Creates a VPC firewall to protect traffic between a network instance in a Cloud Enterprise Network (CEN) and a specified VPC.
Operation description
This operation creates a VPC firewall for a VPC that is connected to a Cloud Enterprise Network (CEN). The VPC firewall protects traffic between the VPC and other network instances in the CEN, such as virtual private clouds (VPCs), virtual border routers (VBRs), and Cloud Connect Network (CCN) instances. The VPC firewall does not protect traffic between VBRs, between CCNs, or between VBRs and CCNs. For more information, see Limits on VPC firewalls.
QPS limit
The queries per second (QPS) limit for this operation is 10 calls per second per user. If you exceed this limit, your API calls are throttled, which can disrupt automation that depends on them. Plan your calls accordingly.
Request parameters

| Parameter | Type | Required | Description | Example |
|---|---|---|---|---|
| Lang | string | No | The language of the request and response. Valid values: zh (Chinese, default) and en (English). | zh |
| VpcFirewallName | string | Yes | The name of the VPC firewall instance. | test instance |
| NetworkInstanceId | string | Yes | The ID of the VPC for which you want to create the VPC firewall. | vpc-bp10zlifxh6j0232w**** |
| VpcRegion | string | Yes | The region ID of the VPC for which you want to create the VPC firewall. Note: For more information about the regions that Cloud Firewall supports, see Supported regions. | cn-hangzhou |
| FirewallSwitch | string | Yes | The status of the VPC firewall after it is created. Valid values: open (the VPC firewall is enabled as soon as it is created) and close (the VPC firewall is created in the disabled state and must be enabled separately). | open |
| CenId | string | Yes | The ID of the CEN instance. | cen-x5jayxou71ad73**** |
| MemberUid | string | No | The UID of the member account. | 258039427902**** |
| VSwitchId | string | No | The ID of the vSwitch that is used by the Cloud Firewall interface. | vsw-qzeaol304m*** |
| FirewallVpcCidrBlock | string | No | The CIDR block of the VPC that is used by the firewall. Specify a CIDR block with a subnet mask of 28 bits or less. This CIDR block is allocated to the VPC that is automatically created for the firewall for traffic redirection. If you do not specify this parameter, the system automatically allocates the 10.0.0.0/8 CIDR block. Note: This parameter is valid only when you create a VPC firewall for the first time in the current region of the CEN. | 10.0.0.0/8 |
| FirewallVpcZoneId | string | No | The ID of the primary zone for the firewall. If your business is sensitive to latency, specify the same zone for the firewall and for the vSwitch of your business VPC to reduce latency. If you do not specify this parameter, the system automatically assigns a zone to the firewall. Note: This parameter is valid only when you create a VPC firewall for the first time in the current region of the CEN. | cn-hangzhou-a |
| FirewallVSwitchCidrBlock | string | No | The CIDR block of the vSwitch that is used by the firewall. Specify a CIDR block with a subnet mask of 29 bits or less that does not conflict with your network plan. This CIDR block is allocated to the vSwitch that is automatically created in the firewall VPC (Cloud_Firewall_VSWITCH) for traffic redirection. The vSwitch CIDR block must be a subnet of the firewall VPC CIDR block. If you do not specify this parameter, the system automatically allocates the 10.219.219.216/29 CIDR block. Note: This parameter is valid only when you create a VPC firewall for the first time in the current region of the CEN. | 10.0.*.*/28 |
| FirewallVpcStandbyZoneId | string | No | The ID of the secondary zone for the firewall. If the service in the primary zone becomes unavailable, the firewall automatically switches to the secondary zone. If you do not specify this parameter, the system automatically assigns a secondary zone to the firewall. Note: This parameter is valid only when you create a VPC firewall for the first time in the current region of the CEN. | cn-hangzhou-b |
Response elements

| Element | Type | Description | Example |
|---|---|---|---|
| | object | The response body. | |
| VpcFirewallId | string | The ID of the VPC firewall instance. | vfw-m5e7dbc4y**** |
| RequestId | string | The ID of the request. | 850A84D6-0DE4-4797-A1E8-00090125h4j6 |
Examples
Success response
JSON format
{
"VpcFirewallId": "vfw-m5e7dbc4y****",
"RequestId": "850A84D6-0DE4-4797-A1E8-00090125h4j6"
}
Error codes

| HTTP status code | Error code | Error message | Description |
|---|---|---|---|
| 400 | ErrorAliUid | The aliuid is invalid. | The Alibaba Cloud account UID (aliuid) is invalid. |
| 400 | ErrorVpcFirewallExist | The firewall has been configured and cannot be created repeatedly. | A VPC firewall is already configured for this VPC and cannot be created again. |
| 400 | ErrorVpcId | The VPC ID is invalid. | The VPC ID is invalid. |
| 400 | ErrorRegionNoError | The region is invalid. | The region is invalid. |
| 400 | ErrorVpcFirewallNotFound | The specified VPC firewall does not exist. Please select again. | The specified VPC firewall does not exist. Enter another value. |
| 400 | ErrorDBSelectError | A database select error occurred. | An internal error occurred while querying the database. |
| 400 | ErrorDBTxError | A database transaction error occurred. | An internal error occurred in the database transaction. |
| 400 | ErrorDBUpdateError | A database update error occurred. | An internal error occurred while updating the database. |
| 400 | ErrorRecordLog | An error occurred while updating the operation log. | An error occurred while updating the operation log. |
| 400 | ErrorCenVbrNotSupport | VBRs in a CEN do not support firewalls. | You cannot create a VPC firewall for a VBR that is attached to the CEN. |
| 400 | ErrorCenNotSupportCCN | VPC firewalls cannot be enabled for CCN instances in a CEN. | You cannot create a VPC firewall for a CCN instance that is attached to the CEN. |
| 400 | ErrorCenNotSupportMultipleAccounts | The current version of Cloud Firewall does not support multiple accounts when it uses VPC Firewall to protect Cloud Enterprise Network. Upgrade the specifications and try again. | The current edition of Cloud Firewall does not support multiple accounts when a VPC firewall protects a CEN. Upgrade the edition and try again. |
| 400 | ErrorFirewallStatus | Firewall status error, please try again later. | The status of the firewall is invalid. Try again later. |
| 400 | ErrorFirewallQuotaNotEmpty | quota is not enough, unable to configure VPC firewall, please increase quota first. | The quota is insufficient to configure a VPC firewall. Increase the quota first. |
| 400 | ErrorHubvpcCannotCreate | A firewall cannot be created for a hub VPC. | You cannot create a VPC firewall for a hub VPC. |
| 400 | ErrorCenVpcEcConflict | The VPC of the cloud enterprise network conflicts with the VPC of the high-speed channel, and the firewall cannot be opened. Please select again | The VPC in the CEN conflicts with a VPC used by Express Connect. You cannot enable the firewall. Specify another value. |
| 400 | ErrorRegionNoDisable | There are unsupported regions, please reselect | Some regions are not supported. Specify supported regions. |
| 400 | ErrorCenFirewallVpcNumInvalid | The CEN does not contain enough VPCs to enable a VPC firewall. | The CEN does not contain enough VPCs to enable a VPC firewall. |
| 400 | ErrorDestCidrError | The target network segment is wrong. Please configure the target network segment correctly. | The specified destination CIDR block is invalid. Enter another value. |
| 400 | ErrorVpcCustomRouteTableWithVswitch | The VPC has a custom route table that is associated with a vSwitch, so a VPC firewall cannot be created. | You cannot create a VPC firewall for a VPC that has a custom route table associated with a vSwitch. |
| 400 | ErrorCenNotSupportTREnterpriseAutoMode | VPC firewall does not support TR Enterprise Edition auto mode protection, please use manual mode protection | VPC firewalls do not support the automatic protection mode for Enterprise Edition transit routers (CEN-TR). Use the manual protection mode. |
| 400 | ErrorInvalidMemberUid | Member uid is invalid | The UID of the member account is invalid. |
| 400 | ErrorFirewallName | Firewall name invalid. | The firewall name is invalid. Enter another value. |
| 400 | ErrorFirewallSwitch | The firewall enabling parameter is incorrect. Please select again. | The specified FirewallSwitch value is invalid. Enter another value. |
| 400 | ErrorNetworkInstanceIdError | Network InstanceId ID is invalid | The ID of the network instance is invalid. |
| 400 | ErrorCenId | CEN ID is error | The ID of the CEN instance is invalid. |
| 400 | ErrorCidrFormat | Cidr ip format error. | The CIDR block is malformed. Enter another value. |
| 400 | ErrorDestCidrEmpty | The target network segment is empty and cannot be created | The destination CIDR block is not specified. The firewall cannot be created. |
| 400 | ErrorOwnerId | owner id invalid. | The owner ID is invalid. Enter another value. |
| 400 | ErrorCenManualFirewallExist | VPC firewall in manual mode already exists in this CEN network. You are not allowed to create a VPC firewall in automatic mode. | This CEN already has a VPC firewall in manual mode. You cannot create a VPC firewall in automatic mode. |
| 400 | ErrorFirewallExistDeleting | There is a VPC firewall that is being deleted, and it is not allowed to create. | A VPC firewall is being deleted. Wait until the deletion is complete before you create a new one. |
| 400 | ErrorSameCidrIp | The same network segment cannot be configured repeatedly. Please reselect the network segment. | The CIDR block is already in use. Specify another CIDR block. |
| 400 | ErrorCenRouteMapExist | cen route map is exist. | A CEN route map already exists, so the VPC firewall cannot be created. Contact Cloud Firewall technical support. |
| 400 | ErrorUserCredentials | User credentials failed. | Unauthorized. Grant the required Cloud Firewall permissions first. |
| 400 | ErrorDBNoRow | No rows in database. | No data found. |
| 400 | ErrorVpcFirewallVpcNumLimit | The number of vpcs in this region is limited to open the vpc firewall. | The VPC firewall cannot be enabled because of a limit on the number of VPCs in this region. |
| 400 | ErrorCenExistPublicCidr | cen domain route exist public route. | The CEN contains a route to a public CIDR block. VPC firewalls do not support this. |
| 400 | ErrorCenExistTrRoute | Cen VPC route exist tr route. | A VPC in the CEN has a route whose next hop is a transit router (TR). VPC firewalls do not support this. |
| 400 | ErrorCenTRAssociationCustomRouteTable | CEN-TR association custom route table. | The CEN-TR network instance connection is associated with a custom route table. VPC firewalls do not support this, so the firewall cannot be enabled. |
| 400 | ErrorDBInsertError | A database insert error occurred. | An internal error occurred while inserting data into the database. |
| 400 | ErrorVpcFirewallZoneId | VPC firewall zone error. | The specified zone for the VPC firewall is invalid. |
| 400 | ErrorInvalidMemberUidStatus | invalid member uid status. | The status of the member account is invalid. This operation is not supported. |
| 400 | ErrorBandwidthPenalty | Cloud Firewall bandwidth is being overused. | Cloud Firewall bandwidth is being overused. |
| 400 | ErrorGeneralInstanceSpecFull | Cloud Firewall instance specifications are full. | The Cloud Firewall instance specifications are full. |
| 400 | ErrorFirewallVSwitchCidrConflict | Firewall switch network segment conflicts with business network segment. | The CIDR block of the firewall vSwitch conflicts with a business CIDR block. |
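Every error above comes back as HTTP 400, so an automation that keys on the status code alone cannot tell a transient condition (ErrorFirewallStatus, ErrorFirewallExistDeleting) from a request it must never resend unchanged (ErrorCidrFormat, ErrorCenId) or from the one case that actually means the desired state is already there (ErrorVpcFirewallExist). The following added example, not Alibaba Cloud's code, sorts the codes from the table into those classes and wraps the create call in a retry loop that treats an existing firewall as success. `ApiError` stands in for the SDK's server-side exception, and the flaky client in the `__main__` block is constructed for the demonstration; the grouping of codes is this example's reading of the descriptions, not an official classification.

```python
"""Retry and idempotency policy for CreateVpcFirewallCenConfigure errors (added example)."""
import time
from typing import Callable, Dict

# Transient: service state is changing or an internal store hiccupped; retry with backoff.
RETRYABLE = {"ErrorFirewallStatus", "ErrorFirewallExistDeleting", "ErrorDBSelectError",
             "ErrorDBTxError", "ErrorDBUpdateError", "ErrorDBInsertError"}
# Desired state already exists: an idempotent create reports success, not failure.
ALREADY_EXISTS = {"ErrorVpcFirewallExist"}
# The request itself is wrong; resending it unchanged can never succeed.
BAD_INPUT = {"ErrorAliUid", "ErrorVpcId", "ErrorRegionNoError", "ErrorCenId",
             "ErrorNetworkInstanceIdError", "ErrorFirewallName", "ErrorFirewallSwitch",
             "ErrorCidrFormat", "ErrorDestCidrError", "ErrorDestCidrEmpty", "ErrorSameCidrIp",
             "ErrorFirewallVSwitchCidrConflict", "ErrorVpcFirewallZoneId",
             "ErrorInvalidMemberUid", "ErrorOwnerId"}
# Missing permissions: fix the RAM policy, not the request.
AUTH = {"ErrorUserCredentials"}
# Everything else in the table (VBR/CCN/hub VPC, TR routes, quota, edition, route maps)
# needs a change to the CEN, the quota or the Cloud Firewall edition by a human.


class ApiError(Exception):
    """Stand-in for the SDK exception; carries the code and message from the table."""

    def __init__(self, code: str, message: str, request_id: str = ""):
        super().__init__(f"{code}: {message}")
        self.code, self.message, self.request_id = code, message, request_id


def classify(code: str) -> str:
    """Map an error code to the action an operator or script should take."""
    if code in ALREADY_EXISTS:
        return "exists"
    if code in RETRYABLE:
        return "retry"
    if code in BAD_INPUT:
        return "fix-input"
    if code in AUTH:
        return "authorize"
    return "precondition"


def create_with_retry(call: Callable[[Dict], Dict], params: Dict, max_attempts: int = 5,
                      base_delay: float = 1.0, sleep=time.sleep) -> Dict:
    """Run call(params), which returns the response dict or raises ApiError.

    Transient errors are retried with exponential backoff (capped at 30 s);
    ErrorVpcFirewallExist ends the loop as success; anything else is re-raised
    immediately so a bad request is never hammered against the 10 QPS limit.
    """
    delay = base_delay
    for attempt in range(1, max_attempts + 1):
        try:
            response = call(params)
            return {"outcome": "created", "vpc_firewall_id": response.get("VpcFirewallId"),
                    "request_id": response.get("RequestId"), "attempts": attempt}
        except ApiError as err:
            action = classify(err.code)
            if action == "exists":
                return {"outcome": "exists", "vpc_firewall_id": None,
                        "request_id": err.request_id, "attempts": attempt}
            if action != "retry" or attempt == max_attempts:
                raise
            sleep(delay)
            delay = min(delay * 2, 30.0)
    raise RuntimeError("unreachable")  # loop always returns or raises


if __name__ == "__main__":
    # Constructed flaky client: two "try again later" responses, then the documented success body.
    state = {"calls": 0}

    def flaky(_params: Dict) -> Dict:
        state["calls"] += 1
        if state["calls"] < 3:
            raise ApiError("ErrorFirewallStatus", "Firewall status error, please try again later.")
        return {"VpcFirewallId": "vfw-m5e7dbc4y****",
                "RequestId": "850A84D6-0DE4-4797-A1E8-00090125h4j6"}

    print(create_with_retry(flaky, {"CenId": "cen-x5jayxou71ad73****"}, sleep=lambda s: None))
```

When the loop returns `exists`, the response carries no VpcFirewallId; look the existing firewall up afterwards and confirm it belongs to the CEN and VPC you intended, because the error only says that some VPC firewall is already configured for that VPC.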
See Error Codes for a complete list.
Release notes
See Release Notes for a complete list.