All Products
Search
Document Center

Cloud Firewall:ModifyNatFirewallControlPolicy

Last Updated:Jun 10, 2026

Modify a NAT Firewall security access control policy.

Operation description

This API modifies the configuration of an access control policy that allows, denies, or observes traffic passing through a NAT Firewall.

Try it now

Try this API in OpenAPI Explorer, no manual signing needed. Successful calls auto-generate SDK code matching your parameters. Download it with built-in credential security for local usage.

Test

RAM authorization

The table below describes the authorization required to call this API. You can define it in a Resource Access Management (RAM) policy. The table's columns are detailed below:

  • Action: The actions can be used in the Action element of RAM permission policy statements to grant permissions to perform the operation.

  • API: The API that you can call to perform the action.

  • Access level: The predefined level of access granted for each API. Valid values: create, list, get, update, and delete.

  • Resource type: The type of the resource that supports authorization to perform the action. It indicates if the action supports resource-level permission. The specified resource must be compatible with the action. Otherwise, the policy will be ineffective.

    • For APIs with resource-level permissions, required resource types are marked with an asterisk (*). Specify the corresponding Alibaba Cloud Resource Name (ARN) in the Resource element of the policy.

    • For APIs without resource-level permissions, it is shown as All Resources. Use an asterisk (*) in the Resource element of the policy.

  • Condition key: The condition keys defined by the service. The key allows for granular control, applying to either actions alone or actions associated with specific resources. In addition to service-specific condition keys, Alibaba Cloud provides a set of common condition keys applicable across all RAM-supported services.

  • Dependent action: The dependent actions required to run the action. To complete the action, the RAM user or the RAM role must have the permissions to perform all dependent actions.

Action

Access level

Resource type

Condition key

Dependent action

yundun-cloudfirewall:ModifyNatFirewallControlPolicy

update

*NatFirewallControlPolicy

acs:cloudfirewall::{#accountId}:natfirewallcontrolpolicy/{#AclUuid}

None None

Request parameters

Parameter

Type

Required

Description

Example

Lang

string

No

The language of the request and response. Valid values:

  • zh (default): Chinese

  • en: English

zh

AclAction

string

No

The action that you want to perform on traffic. Valid values:

  • accept: allows the traffic.

  • drop: denies the traffic.

  • log: monitors the traffic.

log

Description

string

No

The description of the access control policy. Fuzzy match is supported.

Note

If you do not specify this parameter, the descriptions of all policies are queried.

test description

DestPort

string

No

The destination port in the access control policy.

Note

This parameter is required when you set DestPortType to port.

80

Destination

string

No

The destination address in the access control policy.

  • If DestinationType is net, specify a destination CIDR block. Example: 1.2.3.4/24.

  • If DestinationType is group, specify a destination address book. Example: db_group.

  • If DestinationType is domain, specify a destination domain name. Example: *.aliyuncs.com.

  • If DestinationType is location, specify a destination location. For more information about location codes, see AddIpamPoolCidr. Example: ["BJ11", "ZB"].

x.x.x.x/32

DestinationType

string

No

The type of the destination address in the access control policy. Valid values:

  • net: destination CIDR block

  • group: destination address book

  • domain: destination domain name

  • location: destination location

net

NatGatewayId

string

Yes

The ID of the NAT gateway.

ngw-xxxxxx

Proto

string

No

The protocol type in the access control policy. Valid values:

  • ANY

  • TCP

  • UDP

  • ICMP

Note

ANY indicates that the policy applies to all protocol types.

Note

If the destination is a domain name-based address book that contains a threat intelligence address book or a cloud service address book, you can select TCP. If you select TCP, you can select HTTP, HTTPS, SMTP, SMTPS, or SSL.

TCP

Source

string

No

The source address in the access control policy. Valid values:

  • When SourceType is net, Source is the source CIDR address, for example, 10.2.XX.XX/24.

  • If SourceType is group, specify a source address book. Example: db_group.

10.2.XX.XX/24

AclUuid

string

Yes

The UUID of the access control policy.

To modify an access control policy, you must provide the UUID of the policy. You can call the DescribeNatFirewallControlPolicy operation to query the UUIDs of access control policies.

63ab1c02-926a-4d1b-9ef7-*****

Direction

string

No

The direction of the traffic to which the access control policy applies. Valid values:

  • out: outbound traffic

out

SourceType

string

No

The type of the source address in the access control policy. Valid values:

  • net: source CIDR block

  • group: source address book

net

DestPortType

string

No

The type of the destination port in the access control policy. Valid values:

  • port: port

  • group: port address book

port

DestPortGroup

string

No

The name of the destination port address book in the access control policy.

my_dest_port_group

Release

string

No

The status of the access control policy. Valid values:

  • true: enabled

  • false: disabled

true

ApplicationNameList

array

No

The application names.

string

No

The application types supported by the access control policy.

ANY

DomainResolveType

string

No

The DNS resolution method of the domain name. Valid values:

  • 0: FQDN

  • 1: dynamic DNS

  • 2: FQDN and dynamic DNS

Note

If the domain name is resolved in FQDN mode, you can select only the TCP protocol. The supported applications are HTTP, HTTPS, SMTP, SMTPS, SSL, IMAPS, and POPS.

0

RepeatType

string

No

The recurrence type for the policy to take effect. Valid values:

  • Permanent (default): The policy is always in effect.

  • None: The policy takes effect for a specified period of time.

  • Daily: The policy takes effect daily.

  • Weekly: The policy takes effect weekly.

  • Monthly: The policy takes effect monthly.

Valid values:

  • Daily :

  • Monthly :

  • Permanent :

  • Weekly :

  • None :

Permanent

RepeatDays

array

No

The days of a week or a month on which the policy recurs.

  • If you set RepeatType to Permanent, None, or Daily, leave this parameter empty. Example: [].

  • If you set RepeatType to Weekly, this parameter is required. Example: [0, 6].

Note

When RepeatType is set to Weekly, RepeatDays does not allow duplicates.

  • When RepeatType is Monthly, RepeatDays cannot be empty. For example: [1, 31]

Note

When RepeatType is set to Monthly, RepeatDays cannot contain duplicate values.

integer

No

The recurring days of the effective period for the access control policy.

Note

If RepeatType is set to Weekly, the value range is 0 to 6. The week starts on Sunday. If RepeatType is set to Monthly, the value range is 1 to 31.

1

RepeatStartTime

string

No

The start time of the repeat cycle. Use the 24-hour HH:mm format, such as 08:00. The time must be on the hour or half-hour and at least 30 minutes before the repeat end time.

Note

This parameter is not used if RepeatType is set to Permanent or None. This parameter is required if RepeatType is set to Daily, Weekly, or Monthly.

08:00

RepeatEndTime

string

No

The end time of the policy's recurrence period. The time must be in the 24-hour HH:mm format, such as 23:30, be on the hour or half-hour, and be at least half an hour later than the recurrence start time.

Note

When RepeatType is Permanent or None, RepeatEndTime is empty. When RepeatType is Daily, Weekly, or Monthly, you must set RepeatEndTime to specify the end time for the repetition.

23:30

StartTime

integer

No

The start time of the effective period for the access control policy is specified in the Unix timestamp format. It must be on the hour or half-hour and at least half an hour earlier than the end time.

Note

When RepeatType is Permanent, StartTime is empty. When RepeatType is None, Daily, Weekly, or Monthly, StartTime is required.

1694761200

EndTime

integer

No

The end time of the effective period for the access control policy. The time is a Unix timestamp. The time must be on the hour or half-hour and be at least 30 minutes after the start time.

Note

If RepeatType is Permanent, EndTime is empty. If RepeatType is None, Daily, Weekly, or Monthly, EndTime is required.

1694764800

Response elements

Element

Type

Description

Example

object

RequestId

string

The ID of the request.

3768197C-E6E8-52CD-8358-*****

Examples

Success response

JSON format

{
  "RequestId": "3768197C-E6E8-52CD-8358-*****"
}

Error codes

HTTP status code

Error code

Error message

Description

400 ErrorParametersUid The aliUid parameter is invalid. The aliUid parameter is invalid.
400 ErrorDBSelect An error occurred while querying database. An error occurred while querying database.
400 ErrorParametersSource The source is invalid. The source is invalid.
400 ErrorParametersProto The protocol is invalid. The protocol is invalid.
400 ErrorParametersDestination The Destination parameter is invalid. The Destination parameter is invalid.
400 ErrorParametersDestPort The dst_port is invalid. The dst_port is invalid.
400 ErrorParametersAction The action is invalid. The action is invalid.
400 ErrorAddressCountExceed The maximum number of addresses is exceeded. The maximum number of address is exceeded.
400 ErrorAclNotExist The ACL does not exist. The ACL does not exist.
400 ErrorRecordLog An error occurred while updating the operation log. An error occurred while updating the operation log.
400 ErrorParametersDestinationCount Exceeding the number of countries in a single ACL. Exceeds the number of selected areas for one ACL. It is recommended to split it into multiple ACLs.
400 ErrorAclExtendedCountExceed ACL or extended ACL rules are not matched. The quota for access control policies or extra access control policies is exhausted.
400 ErrorAclEffectiveTimeNonPermanent ACL rule is not allowed to update status when effective is not permanent. ACL rule is not allowed to update status when effective is not permanent.
400 ErrorParametersNatGatewayId Invalid parameters NatGatewayId. The request parameter NatGatewayId is invalid or does not exist.
400 ErrorUUIDNew The UUID is invalid. The UUID is invalid.
400 ErrorParameterIpVersion The IP version is invalid. The IP version is invalid.
400 ErrorParametersDirection The direction is invalid. The direction is invalid.
400 ErrorDomainResolve An error occurred while resolving the domain. An error occurred while resolving the domain.
400 ErrorParameters Parameters error. Parameter error.
400 ErrorDBInsert An error occurred while performing an insert operation in the database. An error occurred while performing an insert operation in the database.
400 ErrorDBUpdate internal error: sql updat. An error occurred while updating the database.
400 ErrorParametersFtpNotSupport domain destination not support ftp. FTP application is not supported when the policy destination is a domain name
400 ErrorAddressGroupNotExist The address group does not exist. The address group does not exist.
400 ErrorParametersApplicationNameList Specified parameter ApplicationNameList is not valid. Specified parameter ApplicationNameList is not valid.
400 ErrorParametersAclUuid Specified parameter AclUuid is not valid. Specified parameter AclUuid is not valid.

See Error Codes for a complete list.

Release notes

See Release Notes for a complete list.