
Cloud Firewall:CreateVpcFirewallCenConfigure

Last Updated:Apr 24, 2024

Creates a virtual private cloud (VPC) firewall to protect traffic between a specified VPC and a network instance that is attached to a Cloud Enterprise Network (CEN) instance.

Operation description

You can call the CreateVpcFirewallCenConfigure operation to create a VPC firewall. The VPC firewall protects mutual access traffic between a specified VPC and a network instance that is attached to a CEN instance. The network instance can be a VPC, a virtual border router (VBR), or a Cloud Connect Network (CCN) instance. The VPC firewall cannot protect mutual access traffic between VBRs, between CCN instances, or between VBRs and CCN instances. For more information, see VPC firewall limits.

Limits

You can call this operation up to 10 times per second per account. If the number of calls per second exceeds this limit, throttling is triggered and your business may be affected. Take note of the limit when you call this operation.

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer.

Authorization information

The following table shows the authorization information corresponding to the API. The authorization information can be used in the Action policy element to grant a RAM user or RAM role the permissions to call this API operation. Description:

  • Operation: the value that you can use in the Action element to specify the operation on a resource.
  • Access level: the access level of each operation. The levels are read, write, and list.
  • Resource type: the type of the resource on which you can authorize the RAM user or the RAM role to perform the operation. Take note of the following items:
    • The required resource types are displayed in bold characters.
    • If the permissions cannot be granted at the resource level, All Resources is used in the Resource type column of the operation.
  • Condition Key: the condition key that is defined by the cloud service.
  • Associated operation: other operations that the RAM user or the RAM role must also have permissions to perform in order to complete this operation.
| Operation | Access level | Resource type | Condition key | Associated operation |
| --- | --- | --- | --- | --- |
| yundun-cloudfirewall:CreateVpcFirewallCenConfigure | Write | All Resources (`*`) | none | none |

Request parameters

Lang (string, optional)

  The language of the content within the request and response. Valid values:

  • zh: Chinese (default)
  • en: English

  Example: zh

VpcFirewallName (string, required)

  The instance name of the VPC firewall.

  Example: Test instance

NetworkInstanceId (string, required)

  The ID of the VPC for which you want to create the VPC firewall.

  Example: vpc-bp10zlifxh6j0232w****

VpcRegion (string, required)

  The ID of the region to which the VPC belongs.

  Note: For more information about the regions, see Supported regions.

  Example: cn-hangzhou

FirewallSwitch (string, required)

  Specifies whether to enable the VPC firewall. Valid values:

  • open: After you create the VPC firewall, the VPC firewall is automatically enabled. This is the default value.
  • close: After you create the VPC firewall, the VPC firewall is disabled. You can call the ModifyVpcFirewallCenSwitchStatus operation to manually enable the VPC firewall.

  Example: open

CenId (string, required)

  The ID of the CEN instance.

  Example: cen-x5jayxou71ad73****

MemberUid (string, optional)

  The UID of the member that is managed by your Alibaba Cloud account.

  Example: 258039427902****

VSwitchId (string, optional)

  The ID of the vSwitch that is associated with the elastic network interface (ENI) required by the VPC firewall.

  Example: vsw-qzeaol304m***

FirewallVpcCidrBlock (string, optional)

  The CIDR block of the VPC that is automatically created for the VPC firewall. You must specify a CIDR block for the Cloud_Firewall_VPC VPC that is automatically created for the VPC firewall for traffic redirection. The subnet mask of the CIDR block must be less than or equal to 28 bits in length.

  If you do not specify a value, the CIDR block 10.0.0.0/8 is automatically allocated.

  Note: This parameter takes effect only when you create a VPC firewall for the first time in the current CEN instance and region.

  Example: 10.0.0.0/8

FirewallVpcZoneId (string, optional)

  The ID of the zone to which the vSwitch belongs. If your service is latency-sensitive, you can specify the same zone for the vSwitch of the firewall and the vSwitch of your business VPC to minimize latency.

  If you do not specify a value, a zone is automatically assigned for the vSwitch.

  Note: This parameter takes effect only when you create a VPC firewall for the first time in the current CEN instance and region. For more information about the zones that are supported by each region, see Query zones.

  Example: cn-hangzhou-a

FirewallVSwitchCidrBlock (string, optional)

  The CIDR block of the vSwitch that is automatically created for the VPC firewall. You must specify a CIDR block for the Cloud_Firewall_VSWITCH vSwitch that is automatically created for the VPC firewall for traffic redirection. The CIDR block must not conflict with your network plan. The subnet mask of the CIDR block must be less than or equal to 29 bits in length. The CIDR block of the vSwitch must be within the CIDR block of the VPC.

  If you do not specify a value, the CIDR block 10.219.219.216/29 is automatically allocated.

  Note: This parameter takes effect only when you create a VPC firewall for the first time in the current CEN instance and region.

  Example: 10.0.*.*/28
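As an added pre-flight check (example code written for this page, not Alibaba Cloud SDK or Cloud Firewall code), the following Python validates a CreateVpcFirewallCenConfigure parameter set against the constraints listed above before the request is signed and sent: the required parameters, the Lang and FirewallSwitch value sets, the subnet-mask limits and defaults of FirewallVpcCidrBlock and FirewallVSwitchCidrBlock, the requirement that the vSwitch block lie inside the firewall VPC block, and overlap between the vSwitch block and CIDR blocks you already use. The `vpc-` and `cen-` identifier-prefix checks are an assumption inferred from the page's example values, and the `planned_cidrs` argument is this example's own addition; only the standard library is used.

```python
import ipaddress

# Constraints taken from the CreateVpcFirewallCenConfigure reference page.
REQUIRED_PARAMS = ("VpcFirewallName", "NetworkInstanceId", "VpcRegion",
                   "FirewallSwitch", "CenId")
VALID_LANG = {"zh", "en"}
VALID_FIREWALL_SWITCH = {"open", "close"}
MAX_FIREWALL_VPC_PREFIXLEN = 28       # FirewallVpcCidrBlock mask <= 28 bits
MAX_FIREWALL_VSWITCH_PREFIXLEN = 29   # FirewallVSwitchCidrBlock mask <= 29 bits
DEFAULT_FIREWALL_VPC_CIDR = "10.0.0.0/8"          # page default
DEFAULT_FIREWALL_VSWITCH_CIDR = "10.219.219.216/29"  # page default


def _parse_cidr(value, name, max_prefixlen, errors):
    """Parse an IPv4 CIDR block and enforce the page's subnet-mask limit.

    strict=True rejects blocks with host bits set (e.g. 10.0.0.1/29), which
    the service would otherwise have to guess at.
    """
    try:
        net = ipaddress.IPv4Network(value, strict=True)
    except ValueError as exc:
        errors.append(f"{name}: {value!r} is not a valid IPv4 CIDR block ({exc})")
        return None
    if net.prefixlen > max_prefixlen:
        errors.append(f"{name}: subnet mask /{net.prefixlen} exceeds the /{max_prefixlen} limit")
    return net


def validate_request(params, planned_cidrs=()):
    """Return a list of problems found in a CreateVpcFirewallCenConfigure request.

    params: request parameters keyed by parameter name (values as strings).
    planned_cidrs: CIDR blocks already used in your network plan; the page
    requires the firewall vSwitch block not to conflict with them.
    An empty list means the request satisfies every documented constraint.
    """
    errors = []
    for key in REQUIRED_PARAMS:
        if not params.get(key):
            errors.append(f"{key} is required")

    if params.get("Lang", "zh") not in VALID_LANG:
        errors.append("Lang must be 'zh' or 'en'")
    switch = params.get("FirewallSwitch")
    if switch is not None and switch not in VALID_FIREWALL_SWITCH:
        errors.append("FirewallSwitch must be 'open' or 'close'")

    # Assumption: identifier prefixes inferred from the page's example values.
    # The page states that only a VPC can be protected, not a VBR or CCN instance.
    nid = params.get("NetworkInstanceId", "")
    if nid and not nid.startswith("vpc-"):
        errors.append("NetworkInstanceId must be a VPC ID (vpc-...); VBRs and CCN "
                      "instances cannot be protected by a VPC firewall")
    cen_id = params.get("CenId", "")
    if cen_id and not cen_id.startswith("cen-"):
        errors.append("CenId must be a CEN instance ID (cen-...)")

    # CIDR constraints: mask limits, defaults, and nesting of vSwitch in VPC.
    vpc_net = _parse_cidr(params.get("FirewallVpcCidrBlock", DEFAULT_FIREWALL_VPC_CIDR),
                          "FirewallVpcCidrBlock", MAX_FIREWALL_VPC_PREFIXLEN, errors)
    vsw_net = _parse_cidr(params.get("FirewallVSwitchCidrBlock", DEFAULT_FIREWALL_VSWITCH_CIDR),
                          "FirewallVSwitchCidrBlock", MAX_FIREWALL_VSWITCH_PREFIXLEN, errors)
    if vpc_net and vsw_net and not vsw_net.subnet_of(vpc_net):
        errors.append(f"FirewallVSwitchCidrBlock {vsw_net} is not within "
                      f"FirewallVpcCidrBlock {vpc_net}")
    if vsw_net:
        for planned in planned_cidrs:
            if vsw_net.overlaps(ipaddress.IPv4Network(planned, strict=False)):
                errors.append(f"FirewallVSwitchCidrBlock {vsw_net} conflicts with "
                              f"planned block {planned}")
    return errors


if __name__ == "__main__":
    # Constructed request using the page's example values.
    request = {
        "VpcFirewallName": "Test instance",
        "NetworkInstanceId": "vpc-bp10zlifxh6j0232w****",
        "VpcRegion": "cn-hangzhou",
        "FirewallSwitch": "open",
        "CenId": "cen-x5jayxou71ad73****",
    }
    print("defaults:", validate_request(request) or "ok")
    # The default vSwitch block collides with a business subnet in this plan.
    print("with plan:", validate_request(request, planned_cidrs=["10.219.219.0/24"]))
```

Run the check before every call rather than relying on the ErrorDestCidrError or ErrorVpcFirewallExist responses: the CIDR parameters take effect only the first time a firewall is created in a CEN instance and region, so a wrong block that the service accepts is costly to undo.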

Response parameters

| Parameter | Type | Description | Example |
| --- | --- | --- | --- |
| (root) | object | | |
| VpcFirewallId | string | The instance ID of the VPC firewall. | vfw-m5e7dbc4y**** |
| RequestId | string | The ID of the request. | 850A84D6-0DE4-4797-A1E8-00090125h4j6 |

Examples

Sample success responses

JSON format

{
  "VpcFirewallId": "vfw-m5e7dbc4y****",
  "RequestId": "850A84D6-0DE4-4797-A1E8-00090125h4j6"
}

Error codes

| HTTP status code | Error code | Error message | Description |
| --- | --- | --- | --- |
| 400 | ErrorAliUid | The aliuid is invalid. | The aliuid is invalid. |
| 400 | ErrorVpcFirewallExist | The firewall has been configured and cannot be created repeatedly. | The firewall is configured and cannot be repeatedly created. |
| 400 | ErrorVpcId | The VPC ID is invalid. | The VPC ID is invalid. |
| 400 | ErrorRegionNoError | The region is invalid. | The region is invalid. |
| 400 | ErrorVpcFirewallNotFound | The specified VPC firewall does not exist. Please select again. | The specified VPC firewall does not exist. Enter another value. |
| 400 | ErrorDBSelectError | A database select error occurred. | The error message returned because an internal error has occurred in querying the database. |
| 400 | ErrorDBTxError | A database transaction error occurred. | The error message returned because an internal error has occurred in the database transaction. |
| 400 | ErrorDBUpdateError | A database update error occurred. | A database update error occurred. |
| 400 | ErrorRecordLog | An error occurred while updating the operation log. | An error occurred while updating the operation log. |
| 400 | ErrorCenVbrNotSupport | The firewall cannot be enabled for VBRs that are attached to CEN instances. | |
| 400 | ErrorCenNotSupportCCN | The VPC firewall cannot be enabled for CCN instances that are attached to CEN instances. | |
| 400 | ErrorCenNotSupportMultipleAccounts | The current version of Cloud Firewall does not support multiple accounts when it uses VPC Firewall to protect Cloud Enterprise Network. Upgrade the specifications and try again. | The current edition of Cloud Firewall does not support multiple accounts when it uses VPC Firewall to protect CEN. Upgrade the specifications and try again. |
| 400 | ErrorFirewallStatus | Firewall status error, please try again later. | The status of the firewall is invalid. Try again later. |
| 400 | ErrorFirewallQuotaNotEmpty | quota is not enough, unable to configure VPC firewall, please increase quota first. | - |
| 400 | ErrorHubvpcCannotCreate | You are not allowed to create a firewall for a HUB VPC. | |
| 400 | ErrorCenVpcEcConflict | The VPC of the cloud enterprise network conflicts with the VPC of the high-speed channel, and the firewall cannot be opened. Please select again | Conflicts occur between the VPC of CEN and the VPC of Express Connect. You cannot enable the firewall. Specify another value. |
| 400 | ErrorRegionNoDisable | There are unsupported regions, please reselect | Some regions are not supported. Specify supported regions. |
| 400 | ErrorCenFirewallVpcNumInvalid | The number of VPCs that are attached to the CEN instance is insufficient. The VPC firewall cannot be enabled. | |
| 400 | ErrorDestCidrError | The target network segment is wrong. Please configure the target network segment correctly. | The specified destination CIDR block is invalid. Enter another value. |
| 400 | ErrorVpcCustomRouteTableWithVswitch | You are not allowed to create a VPC firewall for a VPC in which custom route tables exist and vSwitches are associated with the custom route tables. | |
| 400 | ErrorCenNotSupportTREnterpriseAutoMode | VPC firewall does not support TR Enterprise Edition auto mode protection, please use manual mode protection | VPC firewalls do not support the CEN-TR automatic mode. |

For a full list of error codes, see Service error codes.

Change history

| Change time | Summary of changes | Operation |
| --- | --- | --- |
| 2023-06-13 | The error codes have changed. The request parameters of the API have changed. | see changesets |

| Change item | Change content |
| --- | --- |
| Error codes | The error codes have changed. Deleted error codes: 400 |
| Input parameters | The request parameters of the API have changed. Added input parameters: FirewallVpcCidrBlock, FirewallVpcZoneId, FirewallVSwitchCidrBlock |