Adds an access control policy to a specific policy group for a virtual private cloud (VPC) firewall.

Usage notes

This operation is used to add an access control policy to a specific policy group for a VPC firewall. Different access control policies are used when a VPC firewall is used to protect traffic between two VPCs that are connected by using a Cloud Enterprise Network (CEN) instance or an Express Connect circuit.

QPS limit

You can call this operation up to 10 times per second per account. If the number of calls per second exceeds the limit, throttling is triggered. Your business is affected. We recommend that you take note of the limit when you call this operation.

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer. OpenAPI Explorer dynamically generates the sample code of the operation for different SDKs.

Request parameters

Parameter Type Required Example Description
Action String Yes CreateVpcFirewallControlPolicy

The operation that you want to perform. Set the value to CreateVpcFirewallControlPolicy.

Lang String No zh

The natural language of the request and response. Valid values:

  • zh: Chinese (default)
  • en: English
AclAction String Yes accept

The action that Cloud Firewall performs on the traffic. Valid values:

  • accept: allows the traffic.
  • drop: denies the traffic.
  • log: monitors the traffic.
ApplicationName String Yes HTTP

The type of the application that the access control policy supports. Valid values:

  • FTP
  • HTTP
  • HTTPS
  • MySQL
  • SMTP
  • SMTPS
  • RDP
  • VNC
  • SSH
  • Redis
  • MQTT
  • MongoDB
  • Memcache
  • SSL
  • ANY, which indicates all application types
Description String Yes test

The description of the access control policy.

DestPort String No 80

The destination port in the access control policy.

Note If the DestPortType parameter is set to port, this parameter is required.
Destination String Yes 10.2.XX.XX/24

The destination address in the access control policy. Valid values:

  • If the DestinationType parameter is set to net, the value of this parameter is a CIDR block.
  • If the DestinationType parameter is set to group, the value of this parameter is the name of an address book.
  • If the DestinationType parameter is set to domain, the value of this parameter is a domain name.
DestinationType String Yes net

The type of the destination address in the access control policy. Valid values:

  • net: CIDR block
  • group: address book
  • domain: domain name
VpcFirewallId String Yes vfw-a42bbb7b887148c9****

The ID of the policy group for which you want to create the access control policy.

  • If a VPC firewall protects the traffic between two VPCs that are connected by using a CEN instance, the value of this parameter is the ID of the CEN instance.
  • If a VPC firewall protects the traffic between two VPCs that are connected by using an Express Connect circuit, the value of this parameter is the instance ID of the VPC firewall.
Note You can call the DescribeVpcFirewallAclGroupList operation to query the ID.
Proto String Yes TCP

The type of the protocol in the access control policy. Valid values:

  • ANY, which indicates all protocols
  • TCP
  • UDP
  • ICMP
Source String Yes 10.2.XX.XX/24

The source address in the access control policy.

  • If the SourceType parameter is set to net, the value of this parameter is a CIDR block.
  • If the SourceType parameter is set to group, the value of this parameter is the name of an address book.
SourceType String Yes net

The type of the source address in the access control policy. Valid values:

  • net: CIDR block
  • group: address book
NewOrder String Yes 1

The priority of the access control policy.

The priority value starts from 1. A smaller value indicates a higher priority.

DestPortType String No port

The type of the destination port in the access control policy. Valid values:

  • port: port
  • group: port address book
DestPortGroup String No my_port_group

The name of the destination port address book in the access control policy.

Note If the DestPortType parameter is set to group, this parameter is required.
MemberUid String No 258039427902****

The ID of the member of the Alibaba Cloud account.

Release String No true

Indicates whether the access control policy is enabled. By default, an access control policy is enabled after it is created. Valid values:

  • true: The access control policy is enabled.
  • false: The access control policy is disabled.

Response parameters

Parameter Type Example Description
AclUuid String 00281255-d220-4db1-8f4f-c4df221ad84c

The ID of the access control policy.

RequestId String CBF1E9B7-D6A0-4E9E-AD3E-2B47E6C2837D

The ID of the request.

Examples

Sample requests

http(s)://[Endpoint]/?Action=CreateVpcFirewallControlPolicy
&SourceIp=192.0.XX.XX
&Lang=zh
&AclAction=accept
&ApplicationName=HTTP
&Description=test
&DestPort=80
&Destination=10.2.XX.XX/24
&DestinationType=net
&VpcFirewallId=vfw-a42bbb7b887148c9****
&Proto=TCP
&Source=10.2.XX.XX/24
&SourceType=net
&NewOrder=1
&DestPortType=port
&DestPortGroup=my_port_group
&MemberUid=258039427902****
&Release=true
&Common request parameters

Sample responses

XML format 

HTTP/1.1 200 OK
Content-Type:application/xml

<CreateVpcFirewallControlPolicyResponse>
    <AclUuid>00281255-d220-4db1-8f4f-c4df221ad84c</AclUuid>
    <RequestId>CBF1E9B7-D6A0-4E9E-AD3E-2B47E6C2837D</RequestId>
</CreateVpcFirewallControlPolicyResponse>

JSON format 

HTTP/1.1 200 OK
Content-Type:application/json

{
  "AclUuid" : "00281255-d220-4db1-8f4f-c4df221ad84c",
  "RequestId" : "CBF1E9B7-D6A0-4E9E-AD3E-2B47E6C2837D"
}