All Products
Search
Document Center

Cloud Firewall:CreateTrFirewallV2

Last Updated:Jun 02, 2026

Creates a VPC firewall for a transit router.

Try it now

Try this API in OpenAPI Explorer, no manual signing needed. Successful calls auto-generate SDK code matching your parameters. Download it with built-in credential security for local usage.

Test

RAM authorization

The table below describes the authorization required to call this API. You can define it in a Resource Access Management (RAM) policy. The table's columns are detailed below:

  • Action: The actions can be used in the Action element of RAM permission policy statements to grant permissions to perform the operation.

  • API: The API that you can call to perform the action.

  • Access level: The predefined level of access granted for each API. Valid values: create, list, get, update, and delete.

  • Resource type: The type of the resource that supports authorization to perform the action. It indicates if the action supports resource-level permission. The specified resource must be compatible with the action. Otherwise, the policy will be ineffective.

    • For APIs with resource-level permissions, required resource types are marked with an asterisk (*). Specify the corresponding Alibaba Cloud Resource Name (ARN) in the Resource element of the policy.

    • For APIs without resource-level permissions, it is shown as All Resources. Use an asterisk (*) in the Resource element of the policy.

  • Condition key: The condition keys defined by the service. The key allows for granular control, applying to either actions alone or actions associated with specific resources. In addition to service-specific condition keys, Alibaba Cloud provides a set of common condition keys applicable across all RAM-supported services.

  • Dependent action: The dependent actions required to run the action. To complete the action, the RAM user or the RAM role must have the permissions to perform all dependent actions.

Action

Access level

Resource type

Condition key

Dependent action

yundun-cloudfirewall:CreateTrFirewallV2

create

*VpcCenTrFirewall

acs:yundun-cloudfirewall::{#accountId}:vpccentrfirewall/*

None None

Request parameters

Parameter

Type

Required

Description

Example

Lang

string

No

The language of the response message. Valid values:

  • zh (default): Chinese

  • en: English

zh

FirewallName

string

No

The name of the firewall.

vpc-firewall-test

RouteMode

string

No

The routing mode. Valid values:

  • managed: automatic mode

  • manual: manual mode

managed

TransitRouterId

string

No

The ID of the transit router instance.

tr-m5etmb2q7e0mxcur****

RegionNo

string

No

The region ID of the transit router instance.

cn-hangzhou

FirewallVpcCidr

string

No

The CIDR block of the firewall VPC in automatic mode.

10.0.0.0/16

FirewallSubnetCidr

string

No

The CIDR block of the vSwitch in the firewall VPC that hosts the firewall's elastic network interface (ENI). This parameter applies only in automatic mode.

10.0.1.0/24

TrAttachmentSlaveCidr

string

No

The CIDR block of the secondary vSwitch used to connect to the transit router. This parameter applies only in automatic mode.

10.0.0.16/28

TrAttachmentMasterCidr

string

No

The CIDR block of the primary vSwitch used to connect to the transit router. This parameter applies only in automatic mode.

10.0.3.0/24

CenId

string

No

The ID of the Cloud Enterprise Network (CEN) instance.

cen-4xbjup276au29r****

FirewallDescription

string

No

The description of the firewall.

vpc-firewall-description

FirewallVpcId

string

No

The ID of the VPC where the firewall ENI is created. This parameter applies only in manual mode.

vpc-wz9r5qvryn0lg3atb****

FirewallVswitchId

string

No

The ID of the vSwitch where the firewall ENI is created. This parameter applies only in manual mode.

vsw-uf6ydz3vqj77mr5l6****

TrAttachmentSlaveZone

string

No

The secondary zone for the vSwitch.

cn-chengdu-b

TrAttachmentMasterZone

string

No

The primary zone for the vSwitch.

cn-chengdu-a

Response elements

Element

Type

Description

Example

object

FirewallId

string

The ID of the VPC firewall instance.

vfw-tr-37e22bf0d9b34870****

RequestId

string

The ID of the request.

822B9125-6E1A-551C-8EAF-6E7AE7444B00

Examples

Success response

JSON format

{
  "FirewallId": "vfw-tr-37e22bf0d9b34870****",
  "RequestId": "822B9125-6E1A-551C-8EAF-6E7AE7444B00"
}

Error codes

HTTP status code

Error code

Error message

Description

400 ErrorTrResourceNotReady Transit Router has not been detected by cloud firewall
400 ErrorAliUid The aliuid is invalid. The aliuid is invalid.
400 ErrorParameters Error Parameters The parameter is invalid.
400 ErrorUserCenTrNotEnabled This account has not enabled CEN Transit Router Enterprise Edition Cloud Firewal. Please contact Cloud Firewall Support team. This account does not support CEN Enterprise Edition Cloud Firewall for the time being. Please contact the Cloud Firewall service team to add white before operation.
400 ErrorAuthentication authentication error The authentication failed.
400 ErrorUserCredentials User credentials failed. Unauthorized, not accessible, please first authorize firewall permissions.
400 ErrorCenTRAssociationNotFound CEN-TR attachment association not found. CEN-TR attachment association not found.
400 ErrorUserNotFound User not found The user does not exist.
400 ErrorDBSelectError A database select error occurred. The error message returned because an internal error has occurred in querying the database.
400 ErrorCenNotSupportTREnterpriseAutoMode VPC firewall does not support TR Enterprise Edition auto mode protection, please use manual mode protection VPC firewalls do not support the CEN-TR automatic mode.
400 ErrorVpcFirewallExist Vpc firewall already exist. The firewall is already configured and cannot be configured repeatedly.
400 ErrorInvalidTrFirewallType Firewall type is invalid. The firewall type cannot be identified.
400 ErrorVpcDoNotSupportSubnetRouting The VPC for which the firewall is created does not support subnet routing. Create a custom route table for the VPC to enable subnet routing first. The VPC for which the firewall is created does not support subnet routing. Create a custom route table for the VPC to enable subnet routing first.
400 ErrorVpcAndTrNotInTheSameAccount Vpc and transit router should in the account when create cloud firewall manual mode. When creating a cloud firewall in the cloud enterprise network manual mode, the VPC and forwarding router configured for the firewall must be under the same account.
400 ErrorCidrFormat Network segment CIDR format error, please select again The format of the specified CIDR block is invalid. Enter another value.
400 ErrorVswitchCidrIpNumNotEnough No enough private proxy IP in vswitch cidr. The firewall switch does not have enough private IP addresses.
400 ErrorTrFwVswCidrConflict Illegal tr firewall cidr configuration. Tr firewall configuration network segment is invalid.
400 ErrorDBNoRow No rows in database. No data found.
400 ErrorRecordLog record operation log error. Update operation log error.
400 ErrorVpcFirewallZoneId VPC firewall zone error. VPC firewall zone selection error
400 ErrorInvalidMemberUidStatus invalid member uid status. The status of the member account is invalid. This operation is not supported.
400 ErrorGeneralInstanceSpecFull Cloud Firewall instance specifications are full. Cloud Firewall instance specifications are full.
400 ErrorBandwidthPenalty Cloud Firewall bandwidth is being overused. Cloud Firewall bandwidth is being overused.
400 ErrorFirewallQuotaNotEmpty The quota for VPC firewalls is exceeded. The quota is insufficient. You cannot configure the VPC firewall. Increase the quota.
400 ErrorUserNotEnableTrService The user has not open transit router service. The forwarding router service is not enabled

See Error Codes for a complete list.

Release notes

See Release Notes for a complete list.