
VLAN ACL Dropping Certain Port

AhmadZ
Level 1

Dear All,

I'm trying to configure VLAN ACL, I have VLAN10, VLAN20 and other vlans.

I want to drop everything from VLAN20 to all other VLANs except for a specific port on an IP on VLAN10.

How can I do that?

I've seen several configurations, but still not working,

Thanks in advance!

43 Replies

But the traffic is going from VLAN 20 to VLAN 10, so it should be on all the outgoing packets from VLAN 20.

Or do you mean that, because the VLAN 10 host with the specific port will reply to the VLAN 20 SVI, the traffic going to that VLAN should match the ACL and otherwise be dropped? Because it seems like out is working too. I still haven't tested it on the production server; I'm testing in a lab.

Thanks!

Perhaps I should have phrased my explanation a bit differently. IN or OUT is determined from the perspective of the switch/router interface on which the acl is to be applied. So from the perspective of the vlan 20 interface is this traffic coming into the interface or going out of the interface? That determines whether to apply in or out. And in this case the right answer is out.

HTH

Rick

Oh OK, yes, now I understand, thanks! Yes, the traffic is going from VLAN 20 to other VLANs, so I want to block all traffic from VLAN 20 to all other VLANs except for the host on VLAN 10 with the specific port.

It looks like we are making good progress and that now you have a solution that works and that you understand for the acl and for applying access-group. I want to clarify one thing. So far we have been talking about vlan to vlan traffic, and have a working solution to control that vlan to vlan traffic. We have not talked about whether hosts in vlan 20 need to communicate with anything outside of vlan 20 (especially whether these hosts need access to the Internet) or are they all only for communication within vlan 20? If all their communication is internal to vlan 20 then things are complete. But if they need access to external resources then we need to add some things to the acl.

HTH

Rick

Oh, yes, I need a host in VLAN 20 to be accessible to the Internet, because later on I'm going to do port forwarding on my firewall to the host on VLAN 20.

Thanks for the clarification. This introduces a new dimension to the discussion. So far the acl allows vlan 20 to that specific host/port. We begin with that statement and then we need to add:

- statements that will deny traffic sourced from vlan 20 and destinations in the other vlans. The original post says you have vlans 10 and 20 and other vlans. One approach would be to have separate deny statements for each of the other vlan subnets. Or you might just deny traffic with source of vlan 20 and destination of 10.0.0.0 0.255.255.255, or of 172.16.0.0 0.15.255.255, or of 192.168.0.0 0.0.255.255.

- then a statement that will permit traffic sourced from vlan 20 and destination of any.

HTH

Rick

Isn't all the traffic denied after the permit command by default?

How will the command order be then?

You have asked several follow up questions. Here are my responses:

1) "isn't all the traffic denied after the permit command by default?" Yes there is an implied deny any after the last line of the acl. So if the acl had a single line with permit then all other traffic would be denied.

2) We seem to have contradictory statements. You say "I'm trying to have one-way direction from a host in VLAN20 to a host in VLAN10, and all other packets to be dropped." But you also say "I need a host in VLAN20 to be accessible to the internet." Which is it? If all you want is vlan 20 to vlan 10 then an acl with a single entry is good enough. But if you also want Internet access then you need multiple lines in the acl.

3) "how will the commands order be then?" The order of the commands would be

- first the statement permitting vlan 20 to vlan 10 host and port.

- then statements denying vlan 20 to other vlans in your network.

- then a permit any statement to allow access to Internet.

 

HTH

Rick

Ohh OK, thanks!! So my commands would be:

ip access-list extended 100
 permit tcp 172.16.20.0 0.0.0.255 host 172.16.10.2 eq 443
 deny ip 172.16.20.0 0.0.0.255 172.16.0.0 0.0.255.255
 permit ip 172.16.20.0 0.0.0.255 any

and then apply this access list to Vlan20 on OUT.

You are on the right track. A possible detail would be the IP addressing of all of the other vlans. Clearly vlan 10 uses 172.16.10.0. You mention that there are other vlans. Do they all use subnets that begin with 172.16.x.0? 

The main issue is that when you apply the acl it should be in and not out.

HTH

Rick
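As an added illustration (not part of this thread, and not Cisco's own code), the following Python models two things the exchange above turns on: first-match evaluation of the three-line ACL as posted, including the implicit deny at the end, and which routed packets an access-group applied on interface Vlan20 actually sees in each direction. The 172.16.20.0/24 subnet for VLAN 20, the sample flows, and the 172.16.30.7 and 203.0.113.9 addresses are constructed assumptions for the demonstration.

```python
"""Simulate a Cisco IOS extended ACL (first match wins, implicit deny) and the
in/out direction of an access-group on an SVI. Added example, not from the thread."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The ACL exactly as posted in the thread, evaluated top to bottom.
ACL = [
    "permit tcp 172.16.20.0 0.0.0.255 host 172.16.10.2 eq 443",
    "deny ip 172.16.20.0 0.0.0.255 172.16.0.0 0.0.255.255",
    "permit ip 172.16.20.0 0.0.0.255 any",
]

# Assumption: the subnet behind interface Vlan20, as network + wildcard mask.
VLAN20 = ("172.16.20.0", "0.0.0.255")

Addr = Tuple[str, str]  # (network, wildcard)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int] = None  # destination port for tcp/udp


@dataclass(frozen=True)
class ACE:
    action: str    # "permit" or "deny"
    proto: str     # "ip" matches every protocol
    src: Addr
    dst: Addr
    dport: Optional[int]


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit must match, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (n & care)


def parse_ace(line: str) -> ACE:
    """Parse the IOS subset used in the thread:
    <permit|deny> <ip|tcp|udp|icmp> <src> <dst> [eq <port>]
    where an address is 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'."""
    t = line.split()

    def addr(i: int) -> Tuple[Addr, int]:
        if t[i] == "any":
            return ("0.0.0.0", "255.255.255.255"), i + 1
        if t[i] == "host":
            return (t[i + 1], "0.0.0.0"), i + 2
        return (t[i], t[i + 1]), i + 2

    src, pos = addr(2)
    dst, pos = addr(pos)
    dport = int(t[pos + 1]) if pos < len(t) and t[pos] == "eq" else None
    return ACE(t[0], t[1], src, dst, dport)


def evaluate(acl: List[str], pkt: Packet) -> Tuple[str, str]:
    """Return (verdict, line that matched). Unmatched traffic hits the implicit deny."""
    for line in acl:
        ace = parse_ace(line)
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if not (wildcard_match(pkt.src, *ace.src) and wildcard_match(pkt.dst, *ace.dst)):
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        return ace.action, line
    return "deny", "implicit deny any at end of ACL"


def svi_filter(acl: List[str], direction: str, pkt: Packet) -> Tuple[str, Optional[str]]:
    """Which routed packets an access-group on interface Vlan20 sees:
    'in'  = packets arriving at the SVI from VLAN 20 hosts (source in the VLAN 20 subnet)
    'out' = packets the switch routes into VLAN 20 (destination in the VLAN 20 subnet)
    Traffic the ACL never sees is reported as 'not filtered'. Intra-VLAN traffic is
    switched at layer 2 and never reaches the SVI, so it is not modelled here."""
    side = pkt.src if direction == "in" else pkt.dst
    if not wildcard_match(side, *VLAN20):
        return "not filtered", None
    return evaluate(acl, pkt)


# Constructed sample flows (not from the thread): one per ACE plus the return path.
HTTPS_TO_VLAN10 = Packet("172.16.20.5", "172.16.10.2", "tcp", 443)
SSH_TO_VLAN10 = Packet("172.16.20.5", "172.16.10.2", "tcp", 22)
WEB_TO_VLAN30 = Packet("172.16.20.5", "172.16.30.7", "tcp", 80)
DNS_TO_INTERNET = Packet("172.16.20.5", "8.8.8.8", "udp", 53)
HTTPS_REPLY = Packet("172.16.10.2", "172.16.20.5", "tcp", 51000)
FORWARDED_INBOUND = Packet("203.0.113.9", "172.16.20.5", "tcp", 8080)

if __name__ == "__main__":
    flows = (HTTPS_TO_VLAN10, SSH_TO_VLAN10, WEB_TO_VLAN30,
             DNS_TO_INTERNET, HTTPS_REPLY, FORWARDED_INBOUND)
    for direction in ("in", "out"):
        print(f"--- ip access-group 100 {direction} on interface Vlan20 ---")
        for p in flows:
            verdict, line = svi_filter(ACL, direction, p)
            print(f"{p.src:>13} -> {p.dst:<13} {p.proto}/{p.dport}: {verdict:<12} {line or ''}")
```

Running it prints one table per direction. With the ACL applied in, the HTTPS session to 172.16.10.2:443 and the DNS query to the Internet are permitted, SSH to the same host and web traffic to VLAN 30 hit the deny line, and return traffic into VLAN 20 is never inspected by this ACL. With the same ACL applied out, every packet routed into VLAN 20 has a source outside 172.16.20.0/24, matches none of the three lines and is dropped by the implicit deny, so even the permitted HTTPS session would break and the port-forwarded inbound traffic would never reach the host.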

Yes, all other VLANs use 172.16.x.0.

Concerning IN or OUT, why should it be IN? I want all the traffic from VLAN 20 to have the ACL applied to it, so shouldn't it be OUT on the VLAN 20 interface?

Thanks!

[Attached image: SVI Directions.png]

I always get confused about IN and OUT for VACLs until I see this photo.

Yeah, but my VLAN interfaces are on the core switch, and I'm doing the ACL on the core switch.

Same concept; both are L3 devices with VLAN SVIs.