
Cloud Firewall:ModifyNatFirewallControlPolicy

Last Updated: Mar 30, 2026

Modifies the configuration of a NAT Firewall access control policy.

Operation description

Use this API to modify an access control policy for traffic that passes through a NAT firewall. You can set the policy action to accept, deny, or observe.


RAM authorization

The table below describes the authorization required to call this API. You can define it in a Resource Access Management (RAM) policy. The table's columns are detailed below:

  • Action: The action that can be used in the Action element of a RAM permission policy statement to grant permission to perform the operation.

  • API: The API that you can call to perform the action.

  • Access level: The predefined level of access granted for each API. Valid values: create, list, get, update, and delete.

  • Resource type: The type of the resource that supports authorization to perform the action. It indicates if the action supports resource-level permission. The specified resource must be compatible with the action. Otherwise, the policy will be ineffective.

    • For APIs with resource-level permissions, required resource types are marked with an asterisk (*). Specify the corresponding Alibaba Cloud Resource Name (ARN) in the Resource element of the policy.

    • For APIs without resource-level permissions, it is shown as All Resources. Use an asterisk (*) in the Resource element of the policy.

  • Condition key: The condition keys defined by the service. The key allows for granular control, applying to either actions alone or actions associated with specific resources. In addition to service-specific condition keys, Alibaba Cloud provides a set of common condition keys applicable across all RAM-supported services.

  • Dependent action: The dependent actions required to run the action. To complete the action, the RAM user or the RAM role must have the permissions to perform all dependent actions.

Action: yundun-cloudfirewall:ModifyNatFirewallControlPolicy

Access level: update

Resource type: *NatFirewallControlPolicy
  acs:cloudfirewall::{#accountId}:natfirewallcontrolpolicy/{#AclUuid}

Condition key: None

Dependent action: None

Request parameters

Each parameter is listed with its type, whether it is required, its description, and an example value.

Lang (string, optional)

The language of the request and response. Valid values:

  • zh (default): Chinese.

  • en: English.

Example: zh

AclAction (string, optional)

The action that Cloud Firewall takes on traffic that matches the access control policy. Valid values:

  • accept: Allows traffic.

  • drop: Drops traffic.

  • log: Logs traffic.

Example: log

Description (string, optional)

The description of the access control policy. Fuzzy match is supported.

Note: If you do not specify this parameter, the descriptions of all policies are queried.

Example: test description

DestPort (string, optional)

The destination port in the access control policy.

Note: This parameter is required when DestPortType is set to port.

Example: 80

Destination (string, optional)

The destination address in the access control policy.

  • If DestinationType is set to net, the value of this parameter is a destination CIDR block. Example: 1.2.3.4/24.

  • If DestinationType is set to group, the value of this parameter is a destination address book. Example: db_group.

  • If DestinationType is set to domain, the value of this parameter is a destination domain name. Example: *.aliyuncs.com.

  • If DestinationType is set to location, the value of this parameter is a destination location. Example: ["BJ11", "ZB"].

Example: x.x.x.x/32

DestinationType (string, optional)

The type of the destination address in the access control policy. Valid values:

  • net: CIDR block

  • group: address book

  • domain: domain name

  • location: location

Example: net

NatGatewayId (string, required)

The ID of the NAT gateway.

Example: ngw-xxxxxx

Proto (string, optional)

The protocol type in the access control policy. Valid values:

  • ANY

  • TCP

  • UDP

  • ICMP

Note: If you set this parameter to ANY, the policy applies to all protocol types.

Note: If the destination is a domain name that is included in a threat intelligence address book or a cloud service address book, you can set the protocol type to TCP. If you set the protocol type to TCP, you can select an application, such as HTTP, HTTPS, SMTP, SMTPS, or SSL.

Example: TCP

Source (string, optional)

The source address in the access control policy. Valid values:

  • If SourceType is set to net, the value of this parameter is a source CIDR block. Example: 10.2.XX.XX/24.

  • If SourceType is set to group, the value of this parameter is a source address book. Example: db_group.

Example: 10.2.XX.XX/24

AclUuid (string, required)

The UUID of the access control policy.

To modify an access control policy, you must provide the UUID of the policy. You can call the DescribeNatFirewallControlPolicy operation to query the UUIDs of access control policies.

Example: 63ab1c02-926a-4d1b-9ef7-*****

Direction (string, optional)

The direction of the traffic to which the access control policy applies. Valid value:

  • out: outbound traffic

Example: out

SourceType (string, optional)

The type of the source address in the access control policy. Valid values:

  • net: source CIDR block

  • group: source address book

Example: net

DestPortType (string, optional)

The type of the destination port in the access control policy. Valid values:

  • port: port

  • group: port address book

Example: port

DestPortGroup (string, optional)

The name of the destination port address book in the access control policy.

Example: my_dest_port_group

Release (string, optional)

The status of the access control policy. Valid values:

  • true: enabled

  • false: disabled

Example: true

ApplicationNameList (array of string, optional)

The application names. Each element is one of the application types supported by the access control policy.

Example (element): ANY

DomainResolveType (string, optional)

The domain name resolution method of the access control policy. Valid values:

  • 0: FQDN

  • 1: dynamic DNS resolution

  • 2: FQDN and dynamic DNS resolution

Note: If the domain name identification mode includes FQDN, you can only configure the TCP protocol and select HTTP/HTTPS/SMTP/SMTPS/SSL/IMAPS/POPS for the application.

Example: 0

RepeatType (string, optional)

The recurrence type for the policy to take effect. Valid values:

  • Permanent (default): The policy always takes effect.

  • None: The policy takes effect only once.

  • Daily: The policy takes effect on a daily basis.

  • Weekly: The policy takes effect on a weekly basis.

  • Monthly: The policy takes effect on a monthly basis.

Example: Permanent

RepeatDays (array of integer, optional)

The days of a week or a month on which the policy takes effect. Each element is one day.

  • This parameter is required when you set the RepeatType parameter to Weekly or Monthly.

  • If you set the RepeatType parameter to Weekly, the value of this parameter is an array that consists of integers from 0 to 6. The integers 0 to 6 indicate Sunday to Saturday. Example: [0, 6]. The array cannot be empty.

  • If you set the RepeatType parameter to Monthly, the value of this parameter is an array that consists of integers from 1 to 31. Example: [1, 31]. The array cannot contain duplicates.

Example (element): 1

RepeatStartTime (string, optional)

The start time of the recurrence. The time is in the HH:mm format. The time must be a full hour or a half hour, and at least 30 minutes earlier than the end time. Example: 08:00.

Note: When RepeatType is Permanent or None, RepeatStartTime is empty. When RepeatType is Daily, Weekly, or Monthly, you must specify a value for RepeatStartTime.

Example: 08:00

RepeatEndTime (string, optional)

The end time of the recurrence. The time is in the HH:mm format. The time must be a full hour or a half hour, and at least 30 minutes later than the start time. Example: 23:30.

Note: When RepeatType is Permanent or None, RepeatEndTime is empty. When RepeatType is Daily, Weekly, or Monthly, you must specify a value for RepeatEndTime.

Example: 23:30

StartTime (integer, optional)

The start of the time range for the policy to take effect. The value is a UNIX timestamp. The time must be a full hour or a half hour, and at least 30 minutes earlier than the end time.

Note: If RepeatType is Permanent, you do not need to specify StartTime. If RepeatType is None, Daily, Weekly, or Monthly, you must specify StartTime.

Example: 1694761200

EndTime (integer, optional)

The end of the time range for the policy to take effect. The value is a UNIX timestamp. The time must be a full hour or a half hour, and at least 30 minutes later than the start time.

Note: When RepeatType is Permanent, EndTime is empty. When RepeatType is None, Daily, Weekly, or Monthly, EndTime is required.

Example: 1694764800
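As an added example (not Alibaba Cloud's SDK or sample code), the following Python assembles the request parameters and enforces the cross-parameter rules documented above (DestPort with DestPortType, the RepeatType schedule fields, and the half-hour alignment of the time range) before the request is signed and sent through whatever client you use. The AclUuid and NatGatewayId values in the comments are the placeholders shown on this page, not real resources.

```python
# Added example, not Alibaba Cloud's SDK: build the ModifyNatFirewallControlPolicy
# parameter map and reject combinations the API documents as invalid (sample IDs constructed).
ACTIONS = {"accept", "drop", "log"}
REPEAT_TYPES = {"Permanent", "None", "Daily", "Weekly", "Monthly"}


def _hhmm_minutes(value: str) -> int:
    """Parse HH:mm into minutes since midnight; only :00 and :30 are allowed."""
    hour, minute = (int(x) for x in value.split(":"))
    if not (0 <= hour < 24 and minute in (0, 30)):
        raise ValueError(f"{value}: time must be a full hour or a half hour")
    return hour * 60 + minute


def build_modify_request(acl_uuid: str, nat_gateway_id: str, **params) -> dict:
    """Return the request parameter map, or raise ValueError on a documented violation."""
    if not acl_uuid or not nat_gateway_id:
        raise ValueError("AclUuid and NatGatewayId are required")
    req = {"AclUuid": acl_uuid, "NatGatewayId": nat_gateway_id, **params}
    if "AclAction" in req and req["AclAction"] not in ACTIONS:
        raise ValueError("AclAction must be accept, drop or log")
    if req.get("DestPortType") == "port" and not req.get("DestPort"):
        raise ValueError("DestPort is required when DestPortType is port")
    repeat = req.get("RepeatType", "Permanent")
    if repeat not in REPEAT_TYPES:
        raise ValueError("unknown RepeatType")
    if repeat in ("Daily", "Weekly", "Monthly"):
        # Recurring schedules need a HH:mm window that is at least 30 minutes long.
        start, end = req.get("RepeatStartTime"), req.get("RepeatEndTime")
        if start is None or end is None:
            raise ValueError("RepeatStartTime and RepeatEndTime are required")
        if _hhmm_minutes(end) - _hhmm_minutes(start) < 30:
            raise ValueError("RepeatEndTime must be at least 30 minutes after RepeatStartTime")
    elif "RepeatStartTime" in req or "RepeatEndTime" in req:
        raise ValueError("RepeatStartTime/RepeatEndTime must be empty for Permanent or None")
    days = req.get("RepeatDays") or []
    if repeat == "Weekly" and (not days or any(d not in range(7) for d in days)):
        raise ValueError("Weekly needs a non-empty RepeatDays of 0 (Sunday) to 6 (Saturday)")
    if repeat == "Monthly" and (not days or len(set(days)) != len(days)
                                or any(d not in range(1, 32) for d in days)):
        raise ValueError("Monthly needs distinct RepeatDays of 1 to 31")
    if repeat != "Permanent":
        # StartTime/EndTime are UNIX timestamps on a half-hour boundary, >= 30 min apart.
        st, et = req.get("StartTime"), req.get("EndTime")
        if st is None or et is None:
            raise ValueError("StartTime and EndTime are required unless RepeatType is Permanent")
        if st % 1800 or et % 1800 or et - st < 1800:
            raise ValueError("StartTime/EndTime must be full or half hours, at least 30 min apart")
    return req
```

The returned map is what you pass to the signed OpenAPI call; failing these checks locally avoids a round trip that would end in one of the 400 errors listed below.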

Response elements

The response body is an object with the following element.

RequestId (string)

The request ID.

Example: 3768197C-E6E8-52CD-8358-*****

Examples

Success response

JSON format

{
  "RequestId": "3768197C-E6E8-52CD-8358-*****"
}

Error codes

Each row lists: HTTP status code, error code, error message, description.

400 ErrorParametersUid The aliUid parameter is invalid. The aliUid parameter is invalid.
400 ErrorDBSelect An error occurred while querying database. An error occurred while querying database.
400 ErrorParametersSource The source is invalid. The source is invalid.
400 ErrorParametersProto The protocol is invalid. The protocol is invalid.
400 ErrorParametersDestination The Destination parameter is invalid. The Destination parameter is invalid.
400 ErrorParametersDestPort The dst_port is invalid. The dst_port is invalid.
400 ErrorParametersAction The action is invalid. The action is invalid.
400 ErrorAddressCountExceed The maximum number of addresses is exceeded. The maximum number of address is exceeded.
400 ErrorAclNotExist The ACL does not exist. The ACL does not exist.
400 ErrorRecordLog An error occurred while updating the operation log. An error occurred while updating the operation log.
400 ErrorParametersDestinationCount Exceeding the number of countries in a single ACL. Exceeds the number of selected areas for one ACL. It is recommended to split it into multiple ACLs.
400 ErrorAclExtendedCountExceed ACL or extended ACL rules are not matched. The quota for access control policies or extra access control policies is exhausted.
400 ErrorAclEffectiveTimeNonPermanent ACL rule is not allowed to update status when effective is not permanent. ACL rule is not allowed to update status when effective is not permanent.
400 ErrorParametersNatGatewayId Invalid parameters NatGatewayId. The request parameter NatGatewayId is invalid or does not exist.
400 ErrorUUIDNew The UUID is invalid. The UUID is invalid.
400 ErrorParameterIpVersion The IP version is invalid. The IP version is invalid.
400 ErrorParametersDirection The direction is invalid. The direction is invalid.
400 ErrorDomainResolve An error occurred while resolving the domain. An error occurred while resolving the domain.
400 ErrorParameters Parameters error. Parameter error.
400 ErrorDBInsert An error occurred while performing an insert operation in the database. An error occurred while performing an insert operation in the database.
400 ErrorDBUpdate internal error: sql updat. An error occurred while updating the database.
400 ErrorParametersFtpNotSupport domain destination not support ftp. FTP application is not supported when the policy destination is a domain name
400 ErrorAddressGroupNotExist The address group does not exist. The address group does not exist.
400 ErrorParametersApplicationNameList Specified parameter ApplicationNameList is not valid. Specified parameter ApplicationNameList is not valid.
400 ErrorParametersAclUuid Specified parameter AclUuid is not valid. Specified parameter AclUuid is not valid.

See Error Codes for a complete list.

Release notes

See Release Notes for a complete list.