
Smart Access Gateway: AddACLRule

Last Updated: Aug 08, 2025

Adds an access control rule.


RAM authorization

The table below describes the authorization required to call this API. You can define it in a Resource Access Management (RAM) policy. The table's columns are detailed below:

  • Action: The actions can be used in the Action element of RAM permission policy statements to grant permissions to perform the operation.

  • API: The API that you can call to perform the action.

  • Access level: The predefined level of access granted for each API. Valid values: create, list, get, update, and delete.

  • Resource type: The type of the resource that supports authorization to perform the action. It indicates whether the action supports resource-level permissions. The specified resource must be compatible with the action; otherwise, the policy will be ineffective.

    • For APIs with resource-level permissions, required resource types are marked with an asterisk (*). Specify the corresponding Alibaba Cloud Resource Name (ARN) in the Resource element of the policy.

    • For APIs without resource-level permissions, it is shown as All Resources. Use an asterisk (*) in the Resource element of the policy.

  • Condition key: The condition keys defined by the service. The key allows for granular control, applying to either actions alone or actions associated with specific resources. In addition to service-specific condition keys, Alibaba Cloud provides a set of common condition keys applicable across all RAM-supported services.

  • Dependent action: The dependent actions required to run the action. To complete the action, the RAM user or the RAM role must have the permissions to perform all dependent actions.

Action: smartag:AddACLRule

Access level: create

Resource type: *Acl
  ARN: acs:smartag:{#regionId}:{#accountId}:acl/{#AclId}

Condition key: None

Dependent action: None

Request parameters

Each entry lists the parameter name, its type, whether it is required, its description, and an example value.

RegionId (string, required)
  The ID of the region where the access control list (ACL) is located. For more information, see DescribeRegions.
  Example: cn-shanghai

AclId (string, required)
  The ID of the ACL.
  Example: acl-xhwhyuo43l0n*****

Description (string, optional)
  The description of the ACL rule. The description must be 1 to 512 characters in length.
  Example: desctest

Direction (string, required)
  The direction of traffic to which the ACL rule applies. Valid values:
    • in: inbound. Traffic from an external network to the local branch where the SAG instance is deployed.
    • out: outbound. Traffic from the local branch where the SAG instance is deployed to an external network.
  Example: in

SourceCidr (string, required)
  The source CIDR block, for example 192.168.1.0/24.
  Example: 192.168.20.0/24

DestCidr (string, required)
  The destination CIDR block, for example 192.168.10.0/24.
  Example: 192.168.10.0/24

IpProtocol (string, required)
  The protocol to which the ACL rule applies. For a list of supported protocols, see the console. The protocol is not case-sensitive.
  Example: tcp

SourcePortRange (string, required)
  The source port range. Valid values: -1 and 1 to 65535. Use the format 1/200 or 80/80. A value of -1/-1 means all ports.
  Example: 1/200

DestPortRange (string, required)
  The destination port range. Valid values: -1 and 1 to 65535. Use the format 1/200 or 80/80. A value of -1/-1 means all ports.
  Example: 1/200

Policy (string, required)
  The authorization policy of the ACL rule. Valid values:
    • accept: allows access.
    • drop: denies access.
  Example: accept

Priority (integer, optional)
  The priority of the ACL rule. A smaller value indicates a higher priority. If multiple rules have the same priority, the rule that is first delivered to the Smart Access Gateway device takes precedence. Valid values: 1 to 100. Default value: 1.
  Example: 12

Type (string, optional)
  The type of the ACL rule. Valid values:
    • LAN (default): private network. The ACL rule controls traffic on private networks.
    • WAN: public network. The ACL rule controls traffic on public networks.
  Example: LAN

Name (string, optional)
  The name of the ACL rule. The name must be 2 to 100 characters in length, start with a letter, and can contain digits, periods (.), underscores (_), and hyphens (-).
  Example: doctest

DpiSignatureIds (array, optional)
  A list of application IDs. The ACL rule matches traffic of the specified applications. For more information, see ListDpiSignatures. You can specify up to 10 application IDs.
  Example: 1
  Element (string, optional): the application ID. You can specify up to 100 application IDs.
  Example: 1

DpiGroupIds (array, optional)
  A list of application group IDs. The ACL rule matches traffic of the specified application groups. For more information, see ListDpiGroups. You can specify up to 10 application group IDs.
  Example: 20
  Element (string, optional): the application group ID. You can specify up to 100 application group IDs.
  Example: 20
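The request parameters above carry several format constraints (port ranges, CIDR blocks, the priority range, name and description rules). The Python helper below is an added example, not part of Alibaba Cloud's SDK or this page: it validates a rule client-side against those constraints and returns the query parameters for AddACLRule, so a malformed or overly broad rule is rejected before any signed request leaves the caller. It assumes the two arrays are flattened RPC-style as `DpiSignatureIds.N` / `DpiGroupIds.N`, applies the 10-ID limit given in the array descriptions, and leaves signing and transport to the SDK.

```python
import ipaddress
import re

PORT_RANGE_RE = re.compile(r"^(-1|\d{1,5})/(-1|\d{1,5})$")
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9._-]{1,99}$")  # 2-100 chars, letter first

def check_port_range(value):
    """Accept only the documented formats: 1/200, 80/80, or -1/-1 for all ports."""
    m = PORT_RANGE_RE.match(value)
    lo, hi = (int(m.group(1)), int(m.group(2))) if m else (None, None)
    if not m or ((lo, hi) != (-1, -1) and not 1 <= lo <= hi <= 65535):
        raise ValueError(f"port range must be lo/hi within 1-65535 or -1/-1, got {value!r}")
    return value

def check_cidr(value):
    return str(ipaddress.ip_network(value, strict=True))  # strict rejects 192.168.1.5/24

def build_add_acl_rule_params(region_id, acl_id, direction, source_cidr, dest_cidr,
                              ip_protocol, source_port_range, dest_port_range, policy,
                              priority=1, rule_type="LAN", name=None, description=None,
                              dpi_signature_ids=(), dpi_group_ids=()):
    """Return the AddACLRule query parameters, or raise ValueError before anything is sent."""
    checks = [
        (direction in ("in", "out"), "Direction must be 'in' or 'out'"),
        (policy in ("accept", "drop"), "Policy must be 'accept' or 'drop'"),
        (rule_type in ("LAN", "WAN"), "Type must be 'LAN' or 'WAN'"),
        (1 <= int(priority) <= 100, "Priority must be 1 to 100"),
        (name is None or NAME_RE.match(name), "Name: 2-100 chars, letter first, then [A-Za-z0-9._-]"),
        (description is None or 1 <= len(description) <= 512, "Description: 1-512 chars"),
        (len(dpi_signature_ids) <= 10 and len(dpi_group_ids) <= 10, "at most 10 IDs per DPI list"),
    ]
    for ok, msg in checks:
        if not ok:
            raise ValueError(msg)
    params = {
        "Action": "AddACLRule", "RegionId": region_id, "AclId": acl_id,
        "Direction": direction, "SourceCidr": check_cidr(source_cidr),
        "DestCidr": check_cidr(dest_cidr), "IpProtocol": ip_protocol,
        "SourcePortRange": check_port_range(source_port_range),
        "DestPortRange": check_port_range(dest_port_range),
        "Policy": policy, "Priority": int(priority), "Type": rule_type,
    }
    for key, val in (("Name", name), ("Description", description)):
        if val is not None:
            params[key] = val
    # Assumption: the two arrays are flattened RPC-style as DpiSignatureIds.1, DpiSignatureIds.2, ...
    for key, ids in (("DpiSignatureIds", dpi_signature_ids), ("DpiGroupIds", dpi_group_ids)):
        for i, ident in enumerate(ids, 1):
            params[f"{key}.{i}"] = str(ident)
    return params
```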

Response parameters

The response body is a single object. Each entry lists the parameter name, its type, its description, and an example value.

Policy (string)
  The authorization policy of the ACL rule.
    • accept: allows access.
    • drop: denies access.
  Example: drop

Description (string)
  The description of the ACL rule.
  Example: test

RequestId (string)
  The request ID.
  Example: 880F84CB-9B54-4413-A8A3-8832C82D1BC4

SourcePortRange (string)
  The source port range.
  Example: 1/65535

SourceCidr (string)
  The source CIDR block, in CIDR format, for example 192.168.1.0/24.
  Example: 192.168.20.0/24

Priority (integer)
  The priority of the ACL rule. A smaller value indicates a higher priority. If multiple rules have the same priority, the rule that is first delivered to the Smart Access Gateway device takes precedence.
  Example: 1

AclId (string)
  The ID of the ACL.
  Example: acl-xhwhyuo43l0*******

AcrId (string)
  The ID of the ACL rule.
  Example: acr-c1hkd054qywi******

DestPortRange (string)
  The destination port range.
  Example: 1/65535

Direction (string)
  The direction of traffic to which the ACL rule applies. Valid values:
    • in: inbound. Traffic from an external network to the local branch where the SAG instance is deployed.
    • out: outbound. Traffic from the local branch where the SAG instance is deployed to an external network.
  Example: out

DpiGroupIds (object)
  DpiGroupId (array of strings): a list of application group IDs that the ACL rule matches.
  Example: 20

Name (string)
  The name of the ACL rule.
  Example: doctest

Type (string)
  The type of the ACL rule.
    • LAN: private network. The ACL rule controls traffic on private networks.
    • WAN: public network. The ACL rule controls traffic on public networks.
  Example: LAN

GmtCreate (integer)
  The UNIX timestamp when the ACL rule was created. This value is a long integer. If rules have the same priority, the one with the earlier timestamp takes precedence.
  Example: 1553766882689

DestCidr (string)
  The destination CIDR block, for example 192.168.10.0/24.
  Example: 192.168.10.0/24

DpiSignatureIds (object)
  DpiSignatureId (array of strings): a list of application IDs that the ACL rule matches.
  Example: 1

IpProtocol (string)
  The protocol to which the ACL rule applies.
  Example: TCP

Examples

Success response

JSON format

{
  "Policy": "drop",
  "Description": "test",
  "RequestId": "880F84CB-9B54-4413-A8A3-8832C82D1BC4",
  "SourcePortRange": "1/65535",
  "SourceCidr": "192.168.20.0/24",
  "Priority": 1,
  "AclId": "acl-xhwhyuo43l0*******",
  "AcrId": "acr-c1hkd054qywi******",
  "DestPortRange": "1/65535",
  "Direction": "out",
  "DpiGroupIds": {
    "DpiGroupId": [
      "20"
    ]
  },
  "Name": "doctest",
  "Type": "LAN",
  "GmtCreate": 1553766882689,
  "DestCidr": "192.168.10.0/24",
  "DpiSignatureIds": {
    "DpiSignatureId": [
      "1"
    ]
  },
  "IpProtocol": "TCP"
}

Error codes

Each entry lists the HTTP status code and error code, followed by the error message returned by the API and a description.

400 ACL.NoSupportWanType
  Error message: An SAG 1000 device does not support a WAN ACL.
  Description: An SAG 1000 device does not support a WAN ACL.

400 ACL.InvalidType
  Error message: The specified ACL type is invalid.
  Description: The specified ACL type is invalid.

403 Forbidden
  Error message: User not authorized to operate on the specified resource.
  Description: You do not have permissions to manage the specified resource.

403 MissingParameter
  Error message: The input parameter is missing, please check your input.
  Description: Missing parameters. Check whether all required parameters are set.

403 InvalidDescription
  Error message: Description not valid.
  Description: The length of the description has exceeded the upper limit.

403 InvalidParameter
  Error message: The specified parameter is invalid.
  Description: Invalid parameters.

403 FeatureNotSupport
  Error message: The current edition of the smart access gateway does not support this feature.
  Description: The current version of Smart Access Gateway does not support this feature.

403 FeatureNotSupportForActiveSmartAG
  Error message: The current edition of the active smart access gateway does not support this feature.
  Description: The current edition of the active SAG instance does not support this feature.

403 FeatureNotSupportForStandBySmartAG
  Error message: The current edition of the standby smart access gateway does not support this feature.
  Description: The current version of Smart Access Gateway does not support this feature.

403 NotSupportedProtocol
  Error message: The specified protocol of the ACL rule is not supported.
  Description: The specified protocol of the ACL rule is not supported.

403 InvalidId.ACL
  Error message: The specified ACL ID is invalid.
  Description: The specified ACL group ID is invalid.

403 InvalidPortRange
  Error message: The specified port range is invalid.
  Description: The specified port range is invalid.

403 AcrPerAclAmountLimit
  Error message: The maximum number of rules in an ACL is exceeded. You can open a ticket to increase the quota.
  Description: The number of ACL rules has reached the upper limit of ACL rules that you can create under each ACL group. You can submit a ticket to request a quota increase.

403 InternalError
  Error message: An internal server error occurred.
  Description: An internal server error occurred.

See Error Codes for a complete list.

Release notes

See Release Notes for a complete list.