All Products
Search
Document Center

Cloud Firewall:ModifyControlPolicy

Last Updated:Jun 10, 2026

Modifies the configurations of an access control policy.

Operation description

This operation modifies the configurations of an access control policy that allows, denies, or monitors traffic passing through Cloud Firewall.

QPS limit

Each user can call this operation up to 10 times per second. If the limit is exceeded, API calls are throttled. This may affect your business. Plan your calls accordingly.

Try it now

Try this API in OpenAPI Explorer, no manual signing needed. Successful calls auto-generate SDK code matching your parameters. Download it with built-in credential security for local usage.

Test

RAM authorization

The table below describes the authorization required to call this API. You can define it in a Resource Access Management (RAM) policy. The table's columns are detailed below:

  • Action: The actions can be used in the Action element of RAM permission policy statements to grant permissions to perform the operation.

  • API: The API that you can call to perform the action.

  • Access level: The predefined level of access granted for each API. Valid values: create, list, get, update, and delete.

  • Resource type: The type of the resource that supports authorization to perform the action. It indicates if the action supports resource-level permission. The specified resource must be compatible with the action. Otherwise, the policy will be ineffective.

    • For APIs with resource-level permissions, required resource types are marked with an asterisk (*). Specify the corresponding Alibaba Cloud Resource Name (ARN) in the Resource element of the policy.

    • For APIs without resource-level permissions, it is shown as All Resources. Use an asterisk (*) in the Resource element of the policy.

  • Condition key: The condition keys defined by the service. The key allows for granular control, applying to either actions alone or actions associated with specific resources. In addition to service-specific condition keys, Alibaba Cloud provides a set of common condition keys applicable across all RAM-supported services.

  • Dependent action: The dependent actions required to run the action. To complete the action, the RAM user or the RAM role must have the permissions to perform all dependent actions.

Action

Access level

Resource type

Condition key

Dependent action

yundun-cloudfirewall:ModifyControlPolicy

update

*ControlPolicy

acs:cloudfirewall::{#accountId}:controlpolicy/{#AclUuid}

None None

Request parameters

Parameter

Type

Required

Description

Example

Lang

string

No

The language of the request and response. Valid values:

  • zh (default): Chinese

  • en: English

zh

AclAction

string

No

The action that Cloud Firewall performs on the traffic. Valid values:

  • accept: allows the traffic.

  • drop: denies the traffic.

  • log: monitors the traffic.

accept

ApplicationName deprecated

string

No

The application type supported by the access control policy. The following application types are supported:

  • ANY

  • HTTP

  • HTTPS

  • MySQL

  • SMTP

  • SMTPS

  • RDP

  • VNC

  • SSH

  • Redis

  • MQTT

  • MongoDB

  • Memcache

  • SSL

Note

ANY indicates that the policy applies to all application types.

Note

Specify either ApplicationNameList or ApplicationName. You cannot leave both empty. If you specify both, ApplicationNameList takes precedence.

HTTP

Description

string

No

The description of the access control policy.

test

DestPort

string

No

The destination port in the access control policy.

80

Destination

string

No

The destination address in the access control policy.

  • If DestinationType is set to net, set Destination to a destination CIDR block. Example: 1.2.XX.XX/24

  • If DestinationType is set to group, set Destination to the name of a destination address book. Example: db_group

  • If DestinationType is set to domain, set Destination to a destination domain name. Example: *.aliyuncs.com

  • If DestinationType is set to location, set Destination to a destination location code. Example: ["BJ11", "ZB"]

192.0.XX.XX/24

DestinationType

string

No

The type of the destination address in the access control policy. Valid values:

  • net: destination CIDR block

  • group: destination address book

  • domain: destination domain name

  • location: destination region

net

Direction

string

No

The direction of the traffic to which the access control policy applies. Valid values:

  • in: inbound traffic

  • out: outbound traffic

in

Proto

string

No

The protocol type of the traffic in the access control policy. Valid values:

  • ANY

  • TCP

  • UDP

  • ICMP

Note

ANY indicates that the policy applies to all protocol types.

Note

If the traffic direction is outbound and the destination is a domain name that belongs to a threat intelligence address book or a cloud service address book, you can set this parameter to TCP or ANY. If you set this parameter to TCP, you can set the application to HTTP, HTTPS, SMTP, SMTPS, or SSL. If you set this parameter to ANY, you must set the application to ANY.

TCP

Source

string

No

The source address in the access control policy.

  • If SourceType is set to net, set Source to a source CIDR block. Example: 1.2.XX.XX/24

  • If SourceType is set to group, set Source to the name of a source address book. Example: db_group

  • If SourceType is set to location, set Source to a source location code. Example: ["BJ11", "ZB"]

192.0.XX.XX/24

AclUuid

string

Yes

The unique ID of the access control policy.

Note

To modify an access control policy, provide the unique ID of the policy. Call the DescribeControlPolicy operation to obtain the ID.

00281255-d220-4db1-8f4f-c4df221ad84c

SourceType

string

No

The type of the source address in the access control policy. Valid values:

  • net: source CIDR block

  • group: source address book

  • location: source region

net

DestPortType

string

No

The type of the destination port in the access control policy. Valid values:

  • port: port

  • group: port address book

port

DestPortGroup

string

No

The name of the destination port address book in the access control policy.

my_port_group

Release

string

No

The status of the access control policy. Valid values:

  • true: The policy is enabled.

  • false: The policy is disabled.

true

ApplicationNameList

array

No

The list of application names.

Note

Specify either ApplicationNameList or ApplicationName. You cannot leave both empty. If you specify both, ApplicationNameList takes precedence.

string

No

The application name.

HTTP

RepeatType

string

No

The recurrence type for the policy validity period. Valid values:

  • Permanent (default): The policy is always valid.

  • None: The policy is valid only once.

  • Daily: The policy is valid daily.

  • Weekly: The policy is valid weekly.

  • Monthly: The policy is valid monthly.

Valid values:

  • Daily :

    Daily

  • Monthly :

    Monthly

  • Permanent :

    Always

  • Weekly :

    Weekly

  • None :

    One-time

Permanent

RepeatDays

array

No

The days of the week or month on which the policy is recurrent.

  • If RepeatType is set to Permanent, None, or Daily, leave this parameter empty. Example: []

  • If RepeatType is set to Weekly, you must specify this parameter. Example: [0, 6]

Note

If RepeatType is set to Weekly, the values in the array cannot be repeated.

  • If RepeatType is set to Monthly, you must specify this parameter. Example: [1, 31]

Note

If RepeatType is set to Monthly, the values in the array cannot be repeated.

integer

No

The day of the week or month on which the policy is recurrent.

Note

If RepeatType is set to Weekly, the valid values are 0 to 6. The week starts on Sunday. If RepeatType is set to Monthly, the valid values are 1 to 31.

1

RepeatStartTime

string

No

The start time of the recurrence. The time is in the HH:mm format and in 24-hour format. Example: 08:00.

Note

If RepeatType is set to Permanent or None, leave this parameter empty. If RepeatType is set to Daily, Weekly, or Monthly, you must specify this parameter.

08:00

RepeatEndTime

string

No

The end time of the recurrence. The time is in the HH:mm format and in 24-hour format. Example: 23:00.

Note

If RepeatType is set to Permanent or None, leave this parameter empty. If RepeatType is set to Daily, Weekly, or Monthly, you must specify this parameter.

23:30

StartTime

integer

No

The start time of the policy validity period. The value is a UNIX timestamp. The time must be on the hour or half hour, and at least 30 minutes earlier than the end time.

Note

If RepeatType is set to Permanent, leave this parameter empty. If RepeatType is set to None, Daily, Weekly, or Monthly, you must specify this parameter.

1694761200

EndTime

integer

No

The end time of the policy validity period. The value is a UNIX timestamp. The time must be on the hour or half hour, and at least 30 minutes later than the start time.

Note

If RepeatType is set to Permanent, leave this parameter empty. If RepeatType is set to None, Daily, Weekly, or Monthly, you must specify this parameter.

1694764800

DomainResolveType

string

No

The domain name resolution method for the access control policy. Valid values:

  • FQDN: FQDN-based resolution

  • DNS: DNS-based dynamic resolution

  • FQDN_AND_DNS: FQDN-based and DNS-based dynamic resolution

FQDN

Response elements

Element

Type

Description

Example

object

RequestId

string

The ID of the request.

CBF1E9B7-D6A0-4E9E-AD3E-2B47E6C2837D

Examples

Success response

JSON format

{
  "RequestId": "CBF1E9B7-D6A0-4E9E-AD3E-2B47E6C2837D"
}

Error codes

HTTP status code

Error code

Error message

Description

400 ErrorParametersUid The aliUid parameter is invalid. The aliUid parameter is invalid.
400 ErrorParametersDirection The direction is invalid. The direction is invalid.
400 ErrorDBSelect An error occurred while querying database. An error occurred while querying database.
400 ErrorRecordLog An error occurred while updating the operation log. An error occurred while updating the operation log.
400 ErrorParameters Error Parameters The parameter is invalid.
400 ErrorParametersSource The source is invalid. The source is invalid.
400 ErrorParametersDestination The Destination parameter is invalid. The Destination parameter is invalid.
400 ErrorParametersFtpNotSupport domain destination not support ftp. FTP application is not supported when the policy destination is a domain name
400 ErrorAclDomainAnyCountExceed The number of resolved domain names cannot exceed 200. ACL configuration can be continued for HTTP, HTTPS, SMTP, SMTPS, and SSL applications. The domain name is resolved to more than 200 IP addresses. We recommend that you set Application in your access control policy to HTTPS, HTTPS, SMTP, SMTPS, or SSL.
400 ErrorAclNotExist The ACL does not exist. The ACL does not exist.
400 ErrorAclEffectiveTimeNonPermanent ACL rule is not allowed to update status when effective is not permanent. ACL rule is not allowed to update status when effective is not permanent.
400 ErrorAclExtendedCountExceed ACL or extended ACL rules are not matched. The quota for access control policies or extra access control policies is exhausted.
400 ErrorDBUpdate internal error: sql updat. An error occurred while updating the database.
400 ErrorDBInsert An error occurred while performing an insert operation in the database. An error occurred while performing an insert operation in the database.
400 ErrorMarshalJSON An error occurred while encoding JSON. An error occurred while encoding JSON.
400 ErrorParametersDestinationCount Exceeding the number of countries in a single ACL. Exceeds the number of selected areas for one ACL. It is recommended to split it into multiple ACLs.
400 ErrorEmptyDomainResolveType Empty DomainResolveType only support HTTP/HTTPS/SSL/SMTP/SMTPS apps. Empty domain name resolution mode is not supported.
400 ErrorParametersApplicationName Specified parameter ApplicationName is not valid. Specified parameter ApplicationName is not valid.
400 ErrorParametersApplicationNameList Specified parameter ApplicationNameList is not valid. Specified parameter ApplicationNameList is not valid.
400 ErrorParametersAclUuid Specified parameter AclUuid is not valid. Specified parameter AclUuid is not valid.
400 ErrorAddressGroupNotExist The address group does not exist. The address group does not exist.
400 ErrorParametersProtoAppsMismatch The protocol and applicationName mismatch. The protocol and applicationName mismatch.
400 ErrorApplicationTemplateNotFound Application template not found. Application template does not exist
400 ErrorWebFilterTemplateNotFound Web filter template not found. Web filtering template does not exist

See Error Codes for a complete list.

Release notes

See Release Notes for a complete list.