All Products
Search
Document Center

Cloud Firewall:DescribeControlPolicy

Last Updated:Jun 10, 2026

Retrieves information about all access control policies.

Operation description

This operation performs a paged query for information about access control policies.

QPS limit

The queries per second (QPS) limit for this operation is 10 for a single user. If you exceed this limit, API calls are throttled. This may affect your business. Plan your calls accordingly.

Try it now

Try this API in OpenAPI Explorer, no manual signing needed. Successful calls auto-generate SDK code matching your parameters. Download it with built-in credential security for local usage.

Test

RAM authorization

The table below describes the authorization required to call this API. You can define it in a Resource Access Management (RAM) policy. The table's columns are detailed below:

  • Action: The actions can be used in the Action element of RAM permission policy statements to grant permissions to perform the operation.

  • API: The API that you can call to perform the action.

  • Access level: The predefined level of access granted for each API. Valid values: create, list, get, update, and delete.

  • Resource type: The type of the resource that supports authorization to perform the action. It indicates if the action supports resource-level permission. The specified resource must be compatible with the action. Otherwise, the policy will be ineffective.

    • For APIs with resource-level permissions, required resource types are marked with an asterisk (*). Specify the corresponding Alibaba Cloud Resource Name (ARN) in the Resource element of the policy.

    • For APIs without resource-level permissions, it is shown as All Resources. Use an asterisk (*) in the Resource element of the policy.

  • Condition key: The condition keys defined by the service. The key allows for granular control, applying to either actions alone or actions associated with specific resources. In addition to service-specific condition keys, Alibaba Cloud provides a set of common condition keys applicable across all RAM-supported services.

  • Dependent action: The dependent actions required to run the action. To complete the action, the RAM user or the RAM role must have the permissions to perform all dependent actions.

Action

Access level

Resource type

Condition key

Dependent action

yundun-cloudfirewall:DescribeControlPolicy

get

*ControlPolicyOrder

acs:cloudfirewall::{#accountId}:controlpolicy/{#AclUuid}/controlpolicyorder/{#Direction}

*ControlPolicy

acs:cloudfirewall::{#accountId}:controlpolicy/{#AclUuid}

None None

Request parameters

Parameter

Type

Required

Description

Example

Lang

string

No

The language of the response message. Valid values:

  • zh (default): Chinese

  • en: English

zh

Lang

string

No

The language of the response message. Valid values:

  • zh (default): Chinese

  • en: English

zh

Direction

string

No

The traffic direction that the access control policy controls. Valid values:

  • in: Inbound traffic from an external source to an internal destination.

  • out: Outbound traffic from an internal source to an external destination.

Valid values:

  • in :

    Inbound traffic from an external source to an internal destination.

  • out :

    Outbound traffic from an internal source to an external destination.

in

CurrentPage

string

Yes

The number of the page to return.

Default value: 1.

1

PageSize

string

Yes

The number of entries to return on each page.

10

Source

string

No

The source address in the access control policy. Fuzzy queries are supported. The value of this parameter varies based on the value of the `SourceType` parameter.

  • If `SourceType` is `net`, the value of this parameter is a CIDR block. Example: 192.0.XX.XX/24.

  • If `SourceType` is `group`, the value of this parameter is the name of a source address book. Example: `db_group`. If you leave this parameter empty, all source addresses are queried.

  • If `SourceType` is `location`, the value of this parameter is a source region. Example: `Beijing` or `beijing`. You can use either the Chinese name or the English name for the query.

Note

If you do not set this parameter, all types of source addresses are queried.

192.0.XX.XX

Destination

string

No

The destination address in the access control policy. Fuzzy queries are supported. The value of this parameter varies based on the value of the `DestinationType` parameter.

  • If `DestinationType` is `net`, the value of this parameter is a CIDR block. Example: 10.0.3.0/24.

  • If `DestinationType` is `domain`, the value of this parameter is a domain name. Example: aliyun.

  • If `DestinationType` is `group`, the value of this parameter is the name of an address book. Example: db_group.

  • If `DestinationType` is `location`, the value of this parameter is a region name. For more information about region codes, see AddControlPolicy. Example: `["BJ11", "ZB"]`.

Note

If you do not set this parameter, all types of destination addresses are queried.

192.0.XX.XX

Description

string

No

The description of the access control policy. Fuzzy queries are supported.

Note

If you do not set this parameter, the descriptions of all policies are queried.

test

Proto

string

No

The protocol type of the traffic in the access control policy. Valid values:

  • TCP

  • UDP

  • ICMP

  • ANY (all protocol types)

Note

If you do not set this parameter, all protocol types are queried.

TCP

AclAction

string

No

The action that Cloud Firewall performs on the traffic. Valid values:

  • accept: Allow

  • drop: Deny

  • log: Monitor

Note

If you do not set this parameter, all action types are queried.

accept

Release

string

No

The status of the access control policy. Valid values:

  • true: The access control policy is enabled.

  • false: The access control policy is disabled.

true

AclUuid

string

No

The unique ID of the access control policy.

00281255-d220-4db1-8f4f-c4df221a****

IpVersion

string

No

The IP version supported. Valid values:

  • 4 (default): IPv4 address

  • 6: IPv6 address

Valid values:

  • 4 :

    IPv4

  • 6 :

    IPv6

6

RepeatType

string

No

The recurrence type for the policy validity period of the access control policy. Valid values:

  • Permanent (default): Always

  • None: One-time

  • Daily: Daily

  • Weekly: Weekly

  • Monthly: Monthly

Valid values:

  • Daily :

    Daily

  • Monthly :

    Monthly

  • Permanent :

    Always

  • Weekly :

    Weekly

  • None :

    One-time

Permanent

Response elements

Element

Type

Description

Example

object

PageNo

string

The page number of the returned page.

1

PageSize

string

The number of entries returned per page.

10

RequestId

string

The ID of the request.

CBF1E9B7-D6A0-4E9E-AD3E-2B47E6C2****

TotalCount

string

The total number of access control policies.

100

Policys

array<object>

The information about the access control policies.

object

The details of the access control policy.

Direction

string

The traffic direction of the access control policy. Valid values:

  • in: inbound traffic

  • out: outbound traffic

in

Order

integer

The priority of the access control policy.

The priority value starts from 1 and increases sequentially. A smaller value indicates a higher priority.

1

SourceType

string

The source address type in the access control policy. Valid values:

  • net: source CIDR block

  • group: source address book

  • location: source region

net

ApplicationName

string

The application type supported by the access control policy. Use `ApplicationNameList` instead. Valid values:

  • FTP

  • HTTP

  • HTTPS

  • Memcache

  • MongoDB

  • MQTT

  • MySQL

  • RDP

  • Redis

  • SMTP

  • SMTPS

  • SSH

  • SSL

  • VNC

  • ANY (all application types)

HTTP

HitTimes

integer

The number of hits for the access control policy.

100

Description

string

The description of the access control policy.

test

SourceGroupType

string

The type of the source address book in the access control policy. Valid values:

  • ip: An IP address book that contains one or more CIDR blocks.

  • tag: An ECS tag-based address book that contains the IP addresses of the ECS instances with one or more tags.

  • domain: A domain name address book that contains one or more domain names.

  • threat: A threat intelligence address book that contains one or more malicious IP addresses or domain names.

  • backsrc: An origin URL address book that contains the origin URLs of one or more Anti-DDoS or WAF instances.

ip

DnsResultTime

integer

The timestamp of the DNS resolution. The value is a UNIX timestamp. Unit: seconds.

1579261141

DnsResult deprecated

string

The result of the DNS resolution.

192.0.XX.XX,192.0.XX.XX

Proto

string

The protocol type of the traffic in the access control policy. Valid values:

  • ANY

  • TCP

  • UDP

  • ICMP

TCP

DestinationGroupType

string

The type of the destination address book in the access control policy. Valid values:

  • ip: An IP address book that contains one or more CIDR blocks.

  • tag: An ECS tag-based address book that contains the IP addresses of the ECS instances with one or more tags.

  • domain: A domain name address book that contains one or more domain names.

  • threat: A threat intelligence address book that contains one or more malicious IP addresses or domain names.

  • backsrc: An origin URL address book that contains the origin URLs of one or more Anti-DDoS or WAF instances.

ip

Destination

string

The destination address in the access control policy. The value of this parameter varies based on the value of the `DestinationType` parameter. Valid values:

  • If DestinationType is net, the destination address is a CIDR block. Example: 192.0.XX.XX/24.

  • If DestinationType is domain, the destination address is a domain name. Example: aliyuncs.com.

  • If DestinationType is group, the destination address is the name of an address book. Example: db_group.

  • If DestinationType is location, the destination address is a region name. For more information about region codes, see AddControlPolicy. Example: ["BJ11", "ZB"].

192.0.XX.XX/24

HitLastTime

integer

The timestamp of the last hit. The value is a UNIX timestamp. Unit: seconds.

1579261141

DestPortGroup

string

The name of the destination port address book for the traffic in the access control policy.

my_port_group

AclUuid

string

The unique ID of the access control policy.

00281255-d220-4db1-8f4f-c4df221a****

DestPortType

string

The destination port type for the traffic in the access control policy. Valid values:

  • port: port

  • group: port address book

port

Source

string

The source address in the access control policy. Valid values:

  • If SourceType is net, the source address is a CIDR block. Example: 192.0.XX.XX/24.

  • If SourceType is group, the source address is the name of a source address book. Example: db_group.

  • If SourceType is location, the source address is a region. For more information about region codes, see AddControlPolicy. Example: ["BJ11", "ZB"].

192.0.XX.XX/24

DestinationType

string

The destination address type in the access control policy. Valid values:

  • net: destination CIDR block

  • group: destination address book

  • domain: destination domain name

  • location: destination region

net

DestPort

string

The destination port for the traffic in the access control policy.

80

IpVersion

integer

The IP version supported. Valid values:

  • 4: IPv4 address

  • 6: IPv6 address

6

AclAction

string

The action that Cloud Firewall performs on the traffic. Valid values:

  • accept: Allow

  • drop: Deny

  • log: Monitor

accept

Release

string

The status of the access control policy. The policy is enabled by default after it is created. Valid values:

  • true: The access control policy is enabled.

  • false: The access control policy is disabled.

true

ApplicationId

string

The application ID for the traffic in the access control policy.

10***

DestinationGroupCidrs

array

The list of CIDR blocks in the destination address book of the access control policy.

string

The CIDR block in the destination address book of the access control policy.

192.0.XX.XX/24

DestPortGroupPorts

array

The list of ports in the destination port address book.

string

The port in the destination port address book.

80/80

SourceGroupCidrs

array

The list of CIDR blocks in the source address book of the access control policy.

string

The CIDR block in the source address book of the access control policy.

192.0.XX.XX/24

ApplicationNameList

array

The list of application names.

string

The list of application types supported by the access control policy. Valid values:

  • FTP

  • HTTP

  • HTTPS

  • Memcache

  • MongoDB

  • MQTT

  • MySQL

  • RDP

  • Redis

  • SMTP

  • SMTPS

  • SSH

  • SSL

  • VNC

  • ANY (all application types)

HTTP

SpreadCnt

integer

The number of specification entries that the access control policy consumes. This is the sum of entries consumed by each policy. The number of entries for a single policy is calculated as: Number of source addresses (CIDR blocks or regions) × Number of destination addresses (CIDR blocks, regions, or domain names) × Number of port ranges × Number of applications.

10000

CreateTime

integer

The time when the policy was created. The value is a UNIX timestamp. Unit: seconds.

1761062400

ModifyTime

integer

The time when the policy was last modified. The value is a UNIX timestamp. Unit: seconds.

1761062400

RepeatType

string

The recurrence type for the policy validity period of the access control policy. Valid values:

  • Permanent (default): Always

  • None: One-time

  • Daily: Daily

  • Weekly: Weekly

  • Monthly: Monthly

Valid values:

  • Daily :

    Daily

  • Monthly :

    Monthly

  • Permanent :

    Always

  • Weekly :

    Weekly

  • None :

    One-time

Permanent

RepeatDays

array

The collection of recurring dates for the policy validity period of the access control policy.

  • If `RepeatType` is `Permanent`, `None`, or `Daily`, `RepeatDays` is an empty collection. Example: []

  • If `RepeatType` is `Weekly`, `RepeatDays` cannot be empty. Example: [0, 6]

Note

If `RepeatType` is set to `Weekly`, `RepeatDays` cannot contain duplicate values.

  • If `RepeatType` is `Monthly`, `RepeatDays` cannot be empty. Example: [1, 31]

Note

If `RepeatType` is set to `Monthly`, `RepeatDays` cannot contain duplicate values.

integer

The recurring date for the policy validity period of the access control policy.

Note

If `RepeatType` is set to `Weekly`, the value range is 0 to 6. The week starts on Sunday. If `RepeatType` is set to `Monthly`, the value range is 1 to 31.

1

RepeatStartTime

string

The recurring start time for the policy validity period of the access control policy. Example: `08:00`. The time must be on the hour or half-hour, and at least 30 minutes earlier than the recurring end time.

Note

If `RepeatType` is `Permanent` or `None`, `RepeatStartTime` is empty. If `RepeatType` is `Daily`, `Weekly`, or `Monthly`, this parameter is required. The time is in the HH:mm format (24-hour). Examples: `08:00` and `23:30`.

08:00

RepeatEndTime

string

The recurring end time for the policy validity period of the access control policy. Example: `23:30`. The time must be on the hour or half-hour, and at least 30 minutes later than the recurring start time.

Note

If `RepeatType` is `Permanent` or `None`, `RepeatEndTime` is empty. If `RepeatType` is `Daily`, `Weekly`, or `Monthly`, this parameter is required. The time is in the HH:mm format (24-hour). Examples: `08:00` and `23:30`.

23:30

StartTime

integer

The start time of the policy validity period for the access control policy. The value is a UNIX timestamp. The time must be on the hour or half-hour, and at least 30 minutes earlier than the end time.

Note

If `RepeatType` is `Permanent`, `StartTime` is empty. If `RepeatType` is `None`, `Daily`, `Weekly`, or `Monthly`, this parameter is required.

1694761200

EndTime

integer

The end time of the policy validity period for the access control policy. The value is a UNIX timestamp. The time must be on the hour or half-hour, and at least 30 minutes later than the start time.

Note

If `RepeatType` is `Permanent`, `EndTime` is empty. If `RepeatType` is `None`, `Daily`, `Weekly`, or `Monthly`, this parameter is required.

1694764800

DomainResolveType

string

The domain name resolution method of the access control policy. Valid values:

  • FQDN: FQDN-based

  • DNS: DNS-based dynamic resolution

  • FQDN_AND_DNS: FQDN- and DNS-based dynamic resolution

FQDN

Examples

Success response

JSON format

{
  "PageNo": "1",
  "PageSize": "10",
  "RequestId": "CBF1E9B7-D6A0-4E9E-AD3E-2B47E6C2****",
  "TotalCount": "100",
  "Policys": [
    {
      "Direction": "in",
      "Order": 1,
      "SourceType": "net",
      "ApplicationName": "HTTP",
      "HitTimes": 100,
      "Description": "test",
      "SourceGroupType": "ip",
      "DnsResultTime": 1579261141,
      "DnsResult": "192.0.XX.XX,192.0.XX.XX",
      "Proto": "TCP",
      "DestinationGroupType": "ip",
      "Destination": "192.0.XX.XX/24",
      "HitLastTime": 1579261141,
      "DestPortGroup": "my_port_group",
      "AclUuid": "00281255-d220-4db1-8f4f-c4df221a****",
      "DestPortType": "port",
      "Source": "192.0.XX.XX/24",
      "DestinationType": "net",
      "DestPort": "80",
      "IpVersion": 6,
      "AclAction": "accept",
      "Release": "true",
      "ApplicationId": "10***",
      "DestinationGroupCidrs": [
        "192.0.XX.XX/24"
      ],
      "DestPortGroupPorts": [
        "80/80"
      ],
      "SourceGroupCidrs": [
        "192.0.XX.XX/24"
      ],
      "ApplicationNameList": [
        "HTTP"
      ],
      "SpreadCnt": 10000,
      "CreateTime": 1761062400,
      "ModifyTime": 1761062400,
      "RepeatType": "Permanent",
      "RepeatDays": [
        1
      ],
      "RepeatStartTime": "08:00",
      "RepeatEndTime": "23:30",
      "StartTime": 1694761200,
      "EndTime": 1694764800,
      "DomainResolveType": "FQDN"
    }
  ]
}

Error codes

HTTP status code

Error code

Error message

Description

400 ErrorParametersUid The aliUid parameter is invalid. The aliUid parameter is invalid.
400 ErrorParametersPageSizeOrNo Either pageSize or pageNo is invalid. Either pageSize or pageNo is invalid.
400 ErrorParameterIpVersion The IP version is invalid. The IP version is invalid.
400 ErrorParametersDirection The direction is invalid. The direction is invalid.
400 ErrorDBSelect An error occurred while querying database. An error occurred while querying database.
400 ErrorUnmarshalJSON An error occurred while parsing JSON. An error occurred while decoding JSON.
400 ErrorUUIDNew The UUID is invalid. The UUID is invalid.
400 ErrorParametersAppId The AppId parameter is incorrect. The AppId parameter is invalid.
400 ErrorParametersSource The source is invalid. The source is invalid.
400 ErrorDomainResolve An error occurred while resolving the domain. An error occurred while resolving the domain.
400 ErrorParametersDestination The Destination parameter is invalid. The Destination parameter is invalid.
400 ErrorParametersProto The protocol is invalid. The protocol is invalid.
400 ErrorParametersDestPort The dst_port is invalid. The dst_port is invalid.
400 ErrorParametersAction The action is invalid. The action is invalid.
400 ErrorParameters Parameters error. Parameter error.
400 ErrorMarshalJSON An error occurred while encoding JSON. An error occurred while encoding JSON.
400 ErrorParametersAclUuid Specified parameter AclUuid is not valid. Specified parameter AclUuid is not valid.

See Error Codes for a complete list.

Release notes

See Release Notes for a complete list.