All Products
Search
Document Center

Cloud Firewall:CreateNatFirewallControlPolicy

Last Updated:Jun 08, 2026

Add an access control policy to a NAT firewall.

Operation description

This API creates a policy to allow, deny, or observe traffic through the NAT Firewall.

Try it now

Try this API in OpenAPI Explorer, no manual signing needed. Successful calls auto-generate SDK code matching your parameters. Download it with built-in credential security for local usage.

Test

RAM authorization

The table below describes the authorization required to call this API. You can define it in a Resource Access Management (RAM) policy. The table's columns are detailed below:

  • Action: The actions can be used in the Action element of RAM permission policy statements to grant permissions to perform the operation.

  • API: The API that you can call to perform the action.

  • Access level: The predefined level of access granted for each API. Valid values: create, list, get, update, and delete.

  • Resource type: The type of the resource that supports authorization to perform the action. It indicates if the action supports resource-level permission. The specified resource must be compatible with the action. Otherwise, the policy will be ineffective.

    • For APIs with resource-level permissions, required resource types are marked with an asterisk (*). Specify the corresponding Alibaba Cloud Resource Name (ARN) in the Resource element of the policy.

    • For APIs without resource-level permissions, it is shown as All Resources. Use an asterisk (*) in the Resource element of the policy.

  • Condition key: The condition keys defined by the service. The key allows for granular control, applying to either actions alone or actions associated with specific resources. In addition to service-specific condition keys, Alibaba Cloud provides a set of common condition keys applicable across all RAM-supported services.

  • Dependent action: The dependent actions required to run the action. To complete the action, the RAM user or the RAM role must have the permissions to perform all dependent actions.

Action

Access level

Resource type

Condition key

Dependent action

yundun-cloudfirewall:CreateNatFirewallControlPolicy

create

*NatFirewallControlPolicy

acs:yundun-cloudfirewall::{#accountId}:natfirewallcontrolpolicy/*

None None

Request parameters

Parameter

Type

Required

Description

Example

Lang

string

No

The language of the response messages.

Valid values:

  • zh: Chinese (default)

  • en: English

zh

AclAction

string

Yes

The action that Cloud Firewall performs on traffic that matches the access control policy.

Valid values:

  • accept: Allows the traffic.

  • drop: Drops the traffic.

  • log: Logs the traffic.

log

ApplicationNameList

array

Yes

The list of applications to which the access control policy applies.

string

No

An application to which the access control policy applies.

ANY

Description

string

Yes

The description of the access control policy.

放行流量

DestPort

string

No

The destination port for the traffic. The value of this parameter depends on the Proto and DestPortType parameters.

  • If Proto is ICMP, leave this parameter empty.

Note

Access control cannot be configured based on the destination port for ICMP traffic.

  • If the destination port type (DestPortType) is group, leave this parameter empty.

Note

If DestPortType is set to group, you do not need to specify a destination port because the required ports are defined in the selected port address book.

  • If the protocol is TCP, UDP, or ANY and the destination port type (DestPortType) is port, specify the destination port number.

80

Destination

string

Yes

The destination address in the access control policy.

The value of this parameter varies based on the value of DestinationType:

  • If DestinationType is net, set this parameter to the destination CIDR.

    Example: 1.2.XX.XX/24

  • If DestinationType is group, set this parameter to the name of the destination address book.

    Example: db_group

  • If DestinationType is domain, set this parameter to the destination domain.

    Example: *.aliyuncs.com

  • If DestinationType is location, set this parameter to the destination location.

    Example: ["BJ11", "ZB"]

XX.XX.XX.XX/24

DestinationType

string

Yes

The type of the destination address in the access control policy.

Valid values:

  • net: Destination CIDR

  • group: Destination address book

  • domain: Destination domain

net

NatGatewayId

string

Yes

The instance ID of the NAT Gateway.

ngw-2vc2ustolqn6sr0******

Proto

string

Yes

The protocol for the traffic in the access control policy.

Valid values:

  • ANY: all protocols

  • TCP

  • UDP

  • ICMP

Note

If the destination is a domain, a threat intelligence address book, or a cloud service address book, you can only set this parameter to TCP. The supported application types are HTTP, HTTPS, SMTP, SMTPS, and SSL.

ANY

Source

string

Yes

The source address in the access control policy.

The value of this parameter varies based on the value of SourceType:

  • If SourceType is net, set this parameter to the source CIDR.

    Example: 10.2.4.0/24

  • If SourceType is group, set this parameter to the name of the source address book.

    Example: db_group

192.168.0.25/32

SourceType

string

Yes

The type of the source address in the access control policy.

Valid values:

  • net: Source CIDR

  • group: Source address book

net

NewOrder

string

Yes

The priority of the access control policy. Values start from 1. A smaller value indicates a higher priority.

1

DestPortType

string

No

The type of the destination port.

  • port: Port or port range

  • group: Port address book

port

DestPortGroup

string

No

The name of the destination port address book.

Note

This parameter is required if DestPortType is set to group.

my_port_group

Release

string

No

Specifies whether the access control policy is enabled. By default, policies are enabled upon creation. Valid values:

  • true: Enables the policy.

  • false: Disables the policy.

true

DomainResolveType

integer

No

The domain name resolution method. Valid values:

  • 0: FQDN-based resolution

  • 1: Dynamic DNS-based resolution

  • 2: FQDN-based and dynamic DNS-based resolution

Note

If the resolution method includes FQDN, you can set the protocol only to TCP. The supported applications are HTTP, HTTPS, SMTP, SMTPS, and SSL.

0

IpVersion

string

No

The IP version for the access control policy. Valid values:

  • 4 (default): IPv4

4

Direction

string

Yes

The traffic direction for the access control policy. Valid values:

  • out: outbound traffic

out

RepeatType

string

No

The recurrence type for the policy validity period. Valid values:

  • Permanent (default): The policy is always active.

  • None: The policy runs once for a specified duration.

  • Daily: The policy recurs daily.

  • Weekly: The policy recurs weekly within a specified time range.

  • Monthly: The policy recurs monthly within a specified time range.

Valid values:

  • Daily :

    Daily

  • Monthly :

    Monthly

  • Permanent :

    Always

  • Weekly :

    Weekly

  • None :

    One-time

Permanent

RepeatDays

array

No

The days of the week or month on which the policy recurs.

  • If RepeatType is set to Permanent, None, or Daily, leave this parameter empty. Example: []

  • If RepeatType is Weekly, this parameter is required. Example: [0, 6]

Note

If RepeatType is Weekly, the values in RepeatDays must be unique.

  • If RepeatType is Monthly, this parameter is required. Example: [1, 31]

Note

If RepeatType is Monthly, the values in RepeatDays must be unique.

integer

No

The day of recurrence.

Note

If RepeatType is Weekly, valid values range from 0 to 6. The week starts on Sunday. If RepeatType is Monthly, valid values range from 1 to 31.

1

RepeatStartTime

string

No

The start time of the recurrence. The time must be on the hour or half-hour, and must be at least 30 minutes earlier than the end time.

Note

This parameter is required if RepeatType is set to Daily, Weekly, or Monthly. If RepeatType is Permanent or None, leave this parameter empty. The time is in the HH:mm format (24-hour). For example, 08:00 or 23:30.

08:00

RepeatEndTime

string

No

The end time of the recurrence. The time must be on the hour or half-hour, and must be at least 30 minutes later than the start time.

Note

This parameter is required if RepeatType is set to Daily, Weekly, or Monthly. If RepeatType is Permanent or None, leave this parameter empty. The time is in the HH:mm format (24-hour). For example, 08:00 or 23:30.

23:30

StartTime

integer

No

The start time of the policy's validity period, specified as a Unix timestamp. The time must be on the hour or half-hour and be at least 30 minutes before the end time.

Note

This parameter is required if RepeatType is None, Daily, Weekly, or Monthly. If RepeatType is Permanent, leave this parameter empty.

1694761200

EndTime

integer

No

The end time of the policy's validity period, specified as a Unix timestamp. The time must be on the hour or half-hour and be at least 30 minutes after the start time.

Note

This parameter is required if RepeatType is None, Daily, Weekly, or Monthly. If RepeatType is Permanent, leave this parameter empty.

1694764800

Response elements

Element

Type

Description

Example

object

AclUuid

string

The unique ID of the access control policy.

Note

To modify an access control policy, you must provide its unique ID. You can call the DescribeNatFirewallControlPolicy operation to obtain this ID.

6504d2fb-ab36-49c3-92a6-*****

RequestId

string

The ID of the request.

0DC783F1-B3A7-578D-8A63-*****

Examples

Success response

JSON format

{
  "AclUuid": "6504d2fb-ab36-49c3-92a6-*****",
  "RequestId": "0DC783F1-B3A7-578D-8A63-*****"
}

Error codes

HTTP status code

Error code

Error message

Description

400 ErrorParametersUid The aliUid parameter is invalid. The aliUid parameter is invalid.
400 ErrorUUIDNew The UUID is invalid. The UUID is invalid.
400 ErrorParametersSource The source is invalid. The source is invalid.
400 ErrorParametersDestination The Destination parameter is invalid. The Destination parameter is invalid.
400 ErrorParametersProto The protocol is invalid. The protocol is invalid.
400 ErrorParametersDestPort The dst_port is invalid. The dst_port is invalid.
400 ErrorParametersAction The action is invalid. The action is invalid.
400 ErrorDBSelect An error occurred while querying database. An error occurred while querying database.
400 ErrorParameters A parameter error occurred. A parameter error occurred.
400 ErrorAddressCountExceed The maximum number of addresses is exceeded. The maximum number of address is exceeded.
400 ErrorParametersNewOrder The newOrder is invalid. The newOrder is invalid.
400 ErrorDBInsert An error occurred while performing an insert operation in the database. An error occurred while performing an insert operation in the database.
400 ErrorDBDelete An error occurred while deleting the database. An error occurred while deleting the database.
400 ErrorRecordLog An error occurred while updating the operation log. An error occurred while updating the operation log.
400 ErrorAclDomainAnyCountExceed The number of resolved domain names cannot exceed 200. ACL configuration can be continued for HTTP, HTTPS, SMTP, SMTPS, and SSL applications. The domain name is resolved to more than 200 IP addresses. We recommend that you set Application in your access control policy to HTTPS, HTTPS, SMTP, SMTPS, or SSL.
400 ErrorParametersNatGatewayId Invalid parameters NatGatewayId. The request parameter NatGatewayId is invalid or does not exist.
400 ErrorParameterIpVersion The IP version is invalid. The IP version is invalid.
400 ErrorParametersDirection The direction is invalid. The direction is invalid.
400 ErrorDomainResolve An error occurred while resolving the domain. An error occurred while resolving the domain.
400 ErrorParametersPageSizeOrNo Either pageSize or pageNo is invalid. Either pageSize or pageNo is invalid.
400 ErrorMarshalJSON An error occurred while encoding JSON. An error occurred while encoding JSON.
400 ErrorParametersDestinationCount Exceeding the number of countries in a single ACL. Exceeds the number of selected areas for one ACL. It is recommended to split it into multiple ACLs.
400 ErrorStartTimeOrEndTime The start time or end time is invalid. The time must be the hour or half hour, and the start time must be 30 minutes earlier than the end time. The start time or end time is invalid. The time must be an hour or half an hour, and the start time must be 30 minutes earlier than the end time.
400 ErrorParametersFtpNotSupport domain destination not support ftp. FTP application is not supported when the policy destination is a domain name
400 ErrorAclExtendedCountExceed ACL or extended ACL rules are not matched. The quota for access control policies or extra access control policies is exhausted.
400 ErrorAddressGroupNotExist The address group does not exist. The address group does not exist.
400 ErrorParametersApplicationNameList Specified parameter ApplicationNameList is not valid. Specified parameter ApplicationNameList is not valid.

See Error Codes for a complete list.

Release notes

See Release Notes for a complete list.