Creates a network access control list (ACL).

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer. OpenAPI Explorer dynamically generates the sample code of the operation for different SDKs.

Request parameters

Parameter Type Required Example Description
Action String Yes CreateNetworkAcl

The operation that you want to perform. Set the value to CreateNetworkAcl.

RegionId String Yes cn-hangzhou

The region ID of the network ACL. You can call DescribeRegions to query region IDs.

VpcId String Yes vpc-dsfd34356vdf****

The ID of the virtual private cloud (VPC) to which the network ACL belongs.

If a VPC contains instances of one of the following instance types, you cannot create a network ACL for the VPC:

ecs.c1, ecs.c2, ecs.c4, ecs.c5, ecs.ce4, ecs.cm4, ecs.d1, ecs.e3, ecs.e4, ecs.ga1, ecs.gn4, ecs.gn5, ecs.i1, ecs.m1, ecs.m2, ecs.mn4, ecs.n1, ecs.n2, ecs.n4, ecs.s1, ecs.s2, ecs.s3, ecs.se1, ecs.sn1, ecs.sn2, ecs.t1, and ecs.xn4.

To create a network ACL, you must upgrade the instance first. For more information, see Upgrade the subscription instances and Change the instance type of a pay-as-you-go instance.

Note: If your VPC contains instances of the preceding instance types and you have created a network ACL, you must upgrade the instance specifications to ensure that the network ACL can function as expected.
NetworkAclName String No acl-1

The name of the network ACL.

The name must be 2 to 128 characters in length and can contain letters, digits, periods (.), underscores (_), and hyphens (-). The name must start with a letter and cannot start with http:// or https://.

Description String No This is my NetworkAcl.

The description of the network ACL.

The description must be 2 to 256 characters in length. The description must start with a letter but cannot start with http:// or https://.

ClientToken String No 0c593ea1-3bea-11e9-b96b-88e9fe637760

The client token that is used to ensure the idempotence of the request. You can use the client to generate the value, but you must ensure that it is unique among different requests. Only ASCII characters are allowed. The token can contain up to 64 ASCII characters.
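The constraints in the request parameter table can be enforced client-side before the call is signed and sent. The following is an added example, not code from the original page or from the provider's SDK: `build_create_network_acl_params` and `_check_text` are hypothetical names, "letters" is assumed to mean ASCII letters, the URL-prefix check is case-insensitive (stricter than the page states), and the common request parameters and signature are left out.

```python
import re
import uuid

# Assumption: "letters" is read as ASCII letters; loosen this if your names use other scripts.
_NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9._-]{1,127}")


def _check_text(field, value, max_len, pattern=None):
    """Apply the length, URL-prefix and first-character rules from the parameter table."""
    if not 2 <= len(value) <= max_len:
        raise ValueError(f"{field} must be 2 to {max_len} characters long")
    # Case-insensitive on purpose: stricter than the rule as written on the page.
    if value.lower().startswith(("http://", "https://")):
        raise ValueError(f"{field} cannot start with http:// or https://")
    if not value[0].isalpha():
        raise ValueError(f"{field} must start with a letter")
    if pattern and not pattern.fullmatch(value):
        raise ValueError(f"{field} may contain only letters, digits, '.', '_' and '-'")
    return value


def build_create_network_acl_params(region_id, vpc_id, name=None,
                                    description=None, client_token=None):
    """Return CreateNetworkAcl query parameters (common and signature parameters excluded)."""
    if not region_id or not vpc_id:
        raise ValueError("RegionId and VpcId are required")
    params = {"Action": "CreateNetworkAcl", "RegionId": region_id, "VpcId": vpc_id}
    if name is not None:
        params["NetworkAclName"] = _check_text("NetworkAclName", name, 128, _NAME_RE)
    if description is not None:
        params["Description"] = _check_text("Description", description, 256)
    # One token per logical request: generate it once and resend the same
    # params dict on a retry so the retried call carries the same ClientToken.
    token = client_token or str(uuid.uuid4())
    if not token.isascii() or len(token) > 64:
        raise ValueError("ClientToken must be at most 64 ASCII characters")
    params["ClientToken"] = token
    return params
```
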

Response parameters

Parameter Type Example Description
NetworkAclAttribute Struct

The attribute of the network ACL.

CreationTime String 2019-04-25 11:33:27

The time when the network ACL was created.

Description String This is my NetworkAcl.

The description of the network ACL.

EgressAclEntries Array

The outbound rules.

EgressAclEntry
Description String This is EgressAclEntries.

The description of the outbound rule.

DestinationCidrIp String 10.0.0.0/24

The destination CIDR block.

EntryType String custom

The type of rules. Valid values:

  • custom: custom rules.
  • system: system rules.
NetworkAclEntryId String nae-a2d447uw4tillxsdc****

The ID of the outbound rule.

NetworkAclEntryName String acl-2

The name of the outbound rule.

Policy String accept

The authorization policy. Valid values:

  • accept: access permissions granted.
  • drop: access permissions denied.
Port String -1/-1

The destination ports.

Protocol String all

The transport layer protocols. Valid values:

  • icmp
  • gre
  • tcp
  • udp
  • all: All protocols are supported.
IngressAclEntries Array

The inbound rules.

IngressAclEntry
Description String This is IngressAclEntries.

The description of the inbound rule.

EntryType String custom

The type of the rule. Valid values:

  • custom: custom rules.
  • system: system rules.
NetworkAclEntryId String nae-a2dk86arlydmexscd****

The ID of the inbound rule.

NetworkAclEntryName String acl-3

The name of the inbound rule.

Policy String accept

The authorization policy. Valid values:

  • accept: access permissions granted.
  • drop: access permissions denied.
Port String -1/-1

The source ports.

Protocol String all

The transport layer protocols. Valid values:

  • icmp
  • gre
  • tcp
  • udp
  • all: All protocols are supported.
SourceCidrIp String 10.0.0.0/24

The source CIDR block.

NetworkAclId String nacl-a2do9e413e0spdefr****

The ID of the network ACL.

NetworkAclName String acl-1

The name of the network ACL.

RegionId String cn-hangzhou

The region where the network ACL is deployed.

Resources Array

The resources that are associated with the network ACL.

Resource
ResourceId String vsw-bp1de348lntdwgthy****

The ID of the associated resource.

ResourceType String VSwitch

The type of the associated resource.

Status String BINDED

The status of the associated resource.

  • BINDED: The instance is bound to the network ACL.
  • BINDING: The instance is being bound to the network ACL.
  • UNBINDING: The instance is unbound from the network ACL.
Status String Modifying

The status of the network ACL.

  • Available: The network ACL is available for use.
  • Modifying: The network ACL is being configured.
VpcId String vpc-a2d33rfpl72k5xsscd****

The ID of the VPC that is associated with the network ACL.

NetworkAclId String nacl-a2do9e413e0spzasx****

The ID of the network ACL.

RequestId String 0ED8D006-F706-4D23-88ED-E11ED28DCAC0

The ID of the request.

Examples

Sample requests

https://vpc.aliyuncs.com/?Action=CreateNetworkAcl
&RegionId=cn-hangzhou
&VpcId=vpc-dsfd34356vdf****
&<Common request parameters>

Sample success responses

XML format

<CreateNetworkAclResponse>
  <NetworkAclAttribute>
        <CreationTime>2019-04-25 11:33:27</CreationTime>
        <EgressAclEntries>
              <EgressAclEntry>
                    <Port>-1/-1</Port>
                    <Policy>accept</Policy>
                    <NetworkAclEntryId>nae-a2d447uw4tillcdvf****</NetworkAclEntryId>
                    <DestinationCidrIp>0.0.0.0/0</DestinationCidrIp>
                    <Protocol>all</Protocol>
              </EgressAclEntry>
        </EgressAclEntries>
        <Status>Available</Status>
        <RegionId>cn-hangzhou</RegionId>
        <IngressAclEntries>
              <IngressAclEntry>
                    <SourceCidrIp>0.0.0.0/0</SourceCidrIp>
                    <Port>-1/-1</Port>
                    <Policy>accept</Policy>
                    <NetworkAclEntryId>nae-a2dk86arlydmecdvf****</NetworkAclEntryId>
                    <Protocol>all</Protocol>
              </IngressAclEntry>
        </IngressAclEntries>
        <NetworkAclId>nacl-a2do9e413e0spcdvf****</NetworkAclId>
        <VpcId>vpc-a2d33rfpl72k5cdvf****</VpcId>
        <Resources>
        </Resources>
  </NetworkAclAttribute>
  <RequestId>AEAC0891-1E52-4A46-A29C-175FB6356FE8</RequestId>
  <NetworkAclId>nacl-a2do9e413e0spcdvf****</NetworkAclId>
</CreateNetworkAclResponse>

JSON format

{
   "NetworkAclAttribute":    {
      "CreationTime": "2019-04-25 11:33:27",
      "EgressAclEntries": {"EgressAclEntry": [      {
         "Port": "-1/-1",
         "Policy": "accept",
         "NetworkAclEntryId": "nae-a2d447uw4tillcdvf****",
         "DestinationCidrIp": "0.0.0.0/0",
         "Protocol": "all"
      }]},
      "Status": "Available",
      "RegionId": "cn-hangzhou",
      "IngressAclEntries": {"IngressAclEntry": [      {
         "SourceCidrIp": "0.0.0.0/0",
         "Port": "-1/-1",
         "Policy": "accept",
         "NetworkAclEntryId": "nae-a2dk86arlydmecdvf****",
         "Protocol": "all"
      }]},
      "NetworkAclId": "nacl-a2do9e413e0spcdvf****",
      "VpcId": "vpc-a2d33rfpl72k5cdvf****",
      "Resources": {"Resource": []}
   },
   "RequestId": "AEAC0891-1E52-4A46-A29C-175FB6356FE8",
   "NetworkAclId": "nacl-a2do9e413e0spcdvf****"
}
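The sample response above contains one inbound and one outbound entry with Policy accept, Protocol all, Port -1/-1 and CIDR 0.0.0.0/0, and an empty Resources list. The following is an added example, not code from the original page or the provider's SDK, that audits a CreateNetworkAcl response for such entries and lists the resources already bound; `find_open_entries` and `bound_resources` are hypothetical names and the sample is constructed from the response shown here.

```python
import ipaddress
import json

# Constructed sample: the JSON success response shown above, trimmed to the fields used.
SAMPLE = json.loads("""
{"NetworkAclAttribute": {
   "EgressAclEntries": {"EgressAclEntry": [
      {"Port": "-1/-1", "Policy": "accept", "Protocol": "all",
       "NetworkAclEntryId": "nae-a2d447uw4tillcdvf****", "DestinationCidrIp": "0.0.0.0/0"}]},
   "IngressAclEntries": {"IngressAclEntry": [
      {"Port": "-1/-1", "Policy": "accept", "Protocol": "all",
       "NetworkAclEntryId": "nae-a2dk86arlydmecdvf****", "SourceCidrIp": "0.0.0.0/0"}]},
   "NetworkAclId": "nacl-a2do9e413e0spcdvf****",
   "Resources": {"Resource": []}},
 "NetworkAclId": "nacl-a2do9e413e0spcdvf****"}
""")

# (direction, wrapper key, list key, CIDR field) as laid out in the response parameters.
_DIRECTIONS = (
    ("ingress", "IngressAclEntries", "IngressAclEntry", "SourceCidrIp"),
    ("egress", "EgressAclEntries", "EgressAclEntry", "DestinationCidrIp"),
)


def find_open_entries(response):
    """Return (direction, entry id, CIDR) for accept/all/-1/-1 rules with a /0 CIDR."""
    findings = []
    attr = response.get("NetworkAclAttribute", {})
    for direction, outer, inner, cidr_key in _DIRECTIONS:
        for entry in attr.get(outer, {}).get(inner, []):
            if (entry.get("Policy"), entry.get("Protocol"), entry.get("Port")) != (
                    "accept", "all", "-1/-1"):
                continue
            try:
                net = ipaddress.ip_network(entry.get(cidr_key, ""), strict=False)
            except ValueError:
                continue  # unparseable CIDR: not classified by this check
            if net.prefixlen == 0:
                findings.append((direction, entry.get("NetworkAclEntryId"), str(net)))
    return findings


def bound_resources(response):
    """Return IDs of resources whose association status is BINDED."""
    resources = response.get("NetworkAclAttribute", {}).get("Resources", {})
    return [r.get("ResourceId") for r in resources.get("Resource", [])
            if r.get("Status") == "BINDED"]
```
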

Error codes

HttpCode Error code Error message Description
500 InternalError The request processing has failed due to some unknown error. The error message returned because unknown errors have occurred.

For a list of error codes, visit the API Error Center.