
Cloud Firewall:ModifyControlPolicy

Last Updated:Aug 01, 2025

Modifies the configurations of an access control policy.

Operation description

You can call this operation to modify the configurations of an access control policy that allows, denies, or monitors traffic that passes through Cloud Firewall.

QPS limit

The queries per second (QPS) limit for a single user is 10. If the number of calls to the API operation per second exceeds this limit, throttling is triggered. This may affect your business. We recommend that you take this limit into account when you call this operation.


RAM authorization

The table below describes the authorization required to call this API. You can define it in a Resource Access Management (RAM) policy. The table's columns are detailed below:

  • Action: The actions can be used in the Action element of RAM permission policy statements to grant permissions to perform the operation.

  • API: The API that you can call to perform the action.

  • Access level: The predefined level of access granted for each API. Valid values: create, list, get, update, and delete.

  • Resource type: The type of the resources that support authorization to perform the action. It indicates whether the action supports resource-level permissions. The specified resource must be compatible with the action; otherwise, the policy is ineffective.

    • For APIs with resource-level permissions, required resource types are marked with an asterisk (*). Specify the corresponding Alibaba Cloud Resource Name (ARN) in the Resource element of the policy.

    • For APIs without resource-level permissions, it is shown as All Resources. Use an asterisk (*) in the Resource element of the policy.

  • Condition key: The condition keys defined by the service. The key allows for granular control, applying to either actions alone or actions associated with specific resources. In addition to service-specific condition keys, Alibaba Cloud provides a set of common condition keys applicable across all RAM-supported services.

  • Dependent action: The dependent actions required to run the action. To complete the action, the RAM user or the RAM role must have the permissions to perform all dependent actions.

Action | Access level | Resource type | Condition key | Dependent action
yundun-cloudfirewall:ModifyControlPolicy | update | *ControlPolicy: acs:cloudfirewall::{#accountId}:controlpolicy/{#AclUuid} | None | None

Request parameters

Each parameter below is listed in the following order: Parameter, Type, Required, Description, Example.

Lang

string

No

The language of the content within the request and response. Valid values:

  • zh (default): Chinese

  • en: English

zh

AclAction

string

No

The action that Cloud Firewall performs on the traffic. Valid values:

  • accept: allows the traffic.

  • drop: denies the traffic.

  • log: monitors the traffic.

accept

ApplicationName (deprecated)

string

No

The application type supported by the access control policy. The following application types are supported:

  • ANY

  • HTTP

  • HTTPS

  • MySQL

  • SMTP

  • SMTPS

  • RDP

  • VNC

  • SSH

  • Redis

  • MQTT

  • MongoDB

  • Memcache

  • SSL

Note

ANY indicates that the policy is applied to all application types.

Note

You must specify ApplicationNameList or ApplicationName. You cannot leave both parameters empty. If you specify both ApplicationNameList and ApplicationName, ApplicationNameList takes precedence.

HTTP

Description

string

No

The description of the access control policy.

test

DestPort

string

No

The destination port in the access control policy.

80

Destination

string

No

The destination address in the access control policy.

  • If DestinationType is set to net, the value of Destination is a destination CIDR block. Example: 1.2.XX.XX/24

  • If DestinationType is set to group, the value of Destination is the name of a destination address book. Example: db_group

  • If DestinationType is set to domain, the value of Destination is a destination domain name. Example: *.aliyuncs.com

  • If DestinationType is set to location, the value of Destination is a destination region. For more information about the regions, see the following text. Example: ["BJ11", "ZB"]

192.0.XX.XX/24

DestinationType

string

No

The type of the destination address in the access control policy. Valid values:

  • net: destination CIDR block

  • group: destination address book

  • domain: destination domain name

  • location: destination region

net

Direction

string

No

The direction of the traffic to which the access control policy applies. Valid values:

  • in: inbound traffic

  • out: outbound traffic

in

Proto

string

No

The protocol type in the access control policy. The following protocol types are supported:

  • ANY

  • TCP

  • UDP

  • ICMP

Note

ANY indicates that the policy is applied to all protocol types.

Note

If the traffic direction is outbound and the destination address is a domain name that is included in a threat intelligence address book or a cloud service address book, you can set the protocol type to TCP or ANY. If you set the protocol type to TCP, you can set the application type to HTTP, HTTPS, SMTP, SMTPS, or SSL. If you set the protocol type to ANY, you can set the application type to ANY.

TCP

Source

string

No

The source address in the access control policy.

  • If SourceType is set to net, the value of Source is a source CIDR block. Example: 1.2.XX.XX/24

  • If SourceType is set to group, the value of Source is the name of a source address book. Example: db_group

  • If SourceType is set to location, the value of Source is a source region. For more information about the regions, see the following text. Example: ["BJ11", "ZB"]

192.0.XX.XX/24

AclUuid

string

Yes

The unique ID of the access control policy.

Note

To modify an access control policy, you must provide the unique ID of the policy. You can call the DescribeControlPolicy operation to query the ID.

00281255-d220-4db1-8f4f-c4df221ad84c

SourceType

string

No

The type of the source address in the access control policy. Valid values:

  • net: source CIDR block

  • group: source address book

  • location: source region

net

DestPortType

string

No

The type of the destination port in the access control policy. Valid values:

  • port: port

  • group: port address book

port

DestPortGroup

string

No

The name of the destination port address book in the access control policy.

my_port_group

Release

string

No

The status of the access control policy. Valid values:

  • true: The policy is enabled.

  • false: The policy is disabled.

true

ApplicationNameList

array

No

The list of application names.

Note

You must specify ApplicationNameList or ApplicationName. You cannot leave both parameters empty. If you specify both ApplicationNameList and ApplicationName, ApplicationNameList takes precedence.

Element: string (not required). The application name. Example: HTTP

RepeatType

string

No

The recurrence type for the policy to take effect. Valid values:

  • Permanent (default): The policy is always in effect.

  • None: The policy is in effect for a specified period of time.

  • Daily: The policy is in effect on a daily basis.

  • Weekly: The policy is in effect on a weekly basis.

  • Monthly: The policy is in effect on a monthly basis.

Permanent

RepeatDays

array

No

The days of a week or of a month on which the policy takes effect.

  • If RepeatType is set to Permanent, None, or Daily, RepeatDays is an empty set. Example: []

  • If RepeatType is set to Weekly, RepeatDays cannot be an empty set. Example: [0, 6]

Note

If RepeatType is set to Weekly, the values in RepeatDays cannot be repeated.

  • If RepeatType is set to Monthly, RepeatDays cannot be an empty set. Example: [1, 31]

Note

If RepeatType is set to Monthly, the values in RepeatDays cannot be repeated.

Element: integer (not required). The day of a week or of a month on which the policy takes effect.

Note

If RepeatType is set to Weekly, the value can be 0 to 6. A week starts on Sunday. If RepeatType is set to Monthly, the value can be 1 to 31.

Example: 1

RepeatStartTime

string

No

The start time of the recurrence. Example: 08:00. The value must be on the hour or on the half hour, and must be at least 30 minutes earlier than the end time.

Note

If RepeatType is set to Permanent or None, RepeatStartTime is empty. If RepeatType is set to Daily, Weekly, or Monthly, you must specify this parameter.

08:00

RepeatEndTime

string

No

The end time of the recurrence. Example: 23:30. The value must be on the hour or on the half hour, and must be at least 30 minutes later than the start time.

Note

If RepeatType is set to Permanent or None, RepeatEndTime is empty. If RepeatType is set to Daily, Weekly, or Monthly, you must specify this parameter.

23:30

StartTime

integer

No

The start time of the policy validity period. The value is a UNIX timestamp. The value must be on the hour or on the half hour, and must be at least 30 minutes earlier than the end time.

Note

If RepeatType is set to Permanent, StartTime is empty. If RepeatType is set to None, Daily, Weekly, or Monthly, you must specify this parameter.

1694761200

EndTime

integer

No

The end time of the policy validity period. The value is a UNIX timestamp. The value must be on the hour or on the half hour, and must be at least 30 minutes later than the start time.

Note

If RepeatType is set to Permanent, EndTime is empty. If RepeatType is set to None, Daily, Weekly, or Monthly, you must specify this parameter.

1694764800

DomainResolveType

string

No

The domain name resolution method of the access control policy. Valid values:

  • FQDN: FQDN

  • DNS: DNS dynamic resolution

  • FQDN_AND_DNS: FQDN and DNS dynamic resolution

FQDN
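The following Python helper is an added illustration, not code from Alibaba Cloud's SDK or documentation: it assembles the ModifyControlPolicy request parameters and enforces the RepeatType, RepeatDays, RepeatStartTime/RepeatEndTime and StartTime/EndTime rules described above, so that an invalid update is rejected locally before the API call is made. The function name and argument names are assumptions.

```python
import re
REPEAT_TYPES = ("Permanent", "None", "Daily", "Weekly", "Monthly")
HHMM = re.compile(r"^([01]\d|2[0-3]):(00|30)$")   # on the hour or on the half hour

def _clock_minutes(hhmm):
    return int(hhmm[:2]) * 60 + int(hhmm[3:])

def build_modify_control_policy(acl_uuid, repeat_type="Permanent", repeat_days=(),
                                repeat_start=None, repeat_end=None,
                                start_time=None, end_time=None, **other):
    """Return the request parameters as a dict, or raise ValueError on a documented constraint."""
    if not acl_uuid:
        raise ValueError("AclUuid is required; query it with DescribeControlPolicy")
    if repeat_type not in REPEAT_TYPES:
        raise ValueError(f"unsupported RepeatType {repeat_type!r}")
    # ApplicationNameList or the deprecated ApplicationName must be set; when both
    # are given ApplicationNameList takes precedence, so the old one is dropped.
    if other.get("ApplicationNameList"):
        other.pop("ApplicationName", None)
    elif not other.get("ApplicationName"):
        raise ValueError("ApplicationNameList or ApplicationName must be specified")
    days = list(repeat_days)
    if repeat_type in ("Permanent", "None", "Daily"):
        if days: raise ValueError(f"RepeatDays must be empty when RepeatType is {repeat_type}")
    else:  # Weekly: 0..6 (week starts on Sunday); Monthly: 1..31; no repeated values
        lo, hi = (0, 6) if repeat_type == "Weekly" else (1, 31)
        if not days or len(set(days)) != len(days) or any(not lo <= d <= hi for d in days):
            raise ValueError(f"RepeatDays for {repeat_type} must be unique values in {lo}..{hi}")
    if repeat_type in ("Permanent", "None"):
        if repeat_start or repeat_end:
            raise ValueError(f"RepeatStartTime/RepeatEndTime must be empty for {repeat_type}")
    else:
        if not (repeat_start and repeat_end and HHMM.match(repeat_start) and HHMM.match(repeat_end)):
            raise ValueError("RepeatStartTime/RepeatEndTime are required, as HH:00 or HH:30")
        if _clock_minutes(repeat_end) - _clock_minutes(repeat_start) < 30:
            raise ValueError("RepeatEndTime must be at least 30 minutes after RepeatStartTime")
    if repeat_type == "Permanent":
        if start_time is not None or end_time is not None:
            raise ValueError("StartTime/EndTime must be empty when RepeatType is Permanent")
    else:  # UNIX timestamps, on the hour or half hour, at least 30 minutes apart
        if start_time is None or end_time is None or start_time % 1800 or end_time % 1800:
            raise ValueError("StartTime/EndTime are required UNIX timestamps on the hour or half hour")
        if end_time - start_time < 1800:
            raise ValueError("EndTime must be at least 30 minutes after StartTime")
    params = {"AclUuid": acl_uuid, "RepeatType": repeat_type, "RepeatDays": days, **other}
    if repeat_start: params.update(RepeatStartTime=repeat_start, RepeatEndTime=repeat_end)
    if start_time is not None: params.update(StartTime=start_time, EndTime=end_time)
    return params
```

The returned dict maps directly onto the request parameters above; pass it to whichever signed client you use for the call.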

Response parameters

Parameter | Type | Description | Example
(response body) | object | |
RequestId | string | The ID of the request. | CBF1E9B7-D6A0-4E9E-AD3E-2B47E6C2837D

Examples

Success response

JSON format

{
  "RequestId": "CBF1E9B7-D6A0-4E9E-AD3E-2B47E6C2837D"
}

Error codes

HTTP status code | Error code | Error message | Description
400 | ErrorParametersUid | The aliUid parameter is invalid. | The aliUid parameter is invalid.
400 | ErrorParametersDirection | The direction is invalid. | The direction is invalid.
400 | ErrorDBSelect | An error occurred while querying database. | An error occurred while querying the database.
400 | ErrorRecordLog | An error occurred while updating the operation log. | An error occurred while updating the operation log.
400 | ErrorParameters | Error Parameters | The parameter is invalid.
400 | ErrorParametersSource | The source is invalid. | The source is invalid.
400 | ErrorParametersDestination | The Destination parameter is invalid. | The Destination parameter is invalid.
400 | ErrorParametersFtpNotSupport | domain destination not support ftp. | The FTP application is not supported when the policy destination is a domain name.
400 | ErrorAclDomainAnyCountExceed | The number of resolved domain names cannot exceed 200. ACL configuration can be continued for HTTP, HTTPS, SMTP, SMTPS, and SSL applications. | The domain name resolves to more than 200 IP addresses. We recommend that you set the application in your access control policy to HTTP, HTTPS, SMTP, SMTPS, or SSL.
400 | ErrorAclNotExist | The ACL does not exist. | The ACL does not exist.
400 | ErrorAclEffectiveTimeNonPermanent | ACL rule is not allowed to update status when effective is not permanent. | The status of an ACL rule cannot be updated when its effective period is not permanent.
400 | ErrorAclExtendedCountExceed | ACL or extended ACL rules are not matched. | The quota for access control policies or extra access control policies is exhausted.
400 | ErrorDBUpdate | internal error: sql updat. | An error occurred while updating the database.
400 | ErrorDBInsert | An error occurred while performing an insert operation in the database. | An error occurred while performing an insert operation in the database.
400 | ErrorMarshalJSON | An error occurred while encoding JSON. | An error occurred while encoding JSON.
400 | ErrorParametersDestinationCount | Exceeding the number of countries in a single ACL. | The number of selected regions for one ACL is exceeded. We recommend that you split it into multiple ACLs.
400 | ErrorEmptyDomainResolveType | Empty DomainResolveType only support HTTP/HTTPS/SSL/SMTP/SMTPS apps. | An empty domain name resolution mode is not supported.
400 | ErrorParametersApplicationName | Specified parameter ApplicationName is not valid. | The specified ApplicationName parameter is invalid.
400 | ErrorParametersApplicationNameList | Specified parameter ApplicationNameList is not valid. | The specified ApplicationNameList parameter is invalid.
400 | ErrorParametersAclUuid | Specified parameter AclUuid is not valid. | The specified AclUuid parameter is invalid.
400 | ErrorAddressGroupNotExist | The address group does not exist. | The address group does not exist.
400 | ErrorParametersProtoAppsMismatch | The protocol and applicationName mismatch. | The protocol and the application name do not match.

See Error Codes for a complete list.

Release notes

See Release Notes for a complete list.