All Products
Search
Document Center

Cloud Firewall:CreateSecurityProxy

Last Updated:Jun 26, 2026

Creates a NAT firewall.

Try it now

Try this API in OpenAPI Explorer, no manual signing needed. Successful calls auto-generate SDK code matching your parameters. Download it with built-in credential security for local usage.

Test

RAM authorization

The table below describes the authorization required to call this API. You can define it in a Resource Access Management (RAM) policy. The table's columns are detailed below:

  • Action: The actions can be used in the Action element of RAM permission policy statements to grant permissions to perform the operation.

  • API: The API that you can call to perform the action.

  • Access level: The predefined level of access granted for each API. Valid values: create, list, get, update, and delete.

  • Resource type: The type of the resource that supports authorization to perform the action. It indicates if the action supports resource-level permission. The specified resource must be compatible with the action. Otherwise, the policy will be ineffective.

    • For APIs with resource-level permissions, required resource types are marked with an asterisk (*). Specify the corresponding Alibaba Cloud Resource Name (ARN) in the Resource element of the policy.

    • For APIs without resource-level permissions, it is shown as All Resources. Use an asterisk (*) in the Resource element of the policy.

  • Condition key: The condition keys defined by the service. The key allows for granular control, applying to either actions alone or actions associated with specific resources. In addition to service-specific condition keys, Alibaba Cloud provides a set of common condition keys applicable across all RAM-supported services.

  • Dependent action: The dependent actions required to run the action. To complete the action, the RAM user or the RAM role must have the permissions to perform all dependent actions.

Action

Access level

Resource type

Condition key

Dependent action

yundun-cloudfirewall:CreateSecurityProxy

get

*All Resource

*

None None

Request parameters

Parameter

Type

Required

Description

Example

Lang

string

No

The language of the content within the response. Valid values:

  • zh (default): Chinese

  • en: English.

zh

ProxyName

string

Yes

The name of the NAT firewall. The name can contain uppercase and lowercase letters, Chinese characters, digits, and underscores (_). The name must be 4 to 50 characters in length and cannot start with an underscore.

nat-firewall

RegionNo

string

Yes

The region ID of the VPC.

Note

For more information about the regions supported by Cloud Firewall, see Supported regions.

cn-hangzhou

VpcId

string

Yes

The VPC-connected instance ID.

vpc-uf6b5lyul0x******

NatGatewayId

string

Yes

The ID of the NAT gateway.

ngw-bp1okz6k7******

VswitchAuto

string

No

Specifies whether to use the automatic vSwitch mode. Valid values:

  • true: automatic mode

  • false: manual mode.

true

VswitchId

string

No

The vSwitch ID. This parameter is required when the vSwitch is in manual mode.

vsw-bp1sqg9w******

NatRouteEntryList

array<object>

Yes

The list of routes to be switched for the NAT gateway.

object

No

The list of destination addresses for security protection.

NextHopId

string

Yes

The next hop address of the original NAT gateway.

ngw-bp1okz6******

DestinationCidr

string

Yes

The destination CIDR block of the default route.

0.0.0.0/0

NextHopType

string

Yes

The network type of the next hop. Valid values: NatGateway.

NatGateway

RouteTableId

string

Yes

The route table that contains the default route of the NAT gateway.

vtb-2ze1******

FirewallSwitch

string

No

The security protection switch. Valid values:

  • open: enabled

  • close: disabled.

close

StrictMode

integer

No

Specifies whether to enable strict mode.

  • 1: Enable strict mode.

  • 0: Disable strict mode.

0

VswitchCidr

string

No

The CIDR block of the vSwitch. This parameter is required when the vSwitch is in automatic mode.

0.0.0.0/0

FwVswitchZoneId

string

No

The zone of the firewall vSwitch.

cn-beijing-b

Response elements

Element

Type

Description

Example

object

ProxyId

string

The NAT firewall ID.

proxy-nat97a******

RequestId

string

The request ID.

15FCCC52-1E23-57AE-B5EF-3E00A3******

Examples

Success response

JSON format

{
  "ProxyId": "proxy-nat97a******",
  "RequestId": "15FCCC52-1E23-57AE-B5EF-3E00A3******"
}

Error codes

HTTP status code

Error code

Error message

Description

400 ErrorAliUid Aliuid invalid. The aliuid is invalid.
400 ErrorParamProxyNameError proxy name invalid. Invalid NAT firewall name.
400 ErrorRegionNoError Region is error, please reselect The specified region is invalid. Enter another value.
400 ErrorVpcIdError Vpc ID invalid. The VPC is incorrectly selected. Select another VPC.
400 ErrorDnatNotSupport Secure proxy does not support DNAT entries. NAT firewall does not support DNAT.
400 ErrorProxySnatIpEmpty SNAT entry is empty. SNAT entry is empty.
400 ErrorSnatIpQuotaExceed The number of SNAT IP exceeds the specification. The number of NAT Gateway EIPs exceeds the specifications supported by a single NAT firewall.
400 ErrorDBSelectError A database select error occurred. The error message returned because an internal error has occurred in querying the database.
400 ErrorDefaultRouteConflicts Default route conflicts. A default route already exists in the routing table bound to the selected switch.
400 ErrorUserCredentials User credentials failed. Unauthorized, not accessible, please first authorize firewall permissions.
400 ErrorVpcOpenApi vpc open api failed Failed to call the VPC API.
400 ErrorVswitchNotFound vswitch not found The vSwitch does not exist. Select another vSwitch.
400 ErrorProxyRouteEntryConflicts Proxy custom route table Nat Gateway and Attachment route entry conflict. The custom route table of the NAT gateway has a route entry with the next hop of NatGateway and Attachment.
400 ErrorVswitchNoAvailableCidr No available CIDR to create a vswitch. There is no free CIDR block in the VPC to create a VSwitch.
400 ErrorCidrFormat Network segment CIDR format error, please select again The format of the specified CIDR block is invalid. Enter another value.
400 ErrorInternal internal error An internal error occurred.
400 ErrorVswitchCidrNotInVpc Vswitch CIDR address not in vpc. The CIDR block address of the switch does not belong to the current VPC.
400 ErrorVswitchRouteConflict vswitch route conflict. The entered VSwitch CIDR block conflicts with the existing VSwitch CIDR block.
400 ErrorVswitchCidrIpNumNotEnough No enough private proxy IP in vswitch cidr. The firewall switch does not have enough private IP addresses.
400 ErrorRouteEntryNotFound route entry not found. The route entry does not exist.
400 ErrorUserNotFound User not found The user does not exist.
400 ErrorProxyVpcNotSupportAdvFeature This vpc advanced feature is not supported. The VPC contains ECS instances that do not support advanced features of VPC.
400 ErrorDBInsertError A database insert error occurred. An error occurred while performing an insert operation in the database.
400 ErrorProxyNumQuotaTop Proxy num reaches maximum. Insufficient quota.
400 ErrorProxyClusterNotAvailable Can not find available cluster for nat firewall. Failed to assign cluster for nat firewall.
400 ErrorDBTxError A database transaction error occurred. The error message returned because an internal error has occurred in the database transaction.
400 ErrorRecordLog record operation log error. Update operation log error.
400 ErrorBandwidthPenalty Cloud Firewall bandwidth is being overused. Cloud Firewall bandwidth is being overused.
400 ErrorGeneralInstanceSpecFull Cloud Firewall instance specifications are full. Cloud Firewall instance specifications are full.
400 ErrorNatVpnRouteEntryQuotaLimit The number of VPN routes has reached the quota. VPN route arrival specification limit
400 ErrorVpcRouteTableQuotaLimit The number of VPC routing tables has reached the specification limit. The number of VPC route tables reaches the maximum specification
400 ErrorNatCustomRouteEntryDifferent The custom route entries in the routing tables are inconsistent. The custom route entries in the routing tables are inconsistent.
400 ErrorSnatEntryQuotaExceed SNAT entry quota exceeded. The number of SNAT entries reaches the specification limit

See Error Codes for a complete list.

Release notes

See Release Notes for a complete list.