All Products
Search
Document Center

Cloud Firewall:AddControlPolicy

Last Updated:Jun 17, 2026

Adds an access control policy.

Operation description

You can call this operation to create a policy that allows, denies, or monitors traffic that passes through Cloud Firewall.

Rate limit

The single-user queries per second (QPS) limit for this operation is 10. If the number of calls per second exceeds the limit, throttling is triggered. Throttling may affect your business. Call this operation as needed.

Try it now

Try this API in OpenAPI Explorer, no manual signing needed. Successful calls auto-generate SDK code matching your parameters. Download it with built-in credential security for local usage.

Test

RAM authorization

The table below describes the authorization required to call this API. You can define it in a Resource Access Management (RAM) policy. The table's columns are detailed below:

  • Action: The actions can be used in the Action element of RAM permission policy statements to grant permissions to perform the operation.

  • API: The API that you can call to perform the action.

  • Access level: The predefined level of access granted for each API. Valid values: create, list, get, update, and delete.

  • Resource type: The type of the resource that supports authorization to perform the action. It indicates if the action supports resource-level permission. The specified resource must be compatible with the action. Otherwise, the policy will be ineffective.

    • For APIs with resource-level permissions, required resource types are marked with an asterisk (*). Specify the corresponding Alibaba Cloud Resource Name (ARN) in the Resource element of the policy.

    • For APIs without resource-level permissions, it is shown as All Resources. Use an asterisk (*) in the Resource element of the policy.

  • Condition key: The condition keys defined by the service. The key allows for granular control, applying to either actions alone or actions associated with specific resources. In addition to service-specific condition keys, Alibaba Cloud provides a set of common condition keys applicable across all RAM-supported services.

  • Dependent action: The dependent actions required to run the action. To complete the action, the RAM user or the RAM role must have the permissions to perform all dependent actions.

Action

Access level

Resource type

Condition key

Dependent action

yundun-cloudfirewall:AddControlPolicy

create

*ControlPolicy

acs:cloudfirewall::{#accountId}:controlpolicy/*

None None

Request parameters

Parameter

Type

Required

Description

Example

SourceIp deprecated

string

No

The source IP address of the request.

192.0.XX.XX

Lang

string

No

The language of the request and response. Valid values:

  • zh (default): Chinese

  • en: English.

zh

AclAction

string

Yes

The action that is set in the access control policy. Settings the method in which traffic passes through Cloud Firewall. Valid values:

  • accept: allows the access.

  • drop: deny the access.

  • log: monitors the traffic.

accept

ApplicationName deprecated

string

No

The application type supported by the access control policy. Valid values:

  • FTP

  • HTTP

  • HTTPS

  • Memcache

  • MongoDB

  • MQTT

  • MySQL

  • RDP

  • Redis

  • SMTP

  • SMTPS

  • SSH

  • SSL_No_Cert

  • SSL

  • VNC

  • ANY: all application types

Note

The valid values of ApplicationName depend on the value of the protocol type (Proto). If Proto is set to TCP, ApplicationName can be set to any of the preceding application types. If Proto is set to UDP, ICMP, or ANY, ApplicationName can be set only to ANY. You must specify either ApplicationNameList or ApplicationName. You cannot leave both of them empty.

ANY

Description

string

Yes

The description of the access control policy.

Release flow

DestPort

string

No

The destination port in the access control policy. Valid values:

  • If the protocol type is ICMP, the value of DestPort is empty.

Note

If the protocol type is ICMP, access control on the destination port is not supported.

  • If the protocol type is TCP, UDP, or ANY, and the destination port type (DestPortType) is group, the value of DestPort is empty.

Note

If the destination port type of the access control policy is set to group (port address book), you do not need to specify a destination port number. All ports that the access control policy manages are included in the port address book.

  • If the protocol type is TCP, UDP, or ANY, and the destination port type (DestPortType) is port, the value of DestPort is the destination port number.

80

Destination

string

Yes

The destination address in the access control policy.

Valid values:

  • If DestinationType is set to net, the value of Destination is a destination CIDR block.

    Example: 1.2.XX.XX/24

  • If DestinationType is set to group, the value of Destination is a destination address book name.

    Example: db_group

  • If DestinationType is set to domain, the value of Destination is a destination domain name.

    Example: *.aliyuncs.com

  • If DestinationType is set to location, the value of Destination is a destination region.

    Example: ["BJ11", "ZB"]

Note

If Destination is set to a destination region, for more information, see Region codes.

192.0.XX.XX/24

DestinationType

string

Yes

The type of the destination address in the access control policy. Valid values:

  • net: destination CIDR block

  • group: destination address book

  • domain: destination domain name

  • location: destination region.

net

Direction

string

Yes

The traffic direction of the access control policy. Valid values:

  • in: inbound traffic

  • out: outbound traffic.

in

Proto

string

Yes

The protocol type in the access control policy. Valid values:

  • ANY: any protocol

  • TCP

  • UDP

  • ICMP

Note

If the traffic direction is outbound and the destination address is a threat intelligence address book or cloud service address book of the domain name type, only TCP is supported. The application type can be set to HTTP, HTTPS, SMTP, SMTPS, or SSL.

ANY

Source

string

Yes

The source address in the access control policy. Valid values:

  • If SourceType is set to net, the value of Source is a source CIDR block.

    Example: 1.1.XX.XX/24

  • If SourceType is set to group, the value of Source is a source address book name.

    Example: db_group

  • If SourceType is set to location, the value of Source is a source region.

    Example: ["BJ11", "ZB"]

Note

If Source is set to a source region, for more information, see Region codes.

192.0.XX.XX/24

SourceType

string

Yes

The type of the source address in the access control policy. Valid values:

  • net: source CIDR block

  • group: source address book

  • location: source region.

net

NewOrder

string

Yes

The priority of the access control policy. The priority value starts from 1. A smaller value indicates a higher priority.

1

DestPortType

string

No

The type of the destination port in the access control policy.

Valid values:

  • port: port

  • group: port address book.

port

DestPortGroup

string

No

The name of the destination port address book in the access control policy.

Note

If DestPortType is set to group, you must specify the destination port address book name.

my_port_group

Release

string

No

Specifies whether to enable the access control policy. The policy is enabled by default after it is created. Valid values:

  • true: enables the access control policy.

  • false: disables the access control policy.

true

IpVersion

string

No

The IP address version supported.

Valid values:

  • 4: IPv4

  • 6: IPv6.

6

ApplicationNameList

array

No

The application types supported by the access control policy.

string

No

The application type supported by the access control policy. Valid values:

  • FTP

  • HTTP

  • HTTPS

  • Memcache

  • MongoDB

  • MQTT

  • MySQL

  • RDP

  • Redis

  • SMTP

  • SMTPS

  • SSH

  • SSL_No_Cert

  • SSL

  • VNC

  • ANY: all application types

Note

The valid values of ApplicationNameList depend on the value of the protocol type (Proto). If Proto is set to TCP, ApplicationNameList can be set to any of the preceding application types, in the format of ["HTTP","HTTPS",……]. If Proto is set to UDP, ICMP, or ANY, ApplicationNameList can be set only to ANY. You must specify either ApplicationNameList or ApplicationName. You cannot leave both of them empty. If both ApplicationNameList and ApplicationName are specified, the value of ApplicationNameList takes precedence.

["ANY"]

RepeatType

string

No

The recurrence type of the policy validity period for the access control policy. Valid values:

  • Permanent (default): The policy is always valid.

  • None: The policy is valid for a specified single time period.

  • Daily: The policy is valid on a daily basis.

  • Weekly: The policy is valid on a weekly basis.

  • Monthly: The policy is valid on a monthly basis.

Valid values:

  • Daily :

    daily.

  • Monthly :

    monthly.

  • Permanent :

    always.

  • Weekly :

    weekly.

  • None :

    specified single time period.

Permanent

RepeatDays

array

No

The days of the recurrence for the policy validity period of the access control policy.

  • If RepeatType is set to Permanent, None, or Daily, the value of RepeatDays is an empty array. Example: []

  • If RepeatType is set to Weekly, the value of RepeatDays must not be empty. Example: [0, 6]

Note

If RepeatType is set to Weekly, the values in RepeatDays cannot be repeated.

  • If RepeatType is set to Monthly, the value of RepeatDays must not be empty. Example: [1, 31]

Note

If RepeatType is set to Monthly, the values in RepeatDays cannot be repeated.

integer

No

The recurrence day of the policy validity period for the access control policy.

Note

If RepeatType is set to Weekly, the valid values are 0 to 6. The week starts on Sunday. If RepeatType is set to Monthly, the valid values are 1 to 31.

1

RepeatStartTime

string

No

The recurrence start time of the policy validity period for the access control policy. Example: 08:00. The value must be on the hour or on the half hour, and at least 30 minutes earlier than the recurrence end time.

Note

If RepeatType is set to Permanent or None, this parameter is left empty. If RepeatType is set to Daily, Weekly, or Monthly, this parameter is required. The time is in the HH:mm format (24-hour clock). Example: 08:00 or 23:30.

08:00

RepeatEndTime

string

No

The recurrence end time of the policy validity period for the access control policy. Example: 23:30. The value must be on the hour or on the half hour, and at least 30 minutes later than the recurrence start time.

Note

If RepeatType is set to Permanent or None, this parameter is left empty. If RepeatType is set to Daily, Weekly, or Monthly, this parameter is required. The time is in the HH:mm format (24-hour clock). Example: 08:00 or 23:30.

23:30

StartTime

integer

No

The start time of the policy validity period for the access control policy. The value is a UNIX timestamp in seconds. The value must be on the hour or on the half hour, and at least 30 minutes earlier than the end time.

Note

If RepeatType is set to Permanent, this parameter is left empty. If RepeatType is set to None, Daily, Weekly, or Monthly, this parameter is required.

1694761200

EndTime

integer

No

The end time of the policy validity period for the access control policy. The value is a UNIX timestamp in seconds. The value must be on the hour or on the half hour, and at least 30 minutes later than the start time.

Note

If RepeatType is set to Permanent, this parameter is left empty. If RepeatType is set to None, Daily, Weekly, or Monthly, this parameter is required.

1694764800

DomainResolveType

string

No

The domain name resolution method of the access control policy. Valid values:

  • FQDN: FQDN-based resolution

  • DNS: DNS-based dynamic resolution

  • FQDN_AND_DNS: FQDN-based and DNS-based dynamic resolution.

FQDN

Response elements

Element

Type

Description

Example

object

AclUuid

string

The unique identity ID of the access control policy for the Internet Border firewall.

00281255-d220-4db1-8f4f-c4df221ad84c

RequestId

string

The request ID.

CBF1E9B7-D6A0-4E9E-AD3E-2B47E6C2837D

Examples

Success response

JSON format

{
  "AclUuid": "00281255-d220-4db1-8f4f-c4df221ad84c",
  "RequestId": "CBF1E9B7-D6A0-4E9E-AD3E-2B47E6C2837D"
}

Error codes

HTTP status code

Error code

Error message

Description

400 ErrorAddressCountExceed The maximum number of addresses is exceeded. The maximum number of address is exceeded.
400 ErrorParametersSource The source is invalid. The source is invalid.
400 ErrorDomainResolve An error occurred while resolving the domain. An error occurred while resolving the domain.
400 ErrorParametersDirection The direction is invalid. The direction is invalid.
400 ErrorDBSelect An error occurred while querying database. An error occurred while querying database.
400 ErrorParameterIpVersion The IP version is invalid. The IP version is invalid.
400 ErrorParametersDestination The Destination parameter is invalid. The Destination parameter is invalid.
400 ErrorParametersProto The protocol is invalid. The protocol is invalid.
400 ErrorParametersDestPort The dst_port is invalid. The dst_port is invalid.
400 ErrorParametersAction The action is invalid. The action is invalid.
400 ErrorParametersUid The aliUid parameter is invalid. The aliUid parameter is invalid.
400 ErrorAclDomainAnyCountExceed The number of resolved domain names cannot exceed 200. ACL configuration can be continued for HTTP, HTTPS, SMTP, SMTPS, and SSL applications. The domain name is resolved to more than 200 IP addresses. We recommend that you set Application in your access control policy to HTTPS, HTTPS, SMTP, SMTPS, or SSL.
400 ErrorParametersGroupPort The group port is invalid. The group port is invalid.
400 ErrorParametersFtpNotSupport domain destination not support ftp. FTP application is not supported when the policy destination is a domain name
400 ErrorAclExtendedCountExceed ACL or extended ACL rules are not matched. The quota for access control policies or extra access control policies is exhausted.
400 ErrorParametersDestinationCount Exceeding the number of countries in a single ACL. Exceeds the number of selected areas for one ACL. It is recommended to split it into multiple ACLs.
400 ErrorSrcMand Source is mandatory for this action. This operation requires the specified source.
400 ErrorEmptyDomainResolveType Empty DomainResolveType only support HTTP/HTTPS/SSL/SMTP/SMTPS apps. Empty domain name resolution mode is not supported.
400 ErrorAddressGroupNotExist The address group does not exist. The address group does not exist.
400 ErrorParametersApplicationNameList Specified parameter ApplicationNameList is not valid. Specified parameter ApplicationNameList is not valid.
400 ErrorParametersApplicationName Specified parameter ApplicationName is not valid. Specified parameter ApplicationName is not valid.
400 ErrorApplicationTemplateNotFound Application template not found. Application template does not exist
400 ErrorWebFilterTemplateNotFound Web filter template not found. Web filtering template does not exist
400 ErrorParameters Parameters error. Parameter error.

See Error Codes for a complete list.

Release notes

See Release Notes for a complete list.