Adds an access control list (ACL) rule.

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer. OpenAPI Explorer dynamically generates the sample code of the operation for different SDKs.

Request parameters

Parameter Type Required Example Description
Action String Yes AddACLRule

The operation that you want to perform. Set the value to AddACLRule.

RegionId String No cn-shanghai

The ID of the region where the ACL is deployed.

You can call the DescribeRegions operation to query the most recent region list.

AclId String No acl-xhwhyuo43l0n*****

The ID of the ACL.

Description String No desctest

The description of the ACL rule.

The description must be 1 to 512 characters in length.

Direction String No in

The direction of traffic in which the ACL rule is applied. Valid values:

  • in: The ACL rule controls inbound network traffic of the on-premises network that is associated with the Smart Access Gateway (SAG) instance.
  • out: The ACL rule controls outbound network traffic of the on-premises network that is associated with the SAG instance.

SourceCidr String No 192.168.20.0/24

The range of the source IP addresses.

Specify the value of this parameter in CIDR notation. Example: 192.168.1.0/24.

DestCidr String No 192.168.10.0/24

The range of the destination IP addresses.

Specify the value of this parameter in CIDR notation. Example: 192.168.10.0/24.

IpProtocol String No tcp

The protocol used by the ACL rule.

The protocols that are provided in this topic are for reference only. The protocols available in the SAG console may vary. The value of the parameter is not case-sensitive.

SourcePortRange String No 1/200

The source port range.

Valid values: 1 to 65535 and -1.

Set the source port range in one of the following formats: 1/200 or 80/80. A value of -1/-1 indicates all ports.

DestPortRange String No 1/200

The destination port range.

Valid values: 1 to 65535 and -1.

Set the destination port range in one of the following formats: 1/200 or 80/80. A value of -1/-1 indicates all ports.

Policy String No accept

The action policy of the ACL rule. Valid values:

  • accept: allows network traffic.
  • drop: blocks network traffic.

Priority Integer No 12

The priority of the ACL rule.

A smaller value indicates a higher priority. If two rules have the same priority, the rule that was applied to the SAG devices earlier takes effect.

Valid values: 1 to 100. Default value: 1.

Type String No LAN

The type of the ACL rule. Valid values:

  • LAN: The ACL rule controls network traffic transmitted through private IP addresses.
  • WAN: The ACL rule controls network traffic transmitted through public IP addresses.

Name String No doctest

The name of the ACL rule.

The name must be 2 to 100 characters in length, and can contain letters, digits, periods (.), underscores (_), and hyphens (-). It must start with a letter.

DpiSignatureIds.N String No 1

The ID of the application.

You can enter at most 100 application IDs in each call.

DpiGroupIds.N String No 20

The ID of the application group.

You can enter at most 100 application group IDs in each call.
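The parameter table above is, in effect, a set of input contracts that the API enforces server-side with error codes such as InvalidPortRange, InvalidDescription and InvalidParameter. The following is an added example, not SDK, console or OpenAPI Explorer code: a constructed client-side validator for those documented constraints plus a serialiser that produces the query-string form of the sample request. It expands list parameters as DpiSignatureIds.N and DpiGroupIds.N (the form given in the parameter table), lower-cases IpProtocol because the API is documented as case-insensitive, and rejects a CIDR with host bits set (strict=True), which is this example's own choice rather than a documented rule. It does not add the common request parameters or the signature; those are left to the SDK or OpenAPI Explorer as the Debugging section describes.

```python
import ipaddress
import re
from urllib.parse import urlencode

# Constraints taken from the AddACLRule parameter table. This validator is constructed
# for the example; it is not part of any SDK.
PORT_RANGE_RE = re.compile(r"^(-1|\d{1,5})/(-1|\d{1,5})$")
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9._-]{1,99}$")  # 2-100 chars, starts with a letter
DIRECTIONS = {"in", "out"}
POLICIES = {"accept", "drop"}
TYPES = {"LAN", "WAN"}

# Constructed parameter set mirroring the page's sample request.
SAMPLE_PARAMS = {
    "RegionId": "cn-shanghai",
    "AclId": "acl-xhwhyuo43l0n*****",
    "Description": "desctest",
    "Direction": "in",
    "SourceCidr": "192.168.20.0/24",
    "DestCidr": "192.168.10.0/24",
    "IpProtocol": "tcp",
    "SourcePortRange": "1/200",
    "DestPortRange": "1/200",
    "Policy": "accept",
    "Priority": 12,
    "Type": "LAN",
    "Name": "doctest",
    "DpiSignatureIds": ["1"],
    "DpiGroupIds": ["20"],
}


def valid_port_range(value):
    """'lo/hi' with 1 <= lo <= hi <= 65535, or exactly '-1/-1' meaning all ports."""
    m = PORT_RANGE_RE.match(value)
    if not m:
        return False
    lo, hi = int(m.group(1)), int(m.group(2))
    if lo == -1 or hi == -1:
        return lo == -1 and hi == -1  # a lone -1 on one side is not a documented form
    return 1 <= lo <= hi <= 65535


def valid_cidr(value):
    """IPv4 CIDR notation; strict=True rejects host bits set (this example's own choice)."""
    try:
        ipaddress.IPv4Network(value, strict=True)
    except ValueError:
        return False
    return True


CHECKS = [
    ("Direction", lambda v: v in DIRECTIONS),
    ("Policy", lambda v: v in POLICIES),
    ("Type", lambda v: v in TYPES),
    ("SourceCidr", valid_cidr),
    ("DestCidr", valid_cidr),
    ("SourcePortRange", valid_port_range),
    ("DestPortRange", valid_port_range),
    ("Name", lambda v: NAME_RE.match(v) is not None),
    ("Description", lambda v: 1 <= len(v) <= 512),
    ("Priority", lambda v: isinstance(v, int) and 1 <= v <= 100),
    ("DpiSignatureIds", lambda v: len(v) <= 100),  # at most 100 IDs per call
    ("DpiGroupIds", lambda v: len(v) <= 100),
]


def validate_rule_params(params):
    """Names of parameters that violate a documented constraint ([] when clean).
    Absent parameters are skipped, since every one of them is optional in the table."""
    return [key for key, ok in CHECKS if key in params and not ok(params[key])]


def build_query(params):
    """Serialise to the query-string form of the sample request. List parameters are
    expanded as Name.1, Name.2, ... (the DpiSignatureIds.N form from the table) and
    IpProtocol is lower-cased because the API is documented as case-insensitive.
    Common request parameters and the signature are not added here."""
    flat = {"Action": "AddACLRule"}
    for key, value in params.items():
        if isinstance(value, list):
            for i, item in enumerate(value, start=1):
                flat[f"{key}.{i}"] = item
        elif key == "IpProtocol":
            flat[key] = value.lower()
        else:
            flat[key] = value
    return urlencode(sorted(flat.items()))


if __name__ == "__main__":
    print(validate_rule_params(SAMPLE_PARAMS))
    print(build_query(SAMPLE_PARAMS))
```

Running the validator before each call turns a 403 InvalidPortRange or InvalidDescription into a local error with the offending parameter name, which is easier to surface in a change-review pipeline than a server-side rejection.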

Response parameters

Parameter Type Example Description
Policy String drop

The action policy of the ACL rule.

  • accept: allows the network traffic.
  • drop: blocks the network traffic.

Description String test

The description of the ACL rule.

RequestId String 880F84CB-9B54-4413-A8A3-8832C82D1BC4

The ID of the request.

SourcePortRange String 1/65535

The source port range.

SourceCidr String 192.168.20.0/24

The source CIDR block.

The value of this parameter is specified in CIDR notation. Example: 192.168.1.0/24.

Priority Integer 1

The priority of the ACL rule.

A smaller value indicates a higher priority. If two rules have the same priority, the rule that was applied to the SAG devices earlier takes effect.

AclId String acl-xhwhyuo43l0*******

The ID of the ACL.

AcrId String acr-c1hkd054qywi******

The ID of the ACL rule.

DestPortRange String 1/65535

The destination port range.

Direction String out

The direction of traffic in which the ACL rule is applied. Valid values:

  • in: The ACL rule controls inbound network traffic of the on-premises network that is associated with the SAG instance.
  • out: The ACL rule controls outbound network traffic of the on-premises network that is associated with the SAG instance.

DpiGroupIds Array of String 20

The IDs of the application groups that match the current ACL rule.

Name String doctest

The name of the ACL rule.

Type String LAN

The type of the ACL rule. Valid values:

  • LAN: The ACL rule controls network traffic transmitted through private IP addresses.
  • WAN: The ACL rule controls network traffic transmitted through public IP addresses.

GmtCreate Long 1553766882689

The timestamp when the ACL rule was created.

The timestamp is of the Long data type. If multiple ACL rules have the same priority, the rule with the earliest timestamp takes effect.

DestCidr String 192.168.10.0/24

The destination CIDR block.

The value of this parameter is specified in CIDR notation. Example: 192.168.10.0/24.

DpiSignatureIds Array of String 1

The IDs of the applications that match the current ACL rule.

IpProtocol String TCP

The protocol used by the ACL rule.
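The Priority and GmtCreate fields above together define which rule wins when several cover the same traffic: a smaller Priority takes effect first, and among rules with equal Priority the one with the earlier GmtCreate takes effect. The following is an added example, not code from the page or the SAG product: a constructed precedence audit over rule records in the response's shape (made-up AcrIds and timestamps). It orders rules exactly as the page describes and then assumes that the first rule in that order whose filter covers a flow decides it; that first-match assumption is this example's, not a statement from the page. Protocol names are compared case-insensitively because the request takes tcp and the response returns TCP.

```python
import ipaddress

# Constructed rule records in the shape of the AddACLRule response (made-up AcrIds and
# timestamps; not data from the page).
RULES = [
    {"AcrId": "acr-example-1", "Priority": 1, "GmtCreate": 1553766882689, "Direction": "out",
     "SourceCidr": "192.168.20.0/24", "DestCidr": "192.168.10.0/24", "IpProtocol": "TCP",
     "SourcePortRange": "1/65535", "DestPortRange": "1/65535", "Policy": "drop"},
    {"AcrId": "acr-example-2", "Priority": 1, "GmtCreate": 1553766900000, "Direction": "out",
     "SourceCidr": "192.168.20.0/24", "DestCidr": "192.168.10.0/24", "IpProtocol": "TCP",
     "SourcePortRange": "-1/-1", "DestPortRange": "443/443", "Policy": "accept"},
    {"AcrId": "acr-example-3", "Priority": 5, "GmtCreate": 1553766800000, "Direction": "in",
     "SourceCidr": "10.0.0.0/8", "DestCidr": "192.168.20.0/24", "IpProtocol": "UDP",
     "SourcePortRange": "-1/-1", "DestPortRange": "53/53", "Policy": "accept"},
]


def effective_order(rules):
    """Order rules as the page describes precedence: smaller Priority first, and among
    equal priorities the rule with the earlier GmtCreate first."""
    return sorted(rules, key=lambda r: (r["Priority"], r["GmtCreate"]))


def port_in_range(port, port_range):
    """'-1/-1' covers every port; otherwise an inclusive lo/hi range."""
    lo, hi = (int(p) for p in port_range.split("/"))
    return (lo == -1 and hi == -1) or lo <= port <= hi


def rule_matches(rule, flow):
    """Does the rule's direction, protocol, CIDR and port filters cover this flow?"""
    return (
        rule["Direction"] == flow["direction"]
        and rule["IpProtocol"].lower() == flow["protocol"].lower()
        and ipaddress.ip_address(flow["src"]) in ipaddress.ip_network(rule["SourceCidr"])
        and ipaddress.ip_address(flow["dst"]) in ipaddress.ip_network(rule["DestCidr"])
        and port_in_range(flow["sport"], rule["SourcePortRange"])
        and port_in_range(flow["dport"], rule["DestPortRange"])
    )


def matching_rule_ids(flow, rules):
    """All rules covering the flow, in effective order. Under the first-match assumption
    the first one takes effect and the rest are shadowed for this flow."""
    return [r["AcrId"] for r in effective_order(rules) if rule_matches(r, flow)]


def deciding_policy(flow, rules):
    """Policy of the first matching rule, or None when no rule covers the flow
    (assumption: first match in effective order decides)."""
    for rule in effective_order(rules):
        if rule_matches(rule, flow):
            return rule["Policy"]
    return None


if __name__ == "__main__":
    https_out = {"direction": "out", "protocol": "tcp", "src": "192.168.20.5",
                 "dst": "192.168.10.9", "sport": 51000, "dport": 443}
    print(matching_rule_ids(https_out, RULES), deciding_policy(https_out, RULES))
```

In the constructed set, acr-example-2 was intended as an exception that accepts outbound 443, but it never takes effect: acr-example-1 drops all TCP on the same CIDRs, has the same Priority, and was created earlier, so the tie-break in GmtCreate favours it. The audit shows both rules matching with the drop rule first. Giving the exception a smaller Priority value (higher precedence) is the documented way to make it win rather than relying on creation order.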

Examples

Sample requests

http(s)://[Endpoint]/?Action=AddACLRule
&RegionId=cn-shanghai
&AclId=acl-xhwhyuo43l0n*****
&Description=desctest
&Direction=in
&SourceCidr=192.168.20.0/24
&DestCidr=192.168.10.0/24
&IpProtocol=tcp
&SourcePortRange=1/200
&DestPortRange=1/200
&Policy=accept
&Priority=12
&Type=LAN
&Name=doctest
&DpiSignatureIds=["1"]
&DpiGroupIds=["20"]
&Common request parameters

Sample success responses

XML format

HTTP/1.1 200 OK
Content-Type:application/xml

<AddACLRuleResponse>
    <Policy>drop</Policy>
    <Description>test</Description>
    <RequestId>880F84CB-9B54-4413-A8A3-8832C82D1BC4</RequestId>
    <SourcePortRange>1/65535</SourcePortRange>
    <SourceCidr>192.168.20.0/24</SourceCidr>
    <Priority>1</Priority>
    <AclId>acl-xhwhyuo43l0*******</AclId>
    <AcrId>acr-c1hkd054qywi******</AcrId>
    <DestPortRange>1/65535</DestPortRange>
    <Direction>out</Direction>
    <DpiGroupIds>20</DpiGroupIds>
    <Name>doctest</Name>
    <Type>LAN</Type>
    <GmtCreate>1553766882689</GmtCreate>
    <DestCidr>192.168.10.0/24</DestCidr>
    <DpiSignatureIds>1</DpiSignatureIds>
    <IpProtocol>TCP</IpProtocol>
</AddACLRuleResponse>

JSON format

HTTP/1.1 200 OK
Content-Type:application/json

{
  "Policy" : "drop",
  "Description" : "test",
  "RequestId" : "880F84CB-9B54-4413-A8A3-8832C82D1BC4",
  "SourcePortRange" : "1/65535",
  "SourceCidr" : "192.168.20.0/24",
  "Priority" : 1,
  "AclId" : "acl-xhwhyuo43l0*******",
  "AcrId" : "acr-c1hkd054qywi******",
  "DestPortRange" : "1/65535",
  "Direction" : "out",
  "DpiGroupIds" : [ "20" ],
  "Name" : "doctest",
  "Type" : "LAN",
  "GmtCreate" : 1553766882689,
  "DestCidr" : "192.168.10.0/24",
  "DpiSignatureIds" : [ "1" ],
  "IpProtocol" : "TCP"
}

Error codes

HttpCode Error code Error message Description
400 ACL.NoSupportWanType An SAG 1000 device does not support a WAN ACL. The error message returned because an SAG-1000 device does not support a WAN ACL rule.
400 ACL.InvalidType The specified ACL type is invalid. The error message returned because the specified ACL rule type is invalid.
403 Forbidden User not authorized to operate on the specified resource. The error message returned because you do not have the permissions to manage the specified resource.
403 MissingParameter The input parameter is missing, please check your input. The error message returned because one or more required parameters are empty. Check whether you have configured all required parameters.
403 InvalidDescription Description not valid. The error message returned because the length of the description exceeds the upper limit.
403 InvalidParameter The specified parameter is invalid. The error message returned because a parameter is set to an invalid value.
403 FeatureNotSupport The current edition of the smart access gateway does not support this feature. The error message returned because the current version of the specified SAG device does not support this feature.
403 FeatureNotSupportForActiveSmartAG The current edition of the active smart access gateway does not support this feature. The error message returned because the current version of the active SAG device does not support this feature.
403 FeatureNotSupportForStandBySmartAG The current edition of the standby smart access gateway does not support this feature. The error message returned because the current version of the standby SAG device does not support this feature.
403 NotSupportedProtocol The specified protocol of the ACL rule is not supported. The error message returned because the protocol type that you specified for the ACL rule is not supported.
403 InvalidId.ACL The specified ACL ID is invalid. The error message returned because the specified ACL ID is invalid.
403 InvalidPortRange The specified port range is invalid. The error message returned because the specified port range is invalid.
403 AcrPerAclAmountLimit The maximum number of rules in an ACL is exceeded. You can open a ticket to increase the quota. The number of ACL rules has reached the upper limit of ACL rules that you can create under each ACL group. You can submit a ticket to request a quota increase.
403 InternalError An internal server error occurred. The error message returned because an internal server error occurred.

For a list of error codes, see Service error codes.