Cloud Firewall: CLI integration example

Last Updated: Mar 31, 2026

Alibaba Cloud CLI is a command-line tool built on the OpenAPI Specification. Use it to automate Cloud Firewall resource management without leaving your terminal.

This topic uses the DescribeNatFirewallList operation as an example to show how to call Cloud Firewall API operations from the CLI. DescribeNatFirewallList queries the details of NAT firewalls.

Prerequisites

Before you begin, ensure that you have:

Install Alibaba Cloud CLI

Install Alibaba Cloud CLI for your operating system:

Alternatively, use Cloud Shell to run and debug CLI commands directly in your browser without a local installation. For details, see What is Cloud Shell?

Configure Alibaba Cloud CLI

Important

An Alibaba Cloud account has full access to all API operations, which poses security risks. Instead, create a Resource Access Management (RAM) identity, grant it the minimum required permissions, and use it to call API operations. For the policies supported by Cloud Firewall, see System policies and Custom policies.

Alibaba Cloud CLI requires identity credentials and a region ID. This example uses AccessKey pairs as credentials. For other supported credential types, see Credential types.

  1. Create a RAM user and generate an AccessKey pair for it. See Create a RAM user and Create an AccessKey pair.

  2. Attach the AliyunYundunCloudFirewallReadOnlyAccess policy to the RAM user to grant read-only access to Cloud Firewall. See Grant permissions to a RAM user.

  3. Get the region ID for the region where you want to make API calls. For supported regions, see Endpoints.

    Note

    Use the --region option to specify a region at the command level. When set, it overrides any region defined in your default credentials or environment variables. For details, see Command line options.

  4. Configure the AccessKey pair as identity credentials in the _AkProfile_ configuration file. See Configuration examples.

Generate a sample CLI command

Use OpenAPI Explorer to get a ready-to-run CLI command for any Cloud Firewall API operation.

  1. Open DescribeNatFirewallList in OpenAPI Explorer.

  2. On the Parameters tab, fill in the parameters. Then click the CLI Example tab to view the generated command.

  3. Copy or run the command:

    • Use the copy button to copy the command to your clipboard. Paste it into your local shell to run it.

    • Use the Cloud Shell button to open Cloud Shell and debug the command in your browser.

    Note

    OpenAPI Explorer adds the --region option to generated commands by default. When you run the command locally, this overrides your default credential region. Keep or remove the option based on your needs. For parameter format requirements, see Parameter formats.

Call Cloud Firewall API operations

Example 1: List available API operations

Use the --help option to see all API operations supported by Cloud Firewall.

aliyun cloudfw --help

The output lists all available operations and their descriptions. For the complete list, see List of operations by function.

Example 2: Query NAT firewall details

Use the DescribeNatFirewallList operation to retrieve details of your NAT firewalls.

  1. Run the following command:

    aliyun cloudfw DescribeNatFirewallList \
      --region cn-hangzhou \
      --Lang zh \
      --PageNo 1 \
      --PageSize 10 \
      --ProxyId 'proxy-nat97a******' \
      --RegionNo 'cn-hangzhou'

  2. Verify the output. A successful response contains a RequestId and a NatFirewallList array:

    {
      "TotalCount": 10,
      "RequestId": "15FCCC52-1E23-57AE-B5EF-3E00A3******",
      "NatFirewallList": [
        {
          "MemberUid": 0,
          "AliUid": 0,
          "ProxyId": "proxy-nat97a******",
          "ProxyName": "Test NAT firewall",
          "ProxyStatus": "normal",
          "RegionId": "cn-hangzhou",
          "NatGatewayId": "ngw-uf6tnblxip4qcxg******",
          "NatGatewayName": "Test NAT gateway",
          "VpcId": "vpc-2ze26ya******",
          "VpcName": "Test VPC",
          "ErrorDetail": "Failed to create the firewall",
          "StrictMode": 0,
          "NatRouteEntryList": [
            {
              "RouteTableId": "vtb-bp18o0gb******",
              "NextHopId": "ngw-2ze0s284r9atg5******",
              "NextHopType": "NatGateway",
              "DestinationCidr": "0.0.0.0/0"
            }
          ]
        }
      ]
    }
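
An added example (not part of the original page or of Alibaba Cloud's tooling): a Python check over one page of DescribeNatFirewallList output that lists entries needing attention and reports how many pages remain, because reviewing page 1 alone misses firewalls when TotalCount exceeds PageNo × PageSize. It assumes that "normal", the value in the sample response, is the healthy ProxyStatus and that an empty ErrorDetail means no error; `review_page` and the sample data are constructed for illustration.

```python
import json
import math

# Constructed sample in the shape of the DescribeNatFirewallList response above.
SAMPLE = json.loads("""
{
  "TotalCount": 12,
  "RequestId": "CONSTRUCTED-REQUEST-ID",
  "NatFirewallList": [
    {"ProxyId": "proxy-example-a", "ProxyName": "nat-fw-a",
     "ProxyStatus": "normal", "ErrorDetail": ""},
    {"ProxyId": "proxy-example-b", "ProxyName": "nat-fw-b",
     "ProxyStatus": "normal", "ErrorDetail": "Failed to create the firewall"}
  ]
}
""")


def review_page(response, page_no, page_size, healthy_status="normal"):
    """Return (findings, pages_remaining) for one page of CLI output.

    findings is a list of (ProxyId, [reasons]) for entries whose ProxyStatus
    differs from healthy_status (assumed healthy value) or whose ErrorDetail
    is non-empty. pages_remaining counts pages not yet fetched.
    """
    findings = []
    for fw in response.get("NatFirewallList", []):
        reasons = []
        status = fw.get("ProxyStatus")
        if status != healthy_status:
            reasons.append(f"ProxyStatus={status!r}")
        if fw.get("ErrorDetail"):
            reasons.append(f"ErrorDetail={fw['ErrorDetail']!r}")
        if reasons:
            findings.append((fw.get("ProxyId", "<no ProxyId>"), reasons))
    # Entries beyond PageNo * PageSize were not returned in this response.
    unseen = int(response.get("TotalCount", 0)) - page_no * page_size
    pages_remaining = max(0, math.ceil(unseen / page_size))
    return findings, pages_remaining


if __name__ == "__main__":
    # Same paging values as the command above: --PageNo 1 --PageSize 10
    findings, remaining = review_page(SAMPLE, page_no=1, page_size=10)
    for proxy_id, reasons in findings:
        print(f"{proxy_id}: {'; '.join(reasons)}")
    if remaining:
        print(f"{remaining} more page(s) to fetch via --PageNo")
```

To use it on real output, pass the result of `json.load` on the CLI's saved response in place of `SAMPLE`, with the same PageNo and PageSize values given on the command line.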

Troubleshooting

If an API call returns an error, check your input parameters and values against the error code.

For self-service diagnostics, use Alibaba Cloud OpenAPI Diagnostic Platform with the RequestId from the error response.
