Alibaba Cloud CLI (Alibaba Cloud Command Line Interface) is a general-purpose command-line tool built on OpenAPI. You can use Alibaba Cloud CLI to automate the management and maintenance of Cloud Firewall. This topic uses the DescribeNatFirewallList API operation as an example to show how to use Alibaba Cloud CLI to call Cloud Firewall API operations and query NAT firewall details.
Before you begin
Familiarize yourself with Alibaba Cloud CLI. For more information, see What is Alibaba Cloud CLI?.
Install Alibaba Cloud CLI
To use Alibaba Cloud CLI, you must first install it. Alibaba Cloud CLI supports Windows, Linux, and macOS. Select the installation method based on your operating system.
- Windows: Install Alibaba Cloud CLI on Windows.
You can also use Cloud Shell to run and debug Alibaba Cloud CLI commands. For more information about Cloud Shell, see What is Cloud Shell?.
Configure Alibaba Cloud CLI
An Alibaba Cloud account has full permissions to manage and access the APIs of all Alibaba Cloud services, which poses a high security risk. We recommend that you create a RAM identity, grant it permissions based on the principle of least privilege, and then use the RAM identity to call API operations. For more information about the permission policies supported by Cloud Firewall, see System permission policy reference for Cloud Firewall and Custom permission policy reference for Cloud Firewall.
You must configure your identity credentials and a region ID. Alibaba Cloud CLI supports multiple types of identity credentials. For more information, see Configure and manage credentials. This topic uses AccessKey-based credentials as an example. Follow these steps:
- Create a RAM user and create an AccessKey pair for the user. You will use the AccessKey pair to configure credentials. For more information, see Create a RAM user and Create an AccessKey pair.
- Grant permissions to the RAM user. For this example, you must grant the RAM user read-only access to Cloud Firewall by attaching the AliyunYundunCloudFirewallReadOnlyAccess permission policy. For more information, see Grant permissions to a RAM user.
- Obtain an available region ID. The CLI sends API requests to your specified region. For details about the regions where Cloud Firewall is available, see Endpoints.
  Note: When you use Alibaba Cloud CLI, you can add the --region option to a command to specify a region for the request. This option overrides the region configured in your default credentials and environment variables. For more information, see Command-line options for OpenAPI.
- Use the AccessKey pair of the RAM user to configure your credentials. Name the configuration profile AkProfile. For more information, see Configure and manage credentials.
Generate a sample CLI command
- In OpenAPI Explorer, open the DescribeNatFirewallList API operation.
- On the Parameters tab, enter the request parameter values and click the CLI Example tab to view the sample command.
- Copy the sample command or run it directly in Cloud Shell:
  - Click the Run Command button to open Cloud Shell and quickly debug the command.
  - Click the Copy button to copy the sample command to the clipboard. You can then paste it into your local shell to run.
  Note:
  - When you copy the CLI example to a local shell for debugging, make sure that the parameters follow the required format. For more information, see Parameter format.
  - By default, the sample command generated by OpenAPI Explorer includes the --region option. When you run the command locally, Alibaba Cloud CLI uses the region specified by this option and ignores the region configured in your default credentials and environment variables. You can remove this option to use the region configured in your default credentials.
Call Cloud Firewall APIs
Example 1: List Cloud Firewall APIs
The following example shows how to use the --help option to list the supported Cloud Firewall API operations. You can also view all supported API operations in the API overview.
- Run the command.
  aliyun cloudfw --help
- Sample output:
  Product: Cloudfw (Cloud Firewall)
  Version: 2017-12-07
  Available Api List:
    AddAddressBook                       Adds an address book, including an IP address book, an ECS tag address book, a port address book, and a domain name address book.
    AddControlPolicy                     Adds an access control policy.
    AddInstanceMembers                   Adds member accounts to Cloud Firewall.
    BatchCopyVpcFirewallControlPolicy    Copies all policies from a source VPC firewall policy group to a destination VPC firewall policy group.
    BatchDeleteVpcFirewallControlPolicy
    CreateDownloadTask
    CreateNatFirewallControlPolicy       Adds an access control policy for a nat firewall.
    CreateSecurityProxy
    CreateSlsLogDispatch
    CreateTrFirewallV2                   Creates a transit router (TR) firewall.
Example 2: Query NAT firewall details
The following example shows how to use Alibaba Cloud CLI to call the Cloud Firewall DescribeNatFirewallList API operation to query NAT firewall details.
- Run the command.
  aliyun cloudfw DescribeNatFirewallList \
    --region cn-hangzhou \
    --Lang zh \
    --PageNo 1 \
    --PageSize 10 \
    --ProxyId 'proxy-nat97a******' \
    --RegionNo 'cn-hangzhou'
- Sample output:
  {
    "TotalCount": 10,
    "RequestId": "15FCCC52-1E23-57AE-B5EF-3E00A3******",
    "NatFirewallList": [
      {
        "MemberUid": 0,
        "AliUid": 0,
        "ProxyId": "proxy-nat97a******",
        "ProxyName": "nat-firewall-test",
        "ProxyStatus": "normal",
        "RegionId": "cn-hangzhou",
        "NatGatewayId": "ngw-uf6tnblxip4qcxg******",
        "NatGatewayName": "NAT-gateway-test",
        "VpcId": "vpc-2ze26ya******",
        "VpcName": "vpc-test-instance",
        "ErrorDetail": "Failed to create the firewall.",
        "StrictMode": 0,
        "NatRouteEntryList": [
          {
            "RouteTableId": "vtb-bp18o0gb******",
            "NextHopId": "ngw-2ze0s284r9atg5******",
            "NextHopType": "NatGateway",
            "DestinationCidr": "0.0.0.0/0"
          }
        ]
      }
    ]
  }
Note: If an API call to Cloud Firewall returns an error, use the returned error code to validate your request parameters and their values. You can also record the RequestId from the response or the SDK error message and use Alibaba Cloud OpenAPI Diagnostics to diagnose the issue.
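As an added example (not code from the Alibaba Cloud documentation or the CLI project), the following Python wrapper runs the DescribeNatFirewallList call from Example 2 through the AkProfile profile configured above, pages through the results with PageNo and PageSize, and flags any NAT firewall whose ProxyStatus is not normal or whose ErrorDetail is populated. It assumes aliyun is on PATH; runner, fake_runner and SAMPLE_PAGES are hypothetical names, and the two-page response is constructed so the pagination and audit logic run offline.

```python
import json
import subprocess
# Added example, not Alibaba Cloud's code. Assumes the AkProfile profile from the
# steps above and `aliyun` on PATH; `runner` is a hypothetical hook for offline use.
def build_argv(page_no, page_size=10, region="cn-hangzhou"):
    """Same request as on this page, pinned to the least-privilege RAM profile."""
    return ["aliyun", "cloudfw", "DescribeNatFirewallList", "--profile", "AkProfile",
            "--region", region, "--RegionNo", region, "--Lang", "zh",  # --region overrides the profile's region
            "--PageNo", str(page_no), "--PageSize", str(page_size)]

def run_cli(argv):
    """Run the CLI; a non-zero exit surfaces stderr (error code and RequestId for OpenAPI Diagnostics)."""
    proc = subprocess.run(argv, capture_output=True, text=True)
    if proc.returncode != 0:
        raise RuntimeError(f"aliyun failed: {proc.stderr.strip()}")
    return json.loads(proc.stdout)

def list_nat_firewalls(runner=run_cli, page_size=10):
    """Advance PageNo until TotalCount entries are collected or a page comes back empty."""
    firewalls, page_no = [], 1
    while True:
        resp = runner(build_argv(page_no, page_size))
        batch = resp.get("NatFirewallList", [])
        firewalls.extend(batch)
        if not batch or len(firewalls) >= int(resp.get("TotalCount", 0)):
            return firewalls
        page_no += 1

def audit(firewalls):
    """One finding per NAT firewall whose ProxyStatus is not "normal" or whose
    ErrorDetail is populated (as in the sample output above)."""
    findings = []
    for fw in firewalls:
        if fw.get("ProxyStatus") != "normal":
            findings.append(f"{fw.get('ProxyId')}: status {fw.get('ProxyStatus')}")
        if fw.get("ErrorDetail"):
            findings.append(f"{fw.get('ProxyId')}: {fw['ErrorDetail']}")
    return findings

# Constructed two-page response shaped like the sample output above; fake_runner
# serves it by the --PageNo argument so the pagination and audit run offline.
SAMPLE_PAGES = {
    1: {"TotalCount": 2, "NatFirewallList": [{"ProxyId": "proxy-nat97a******",
        "ProxyStatus": "normal", "ErrorDetail": "Failed to create the firewall."}]},
    2: {"TotalCount": 2, "NatFirewallList": [{"ProxyId": "proxy-natexample2",
        "ProxyStatus": "creating", "ErrorDetail": ""}]}}

def fake_runner(argv):
    return SAMPLE_PAGES[int(argv[argv.index("--PageNo") + 1])]
```

Replace fake_runner with the default run_cli (and adjust page_size) to audit a real account; a failed call raises with the CLI's stderr, which is where the error code and RequestId for OpenAPI Diagnostics appear.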