
Cloud Firewall:CreateVpcFirewallControlPolicy

Last Updated:Nov 12, 2025

Adds an access control policy to a policy group for a specified VPC firewall.

Operation description

This operation adds an access control policy to a policy group for a specified VPC border firewall. A VPC border firewall uses access control policies to protect traffic between two VPCs that are connected through a Cloud Enterprise Network (CEN) instance or an Express Connect circuit.

QPS limits

This operation is limited to 10 queries per second (QPS) per user. Calls that exceed this limit are throttled. Throttling can affect your business. We recommend that you call this operation at a reasonable rate.
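Bulk policy loads (for example, migrating an existing rule set into a VPC firewall) are where the 10 QPS limit bites. The following added example, which is not Alibaba Cloud SDK code, paces calls with a sliding one-second window; the clock and sleep functions are injectable so the pacing can be simulated deterministically. The limit is per user, so a real deployment must share one limiter (or a central token source) across every process that calls the API with the same account, not one per worker.

```python
import time
from collections import deque


class QpsLimiter:
    """Sliding-window limiter: admit at most `qps` calls in any one-second window.
    clock/sleep are injectable so the behaviour can be simulated without waiting."""

    def __init__(self, qps=10, clock=time.monotonic, sleep=time.sleep):
        self.qps, self.clock, self.sleep = qps, clock, sleep
        self._stamps = deque()  # admission times still inside the window

    def _purge(self, now):
        while self._stamps and now - self._stamps[0] >= 1.0:
            self._stamps.popleft()

    def acquire(self):
        """Block until a call is permitted; return the time it was admitted."""
        now = self.clock()
        self._purge(now)
        if len(self._stamps) >= self.qps:
            # The oldest admission leaves the window at stamps[0] + 1.0; wait for it.
            self.sleep(self._stamps[0] + 1.0 - now)
            now = self.clock()
            self._purge(now)
        self._stamps.append(now)
        return now


class FakeClock:
    """Deterministic clock for simulation: sleep() only advances time."""

    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def sleep(self, seconds):
        self.t += max(seconds, 0.0)


def simulate_bulk_create(n_calls, qps=10):
    """Push n_calls (stand-ins for CreateVpcFirewallControlPolicy requests)
    through the limiter on a fake clock. Returns (total simulated seconds,
    maximum number of calls admitted in any one-second window)."""
    clock = FakeClock()
    limiter = QpsLimiter(qps, clock.now, clock.sleep)
    admitted = [limiter.acquire() for _ in range(n_calls)]
    peak = max(sum(1 for t in admitted if t0 <= t < t0 + 1.0) for t0 in admitted)
    return clock.t, peak


if __name__ == "__main__":
    # 25 policies at the documented limit: 10 admitted immediately, then 10, then 5.
    print(simulate_bulk_create(25))
```

In production, replace the fake clock with the defaults and call `limiter.acquire()` immediately before each API request; a throttling response should still be handled with a backoff rather than an immediate retry, because other callers under the same account count against the same window.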


RAM authorization

No authorization for this operation. If you encounter issues with this operation, contact technical support.

Request parameters

Each entry gives the parameter name, its type and whether it is required, followed by the description and an example value.

Lang (string, optional)
  The language of the request and response. Valid values:
    • zh (default): Chinese
    • en: English
  Example: zh

AclAction (string, required)
  The action that Cloud Firewall performs on the traffic. Valid values:
    • accept: Allows the traffic.
    • drop: Denies the traffic.
    • log: Monitors the traffic.
  Example: accept

ApplicationName (string, optional; deprecated)
  The application type that the access control policy supports. This parameter is superseded by ApplicationNameList; see the note on that parameter for how the two interact. Valid values:
    • FTP
    • HTTP
    • HTTPS
    • MySQL
    • SMTP
    • SMTPS
    • RDP
    • VNC
    • SSH
    • Redis
    • MQTT
    • MongoDB
    • Memcache
    • SSL
    • ANY (all application types)
  Example: HTTP

Description (string, required)
  The description of the access control policy.
  Example: test

DestPort (string, optional)
  The destination port in the access control policy.
  Note: Set this parameter when DestPortType is set to port.
  Example: 80

Destination (string, required)
  The destination address in the access control policy. Valid values:
    • If DestinationType is net, set this parameter to a destination CIDR block.
    • If DestinationType is group, set this parameter to the name of a destination address book.
    • If DestinationType is domain, set this parameter to a destination domain name.
  Example: 10.2.XX.XX/24

DestinationType (string, required)
  The type of the destination address in the access control policy. Valid values:
    • net: CIDR block
    • group: address book
    • domain: domain name
  Example: net

VpcFirewallId (string, required)
  The ID of the policy group for the VPC border firewall.
    • If the VPC border firewall protects traffic between two VPCs that are connected using a CEN instance, set this parameter to the ID of the CEN instance.
    • If the VPC border firewall protects traffic between two VPCs that are connected using an Express Connect circuit, set this parameter to the ID of the VPC border firewall instance.
  Note: Call the DescribeVpcFirewallAclGroupList operation to get this ID.
  Example: vfw-a42bbb7b887148c9****

Proto (string, required)
  The protocol type in the access control policy. Valid values:
    • ANY (Set this value if you are unsure of the protocol type.)
    • TCP
    • UDP
    • ICMP
  ANY matches every protocol and also restricts ApplicationNameList to ANY, so prefer the narrowest protocol the application actually needs.
  Example: TCP

Source (string, required)
  The source address in the access control policy. Valid values:
    • If SourceType is net, set this parameter to a source CIDR block.
    • If SourceType is group, set this parameter to the name of a source address book.
  Example: 10.2.XX.XX/24

SourceType (string, required)
  The type of the source address in the access control policy. Valid values:
    • net: CIDR block
    • group: address book
  Example: net

NewOrder (string, required)
  The priority of the access control policy. The priority starts from 1, and a smaller value indicates a higher priority. As in any ordered ACL, the first policy that matches the traffic applies, so an accept policy inserted at priority 1 takes effect ahead of every existing drop policy for the same traffic; choose the value deliberately rather than defaulting to 1.
  Example: 1

DestPortType (string, optional)
  The type of the destination port in the access control policy. Valid values:
    • port: port
    • group: port address book
  Example: port

DestPortGroup (string, optional)
  The name of the destination port address book in the access control policy.
  Note: Set this parameter when DestPortType is set to group.
  Example: my_port_group

MemberUid (string, optional)
  The UID of the member account.
  Example: 258039427902****

Release (string, optional)
  The status of the access control policy. The policy is enabled by default after it is created. Valid values:
    • true: Enables the access control policy.
    • false: Disables the access control policy.
  Example: true

ApplicationNameList (array of string, optional)
  The list of application types that the access control policy supports. Each element is one application type. Valid values:
    • FTP
    • HTTP
    • HTTPS
    • Memcache
    • MongoDB
    • MQTT
    • MySQL
    • RDP
    • Redis
    • SMTP
    • SMTPS
    • SSH
    • SSL_No_Cert
    • SSL
    • VNC
    • ANY (all application types)
  Note: The valid values depend on the value of Proto. If Proto is TCP, set ApplicationNameList to any of the listed application types in the ["HTTP","HTTPS",...] format. If Proto is UDP, ICMP, or ANY, set ApplicationNameList only to ANY. You must specify ApplicationNameList or ApplicationName. Do not leave both parameters empty. If both ApplicationNameList and ApplicationName are specified, the value of ApplicationNameList takes precedence.
  Example: ["ANY"]

RepeatType (string, optional)
  The recurrence type for the policy validity period. Valid values:
    • Permanent (default): always
    • None: one-time
    • Daily: daily
    • Weekly: weekly
    • Monthly: monthly
  Example: Permanent

RepeatDays (array of integer, optional)
  The days of the week or month on which the policy is recurrently active. Each element is one day.
    • If RepeatType is Permanent, None, or Daily, leave this parameter empty. Example: []
    • If RepeatType is Weekly, set this parameter. Valid values are 0 to 6, and the week starts on Sunday. Example: [0, 6]
    • If RepeatType is Monthly, set this parameter. Valid values are 1 to 31. Example: [1, 31]
  Note: If RepeatType is Weekly or Monthly, the values in RepeatDays cannot be duplicates.
  Example element: 1

RepeatStartTime (string, optional)
  The recurring start time of the policy validity period. For example: 08:00. The time must be on the hour or half-hour and must be at least 30 minutes earlier than the recurring end time.
  Note: If RepeatType is Permanent or None, leave this parameter empty. If RepeatType is Daily, Weekly, or Monthly, set this parameter.
  Example: 08:00

RepeatEndTime (string, optional)
  The recurring end time of the policy validity period. For example: 23:30. The time must be on the hour or half-hour and must be at least 30 minutes later than the recurring start time.
  Note: If RepeatType is Permanent or None, leave this parameter empty. If RepeatType is Daily, Weekly, or Monthly, set this parameter.
  Example: 23:30

StartTime (integer, optional)
  The start time of the policy validity period. This value is a UNIX timestamp. The time must be on the hour or half-hour and must be at least 30 minutes earlier than the end time.
  Note: If RepeatType is Permanent, leave this parameter empty. If RepeatType is None, Daily, Weekly, or Monthly, set this parameter.
  Example: 1694761200

EndTime (integer, optional)
  The end time of the policy validity period. This value is a UNIX timestamp. The time must be on the hour or half-hour and must be at least 30 minutes later than the start time.
  Note: If RepeatType is Permanent, leave this parameter empty. If RepeatType is None, Daily, Weekly, or Monthly, set this parameter.
  Example: 1694764800

DomainResolveType (string, optional)
  The domain name resolution method for the access control policy. Valid values:
    • FQDN: FQDN-based
    • DNS: DNS-based dynamic resolution
    • FQDN_AND_DNS: FQDN-based and DNS-based dynamic resolution
  Example: FQDN
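Most of the parameters above only make sense in combination (Proto decides what ApplicationNameList may hold, DestPortType decides whether DestPort or DestPortGroup is read, RepeatType decides which of RepeatDays, RepeatStartTime/RepeatEndTime and StartTime/EndTime must be set), and the API answers a bad combination with a 400 error after the round trip. The following added example, which is not Alibaba Cloud SDK code, encodes those documented constraints in one builder that returns the parameter map or raises before anything is sent. Transport (request signing, the SDK request model or the CLI) is out of scope; the sample policy values, the `jump_hosts` address book name and the `PolicyError` class are constructed for illustration, and ApplicationName (deprecated) is intentionally not supported.

```python
import re

# Constraints transcribed from the request parameter table above.
ACTIONS = {"accept", "drop", "log"}
PROTOS = {"ANY", "TCP", "UDP", "ICMP"}
TCP_APPS = {"FTP", "HTTP", "HTTPS", "Memcache", "MongoDB", "MQTT", "MySQL", "RDP",
            "Redis", "SMTP", "SMTPS", "SSH", "SSL_No_Cert", "SSL", "VNC", "ANY"}
SOURCE_TYPES = {"net", "group"}
DEST_TYPES = {"net", "group", "domain"}
REPEAT_TYPES = {"Permanent", "None", "Daily", "Weekly", "Monthly"}
HALF_HOUR = 1800  # seconds


class PolicyError(ValueError):
    """Raised for a request the table says the API would reject (hypothetical class)."""


def _hhmm_to_minutes(value, name):
    m = re.fullmatch(r"(\d{2}):(\d{2})", value or "")
    if not m or int(m[1]) > 23 or int(m[2]) not in (0, 30):
        raise PolicyError(f"{name} must be HH:MM on the hour or half-hour")
    return int(m[1]) * 60 + int(m[2])


def build_policy(*, vpc_firewall_id, acl_action, proto, application_name_list,
                 source, source_type, destination, destination_type, description,
                 new_order, dest_port=None, dest_port_group=None,
                 repeat_type="Permanent", repeat_days=(), repeat_start_time=None,
                 repeat_end_time=None, start_time=None, end_time=None, release=True):
    """Return the CreateVpcFirewallControlPolicy parameter map or raise PolicyError."""
    if acl_action not in ACTIONS:
        raise PolicyError(f"AclAction {acl_action!r} not in {sorted(ACTIONS)}")
    if proto not in PROTOS:
        raise PolicyError(f"Proto {proto!r} not in {sorted(PROTOS)}")
    apps = list(application_name_list)
    # Proto decides what ApplicationNameList may contain.
    if proto == "TCP":
        unknown = set(apps) - TCP_APPS
        if not apps or unknown:
            raise PolicyError(f"ApplicationNameList invalid for TCP: {sorted(unknown) or 'empty'}")
    elif apps != ["ANY"]:
        raise PolicyError(f"Proto {proto} only allows ApplicationNameList ['ANY']")
    if source_type not in SOURCE_TYPES or destination_type not in DEST_TYPES:
        raise PolicyError("bad SourceType or DestinationType")
    # ErrorParametersFtpNotSupport in the error table: FTP cannot target a domain name.
    if destination_type == "domain" and "FTP" in apps:
        raise PolicyError("FTP is not supported when the destination is a domain name")
    if int(new_order) < 1:
        raise PolicyError("NewOrder starts from 1")
    params = {
        "VpcFirewallId": vpc_firewall_id, "AclAction": acl_action, "Proto": proto,
        "ApplicationNameList": apps, "Source": source, "SourceType": source_type,
        "Destination": destination, "DestinationType": destination_type,
        "Description": description, "NewOrder": str(new_order),
        "Release": "true" if release else "false", "RepeatType": repeat_type,
    }
    # DestPortType selects which of DestPort / DestPortGroup the API reads.
    if dest_port is not None and dest_port_group is not None:
        raise PolicyError("give DestPort or DestPortGroup, not both")
    if dest_port is not None:
        params.update(DestPortType="port", DestPort=str(dest_port))
    elif dest_port_group is not None:
        params.update(DestPortType="group", DestPortGroup=dest_port_group)
    # Schedule: RepeatDays, Repeat*Time and StartTime/EndTime all hinge on RepeatType.
    if repeat_type not in REPEAT_TYPES:
        raise PolicyError(f"RepeatType {repeat_type!r} not in {sorted(REPEAT_TYPES)}")
    days = list(repeat_days)
    limits = {"Weekly": (0, 6), "Monthly": (1, 31)}.get(repeat_type)
    if limits:
        lo, hi = limits
        if not days or len(set(days)) != len(days) or any(not lo <= d <= hi for d in days):
            raise PolicyError(f"RepeatDays for {repeat_type} must be unique values in {lo}..{hi}")
        params["RepeatDays"] = days
    elif days:
        raise PolicyError(f"RepeatDays must be empty when RepeatType is {repeat_type}")
    if repeat_type in ("Daily", "Weekly", "Monthly"):
        start = _hhmm_to_minutes(repeat_start_time, "RepeatStartTime")
        end = _hhmm_to_minutes(repeat_end_time, "RepeatEndTime")
        if end - start < 30:
            raise PolicyError("RepeatEndTime must be at least 30 minutes after RepeatStartTime")
        params.update(RepeatStartTime=repeat_start_time, RepeatEndTime=repeat_end_time)
    elif repeat_start_time or repeat_end_time:
        raise PolicyError("RepeatStartTime/RepeatEndTime apply only to Daily, Weekly or Monthly")
    if repeat_type != "Permanent":
        if start_time is None or end_time is None:
            raise PolicyError("StartTime and EndTime are required unless RepeatType is Permanent")
        # ts % 1800 == 0 is hour/half-hour alignment in UTC, which holds equally for
        # any zone whose offset is a whole or half hour.
        if start_time % HALF_HOUR or end_time % HALF_HOUR or end_time - start_time < HALF_HOUR:
            raise PolicyError("StartTime/EndTime must be half-hour aligned with EndTime >= StartTime + 30 min")
        params.update(StartTime=start_time, EndTime=end_time)
    elif start_time is not None or end_time is not None:
        raise PolicyError("StartTime/EndTime must be empty when RepeatType is Permanent")
    return params


def example_change_window_policy():
    """Constructed sample: allow SSH from one subnet to the 'jump_hosts' address book,
    live 08:00-23:30 on Sundays and Saturdays, within a two-week date range."""
    return build_policy(
        vpc_firewall_id="vfw-a42bbb7b887148c9****", acl_action="accept", proto="TCP",
        application_name_list=["SSH"], source="10.2.0.0/24", source_type="net",
        destination="jump_hosts", destination_type="group", description="weekend ssh",
        new_order=1, dest_port=22, repeat_type="Weekly", repeat_days=[0, 6],
        repeat_start_time="08:00", repeat_end_time="23:30",
        start_time=1694761200, end_time=1694761200 + 14 * 86400)
```

The returned map uses the API parameter names, so it can be fed to the SDK request model field by field or to the CLI; the only adaptation is that the two array parameters are Python lists here. Because the builder fails closed on any combination the table forbids, it is also a convenient place to enforce local policy (for example, refusing `Proto="ANY"` together with `Source="0.0.0.0/0"`) before a rule reaches the firewall.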

Response elements

The response body is an object with the following elements.

AclUuid (string)
  The unique ID of the access control policy. Record this value; it identifies the policy in later operations on it.
  Example: 00281255-d220-4db1-8f4f-c4df221ad84c

RequestId (string)
  The ID of the request.
  Example: CBF1E9B7-D6A0-4E9E-AD3E-2B47E6C2837D

Examples

Success response

JSON format

{
  "AclUuid": "00281255-d220-4db1-8f4f-c4df221ad84c",
  "RequestId": "CBF1E9B7-D6A0-4E9E-AD3E-2B47E6C2837D"
}

Error codes

HTTP status code | Error code | Error message | Description
400 | ErrorParametersUid | The aliUid parameter is invalid. | The aliUid parameter is invalid.
400 | ErrorUUIDNew | The UUID is invalid. | The UUID is invalid.
400 | ErrorParametersSource | The source is invalid. | The source is invalid.
400 | ErrorParametersDestination | The Destination parameter is invalid. | The Destination parameter is invalid.
400 | ErrorParametersProto | The protocol is invalid. | The protocol is invalid.
400 | ErrorParametersDestPort | The dst_port is invalid. | The dst_port is invalid.
400 | ErrorParametersAction | The action is invalid. | The action is invalid.
400 | ErrorDBSelect | An error occurred while querying database. | An error occurred while querying the database.
400 | ErrorParameters | A parameter error occurred. | A parameter error occurred.
400 | ErrorAddressCountExceed | The maximum number of addresses is exceeded. | The maximum number of addresses is exceeded.
400 | ErrorParametersNewOrder | The newOrder is invalid. | The newOrder is invalid.
400 | ErrorDBInsert | An error occurred while performing an insert operation in the database. | An error occurred while performing an insert operation in the database.
400 | ErrorDBDelete | An error occurred while deleting the database. | An error occurred while deleting from the database.
400 | ErrorRecordLog | An error occurred while updating the operation log. | An error occurred while updating the operation log.
400 | ErrorParameterIpVersion | The IP version is invalid. | The IP version is invalid.
400 | ErrorParametersDirection | The direction is invalid. | The direction is invalid.
400 | ErrorDomainResolve | An error occurred while resolving the domain. | An error occurred while resolving the domain name.
400 | ErrorAclExtendedCountExceed | ACL or extended ACL rules are not matched. | The quota for access control policies or extra access control policies is exhausted.
400 | ErrorAclDomainAnyCountExceed | The number of resolved domain names cannot exceed 200. ACL configuration can be continued for HTTP, HTTPS, SMTP, SMTPS, and SSL applications. | The domain name resolves to more than 200 IP addresses. We recommend that you set the application in your access control policy to HTTP, HTTPS, SMTP, SMTPS, or SSL.
400 | ErrorMarshalJSON | An error occurred. Try again later. | An error occurred. Try again later.
400 | ErrorParametersFtpNotSupport | domain destination not support ftp. | The FTP application is not supported when the policy destination is a domain name.
400 | ErrorParametersApplicationName | Specified parameter ApplicationName is not valid. | The specified ApplicationName parameter is not valid.
400 | ErrorParametersApplicationNameList | Specified parameter ApplicationNameList is not valid. | The specified ApplicationNameList parameter is not valid.
400 | ErrorAddressGroupNotExist | The address group does not exist. | The address group does not exist.

See Error Codes for a complete list.

Release notes

See Release Notes for a complete list.