
Cloud Firewall: CreateNatFirewallControlPolicy

Last Updated: Mar 30, 2026

Create an access control policy for a NAT Firewall.

Operation description

This API creates a policy to allow, deny, or monitor traffic passing through a NAT firewall.


RAM authorization

The table below describes the authorization required to call this API. You can define it in a Resource Access Management (RAM) policy. The table's columns are detailed below:

  • Action: The actions can be used in the Action element of RAM permission policy statements to grant permissions to perform the operation.

  • API: The API that you can call to perform the action.

  • Access level: The predefined level of access granted for each API. Valid values: create, list, get, update, and delete.

  • Resource type: The type of the resource that supports authorization to perform the action. It indicates if the action supports resource-level permission. The specified resource must be compatible with the action. Otherwise, the policy will be ineffective.

    • For APIs with resource-level permissions, required resource types are marked with an asterisk (*). Specify the corresponding Alibaba Cloud Resource Name (ARN) in the Resource element of the policy.

    • For APIs without resource-level permissions, it is shown as All Resources. Use an asterisk (*) in the Resource element of the policy.

  • Condition key: The condition keys defined by the service. The key allows for granular control, applying to either actions alone or actions associated with specific resources. In addition to service-specific condition keys, Alibaba Cloud provides a set of common condition keys applicable across all RAM-supported services.

  • Dependent action: The dependent actions required to run the action. To complete the action, the RAM user or the RAM role must have the permissions to perform all dependent actions.

Action: yundun-cloudfirewall:CreateNatFirewallControlPolicy
Access level: create
Resource type: *NatFirewallControlPolicy
  acs:yundun-cloudfirewall::{#accountId}:natfirewallcontrolpolicy/*
Condition key: None
Dependent action: None
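A RAM policy that grants only this action on the resource type listed above, as an added example that is not part of the page; the account ID in the ARN is a placeholder to replace with your own:

```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "yundun-cloudfirewall:CreateNatFirewallControlPolicy",
      "Resource": "acs:yundun-cloudfirewall::ACCOUNT_ID_PLACEHOLDER:natfirewallcontrolpolicy/*"
    }
  ]
}
```

Because the operation supports resource-level permission, the ARN form from the table can be used in Resource; a bare "*" also works but grants the action on all resources, which is more than the operation needs.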

Request parameters

Each parameter is listed as "Name (type, required or optional)", followed by its description and an example value.

Lang (string, optional)
The language of the response and notifications. Valid values:
  • zh (default): Chinese
  • en: English
Example: zh

AclAction (string, required)
The action for traffic that matches the access control policy. Valid values:
  • accept: Allows traffic.
  • drop: Blocks traffic.
  • log: Logs the traffic.
Example: log

ApplicationNameList (array of string, required)
The application types supported by the access control policy. Each element is one application type.
Example element: ANY

Description (string, required)
The description of the access control policy.
Example: 放行流量

DestPort (string, optional)
The destination port for the traffic.
  • If Proto is ICMP, leave this parameter empty. Access control based on the destination port is not supported for ICMP traffic.
  • If Proto is TCP, UDP, or ANY, and DestPortType is group, leave this parameter empty. The policy uses the ports defined in the specified port address book.
  • If Proto is TCP, UDP, or ANY, and DestPortType is port, set this parameter to the destination port number.
Example: 80

Destination (string, required)
The destination address in the access control policy. The value depends on the DestinationType parameter:
  • If DestinationType is net, specify a destination CIDR. Example: 1.2.XX.XX/24
  • If DestinationType is group, specify the name of a destination address book. Example: db_group
  • If DestinationType is domain, specify a destination domain. Example: *.aliyuncs.com
  • If DestinationType is location, specify a destination location. Example: ["BJ11", "ZB"]
Example: XX.XX.XX.XX/24

DestinationType (string, required)
The type of the destination address in the access control policy. Valid values:
  • net: a destination CIDR
  • group: a destination address book
  • domain: a destination domain
Example: net

NatGatewayId (string, required)
The instance ID of the NAT gateway.
Example: ngw-2vc2ustolqn6sr0******

Proto (string, required)
The protocol of the traffic in the access control policy. Valid values:
  • ANY: all protocols
  • TCP
  • UDP
  • ICMP
Note: You must set this parameter to TCP if the destination is a domain-based threat intelligence or cloud service address book. The supported applications are HTTP, HTTPS, SMTP, SMTPS, and SSL.
Example: ANY

Source (string, required)
The source address in the access control policy. The value depends on the SourceType parameter:
  • If SourceType is net, specify a source CIDR. Example: 10.2.4.0/24
  • If SourceType is group, specify the name of a source address book. Example: db_group
Example: 192.168.0.25/32

SourceType (string, required)
The type of the source address in the access control policy. Valid values:
  • net: a source CIDR
  • group: a source address book
Example: net

NewOrder (string, required)
The priority of the access control policy. A smaller value indicates a higher priority. The value starts from 1.
Example: 1

DestPortType (string, optional)
The type of the destination port in the access control policy. Valid values:
  • port: a port number
  • group: a port address book
Example: port

DestPortGroup (string, optional)
The name of the destination port address book.
Note: This parameter is required only if DestPortType is group.
Example: my_port_group

Release (string, optional)
Specifies whether the access control policy is enabled. By default, policies are enabled upon creation. Valid values:
  • true: The policy is enabled.
  • false: The policy is disabled.
Example: true

DomainResolveType (integer, optional)
The method for resolving domain names in the access control policy. Valid values:
  • 0: FQDN-based resolution
  • 1: Dynamic DNS-based resolution
  • 2: FQDN-based and dynamic DNS-based resolution
Note: If the domain resolution method is FQDN-based (0 or 2), the protocol must be TCP. The supported applications are HTTP, HTTPS, SMTP, SMTPS, SSL, IMAPS, and POPS.
Example: 0

IpVersion (string, optional)
The IP version supported by the policy. Valid value:
  • 4 (default): IPv4
Example: 4

Direction (string, required)
The traffic direction of the access control policy. Valid value:
  • out: outbound traffic
Example: out

RepeatType (string, optional)
The recurrence type for the policy validity period. Valid values:
  • Permanent (default): The policy is always active.
  • None: The policy is active once, for a single specified time range (one-time).
  • Daily: The policy is active daily during a specified time range.
  • Weekly: The policy is active on specific days of the week during a specified time range.
  • Monthly: The policy is active on specific days of the month during a specified time range.
Example: Permanent

RepeatDays (array of integer, optional)
The days of the week or month on which the policy recurs. Each element is one day: if RepeatType is Weekly, the value ranges from 0 (Sunday) to 6 (Saturday); if RepeatType is Monthly, the value ranges from 1 to 31. The array cannot contain duplicate values.
  • If RepeatType is Permanent, None, or Daily, leave this parameter empty. Example: []
  • If RepeatType is Weekly, this parameter is required. Example: [0, 6]
  • If RepeatType is Monthly, this parameter is required. Example: [1, 31]
Example element: 1

RepeatStartTime (string, optional)
The start time of the recurrence. For example, 08:00. The time must be on the hour or half-hour, and at least 30 minutes before the recurrence end time.
Note: This parameter is required if RepeatType is Daily, Weekly, or Monthly. Leave this parameter empty if RepeatType is Permanent or None.
Example: 08:00

RepeatEndTime (string, optional)
The end time of the recurrence. For example, 23:30. The time must be on the hour or half-hour, and at least 30 minutes after the recurrence start time.
Note: This parameter is required if RepeatType is Daily, Weekly, or Monthly. Leave this parameter empty if RepeatType is Permanent or None.
Example: 23:30

StartTime (integer, optional)
The start time of the policy validity period, specified as a UNIX timestamp in seconds. The time must be on the hour or half-hour, and at least 30 minutes before the end time.
Note: This parameter is required if RepeatType is None, Daily, Weekly, or Monthly. Leave this parameter empty if RepeatType is Permanent.
Example: 1694761200

EndTime (integer, optional)
The end time of the policy validity period, specified as a UNIX timestamp in seconds. The time must be on the hour or half-hour, and at least 30 minutes after the start time.
Note: This parameter is required if RepeatType is None, Daily, Weekly, or Monthly. Leave this parameter empty if RepeatType is Permanent.
Example: 1694764800
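The parameters above carry a number of cross-field rules (DestPort versus Proto and DestPortType, DomainResolveType versus Proto and ApplicationNameList, and which of RepeatDays, RepeatStartTime/RepeatEndTime and StartTime/EndTime a given RepeatType requires) that the service only reports one at a time through the error codes below. The following is an added example, not Alibaba Cloud's SDK or the service's own validation, that checks a request dictionary against those documented rules before it is signed and sent; the parameter names are the documented ones, while the helper names, the validator itself and the sample requests (including the placeholder NatGatewayId) are constructed for this example.

```python
"""Client-side consistency checks for CreateNatFirewallControlPolicy request parameters.
Added example; not Alibaba Cloud's SDK or the service's own validation. It encodes the
inter-parameter rules this reference states. Parameter names are documented; helpers are constructed."""
import re
from typing import Any, Optional

ACTIONS, PROTOS = {"accept", "drop", "log"}, {"ANY", "TCP", "UDP", "ICMP"}
DEST_TYPES, SRC_TYPES = {"net", "group", "domain"}, {"net", "group"}
REPEAT_TYPES = {"Permanent", "None", "Daily", "Weekly", "Monthly"}
FQDN_APPS = {"HTTP", "HTTPS", "SMTP", "SMTPS", "SSL", "IMAPS", "POPS"}  # DomainResolveType 0/2
HALF_HOUR = 30 * 60
_HHMM = re.compile(r"^([01]\d|2[0-3]):(00|30)$")  # on the hour or half-hour only
REQUIRED = ("AclAction", "ApplicationNameList", "Description", "Destination", "DestinationType",
            "NatGatewayId", "Proto", "Source", "SourceType", "NewOrder", "Direction")


def hhmm_to_minutes(value: Optional[str]) -> Optional[int]:
    """Parse 'HH:MM'; None unless the time is on the hour or half-hour."""
    m = _HHMM.match(value or "")
    return int(m.group(1)) * 60 + int(m.group(2)) if m else None


def _need(errs: list[str], ok: bool, msg: str) -> None:
    if not ok:
        errs.append(msg)


def _check_schedule(p: dict[str, Any], errs: list[str]) -> None:
    """RepeatType decides which of RepeatDays, Repeat*Time and StartTime/EndTime must be set."""
    repeat = p.get("RepeatType", "Permanent")
    if repeat not in REPEAT_TYPES:
        errs.append(f"RepeatType must be one of {sorted(REPEAT_TYPES)}")
        return
    days = p.get("RepeatDays") or []
    if repeat in ("Weekly", "Monthly"):
        lo, hi = (0, 6) if repeat == "Weekly" else (1, 31)  # Sunday..Saturday or day of month
        _need(errs, bool(days), f"RepeatDays is required when RepeatType is {repeat}")
        _need(errs, len(set(days)) == len(days), "RepeatDays must not contain duplicate values")
        _need(errs, all(lo <= d <= hi for d in days), f"RepeatDays values must be {lo}..{hi} for {repeat}")
    else:
        _need(errs, not days, f"RepeatDays must be empty when RepeatType is {repeat}")
    start, end = hhmm_to_minutes(p.get("RepeatStartTime")), hhmm_to_minutes(p.get("RepeatEndTime"))
    if repeat in ("Daily", "Weekly", "Monthly"):  # recurrence window is HH:MM
        _need(errs, start is not None and end is not None,
              "RepeatStartTime and RepeatEndTime must be HH:MM on the hour or half-hour")
        _need(errs, start is None or end is None or end - start >= 30,
              "RepeatEndTime must be at least 30 minutes after RepeatStartTime")
    st, et = p.get("StartTime"), p.get("EndTime")  # validity period is UNIX seconds
    if repeat == "Permanent":
        _need(errs, st is None and et is None, "StartTime and EndTime must be empty when RepeatType is Permanent")
    elif not (isinstance(st, int) and isinstance(et, int)):
        errs.append(f"StartTime and EndTime are required when RepeatType is {repeat}")
    else:
        _need(errs, st % HALF_HOUR == 0 and et % HALF_HOUR == 0, "StartTime and EndTime must be on the hour or half-hour")
        _need(errs, et - st >= HALF_HOUR, "EndTime must be at least 30 minutes after StartTime")


def validate_policy(p: dict[str, Any]) -> list[str]:
    """Return the rule violations found; an empty list means the request is consistent."""
    errs = [f"{n} is required" for n in REQUIRED if n not in p]
    if errs:
        return errs
    for name, allowed in (("AclAction", ACTIONS), ("Proto", PROTOS),
                          ("DestinationType", DEST_TYPES), ("SourceType", SRC_TYPES)):
        _need(errs, p[name] in allowed, f"{name} must be one of {sorted(allowed)}")
    # Destination port: forbidden for ICMP, taken from DestPortGroup for group, a number for port.
    dest_port, port_type = p.get("DestPort", ""), p.get("DestPortType", "port")
    if p["Proto"] == "ICMP":
        _need(errs, not dest_port, "DestPort must be empty when Proto is ICMP")
    elif port_type == "group":
        _need(errs, not dest_port, "DestPort must be empty when DestPortType is group")
        _need(errs, bool(p.get("DestPortGroup")), "DestPortGroup is required when DestPortType is group")
    else:
        _need(errs, str(dest_port).isdigit() and 1 <= int(dest_port) <= 65535,
              "DestPort must be a port number when DestPortType is port")
    # FQDN-based resolution (DomainResolveType 0 or 2) requires TCP and a listed application.
    resolve = p.get("DomainResolveType")
    _need(errs, resolve in (None, 0, 1, 2), "DomainResolveType must be 0, 1, or 2")
    if resolve in (0, 2):
        _need(errs, p["Proto"] == "TCP", "Proto must be TCP when DomainResolveType is 0 or 2")
        _need(errs, set(p["ApplicationNameList"]) <= FQDN_APPS,
              "only HTTP, HTTPS, SMTP, SMTPS, SSL, IMAPS and POPS support FQDN-based resolution")
    _check_schedule(p, errs)
    return errs


# Constructed sample requests; NatGatewayId is a placeholder, not a real instance ID.
PERMANENT_ALLOW = {
    "AclAction": "accept", "ApplicationNameList": ["ANY"], "Description": "allow web",
    "Source": "192.168.0.25/32", "SourceType": "net", "Destination": "10.2.4.0/24",
    "DestinationType": "net", "Proto": "TCP", "DestPort": "80", "DestPortType": "port",
    "NatGatewayId": "ngw-PLACEHOLDER", "NewOrder": "1", "Direction": "out",
}
WEEKLY_BROKEN = dict(PERMANENT_ALLOW, Proto="ICMP", RepeatType="Weekly", RepeatDays=[0, 0],
                     RepeatStartTime="08:00", RepeatEndTime="23:30",
                     StartTime=1694761200, EndTime=1694764800)
```

validate_policy(PERMANENT_ALLOW) returns an empty list, while validate_policy(WEEKLY_BROKEN) reports both the destination port set on an ICMP policy and the duplicate RepeatDays entry in one pass. The dictionary holds the request parameters exactly as documented, so it can be handed to whatever client signs and sends the request; the check only covers the rules stated on this page (it cannot know, for example, whether a group name exists or whether a domain resolves to more than 200 addresses), so the service's own error codes still apply.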

Response elements

The response is an object with the following elements, each listed as "Name (type)" with its description and an example value.

AclUuid (string)
The unique identifier of the access control policy.
Note: To modify an access control policy, you must provide its unique identifier. You can call the DescribeNatFirewallControlPolicy operation to obtain the identifier.
Example: 6504d2fb-ab36-49c3-92a6-*****

RequestId (string)
The ID of the request.
Example: 0DC783F1-B3A7-578D-8A63-*****

Examples

Success response

JSON format

{
  "AclUuid": "6504d2fb-ab36-49c3-92a6-*****",
  "RequestId": "0DC783F1-B3A7-578D-8A63-*****"
}

Error codes

HTTP status code | Error code | Error message | Description

400 | ErrorParametersUid | The aliUid parameter is invalid. | The aliUid parameter is invalid.
400 | ErrorUUIDNew | The UUID is invalid. | The UUID is invalid.
400 | ErrorParametersSource | The source is invalid. | The source is invalid.
400 | ErrorParametersDestination | The Destination parameter is invalid. | The Destination parameter is invalid.
400 | ErrorParametersProto | The protocol is invalid. | The protocol is invalid.
400 | ErrorParametersDestPort | The dst_port is invalid. | The dst_port is invalid.
400 | ErrorParametersAction | The action is invalid. | The action is invalid.
400 | ErrorDBSelect | An error occurred while querying database. | An error occurred while querying the database.
400 | ErrorParameters | A parameter error occurred. | A parameter error occurred.
400 | ErrorAddressCountExceed | The maximum number of addresses is exceeded. | The maximum number of addresses is exceeded.
400 | ErrorParametersNewOrder | The newOrder is invalid. | The newOrder is invalid.
400 | ErrorDBInsert | An error occurred while performing an insert operation in the database. | An error occurred while performing an insert operation in the database.
400 | ErrorDBDelete | An error occurred while deleting the database. | An error occurred while deleting from the database.
400 | ErrorRecordLog | An error occurred while updating the operation log. | An error occurred while updating the operation log.
400 | ErrorAclDomainAnyCountExceed | The number of resolved domain names cannot exceed 200. ACL configuration can be continued for HTTP, HTTPS, SMTP, SMTPS, and SSL applications. | The domain name resolves to more than 200 IP addresses. We recommend that you set Application in your access control policy to HTTP, HTTPS, SMTP, SMTPS, or SSL.
400 | ErrorParametersNatGatewayId | Invalid parameters NatGatewayId. | The request parameter NatGatewayId is invalid or does not exist.
400 | ErrorParameterIpVersion | The IP version is invalid. | The IP version is invalid.
400 | ErrorParametersDirection | The direction is invalid. | The direction is invalid.
400 | ErrorDomainResolve | An error occurred while resolving the domain. | An error occurred while resolving the domain.
400 | ErrorParametersPageSizeOrNo | Either pageSize or pageNo is invalid. | Either pageSize or pageNo is invalid.
400 | ErrorMarshalJSON | An error occurred while encoding JSON. | An error occurred while encoding JSON.
400 | ErrorParametersDestinationCount | Exceeding the number of countries in a single ACL. | The number of areas selected for one ACL is exceeded. We recommend that you split it into multiple ACLs.
400 | ErrorStartTimeOrEndTime | The start time or end time is invalid. The time must be the hour or half hour, and the start time must be 30 minutes earlier than the end time. | The start time or end time is invalid. The time must be on the hour or half-hour, and the start time must be 30 minutes earlier than the end time.
400 | ErrorParametersFtpNotSupport | domain destination not support ftp. | The FTP application is not supported when the policy destination is a domain name.
400 | ErrorAclExtendedCountExceed | ACL or extended ACL rules are not matched. | The quota for access control policies or extra access control policies is exhausted.
400 | ErrorAddressGroupNotExist | The address group does not exist. | The address group does not exist.
400 | ErrorParametersApplicationNameList | Specified parameter ApplicationNameList is not valid. | The specified ApplicationNameList parameter is not valid.

See Error Codes for a complete list.

Release notes

See Release Notes for a complete list.