages/vpc/concepts.mdx b/pages/vpc/concepts.mdx
@@ -62,6 +62,10 @@ Internet Protocol Version 6 is the most recent version of the IP protocol used f
 
 When an IPv6-compatible resource is attached to a Private Network, it has a private IPv6 address on that network. Scaleway Private Networks' [DHCP](#dhcp) functionality assigns this private IPv6 address when the resource joins the network. Alternatively you can reserve and attach an IP address of your choice with [IPAM](/ipam/how-to/reserve-ip/).
 
+## Network ACL
+
+A VPC's Network **A**ccess **C**ontrol **L**ist is composed of stateless rules to control the flow of traffic between Private Networks. By default, the list contains no rules and therefore traffic is allowed to flow unrestrictedly between the VPC's Private Networks. [Add rules](TODO) to the list to start creating restrictions.
+
 ## Private IP address
 
 A [private IP address](/vpc/how-to/attach-resources-to-pn/#how-to-view-the-resources-ip-address) identifies a resource on a Private Network. When you attach a resource (e.g. an Instance) to the network, you can either [use a reserved IP address](/ipam/how-to/reserve-ip/), or let [DHCP](#dhcp) assign one IPv4 and (if the resource is IPv6-compatible) one IPv6 address from the designated [CIDR blocks](#cidr-block) to that resource.
diff --git a/pages/vpc/how-to/manage-nacl.mdx b/pages/vpc/how-to/manage-nacl.mdx
@@ -0,0 +1,67 @@
+---
+meta:
+  title: How to manage Network ACLs
+  description: Learn how to configure and manage Network Access Control Lists (NACLs) for your Scaleway VPC, to control traffic flow between Private Networks with customizable rules.
+content:
+  h1: How to manage Network ACLs
+  paragraph: Learn how to configure and manage Network Access Control Lists (NACLs) for your Scaleway VPC, to control traffic flow between Private Networks with customizable rules.
+tags: private-network vpc routing route-table routes default-route local-route subnet
+dates:
+  validation: 2025-02-05
+  posted: 2025-02-05
+categories:
+  - network
+---
+
+Every VPC has a Network **A**ccess **C**ontrol **L**ist (NACL). This list is composed of stateless rules to control the flow of traffic between the Private Networks fo the VPC. By default, at first the list contains no rules and therefore traffic is allowed to flow unrestrictedly. This documentation explains how to add and manage rules to effectively control traffic flow.
+
+<Message type="tip">
+You cannot use NACLs to restrict traffic flow over resources' public network interfaces. NACLs only filter traffic between the Private Networks of a given VPC. To filter public internet traffic, use [security groups](/instances/how-to/use-security-groups/) for Instances, or equivalent features for [other resource types](/ipam/reference-content/public-connectivity-best-practices/#implementing-security-controls).
+</Message>
+
+## How to view a VPC's NACL
+
+1. Click **VPC** in the **Network** section of the [Scaleway console](https://console.scaleway.com/) side menu. The list of your VPCs displays.
+
+2. Click the VPC whose NACL you want to view. The VPC's **Overview** page displays.
+
+        TODO SCREENSHOT WITH Network ACL tab highlighted.
+
+3. Click on the **Network ACL** tab.
+
+    - If the list is empty, then no rules have been set and there is currently no restriction on traffic flow within the VPC:
+
+    TODO SCREENSHOT
+
+    - If you have already added rules to the list, then traffic flow is controlled according to the restrictions they set:
+
+    TODO SCREENSHOT
+
+## How to read and interpet a VPC's NACL
+
+TODO SCREENSHOT
+
+The following guidance applies when reading a VPC's NACL.
+
+- **IPv4 and IPv6 traffic is filtered separately**. In effect, each VPC therefore has two distinct NACLs: one for IPv4 and one for IPv6. Use the toggle to switch between these lists. You must manage and create rules for each list separately.
+
+- **Read the list from from top to bottom**. Rules closer to the top of the list are applied first. If traffic matches an NACL rule for an **Allow** or **Deny** action, the action is applied immediately. The traffic is not subject to any further filtering or any further actions by any rules that follow. 
+
+- **NACL rules are stateless**. This means the state of connections is not tracked and inbound and outbound traffic is filtered separately. Explicit rules are therefore required for each direction of traffic.
+
+- **A default DENY rule is auto-generated at the end of the list** This rule is generated at the moment you first start to edit your NACL. It denies all traffic flow that is not explicitly permitted by the rules above. You can modify or delete this rule if you wish, but if you do then any traffic not explicitly denied by your NACL rules will be allowed to pass.
+
+## How to add rules to a NACL
+
+1. Click **VPC** in the **Network** section of the [Scaleway console](https://console.scaleway.com/) side menu. The list of your VPCs displays.
+
+2. Click the VPC whose NACL you want to view, then click the **Network ACL** tab.
+
+3. If you are creating your first NACL rule, click **Add rule**, otherwise to add a rule to an existing list, click **Edit rules**.
+
+    The NACL list moves into edit mode.
+
+4. Click **Add rule**
+
+
+
