Cloud Firewall:CreateVpcFirewallCenConfigure

Last Updated:Oct 13, 2025

Creates a VPC firewall to protect traffic between network instances in a Cloud Enterprise Network (CEN) and a specified VPC.

Operation description

You can call this operation to create a VPC firewall that protects traffic between a specified VPC and other network instances in a Cloud Enterprise Network (CEN). The network instances can be virtual private clouds (VPCs), Virtual Border Routers (VBRs), and Cloud Connect Network (CCN) instances. The VPC firewall does not protect traffic between VBRs, between CCN instances, or between VBRs and CCN instances. For more information, see Limits on VPC firewalls.

QPS limits

This operation is limited to 10 queries per second (QPS) per account. If you exceed this limit, API calls are throttled. This may affect your business. Plan your calls accordingly.

RAM authorization

The following describes the authorization that is required to call this operation, which you can define in a Resource Access Management (RAM) policy. The entries are:

  • Action: The action that you add to the Action element of a RAM policy statement to grant permission to call the operation.

  • API: The API operation that you call to perform the action.

  • Access level: The predefined level of access for the API. Valid values: create, list, get, update, and delete.

  • Resource type: The type of resource on which the action can be authorized. It indicates whether the action supports resource-level permissions. The resource that you specify must be compatible with the action; otherwise, the policy does not take effect.

    • For APIs that support resource-level permissions, required resource types are marked with an asterisk (*). Specify the corresponding Alibaba Cloud Resource Name (ARN) in the Resource element of the policy.

    • For APIs that do not support resource-level permissions, the resource type is shown as All Resources. Use an asterisk (*) in the Resource element of the policy.

  • Condition key: The condition keys defined by the service. They allow fine-grained control and apply either to the action alone or to the action on specific resources. In addition to service-specific condition keys, Alibaba Cloud provides a set of common condition keys that apply to all services that support RAM.

  • Dependent action: Other actions that must also be allowed for this action to complete. The RAM user or RAM role must have permissions for all dependent actions.

Action: yundun-cloudfirewall:CreateVpcFirewallCenConfigure
Access level: create
Resource type: *VpcFirewallCen
  ARN: acs:yundun-cloudfirewall::{#accountId}:vpcfirewallcen/*
Condition key: None
Dependent action: None

Request parameters

Lang (string, optional)
  The language of the content within the request and response. Valid values:
    • zh (default): Chinese.
    • en: English.
  Example: zh

VpcFirewallName (string, required)
  The name of the VPC firewall.
  Example: Test instance

NetworkInstanceId (string, required)
  The ID of the VPC for which you want to create the VPC firewall.
  Example: vpc-bp10zlifxh6j0232w****

VpcRegion (string, required)
  The region ID of the VPC.
  Note: For more information about the regions where Cloud Firewall is supported, see Supported regions.
  Example: cn-hangzhou

FirewallSwitch (string, required)
  The status of the VPC firewall after it is created. Valid values:
    • open (default): The VPC firewall is enabled after it is created.
    • close: The VPC firewall is disabled after it is created. Call the ModifyVpcFirewallCenSwitchStatus operation to enable it later.
  Example: open

CenId (string, required)
  The ID of the CEN instance.
  Example: cen-x5jayxou71ad73****

MemberUid (string, optional)
  The UID of the member account.
  Example: 258039427902****

VSwitchId (string, optional)
  The ID of the vSwitch that is used to create the Cloud Firewall interface.
  Example: vsw-qzeaol304m***

FirewallVpcCidrBlock (string, optional)
  The CIDR block of the firewall VPC. Specify a block whose prefix length is /28 or shorter (a subnet mask of 28 bits or less). The system uses this block to automatically create a secure VPC named Cloud_Firewall_VPC for traffic redirection. A block that is already in use is rejected (see ErrorSameCidrIp in the error codes).
  If you do not specify this parameter, the system allocates 10.0.0.0/8.
  Note: This parameter takes effect only the first time a VPC firewall is created for the CEN instance in the current region.
  Example: 10.0.0.0/8

FirewallVpcZoneId (string, optional)
  The ID of the primary zone for the firewall. If your service is sensitive to latency, specify the same zone as the vSwitch of your service VPC to reduce latency.
  If you do not specify this parameter, the system allocates a zone automatically.
  Note: This parameter takes effect only the first time a VPC firewall is created for the CEN instance in the current region.
  Example: cn-hangzhou-a

FirewallVSwitchCidrBlock (string, optional)
  The CIDR block of the vSwitch used by the firewall. Specify a block whose prefix length is /29 or shorter (a subnet mask of 29 bits or less), that does not conflict with your network plan, and that is a subnet of the firewall VPC CIDR block. The system uses this block to automatically create a vSwitch named Cloud_Firewall_VSWITCH in the secure VPC for traffic redirection.
  If you do not specify this parameter, the system allocates 10.219.219.216/29.
  Note: This parameter takes effect only the first time a VPC firewall is created for the CEN instance in the current region.
  Example: 10.0.*.*/28

FirewallVpcStandbyZoneId (string, optional)
  The ID of the secondary zone for the firewall. The firewall fails over to the secondary zone if the primary zone becomes unavailable.
  If you do not specify this parameter, the system allocates a secondary zone automatically.
  Note: This parameter takes effect only the first time a VPC firewall is created for the CEN instance in the current region.
  Example: cn-hangzhou-b
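The constraints in the parameter table above (prefix-length limits, the vSwitch block lying inside the firewall VPC block, the open/close switch, zone IDs) and the RAM action and ARN from the authorization section combine into a small pre-flight check that is worth running before a request is signed. The following Python is an added example, not code from Alibaba Cloud or its SDK. Its function names (build_request, rejection_code, ram_policy, parse_cidr, ParamError) are the example's own. Three things are assumptions rather than statements of the page: which documented error code each local check maps to, that the standby zone must differ from the primary zone, and the Alibaba Cloud convention that a zone ID starts with its region ID.

```python
"""Pre-flight checks for CreateVpcFirewallCenConfigure (added example, not
Alibaba Cloud code): enforce the documented parameter constraints locally
before a request is signed, and emit the least-privilege RAM policy."""
import ipaddress

ACTION = "yundun-cloudfirewall:CreateVpcFirewallCenConfigure"
VALID_SWITCH = {"open", "close"}
DEFAULT_VPC_CIDR = "10.0.0.0/8"  # allocated by the service when FirewallVpcCidrBlock is omitted
MAX_VPC_PREFIX = 28              # "subnet mask of 28 bits or less"
MAX_VSWITCH_PREFIX = 29          # "subnet mask of 29 bits or less"


class ParamError(ValueError):
    """Input the service would reject; `code` is the documented error code the
    check most plausibly maps to (that mapping is this example's assumption)."""

    def __init__(self, code, msg):
        super().__init__(f"{code}: {msg}")
        self.code = code


def parse_cidr(value, max_prefix):
    """Parse an IPv4 CIDR block and enforce the maximum prefix length."""
    try:
        net = ipaddress.IPv4Network(value, strict=True)  # strict: host bits must be zero
    except ValueError as exc:
        raise ParamError("ErrorCidrFormat", f"{value!r}: {exc}") from None
    if net.prefixlen > max_prefix:
        raise ParamError("ErrorCidrFormat",
                         f"{value} is a /{net.prefixlen}; /{max_prefix} or shorter is required")
    return net


def build_request(vpc_firewall_name, network_instance_id, vpc_region, cen_id,
                  firewall_switch="open", lang="zh", member_uid=None, vswitch_id=None,
                  firewall_vpc_cidr_block=None, firewall_vpc_zone_id=None,
                  firewall_vswitch_cidr_block=None, firewall_vpc_standby_zone_id=None):
    """Validate the inputs and return the query parameters under their API names."""
    if not vpc_firewall_name or not vpc_firewall_name.strip():
        raise ParamError("ErrorFirewallName", "VpcFirewallName must not be empty")
    # IDs are checked by prefix only; the documented example IDs are masked with ****.
    if not network_instance_id.startswith("vpc-"):
        raise ParamError("ErrorNetworkInstanceIdError", f"{network_instance_id!r} is not a VPC ID")
    if not cen_id.startswith("cen-"):
        raise ParamError("ErrorCenId", f"{cen_id!r} is not a CEN instance ID")
    if firewall_switch not in VALID_SWITCH:
        raise ParamError("ErrorFirewallSwitch", f"FirewallSwitch must be one of {sorted(VALID_SWITCH)}")

    # Zone IDs carry the region ID as prefix (e.g. cn-hangzhou-a); a standby zone equal
    # to the primary zone would give no failover. Both rules are this example's assumptions.
    for zone in (firewall_vpc_zone_id, firewall_vpc_standby_zone_id):
        if zone is not None and not zone.startswith(vpc_region + "-"):
            raise ParamError("ErrorVpcFirewallZoneId", f"{zone} is not a zone of region {vpc_region}")
    if firewall_vpc_zone_id is not None and firewall_vpc_zone_id == firewall_vpc_standby_zone_id:
        raise ParamError("ErrorVpcFirewallZoneId", "primary and standby zones must differ")

    # The vSwitch block must be a subnet of the firewall VPC block (explicit or default).
    vpc_net = parse_cidr(firewall_vpc_cidr_block or DEFAULT_VPC_CIDR, MAX_VPC_PREFIX)
    if firewall_vswitch_cidr_block is not None:
        vsw_net = parse_cidr(firewall_vswitch_cidr_block, MAX_VSWITCH_PREFIX)
        if not vsw_net.subnet_of(vpc_net):
            raise ParamError("ErrorCidrFormat", f"{vsw_net} is not inside the firewall VPC block {vpc_net}")

    params = {
        "Lang": lang,
        "VpcFirewallName": vpc_firewall_name,
        "NetworkInstanceId": network_instance_id,
        "VpcRegion": vpc_region,
        "FirewallSwitch": firewall_switch,
        "CenId": cen_id,
        "MemberUid": member_uid,
        "VSwitchId": vswitch_id,
        "FirewallVpcCidrBlock": firewall_vpc_cidr_block,
        "FirewallVpcZoneId": firewall_vpc_zone_id,
        "FirewallVSwitchCidrBlock": firewall_vswitch_cidr_block,
        "FirewallVpcStandbyZoneId": firewall_vpc_standby_zone_id,
    }
    return {k: v for k, v in params.items() if v is not None}  # optional parameters are omitted


def rejection_code(*args, **kwargs):
    """Error code build_request maps the input to, or None if it is accepted."""
    try:
        build_request(*args, **kwargs)
    except ParamError as exc:
        return exc.code
    return None


def ram_policy(account_id):
    """Least-privilege RAM policy: this one action on the VpcFirewallCen resource type."""
    return {
        "Version": "1",
        "Statement": [{
            "Effect": "Allow",
            "Action": ACTION,
            "Resource": f"acs:yundun-cloudfirewall::{account_id}:vpcfirewallcen/*",
        }],
    }
```

The dictionary that build_request returns holds the query parameters under the names in the table, so it can be passed to whichever signing client or SDK you use; rejection_code is a convenience for tests and for surfacing the likely error code to an operator before any call is made. Note that the local checks cover only what can be decided from the parameters themselves; topology preconditions such as existing transit-router routes or a firewall already being deleted are only reported by the service (see the error codes below).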

Response elements

The response is an object with the following elements:

VpcFirewallId (string)
  The ID of the VPC firewall.
  Example: vfw-m5e7dbc4y****

RequestId (string)
  The ID of the request.
  Example: 850A84D6-0DE4-4797-A1E8-00090125h4j6

Examples

Success response

JSON format

{
  "VpcFirewallId": "vfw-m5e7dbc4y****",
  "RequestId": "850A84D6-0DE4-4797-A1E8-00090125h4j6"
}

Error codes

HTTP status code | Error code | Error message | Description

400 | ErrorAliUid | The aliuid is invalid. | The aliuid is invalid.
400 | ErrorVpcFirewallExist | The firewall has been configured and cannot be created repeatedly. | The firewall is already configured and cannot be created again.
400 | ErrorVpcId | The VPC ID is invalid. | The VPC ID is invalid.
400 | ErrorRegionNoError | The region is invalid. | The region is invalid.
400 | ErrorVpcFirewallNotFound | The specified VPC firewall does not exist. Please select again. | The specified VPC firewall does not exist. Enter another value.
400 | ErrorDBSelectError | A database select error occurred. | An internal error occurred while querying the database.
400 | ErrorDBTxError | A database transaction error occurred. | An internal error occurred in the database transaction.
400 | ErrorDBUpdateError | A database update error occurred. |
400 | ErrorRecordLog | An error occurred while updating the operation log. | An error occurred while updating the operation log.
400 | ErrorCenVbrNotSupport | VBR instances in the CEN do not support enabling a firewall. | A VPC firewall cannot be enabled for a VBR in the CEN.
400 | ErrorCenNotSupportCCN | CCN instances in the CEN do not support enabling a VPC firewall. | A VPC firewall cannot be enabled for a CCN instance in the CEN.
400 | ErrorCenNotSupportMultipleAccounts | The current version of Cloud Firewall does not support multiple accounts when it uses VPC Firewall to protect Cloud Enterprise Network. Upgrade the specifications and try again. | The current edition of Cloud Firewall does not support multiple accounts when a VPC firewall protects a CEN. Upgrade the specifications and try again.
400 | ErrorFirewallStatus | Firewall status error, please try again later. | The status of the firewall is invalid. Try again later.
400 | ErrorFirewallQuotaNotEmpty | quota is not enough, unable to configure VPC firewall, please increase quota first. | The quota is insufficient to configure a VPC firewall. Increase the quota first.
400 | ErrorHubvpcCannotCreate | A firewall cannot be created for a hub VPC. | A VPC firewall cannot be created for a hub VPC.
400 | ErrorCenVpcEcConflict | The VPC of the cloud enterprise network conflicts with the VPC of the high-speed channel, and the firewall cannot be opened. Please select again | The VPC in the CEN conflicts with the VPC of Express Connect. The firewall cannot be enabled. Specify another value.
400 | ErrorRegionNoDisable | There are unsupported regions, please reselect | Some regions are not supported. Specify supported regions.
400 | ErrorCenFirewallVpcNumInvalid | The CEN does not contain enough VPCs; the VPC firewall cannot be enabled. | The number of VPCs in the CEN is insufficient to enable a VPC firewall.
400 | ErrorDestCidrError | The target network segment is wrong. Please configure the target network segment correctly. | The specified destination CIDR block is invalid. Enter another value.
400 | ErrorVpcCustomRouteTableWithVswitch | The VPC has a custom route table that is associated with a vSwitch; a VPC firewall cannot be created. | A VPC firewall cannot be created for a VPC whose custom route table is associated with a vSwitch.
400 | ErrorCenNotSupportTREnterpriseAutoMode | VPC firewall does not support TR Enterprise Edition auto mode protection, please use manual mode protection | VPC firewalls do not support the CEN-TR automatic mode. Use manual mode.
400 | ErrorInvalidMemberUid | Member uid is invalid | The member is invalid.
400 | ErrorFirewallName | Firewall name invalid. | The firewall name is invalid. Enter another value.
400 | ErrorFirewallSwitch | The firewall enabling parameter is incorrect. Please select again. | The specified switch of the firewall is invalid. Enter another value.
400 | ErrorNetworkInstanceIdError | Network InstanceId ID is invalid | The ID of the network instance is invalid.
400 | ErrorCenId | CEN ID is error | The ID of the CEN instance is invalid.
400 | ErrorCidrFormat | Cidr ip format error. | The CIDR block format is invalid. Enter another value.
400 | ErrorDestCidrEmpty | The target network segment is empty and cannot be created | The destination CIDR block is not specified. The firewall cannot be created.
400 | ErrorOwnerId | owner id invalid. | The account is invalid. Enter another value.
400 | ErrorCenManualFirewallExist | VPC firewall in manual mode already exists in this CEN network. You are not allowed to create a VPC firewall in automatic mode. | This CEN already has a VPC firewall in manual mode. You cannot create a VPC firewall in automatic mode.
400 | ErrorFirewallExistDeleting | There is a VPC firewall that is being deleted, and it is not allowed to create. | A VPC firewall is being deleted. A new VPC firewall cannot be created until the deletion completes.
400 | ErrorSameCidrIp | The same network segment cannot be configured repeatedly. Please reselect the network segment. | The CIDR block is already in use. Specify another CIDR block.
400 | ErrorCenRouteMapExist | cen route map is exist. Creating a VPC perimeter firewall is not allowed | A CEN route map already exists, so the VPC firewall cannot be created. Contact Cloud Firewall after-sales technical support.
400 | ErrorUserCredentials | User credentials failed. | Unauthorized. Grant the Cloud Firewall permissions first.
400 | ErrorDBNoRow | No rows in database. | No data found.
400 | ErrorVpcFirewallVpcNumLimit | The number of vpcs in this region is limited to open the vpc firewall. | The VPC firewall cannot be enabled because of the VPC count limit in this region.
400 | ErrorCenExistPublicCidr | cen domain route exist public route. | The CEN contains a route to a public CIDR block; the VPC firewall is not supported.
400 | ErrorCenExistTrRoute | Cen VPC route exist tr route. | A VPC in the CEN has a route whose next hop is a transit router (TR); the VPC firewall is not supported.
400 | ErrorCenTRAssociationCustomRouteTable | CEN-TR association custom route table. | The VPC firewall does not support a custom route table associated with the CEN-TR network instance connection, so it cannot be enabled.
400 | ErrorDBInsertError | A database insert error occurred. | An internal error occurred during a database insert.
400 | ErrorVpcFirewallZoneId | VPC firewall zone error. | The specified zone for the VPC firewall is invalid.
400 | ErrorInvalidMemberUidStatus | invalid member uid status. | The status of the member account is invalid. This operation is not supported.
400 | ErrorBandwidthPenalty | Cloud Firewall bandwidth is being overused. | Cloud Firewall bandwidth is being overused.
400 | ErrorGeneralInstanceSpecFull | Cloud Firewall instance specifications are full. | Cloud Firewall instance specifications are full.

See Error Codes for a complete list.

Release notes

See Release Notes for a complete list.