CreateCenRouteMap - Cloud Enterprise Network - Alibaba Cloud Documentation Center

Creates a routing policy. A routing policy filters routing information and facilitates network management.

Operation description

Routing policies are sorted by priority. A smaller value indicates a higher priority. Each routing policy is a collection of conditional statements and execution statements. Starting from the routing policy with the highest priority, the system matches routes against the match conditions specified by routing policies. If a route meets all the match conditions of a routing policy, the system permits or denies the route based on the action specified in the routing policy. You can also modify the attributes of permitted routes. By default, the system permits routes that meet none of the match conditions. For more information, see Routing policy overview.

CreateCenRouteMap is an asynchronous operation. After you send a request, the routing policy ID is returned but the operation is still being performed in the system background. You can call DescribeCenRouteMaps to query the status of a routing policy.

If a routing policy is in the Creating state, the routing policy is being created. In this case, you can query the routing policy but cannot perform other operations.
If a routing policy is in the Active state, the routing policy is created.

Try it now

Try this API in OpenAPI Explorer, no manual signing needed. Successful calls auto-generate SDK code matching your parameters. Download it with built-in credential security for local usage.

Test

RAM authorization

The table below describes the authorization required to call this API. You can define it in a RAM policy. The table's columns are detailed below:

Action: The actions can be used in the Action element of RAM permission policy statements to grant permissions to perform the operation.
API: The API that you can call to perform the action.
Access level: The predefined level of access granted for each API. Valid values: create, list, get, update, and delete.
Resource type: The type of the resource that support authorization to perform the action. It indicates if the action supports resource-level permission. The specified resource must be compatible with the action. Otherwise, the policy will be ineffective.
- For APIs with resource-level permissions, required resource types are marked with an asterisk (*). Specify the corresponding ARN in the Resource element of the policy.
- For APIs without resource-level permissions, it is shown as All Resources. Use an asterisk (*) in the Resource element of the policy.
Condition key: The condition keys defined by the service. The key allows for granular control, applying to either actions alone or actions associated with specific resources. In addition to service-specific condition keys, Alibaba Cloud provides a set of common condition keys applicable across all RAM-supported services. For more information, see Common condition keys.
Dependent action: The dependent actions required to run the action. To complete the action, the RAM user or the RAM role must have the permissions to perform all dependent actions.

Action

Access level

Resource type

Condition key

Dependent action

cen:CreateCenRouteMap

create

*CenInstance

acs:cen:*:{#accountId}:ceninstance/{#ceninstanceId}

None

Request parameters

Parameter	Type	Required	Description	Example
CenId	string	Yes	The ID of the CEN instance.	cen-7qthudw0ll6jmc****
CenRegionId	string	Yes	The ID of the region in which the routing policy is applied. You can call the DescribeChildInstanceRegions operation to query the most recent region list.	cn-hangzhou
TransmitDirection	string	Yes	The direction in which the routing policy is applied. Valid values: RegionIn: Routes are advertised to the gateways in the regions that are connected by the CEN instance. For example, routes are advertised from network instances deployed in the current region or other regions to the gateway deployed in the current region. RegionOut: Routes are advertised from the gateways in the regions that are connected by the CEN instance. For example, routes are advertised from the gateway deployed in the current region to network instances deployed in the same region, or to gateways deployed in other regions.	RegionIn
Description	string	No	The description of the routing policy. This parameter is optional. If you enter a description, it must be 1 to 256 characters in length and cannot start with http:// or https://.	desctest
Priority	integer	Yes	The priority of the routing policy. Valid values: 1 to 100. A smaller value indicates a higher priority. Note You cannot specify the same priority for routing policies that apply in the same region and direction. The system matches routes against the match conditions of routing policies in descending order of priority. A smaller value indicates a higher priority. You must set the priorities to proper values.	3
MapResult	string	Yes	The action to be performed on a route that meets all the match conditions. Valid values: Permit: the route is permitted. Deny: the route is denied.	Permit
NextPriority	integer	No	The priority of the routing policy that you want to associate with the current one. This parameter takes effect only when the MapResult parameter is set to Permit. This way, the permitted route is matched against the next routing policy. The region and direction of the routing policy to be associated must be the same as those of the current routing policy. The priority of the next routing policy must be lower than the priority of the current routing policy.	20
CidrMatchMode	string	No	The match method that is used to match routes against the prefix list. Valid values: Include: fuzzy match. A route is a match if the route prefix is included in the match conditions. For example, if you set the match condition to 1.1.0.0/16 and fuzzy match is applied, the route whose prefix is 1.1.1.0/24 meets the match condition. Complete: exact match. A route is a match only if the route prefix is the same as the prefix specified in the match condition. For example, if you set the match condition to 1.1.0.0/16 and exact match is applied, only the route whose prefix is 1.1.0.0/16 meets the match condition.	Include
AsPathMatchMode	string	No	The match method that is used to match routes based on the AS path. Valid values: Include: fuzzy match. A route is a match if the AS path of the route overlaps with the AS path in the match conditions. Complete: exact match. A route is a match only if the AS path of the route matches the AS path in the match conditions.	Include
CommunityMatchMode	string	No	The match method that is used to match routes based on the community. Valid values: Include: fuzzy match. A route is a match if the community of the route overlaps with the community in the match conditions. Complete: exact match. A route is a match only if the community of the route matches the community in the match conditions.	Include
CommunityOperateMode	string	No	The action to be performed on the community. Valid values: Additive: adds the community to the route. Replace: replaces the original community of the route. This parameter specifies the action to be performed when a route meets the match condition.	Additive
Preference	integer	No	The new priority of the route. Valid values: 1 to 100. The default priority is 50. A smaller value indicates a higher priority. This parameter specifies the action to be performed when a route meets the match condition.	50
SourceInstanceIdsReverseMatch	boolean	No	Specifies whether to exclude source instance IDs. Valid values: false (default): A route is a match if the source instance ID is included in the list specified by SourceInstanceIds.N. true: A route is a match if the source network instance ID is not in the list specified by SourceInstanceIds.N.	false
DestinationInstanceIdsReverseMatch	boolean	No	Specifies whether to exclude destination instance IDs. Valid values: false (default): A route is a match if the destination instance ID is included in the list specified by SourceInstanceIds.N. true: A route is a match if the destination network instance ID is not in the list specified by SourceInstanceIds.N.	false
MatchAddressType	string	No	The type of IP address in the match condition. Valid values: IPv4: IPv4 address IPv6: IPv6 address This parameter can be empty. If no value is specified, all types of IP address are a match.	IPv4
TransitRouterRouteTableId	string	No	The ID of the route table of the transit router. If you do not specify a route table ID, the routing policy is automatically associated with the default route table of the transit router.	vtb-gw8nx3515m1mbd1z1****
SourceInstanceIds	array	No	The IDs of the source network instances to which the routes belong. The following network instance types are supported: Virtual private cloud (VPC) Virtual border router (VBR) Cloud Connect Network (CCN) instance Smart Access Gateway (SAG) instance The ID of the IPsec-VPN connection. You can enter at most 32 IDs.	vpc-adeg3544fdf34vf****
	string	No	The IDs of the source network instances to which the routes belong. The following network instance types are supported: VPC VBR CCN instance SAG instance The ID of the IPsec-VPN connection. You can enter at most 32 IDs.	vpc-adeg3544fdf34vf****
DestinationInstanceIds	array	No	The IDs of the destination network instances to which the routes belong. The following network instance types are supported: VPC VBR CCN instance SAG instance The ID of the IPsec-VPN connection. You can enter at most 32 IDs. Note The destination instance IDs take effect only when Direction is set to Export from Regional Gateway and the destination instances are deployed in the current region.	vpc-afrfs434465fdf****
	string	No	The IDs of the destination network instances to which the routes belong. The following network instance types are supported: VPC VBR CCN instance SAG instance The ID of the IPsec-VPN connection. You can enter at most 32 IDs. Note The destination instance IDs take effect only when Direction is set to Export from Regional Gateway and the destination instances are deployed in the current region.	vpc-afrfs434465fdf****
SourceRouteTableIds	array	No	The IDs of the source route tables from which routes are evaluated. You can enter at most 32 route table IDs.	vtb-adfr233vf34rvd4****
	string	No	The IDs of the source route tables from which routes are evaluated. You can enter at most 32 route table IDs.	vtb-adfr233vf34rvd4****
DestinationRouteTableIds	array	No	The IDs of the destination route tables to which routes are evaluated. You can enter at most 32 route table IDs. Note The destination route table IDs take effect only when Direction is set to Export from Regional Gateway and the destination route tables belong to network instances deployed in the current region.	vtb-adefrgtr144vf****
	string	No	The IDs of the destination route tables to which routes are evaluated. You can enter at most 32 route table IDs. Note The destination route table IDs take effect only when Direction is set to Export from Regional Gateway and the destination route tables belong to network instances deployed in the current region.	vtb-adefrgtr144vf****
SourceRegionIds	array	No	The IDs of the source regions from which routes are evaluated. You can enter at most 32 region IDs. You can call the DescribeChildInstanceRegions operation to query the most recent region list.	cn-beijing
	string	No	The IDs of the source regions from which routes are evaluated. You can enter at most 32 region IDs. You can call the DescribeChildInstanceRegions operation to query the most recent region list.	cn-beijing
SourceChildInstanceTypes	array	No	The types of source network instance to which the routes belong. The following types of network instances are supported: VPC: VPC VBR: VBR CCN: CCN instance VPN: VPN gateway or IPsec connection If the IPsec-VPN connection or SSL client is associated with a VPN gateway, the VPC associated with the VPN gateway must be connected to a transit router, and the VPN gateway must use BGP dynamic routing. Otherwise, this parameter cannot take effect. This parameter takes effect if the IPsec connection is directly connected to a transit router. You can specify one or more network instance types.	VPC
	string	No	The types of source network instance to which the routes belong. The following types of network instances are supported: VPC: VPC VBR: VBR CCN: CCN instance VPN :VPN gateway or IPsec-VPN connection If the IPsec-VPN connection or SSL client is associated with a VPN gateway, the VPC associated with the VPN gateway must be connected to a transit router, and the VPN gateway must use BGP dynamic routing. Otherwise, this parameter cannot take effect. This parameter takes effect if the IPsec connection is directly connected to a transit router. You can specify one or more network instance types.	VPC
DestinationChildInstanceTypes	array	No	The types of destination network instance to which the routes belong. The following types of network instances are supported: VPC: VPC VBR: VBR CCN: CCN instance VPN: IPsec connection Note This parameter does not take effect if the IPsec-VPN connection or SSL client is associated with a transit router through a VPN gateway and a VPC. This parameter takes effect only if the IPsec connection is directly connected to the transit router. You can specify one or more network instance types. Note The destination network instance types are valid only if the routing policy is applied to scenarios where routes are advertised from the gateway in the current region to network instances in the current region.	VPC
	string	No	The types of destination network instance to which the routes belong. The following types of network instances are supported: VPC: VPC VBR: VBR CCN: CCN instance VPN: IPsec connection Note This parameter does not take effect if the IPsec-VPN connection or SSL client is associated with a transit router through a VPN gateway and a VPC. This parameter takes effect only if the IPsec connection is directly connected to the transit router. You can specify one or more network instance types. Note The destination network instance types are valid only if the routing policy is applied to scenarios where routes are advertised from the gateway in the current region to network instances in the current region.	VPC
DestinationCidrBlocks	array	No	The prefix list against which routes are matched. Specify IP addresses in CIDR notations. You can specify at most 32 CIDR blocks. IPv4 and IPv4 addresses are supported.	10.10.10.0/24
	string	No	The prefix list against which routes are matched. Specify IP addresses in CIDR notations. You can specify at most 32 CIDR blocks. IPv4 and IPv4 addresses are supported.	10.10.10.0/24
RouteTypes	array	No	The type of route to be compared. Valid values: The following route types are supported: System: system routes that are automatically generated by the system. Custom: custom routes that are manually added. BGP: routes that are advertised over BGP. You can specify multiple route types.	System
	string	No	The type of route to be compared. Valid values: The following route types are supported: System: system routes that are automatically generated by the system. Custom: custom routes that are manually added. BGP: routes that are advertised over BGP. You can specify multiple route types.	System
MatchAsns	array	No	The AS paths based on which routes are compared. You can specify at most 32 AS numbers. Note Only the AS-SEQUENCE parameter is supported. The AS-SET, AS-CONFED-SEQUENCE, and AS-CONFED-SET parameters are not supported. In other words, only the AS number list is supported. Sets and sub-lists are not supported.	65501
	integer	No	The AS paths based on which routes are compared. You can specify at most 32 AS numbers. Note Only the AS-SEQUENCE parameter is supported. The AS-SET, AS-CONFED-SEQUENCE, and AS-CONFED-SET parameters are not supported. In other words, only the AS number list is supported. Sets and sub-lists are not supported.	65501
MatchCommunitySet	array	No	The community set based on which routes are compared. Specify the community in the format of n:m. Valid values of n and m: 1 to 65535. Each community must comply with the RFC 1997 standard. The RFC 8092 standard that defines Border Gateway Protocol (BGP) large communities is not supported. You can specify at most 32 communities. Note If the configurations of the communities are incorrect, routes may fail to be advertised to your data center.	65501:1
	string	No	The community set based on which routes are compared. Specify the community in the format of n:m. Valid values of n and m: 1 to 65535. Each community must comply with the RFC 1997 standard. The RFC 8092 standard that defines Border Gateway Protocol (BGP) large communities is not supported. You can specify at most 32 communities. Note If the configurations of the communities are incorrect, routes may fail to be advertised to your data center.	65501:1
OperateCommunitySet	array	No	The community set on which actions are performed. Specify the community in the format of n:m. Valid values of n and m: 1 to 65535. Each community must comply with RFC 1997. The RFC 8092 standard that defines BGP large communities is not supported. You can specify at most 32 communities. Note If the configurations of the communities are incorrect, routes may fail to be advertised to your data center.	65501:1
	string	No	The community set on which actions are performed. Specify the community in the format of n:m. Valid values of n and m: 1 to 65535. Each community must comply with RFC 1997. The RFC 8092 standard that defines BGP large communities is not supported. You can specify at most 32 communities. Note If the configurations of the communities are incorrect, routes may fail to be advertised to your data center.	65501:1
PrependAsPath	array	No	The AS paths that are prepended by using an action statement when regional gateways receive or advertise routes. The AS paths vary based on the direction in which the routing policy is applied: If AS paths are prepended to a routing policy that is applied in the inbound direction, you must specify source network instance IDs and the source region in the match condition. In addition, the source region must be the same as the region where the routing policy is applied. If AS paths are prepended to a routing policy that is applied in the outbound direction, you must specify destination network instance IDs in the match condition. This parameter specifies the action to be performed when a route meets the match condition. You can specify at most 32 AS numbers.	65501
	integer	No	The AS paths that are prepended by using an action statement when regional gateways receive or advertise routes. The AS paths vary based on the direction in which the routing policy is applied: If AS paths are prepended to a routing policy that is applied in the inbound direction, you must specify source network instance IDs and the source region in the match condition. In addition, the source region must be the same as the region where the routing policy is applied. If AS paths are prepended to a routing policy that is applied in the outbound direction, you must specify destination network instance IDs in the match condition. This parameter specifies the action to be performed when a route meets the match condition. You can specify at most 32 AS numbers.	65501
DestinationRegionIds	array	No	The destination region IDs of the route. You can specify at most 32 region IDs.
	string	No	The destination region IDs of the route. You can specify at most 32 region IDs.	cn-beijing

Response parameters

Parameter	Type	Description	Example
	object	The returned result.
RouteMapId	string	The ID of the routing policy.	cenrmap-w4yf7toozfol3q****
RequestId	string	The ID of the request.	62172DD5-6BAC-45DF-8D44-56SDF467BAC

Examples

Success response

JSON format

{
  "RouteMapId": "cenrmap-w4yf7toozfol3q****",
  "RequestId": "62172DD5-6BAC-45DF-8D44-56SDF467BAC"
}

Error codes

HTTP status code	Error code	Error message	Description
400	Forbidden.CenRouteMapExist	The specified CEN route map ID already exists.	The specified CEN route map ID already exists.
400	Invid.Parameter	When using PrependAsPath in the RegionIn, SourceRegionId must be local region Id.
400	InvalidOperation.NoEffictiveAction	No effective action be configured.	The error message returned because the specified action is invalid.
400	IncorrectStatus.TransitRouterInstance	The status of TransitRouter is incorrect.	The error message returned because the transit router is in an invalid state.
400	InvalidDescription	Description is invalid.	The error message returned because the description is invalid.
400	IllegalParam.ZoneId	The specified ZoneId is illegal.	The error message returned because the specified zone is invalid.
400	Forbidden.NoMedAuthorized	Med operation is unauthorized.	Unable to operate on the specified Med routing policy.
400	InvalidOperation.MedRouteMapExist	Operation is invalid because the default med route map already exist.	The operation is invalid because there is already a med routeMap with the next hop destination for this Ecr instance.
400	InvalidOperation.MedRouteMapNotAllowedOtherAction	Operation is invalid because the default med not allowed other action.	the med policy does not allow to configure other policies.
400	InvalidOperation.MedRouteMapActionMustPermit	Operation is invalid because the default med map result must be permit.	Operation is invalid because the default med map result must be permit.
400	InvalidParameter.MedRouteMapDestInstanceIds	Param DestInstanceIds must be ecr instance id.	The destination instance list of med routeMap must be ECR instance.
400	InvalidParameter.MedRouteMapDestInstanceType	Param DestChildInstanceTypes must be ecr.	The destination instance type of the med routeMap must be ECR.
400	InvalidParameter	Invalid parameter.	The error message returned because the parameter is set to an invalid value.
400	Unauthorized	The AccessKeyId is unauthorized.	The error message returned because you do not have the permissions to perform this operation.

See Error Codes for a complete list.

Release notes

See Release Notes for a complete list.