All Products
Search
Document Center

Cloud Firewall:CreateVpcFirewallConfigure

Last Updated:Jun 18, 2026

Creates a virtual private cloud (VPC) firewall that protects traffic between two VPCs connected through Express Connect.

Operation description

This operation is used to create a VPC firewall. This virtual private cloud (VPC) firewall protects traffic between two VPCs connected through Express Connect. This VPC firewall does not support protection for cross-region traffic, cross-account traffic, or traffic between a VPC and a virtual border router (VBR). For more information, see VPC firewall limits.

Rate limit

The single-user QPS limit for this operation is 10 calls per second. If this limit is exceeded, the API invocations are throttled, which may affect your business. Manage your invocations appropriately.

Try it now

Try this API in OpenAPI Explorer, no manual signing needed. Successful calls auto-generate SDK code matching your parameters. Download it with built-in credential security for local usage.

Test

RAM authorization

The table below describes the authorization required to call this API. You can define it in a Resource Access Management (RAM) policy. The table's columns are detailed below:

  • Action: The actions can be used in the Action element of RAM permission policy statements to grant permissions to perform the operation.

  • API: The API that you can call to perform the action.

  • Access level: The predefined level of access granted for each API. Valid values: create, list, get, update, and delete.

  • Resource type: The type of the resource that supports authorization to perform the action. It indicates if the action supports resource-level permission. The specified resource must be compatible with the action. Otherwise, the policy will be ineffective.

    • For APIs with resource-level permissions, required resource types are marked with an asterisk (*). Specify the corresponding Alibaba Cloud Resource Name (ARN) in the Resource element of the policy.

    • For APIs without resource-level permissions, it is shown as All Resources. Use an asterisk (*) in the Resource element of the policy.

  • Condition key: The condition keys defined by the service. The key allows for granular control, applying to either actions alone or actions associated with specific resources. In addition to service-specific condition keys, Alibaba Cloud provides a set of common condition keys applicable across all RAM-supported services.

  • Dependent action: The dependent actions required to run the action. To complete the action, the RAM user or the RAM role must have the permissions to perform all dependent actions.

Action

Access level

Resource type

Condition key

Dependent action

yundun-cloudfirewall:CreateVpcFirewallConfigure

create

*VpcFirewall

acs:cloudfirewall::{#accountId}:vpcfirewall/*

None None

Request parameters

Parameter

Type

Required

Description

Example

Lang

string

No

The language of the request and response. Valid values:

  • zh (default): Chinese.

  • en: English.

zh

VpcFirewallName

string

Yes

The instance name of the virtual private cloud (VPC) firewall.

test-vpc-firewall

LocalVpcId

string

Yes

The instance ID of the local VPC.

vpc-8vbwbo90rq0anm6t****

LocalVpcRegion

string

Yes

The region ID of the local VPC.

Note

For more information about the regions supported by Cloud Firewall, see Supported regions.

cn-hangzhou

PeerVpcId

string

Yes

The instance ID of the peer VPC.

vpc-wb8vbo90rq0anm6t****

PeerVpcRegion

string

Yes

The region ID of the peer VPC.

Note

For more information about the regions supported by Cloud Firewall, see Supported regions.

cn-shanghai

FirewallSwitch

string

Yes

Settings for the enabling status of the virtual private cloud (VPC) firewall after it is created. Valid values:

  • open (default): Protection is automatically enabled after the VPC firewall is created.

  • close: Protection is not automatically enabled after the VPC firewall is created. You can invoke the ModifyVpcFirewallSwitchStatus operation to enable protection.

open

LocalVpcCidrTableList

string

Yes

The CIDR block list of the local VPC, in JSON format. This parameter contains the following fields:

  • RouteTableId: the route table ID of the local VPC.

  • RouteEntryList: specified in JSON format. This field contains DestinationCidr (the destination CIDR block of the local VPC) and NextHopInstanceId (the next hop instance ID of the local VPC).

[{"RouteTableId":"vtb-1234","RouteEntryList":[{"DestinationCidr":"192.168.XX.XX/24","NextHopInstanceId":"vrt-m5eb5me6c3l5sezae****"}]},{"RouteTableId":"vtb-1235","RouteEntryList":[{"DestinationCidr":"192.168.XX.XX/24","NextHopInstanceId":"vrt-m5eb5me6c3l5sezae****"}]}]

PeerVpcCidrTableList

string

Yes

The CIDR block list of the peer VPC, in JSON format. This parameter contains the following fields:

  • RouteTableId: the route table ID of the peer VPC.

  • RouteEntryList: specified in JSON format. This field contains DestinationCidr (the destination CIDR block of the peer VPC) and NextHopInstanceId (the next hop instance ID of the peer VPC).

[{"RouteTableId":"vtb-1234","RouteEntryList":[{"DestinationCidr":"192.168.XX.XX/24","NextHopInstanceId":"vrt-m5eb5me6c3l5sezae****"}]},{"RouteTableId":"vtb-1235","RouteEntryList":[{"DestinationCidr":"192.168.XX.XX/24","NextHopInstanceId":"vrt-m5eb5me6c3l5sezae****"}]}]

MemberUid

string

No

The UID of the Alibaba Cloud member account.

258039427902****

Response elements

Element

Type

Description

Example

object

VpcFirewallId

string

The instance ID of the virtual private cloud (VPC) firewall.

vfw-m5e7dbc4y****

RequestId

string

The request ID.

850A84D6-0DE4-4797-A1E8-00090125h4j6

Examples

Success response

JSON format

{
  "VpcFirewallId": "vfw-m5e7dbc4y****",
  "RequestId": "850A84D6-0DE4-4797-A1E8-00090125h4j6"
}

Error codes

HTTP status code

Error code

Error message

Description

400 ErrorAliUid Aliuid invalid. The aliuid is invalid.
400 ErrorInvalidMemberUid Member uid is invalid The member is invalid.
400 ErrorFirewallName Firewall name invalid. Firewall name error, please re-enter.
400 ErrorVpcFirewallExist Vpc firewall already exist. The firewall is already configured and cannot be configured repeatedly.
400 ErrorVpcIdError Vpc ID invalid. The VPC is incorrectly selected. Select another VPC.
400 ErrorRegionNoError Region invalid. Region selection error, please re-enter.
400 ErrorDestCidrError The destination CIDR block is invalid. The specified destination CIDR block is invalid. Enter another value.
400 ErrorDestCidrEmpty The target network segment is empty and cannot be created The destination CIDR block is not specified. The firewall cannot be created.
400 ErrorSameCidrIp The same network segment cannot be configured repeatedly. Please reselect the network segment. The CIDR block is already in use. Specify another CIDR block.
400 ErrorDBSelectError A database select error occurred. The error message returned because an internal error has occurred in querying the database.
400 ErrorCidrFormat Cidr ip format error. CIDR format error, please re-select
400 ErrorCidrIpAddress cidr ip error. The destination network segment is incorrect, please select again.
400 ErrorCustomRouteEntryMax custom route exceeds maximum limit. The number of target CIDR blocks exceeds the maximum number. Reduce the number of CIDR blocks.
400 ErrorVpcFirewallNotFound Vpc firewall not found. The specified VPC firewall does not exist. Select another one.
400 ErrorInvalidMemberUidStatus invalid member uid status. The status of the member account is invalid. This operation is not supported.
400 ErrorGeneralInstanceSpecFull Cloud Firewall instance specifications are full. Cloud Firewall instance specifications are full.
400 ErrorBandwidthPenalty Cloud Firewall bandwidth is being overused. Cloud Firewall bandwidth is being overused.
400 ErrorCenVpcEcConflict The cloud enterprise network VPC conflicts with the Express Connect VPC. The cloud enterprise network VPC conflicts with the Express Connect VPC and the firewall cannot be enabled. Please select
400 ErrorFirewallQuotaNotEmpty The quota for VPC firewalls is exceeded. The quota is insufficient. You cannot configure the VPC firewall. Increase the quota.
400 ErrorRouteTableIdNotFound Route table id not found. Routing table ID not found

See Error Codes for a complete list.

Release notes

See Release Notes for a complete list.