Creates a network access control list (ACL).

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer. OpenAPI Explorer dynamically generates the sample code of the operation for different SDKs.

Request parameters

Parameter Type Required Example Description
VpcId String Yes vpc-dsfd34356vdf****

The ID of the virtual private cloud (VPC) to which the network ACL belongs.

If the VPC contains Elastic Compute Service (ECS) instances of the following families, upgrade the ECS instances or release the ECS instances. Otherwise, you cannot create a network ACL for the VPC.

ecs.c1, ecs.c2, ecs.c4, ecs.c5, ecs.ce4, ecs.cm4, ecs.d1, ecs.e3, ecs.e4, ecs.ga1, ecs.gn4, ecs.gn5, ecs.i1, ecs.m1, ecs.m2, ecs.mn4, ecs.n1, ecs.n2, ecs.n4, ecs.s1, ecs.s2, ecs.s3, ecs.se1, ecs.sn1, ecs.sn2, ecs.t1, and ecs.xn4.

Note: If your VPC contains instances of the preceding instance types and you have created a network ACL, you must upgrade the instances. Otherwise, the network ACL cannot work as expected.

NetworkAclName String No acl-1

The name of the network ACL.

The name must be 2 to 128 characters in length, and can contain letters, digits, underscores (_), and hyphens (-). The name must start with a letter but cannot start with http:// or https://.

Description String No This is my NetworkAcl.

The description of the network ACL. The description must be 2 to 256 characters in length. It must start with a letter but cannot start with http:// or https://.

RegionId String Yes cn-hangzhou

The region ID of the network ACL. You can call the DescribeRegions operation to query the most recent region list.

ClientToken String No 0c593ea1-3bea-11e9-b96b-88e9fe637760

The client token that is used to ensure the idempotence of the request.

You can use the client to generate the value, but you must make sure that it is unique among different requests. The token can contain only ASCII characters and cannot exceed 64 characters in length.

Note: If you do not set this parameter, the system automatically uses RequestId as ClientToken. RequestId may be different for each API request.

Action String Yes CreateNetworkAcl

The operation that you want to perform. Set the value to CreateNetworkAcl.
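The following Python sketch is an added example, not code from the API documentation or an official SDK. It checks the NetworkAclName, Description and ClientToken constraints listed above before a request is sent and generates one ClientToken per logical create so that retries stay idempotent. The function names and the `vpc-example` ID are hypothetical, "letters" and "digits" are interpreted with Python's Unicode-aware `isalpha`/`isalnum` (an assumption), and signing and the common request parameters are out of scope.

```python
import uuid
from urllib.parse import urlencode

def new_client_token():
    """One token per logical create; reuse the same value on every retry."""
    return str(uuid.uuid4())  # 36 ASCII characters, within the 64-character limit

def _check_text(label, value, lo, hi):
    """Rules shared by NetworkAclName and Description."""
    if not lo <= len(value) <= hi:
        raise ValueError(f"{label} must be {lo} to {hi} characters long")
    if value.startswith(("http://", "https://")):
        raise ValueError(f"{label} cannot start with http:// or https://")
    if not value[0].isalpha():
        raise ValueError(f"{label} must start with a letter")

def build_create_network_acl_params(vpc_id, region_id, client_token,
                                    name=None, description=None):
    """Return the operation-specific parameters, or raise ValueError."""
    if not client_token.isascii() or not 1 <= len(client_token) <= 64:
        raise ValueError("ClientToken must be ASCII and at most 64 characters")
    params = {"Action": "CreateNetworkAcl", "VpcId": vpc_id,
              "RegionId": region_id, "ClientToken": client_token}
    if name is not None:
        _check_text("NetworkAclName", name, 2, 128)
        if not all(c.isalnum() or c in "_-" for c in name):
            raise ValueError("NetworkAclName allows letters, digits, _ and - only")
        params["NetworkAclName"] = name
    if description is not None:
        _check_text("Description", description, 2, 256)
        params["Description"] = description
    return params

def to_query(params):
    """Percent-encode the parameters for the query string."""
    return urlencode(params)

if __name__ == "__main__":
    token = new_client_token()
    # vpc-example is a placeholder, not a real VPC ID.
    print(to_query(build_create_network_acl_params(
        "vpc-example", "cn-hangzhou", token,
        name="acl-1", description="This is my NetworkAcl.")))
```
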

Response parameters

Parameter Type Example Description
NetworkAclId String nacl-a2do9e413e0spzasx****

The ID of the network ACL.

RequestId String 0ED8D006-F706-4D23-88ED-E11ED28DCAC0

The ID of the request.

NetworkAclAttribute Object

The attributes of the network ACL.

Status String Modifying

The status of the network ACL. Valid values:

  • Available: available
  • Modifying: being configured

VpcId String vpc-a2d33rfpl72k5xsscd****

The ID of the VPC to which the network ACL belongs.

CreationTime String 2021-12-25 11:33:27

The time when the network ACL was created.

Description String This is my NetworkAcl.

The description of the network ACL.

NetworkAclName String acl-1

The name of the network ACL.

NetworkAclId String nacl-a2do9e413e0spdefr****

The ID of the network ACL.

RegionId String cn-hangzhou

The region ID of the network ACL.

IngressAclEntries Array of IngressAclEntry

The inbound rules.

IngressAclEntry
NetworkAclEntryId String nae-a2dk86arlydmexscd****

The ID of the inbound rule.

NetworkAclEntryName String acl-3

The name of the inbound rule.

Policy String accept

The action to be performed on network traffic that matches the rule. Valid values:

  • accept: allows the network traffic.
  • drop: blocks the network traffic.

Description String This is IngressAclEntries.

The description of the inbound rule.

SourceCidrIp String 10.0.0.0/24

The source CIDR block.

Protocol String all

The transport layer protocol. Valid values:

  • icmp: Internet Control Message Protocol (ICMP)
  • gre: Generic Routing Encapsulation (GRE)
  • tcp: TCP
  • udp: UDP
  • all: all protocols

Port String -1/-1

The destination port range of the inbound traffic.

  • If Protocol of the inbound rule is set to all, icmp, or gre, the port range is -1/-1, which indicates that all ports are available.
  • If Protocol of the inbound rule is set to tcp or udp, the port range is 1 to 65535. The port range is set in the following format: 1/200 or 80/80, which indicates port 1 to port 200, or port 80.

EgressAclEntries Array of EgressAclEntry

The outbound rules.

EgressAclEntry
NetworkAclEntryId String nae-a2d447uw4tillxsdc****

The ID of the outbound rule.

NetworkAclEntryName String acl-2

The name of the outbound rule.

Policy String accept

The action to be performed on network traffic that matches the rule. Valid values:

  • accept: allows the network traffic.
  • drop: blocks the network traffic.

Description String This is EgressAclEntries.

The description of the outbound rule.

Protocol String all

The transport layer protocol. Valid values:

  • icmp: ICMP
  • gre: GRE
  • tcp: TCP
  • udp: UDP
  • all: all protocols

DestinationCidrIp String 10.0.0.0/24

The destination CIDR block.

Port String -1/-1

The destination port range of the outbound traffic.

  • If Protocol of the outbound rule is set to all, icmp, or gre, the port range is -1/-1, which indicates that all ports are available.
  • If Protocol of the outbound rule is set to tcp or udp, the port range is 1 to 65535. The port range is set in the following format: 1/200 or 80/80, which indicates port 1 to port 200, or port 80.

Resources Array of Resource

The resources that are associated with the network ACL.

Resource
Status String BINDED

The status of the associated resource. Valid values:

  • BINDED: The resource is associated with the network ACL.
  • BINDING: The resource is being associated with the network ACL.
  • UNBINDING: The resource is disassociated from the network ACL.

ResourceType String VSwitch

The type of the associated resource.

ResourceId String vsw-bp1de348lntdwgthy****

The ID of the associated resource.

Examples

Sample requests

http(s)://[Endpoint]/?VpcId=vpc-dsfd34356vdf****
&NetworkAclName=acl-1
&Description=This is my NetworkAcl.
&RegionId=cn-hangzhou
&ClientToken=0c593ea1-3bea-11e9-b96b-88e9fe637760
&Action=CreateNetworkAcl
&Common request parameters

Sample success responses

XML format

HTTP/1.1 200 OK
Content-Type:application/xml

<CreateNetworkAclResponse>
    <NetworkAclId>nacl-a2do9e413e0spzasx****</NetworkAclId>
    <RequestId>0ED8D006-F706-4D23-88ED-E11ED28DCAC0</RequestId>
    <NetworkAclAttribute>
        <Status>Modifying</Status>
        <VpcId>vpc-a2d33rfpl72k5xsscd****</VpcId>
        <CreationTime>2021-12-25 11:33:27</CreationTime>
        <Description>This is my NetworkAcl.</Description>
        <NetworkAclName>acl-1</NetworkAclName>
        <NetworkAclId>nacl-a2do9e413e0spdefr****</NetworkAclId>
        <RegionId>cn-hangzhou</RegionId>
        <IngressAclEntries>
            <NetworkAclEntryId>nae-a2dk86arlydmexscd****</NetworkAclEntryId>
            <NetworkAclEntryName>acl-3</NetworkAclEntryName>
            <Policy>accept</Policy>
            <Description>This is IngressAclEntries.</Description>
            <SourceCidrIp>10.0.0.0/24</SourceCidrIp>
            <Protocol>all</Protocol>
            <Port>-1/-1</Port>
        </IngressAclEntries>
        <EgressAclEntries>
            <NetworkAclEntryId>nae-a2d447uw4tillxsdc****</NetworkAclEntryId>
            <NetworkAclEntryName>acl-2</NetworkAclEntryName>
            <Policy>accept</Policy>
            <Description>This is EgressAclEntries.</Description>
            <Protocol>all</Protocol>
            <DestinationCidrIp>10.0.0.0/24</DestinationCidrIp>
            <Port>-1/-1</Port>
        </EgressAclEntries>
        <Resources>
            <Status>BINDED</Status>
            <ResourceType>VSwitch</ResourceType>
            <ResourceId>vsw-bp1de348lntdwgthy****</ResourceId>
        </Resources>
    </NetworkAclAttribute>
</CreateNetworkAclResponse>

JSON format

HTTP/1.1 200 OK
Content-Type:application/json

{
  "NetworkAclId" : "nacl-a2do9e413e0spzasx****",
  "RequestId" : "0ED8D006-F706-4D23-88ED-E11ED28DCAC0",
  "NetworkAclAttribute" : {
    "Status" : "Modifying",
    "VpcId" : "vpc-a2d33rfpl72k5xsscd****",
    "CreationTime" : "2021-12-25 11:33:27",
    "Description" : "This is my NetworkAcl.",
    "NetworkAclName" : "acl-1",
    "NetworkAclId" : "nacl-a2do9e413e0spdefr****",
    "RegionId" : "cn-hangzhou",
    "IngressAclEntries" : [ {
      "NetworkAclEntryId" : "nae-a2dk86arlydmexscd****",
      "NetworkAclEntryName" : "acl-3",
      "Policy" : "accept",
      "Description" : "This is IngressAclEntries.",
      "SourceCidrIp" : "10.0.0.0/24",
      "Protocol" : "all",
      "Port" : "-1/-1"
    } ],
    "EgressAclEntries" : [ {
      "NetworkAclEntryId" : "nae-a2d447uw4tillxsdc****",
      "NetworkAclEntryName" : "acl-2",
      "Policy" : "accept",
      "Description" : "This is EgressAclEntries.",
      "Protocol" : "all",
      "DestinationCidrIp" : "10.0.0.0/24",
      "Port" : "-1/-1"
    } ],
    "Resources" : [ {
      "Status" : "BINDED",
      "ResourceType" : "VSwitch",
      "ResourceId" : "vsw-bp1de348lntdwgthy****"
    } ]
  }
}
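The following Python sketch is an added example, not part of the API documentation. It reads a CreateNetworkAcl JSON response, enforces the Protocol/Port rules from the response parameter descriptions, and lists entries that accept every protocol on every port so they can be reviewed. The response is constructed in the shape of the sample above with placeholder IDs, the function names are hypothetical, and values are stripped of surrounding whitespace before comparison.

```python
import ipaddress
import json

SAMPLE = json.loads(r"""
{"NetworkAclId": "nacl-example", "NetworkAclAttribute": {"Status": "Modifying",
 "IngressAclEntries": [{"NetworkAclEntryName": "acl-3", "Policy": "accept",
   "SourceCidrIp": "10.0.0.0/24\t", "Protocol": "all", "Port": "-1/-1\t"}],
 "EgressAclEntries": [{"NetworkAclEntryName": "acl-2", "Policy": "drop",
   "DestinationCidrIp": "10.0.0.0/24", "Protocol": "tcp", "Port": "80/80"}]}}
""")  # constructed sample; IDs are placeholders, tabs exercise the stripping

def parse_port(protocol, port):
    """Return None for 'all ports' or (low, high), enforcing the Port rules."""
    low, high = (int(p) for p in port.strip().split("/"))
    if protocol in ("all", "icmp", "gre"):
        if (low, high) != (-1, -1):
            raise ValueError(f"{protocol} requires -1/-1, got {port!r}")
        return None
    if protocol in ("tcp", "udp"):
        # Assumption: the first number may not exceed the second.
        if not 1 <= low <= high <= 65535:
            raise ValueError(f"bad {protocol} port range {port!r}")
        return (low, high)
    raise ValueError(f"unknown protocol {protocol!r}")

def summarize(response):
    """Flatten inbound and outbound entries into comparable rule records."""
    attr = response["NetworkAclAttribute"]
    rules = []
    for direction, key, cidr_key in (("ingress", "IngressAclEntries", "SourceCidrIp"),
                                     ("egress", "EgressAclEntries", "DestinationCidrIp")):
        for entry in attr.get(key, []):
            protocol = entry["Protocol"].strip()
            rules.append({
                "direction": direction,
                "policy": entry["Policy"].strip(),
                "protocol": protocol,
                "cidr": str(ipaddress.ip_network(entry[cidr_key].strip())),
                "ports": parse_port(protocol, entry["Port"]),
            })
    return rules

def broad_accepts(rules):
    """Entries that accept all protocols on all ports, for manual review."""
    return [r for r in rules if r["policy"] == "accept" and r["protocol"] == "all"]

def is_ready(response):  # True only once Status has left Modifying
    return response["NetworkAclAttribute"]["Status"].strip() == "Available"
```
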

Error codes

HttpCode Error code Error message Description
500 InternalError The request processing has failed due to some unknown error. The error message returned because an unknown error occurred.

For a list of error codes, visit the API Error Center.