All Products
Search
Document Center

Cloud Firewall:ModifyVpcFirewallControlPolicy

Last Updated:Jun 10, 2026

Modifies the configuration of an access control policy for a specified VPC firewall policy group.

Operation description

This operation modifies the configuration of an access control policy for a specified VPC firewall policy group. VPC firewall instances use different access control policies to protect Cloud Enterprise Network (CEN) instances and Express Connect circuits.

QPS limits

The queries per second (QPS) limit for this operation is 10 for a single user. If the number of calls to this operation per second exceeds the limit, rate limiting is triggered. This may affect your business. Plan your calls accordingly.

Try it now

Try this API in OpenAPI Explorer, no manual signing needed. Successful calls auto-generate SDK code matching your parameters. Download it with built-in credential security for local usage.

Test

RAM authorization

The table below describes the authorization required to call this API. You can define it in a Resource Access Management (RAM) policy. The table's columns are detailed below:

  • Action: The actions can be used in the Action element of RAM permission policy statements to grant permissions to perform the operation.

  • API: The API that you can call to perform the action.

  • Access level: The predefined level of access granted for each API. Valid values: create, list, get, update, and delete.

  • Resource type: The type of the resource that supports authorization to perform the action. It indicates if the action supports resource-level permission. The specified resource must be compatible with the action. Otherwise, the policy will be ineffective.

    • For APIs with resource-level permissions, required resource types are marked with an asterisk (*). Specify the corresponding Alibaba Cloud Resource Name (ARN) in the Resource element of the policy.

    • For APIs without resource-level permissions, it is shown as All Resources. Use an asterisk (*) in the Resource element of the policy.

  • Condition key: The condition keys defined by the service. The key allows for granular control, applying to either actions alone or actions associated with specific resources. In addition to service-specific condition keys, Alibaba Cloud provides a set of common condition keys applicable across all RAM-supported services.

  • Dependent action: The dependent actions required to run the action. To complete the action, the RAM user or the RAM role must have the permissions to perform all dependent actions.

Action

Access level

Resource type

Condition key

Dependent action

yundun-cloudfirewall:ModifyVpcFirewallControlPolicy

update

*VpcFirewallControlPolicy

acs:yundun-cloudfirewall::{#accountId}:vpcfirewallcontrolpolicy/{#AclUuid}

None None

Request parameters

Parameter

Type

Required

Description

Example

Lang

string

No

The language of the response message.

Valid values:

  • zh: Chinese (default)

  • en: English

zh

AclAction

string

No

The action that is performed on traffic that hits the access control policy.

Valid values:

  • accept: allows the traffic.

  • drop: denies the traffic.

  • log: monitors the traffic.

accept

ApplicationName deprecated

string

No

The application type supported by the access control policy.

Valid values:

  • ANY (all application types)

  • FTP

  • HTTP

  • HTTPS

  • MySQL

  • SMTP

  • SMTPS

  • RDP

  • VNC

  • SSH

  • Redis

  • MQTT

  • MongoDB

  • Memcache

  • SSL

HTTP

Description

string

No

The description of the access control policy.

test

DestPort

string

No

The destination port in the access control policy.

80

Destination

string

No

The destination address in the access control policy.

  • If DestinationType is set to net, specify a destination CIDR block.

    Example: 10.2.3.0/24

  • If DestinationType is set to group, specify the name of a destination address book.

    Example: db_group

  • If DestinationType is set to domain, specify a destination domain name.

    Example: *.aliyuncs.com

10.2.X.X/XX

DestinationType

string

No

The type of the destination address in the access control policy.

Valid values:

  • net: destination CIDR block

  • group: destination address book

  • domain: destination domain name

net

VpcFirewallId

string

Yes

The ID of the VPC firewall instance. You can call the DescribeVpcFirewallAclGroupList operation to query the ID.

  • If the VPC firewall protects a CEN instance, the value of this parameter is the ID of the CEN instance.

    Example: cen-ervw0g12b5jbw****

  • If the VPC firewall protects an Express Connect circuit, the value of this parameter is the ID of the VPC firewall instance.

    Example: vfw-a42bbb7b887148c9****

vfw-a42bbb7b887148c9****

Proto

string

No

The protocol type for the traffic to which the access control policy applies.

Valid values:

  • ANY (all protocol types)

  • TCP

  • UDP

  • ICMP

TCP

Source

string

No

The source address in the access control policy.

Valid values:

  • If SourceType is set to net, specify a source CIDR block.

    Example: 10.2.4.0/24

  • If SourceType is set to group, specify the name of a source address book.

    Example: db_group

10.2.X.X/XX

AclUuid

string

Yes

The unique ID of the access control policy.

To modify an access control policy, you must provide the unique ID of the policy. You can call the DescribeVpcFirewallControlPolicy operation to query the ID.

00281255-d220-4db1-8f4f-c4df221a****

SourceType

string

No

The type of the source address in the access control policy.

Valid values:

  • net: source CIDR block

  • group: source address book

net

DestPortType

string

No

The type of the destination port for the traffic to which the access control policy applies.

  • port: port

  • group: port address book

port

DestPortGroup

string

No

The name of the destination port address book for the traffic to which the access control policy applies.

my_port_group

Release

string

No

The status of the access control policy. By default, an access control policy is enabled after it is created. Valid values:

  • true: enables the access control policy.

  • false: disables the access control policy.

true

ApplicationNameList

array

No

The list of application names.

string

No

The application name.

["ANY"]

RepeatType

string

No

The recurrence type for the policy to take effect. Valid values:

  • Permanent (default): The policy is always in effect.

  • None: The policy takes effect for a specific period of time.

  • Daily: The policy takes effect daily.

  • Weekly: The policy takes effect weekly.

  • Monthly: The policy takes effect monthly.

Valid values:

  • Daily :

    The policy takes effect daily.

  • Monthly :

    The policy takes effect monthly.

  • Permanent :

    The policy is always in effect.

  • Weekly :

    The policy takes effect weekly.

  • None :

    The policy takes effect for a specific period of time.

Permanent

RepeatDays

array

No

The days of a week or month on which the policy takes effect.

  • If RepeatType is set to `Permanent`, `None`, or `Daily`, this parameter is empty. Example: []

  • If RepeatType is set to `Weekly`, this parameter cannot be empty. Example: [0, 6]

Note

If RepeatType is set to `Weekly`, the elements in the array cannot be repeated.

  • If RepeatType is set to `Monthly`, this parameter cannot be empty. Example: [1, 31]

Note

If RepeatType is set to `Monthly`, the elements in the array cannot be repeated.

integer

No

The day of a week or month on which the policy takes effect.

Note

If RepeatType is set to `Weekly`, valid values are 0 to 6. The week starts on Sunday. If RepeatType is set to `Monthly`, valid values are 1 to 31.

1

RepeatStartTime

string

No

The start time of the recurrence. The time is in the HH:mm format. The time is on the hour or on the half hour, and is at least 30 minutes earlier than the end time. Example: 08:00.

Note

If RepeatType is set to `Permanent` or `None`, this parameter is empty. If RepeatType is set to `Daily`, `Weekly`, or `Monthly`, you must specify this parameter.

08:00

RepeatEndTime

string

No

The end time of the recurrence. The time is in the HH:mm format. The time is on the hour or on the half hour, and is at least 30 minutes later than the start time. Example: 23:30.

Note

If RepeatType is set to `Permanent` or `None`, this parameter is empty. If RepeatType is set to `Daily`, `Weekly`, or `Monthly`, you must specify this parameter.

23:30

StartTime

integer

No

The start time of the policy validity period. The value is a UNIX timestamp. The time is on the hour or on the half hour, and is at least 30 minutes earlier than the end time.

Note

If RepeatType is set to `Permanent`, this parameter is empty. If RepeatType is set to `None`, `Daily`, `Weekly`, or `Monthly`, you must specify this parameter.

1694761200

EndTime

integer

No

The end time of the policy validity period. The value is a UNIX timestamp. The time is on the hour or on the half hour, and is at least 30 minutes later than the start time.

Note

If RepeatType is set to `Permanent`, this parameter is empty. If RepeatType is set to `None`, `Daily`, `Weekly`, or `Monthly`, you must specify this parameter.

1694764800

DomainResolveType

string

No

The domain name resolution method for the access control policy. Valid values:

  • FQDN: based on Fully Qualified Domain Name (FQDN)

  • DNS: based on dynamic DNS resolution

  • FQDN_AND_DNS: based on FQDN and dynamic DNS resolution

FQDN

Response elements

Element

Type

Description

Example

object

RequestId

string

The ID of the request.

CBF1E9B7-D6A0-4E9E-AD3E-2B47E6C2837D

Examples

Success response

JSON format

{
  "RequestId": "CBF1E9B7-D6A0-4E9E-AD3E-2B47E6C2837D"
}

Error codes

HTTP status code

Error code

Error message

Description

400 ErrorParametersUid The aliUid parameter is invalid. The aliUid parameter is invalid.
400 ErrorDBSelect An error occurred while querying database. An error occurred while querying database.
400 ErrorParametersSource The source is invalid. The source is invalid.
400 ErrorParametersProto The protocol is invalid. The protocol is invalid.
400 ErrorParametersDestination The Destination parameter is invalid. The Destination parameter is invalid.
400 ErrorParametersDestPort The dst_port is invalid. The dst_port is invalid.
400 ErrorParametersAction The action is invalid. The action is invalid.
400 ErrorAddressCountExceed The maximum number of addresses is exceeded. The maximum number of address is exceeded.
400 ErrorAclNotExist The ACL does not exist. The ACL does not exist.
400 ErrorRecordLog An error occurred while updating the operation log. An error occurred while updating the operation log.
400 ErrorAclEffectiveTimeNonPermanent ACL rule is not allowed to update status when effective is not permanent. ACL rule is not allowed to update status when effective is not permanent.
400 ErrorUUIDNew The UUID is invalid. The UUID is invalid.
400 ErrorParameterIpVersion The IP version is invalid. The IP version is invalid.
400 ErrorParametersDirection The direction is invalid. The direction is invalid.
400 ErrorDomainResolve A domain resolution error occurred. An error occurred while resolving the domain.
400 ErrorParameters Parameters error. Parameter error.
400 ErrorAclExtendedCountExceed ACL or extended ACL rules are not matched. The quota for access control policies or extra access control policies is exhausted.
400 ErrorAclDomainAnyCountExceed The number of resolved domain names cannot exceed 200. ACL configuration can be continued for HTTP, HTTPS, SMTP, SMTPS, and SSL applications. The domain name is resolved to more than 200 IP addresses. We recommend that you set Application in your access control policy to HTTPS, HTTPS, SMTP, SMTPS, or SSL.
400 ErrorDBUpdate internal error: sql updat. An error occurred while updating the database.
400 ErrorDBInsert An error occurred while performing an insert operation in the database. An error occurred while performing an insert operation in the database.
400 ErrorParametersFtpNotSupport domain destination not support ftp. FTP application is not supported when the policy destination is a domain name
400 ErrorParametersApplicationName Specified parameter ApplicationName is not valid. Specified parameter ApplicationName is not valid.
400 ErrorParametersApplicationNameList Specified parameter ApplicationNameList is not valid. Specified parameter ApplicationNameList is not valid.
400 ErrorParametersAclUuid Specified parameter AclUuid is not valid. Specified parameter AclUuid is not valid.
400 ErrorAddressGroupNotExist The address group does not exist. The address group does not exist.
400 ErrorParametersVpcFirewallId Specified parameter VpcFirewallId is not valid. Specified parameter VpcFirewallId is not valid.

See Error Codes for a complete list.

Release notes

See Release Notes for a complete list.