Add an access control policy to a NAT firewall.
Operation description
This API creates a policy to allow, deny, or observe traffic through the NAT Firewall.
Try it now
Test
RAM authorization
|
Action |
Access level |
Resource type |
Condition key |
Dependent action |
|
yundun-cloudfirewall:CreateNatFirewallControlPolicy |
create |
*NatFirewallControlPolicy
|
None | None |
Request parameters
|
Parameter |
Type |
Required |
Description |
Example |
| Lang |
string |
No |
The language of the response messages. Valid values:
|
zh |
| AclAction |
string |
Yes |
The action that Cloud Firewall performs on traffic that matches the access control policy. Valid values:
|
log |
| ApplicationNameList |
array |
Yes |
The list of applications to which the access control policy applies. |
|
|
string |
No |
An application to which the access control policy applies. |
ANY |
|
| Description |
string |
Yes |
The description of the access control policy. |
放行流量 |
| DestPort |
string |
No |
The destination port for the traffic. The value of this parameter depends on the
Note
Access control cannot be configured based on the destination port for ICMP traffic.
Note
If
|
80 |
| Destination |
string |
Yes |
The destination address in the access control policy. The value of this parameter varies based on the value of
|
XX.XX.XX.XX/24 |
| DestinationType |
string |
Yes |
The type of the destination address in the access control policy. Valid values:
|
net |
| NatGatewayId |
string |
Yes |
The instance ID of the NAT Gateway. |
ngw-2vc2ustolqn6sr0****** |
| Proto |
string |
Yes |
The protocol for the traffic in the access control policy. Valid values:
Note
If the destination is a domain, a threat intelligence address book, or a cloud service address book, you can only set this parameter to |
ANY |
| Source |
string |
Yes |
The source address in the access control policy. The value of this parameter varies based on the value of
|
192.168.0.25/32 |
| SourceType |
string |
Yes |
The type of the source address in the access control policy. Valid values:
|
net |
| NewOrder |
string |
Yes |
The priority of the access control policy. Values start from 1. A smaller value indicates a higher priority. |
1 |
| DestPortType |
string |
No |
The type of the destination port.
|
port |
| DestPortGroup |
string |
No |
The name of the destination port address book. Note
This parameter is required if |
my_port_group |
| Release |
string |
No |
Specifies whether the access control policy is enabled. By default, policies are enabled upon creation. Valid values:
|
true |
| DomainResolveType |
integer |
No |
The domain name resolution method. Valid values:
Note
If the resolution method includes FQDN, you can set the protocol only to TCP. The supported applications are HTTP, HTTPS, SMTP, SMTPS, and SSL. |
0 |
| IpVersion |
string |
No |
The IP version for the access control policy. Valid values:
|
4 |
| Direction |
string |
Yes |
The traffic direction for the access control policy. Valid values:
|
out |
| RepeatType |
string |
No |
The recurrence type for the policy validity period. Valid values:
Valid values:
|
Permanent |
| RepeatDays |
array |
No |
The days of the week or month on which the policy recurs.
Note
If
Note
If |
|
|
integer |
No |
The day of recurrence. Note
If |
1 |
|
| RepeatStartTime |
string |
No |
The start time of the recurrence. The time must be on the hour or half-hour, and must be at least 30 minutes earlier than the end time. Note
This parameter is required if |
08:00 |
| RepeatEndTime |
string |
No |
The end time of the recurrence. The time must be on the hour or half-hour, and must be at least 30 minutes later than the start time. Note
This parameter is required if |
23:30 |
| StartTime |
integer |
No |
The start time of the policy's validity period, specified as a Unix timestamp. The time must be on the hour or half-hour and be at least 30 minutes before the end time. Note
This parameter is required if |
1694761200 |
| EndTime |
integer |
No |
The end time of the policy's validity period, specified as a Unix timestamp. The time must be on the hour or half-hour and be at least 30 minutes after the start time. Note
This parameter is required if |
1694764800 |
Response elements
|
Element |
Type |
Description |
Example |
|
object |
|||
| AclUuid |
string |
The unique ID of the access control policy. Note
To modify an access control policy, you must provide its unique ID. You can call the |
6504d2fb-ab36-49c3-92a6-***** |
| RequestId |
string |
The ID of the request. |
0DC783F1-B3A7-578D-8A63-***** |
Examples
Success response
JSON format
{
"AclUuid": "6504d2fb-ab36-49c3-92a6-*****",
"RequestId": "0DC783F1-B3A7-578D-8A63-*****"
}
Error codes
|
HTTP status code |
Error code |
Error message |
Description |
|---|---|---|---|
| 400 | ErrorParametersUid | The aliUid parameter is invalid. | The aliUid parameter is invalid. |
| 400 | ErrorUUIDNew | The UUID is invalid. | The UUID is invalid. |
| 400 | ErrorParametersSource | The source is invalid. | The source is invalid. |
| 400 | ErrorParametersDestination | The Destination parameter is invalid. | The Destination parameter is invalid. |
| 400 | ErrorParametersProto | The protocol is invalid. | The protocol is invalid. |
| 400 | ErrorParametersDestPort | The dst_port is invalid. | The dst_port is invalid. |
| 400 | ErrorParametersAction | The action is invalid. | The action is invalid. |
| 400 | ErrorDBSelect | An error occurred while querying database. | An error occurred while querying database. |
| 400 | ErrorParameters | A parameter error occurred. | A parameter error occurred. |
| 400 | ErrorAddressCountExceed | The maximum number of addresses is exceeded. | The maximum number of address is exceeded. |
| 400 | ErrorParametersNewOrder | The newOrder is invalid. | The newOrder is invalid. |
| 400 | ErrorDBInsert | An error occurred while performing an insert operation in the database. | An error occurred while performing an insert operation in the database. |
| 400 | ErrorDBDelete | An error occurred while deleting the database. | An error occurred while deleting the database. |
| 400 | ErrorRecordLog | An error occurred while updating the operation log. | An error occurred while updating the operation log. |
| 400 | ErrorAclDomainAnyCountExceed | The number of resolved domain names cannot exceed 200. ACL configuration can be continued for HTTP, HTTPS, SMTP, SMTPS, and SSL applications. | The domain name is resolved to more than 200 IP addresses. We recommend that you set Application in your access control policy to HTTPS, HTTPS, SMTP, SMTPS, or SSL. |
| 400 | ErrorParametersNatGatewayId | Invalid parameters NatGatewayId. | The request parameter NatGatewayId is invalid or does not exist. |
| 400 | ErrorParameterIpVersion | The IP version is invalid. | The IP version is invalid. |
| 400 | ErrorParametersDirection | The direction is invalid. | The direction is invalid. |
| 400 | ErrorDomainResolve | An error occurred while resolving the domain. | An error occurred while resolving the domain. |
| 400 | ErrorParametersPageSizeOrNo | Either pageSize or pageNo is invalid. | Either pageSize or pageNo is invalid. |
| 400 | ErrorMarshalJSON | An error occurred while encoding JSON. | An error occurred while encoding JSON. |
| 400 | ErrorParametersDestinationCount | Exceeding the number of countries in a single ACL. | Exceeds the number of selected areas for one ACL. It is recommended to split it into multiple ACLs. |
| 400 | ErrorStartTimeOrEndTime | The start time or end time is invalid. The time must be the hour or half hour, and the start time must be 30 minutes earlier than the end time. | The start time or end time is invalid. The time must be an hour or half an hour, and the start time must be 30 minutes earlier than the end time. |
| 400 | ErrorParametersFtpNotSupport | domain destination not support ftp. | FTP application is not supported when the policy destination is a domain name |
| 400 | ErrorAclExtendedCountExceed | ACL or extended ACL rules are not matched. | The quota for access control policies or extra access control policies is exhausted. |
| 400 | ErrorAddressGroupNotExist | The address group does not exist. | The address group does not exist. |
| 400 | ErrorParametersApplicationNameList | Specified parameter ApplicationNameList is not valid. | Specified parameter ApplicationNameList is not valid. |
See Error Codes for a complete list.
Release notes
See Release Notes for a complete list.