Help Center/ Virtual Private Cloud/ API Reference/ API V3/ Network ACL/ Inserting a Network ACL Rule
Updated on 2024-10-11 GMT+08:00
Online Debugging
CLI Examples
View PDF
Share

Inserting a Network ACL Rule

Function

This API is used to insert a network ACL rule.

Debugging

You can debug this API through automatic authentication in API Explorer.

URI

PUT /v3/{project_id}/vpc/firewalls/{firewall_id}/insert-rules

Table 1 Path Parameters

Parameter

Mandatory

Type

Description

firewall_id

Yes

String

Unique ID of a network ACL.

project_id

Yes

String

Project ID.

For details about how to obtain a project ID, see Obtaining a Project ID.

Request Parameters

Table 2 Request body parameters

Parameter

Mandatory

Type

Description

firewall

Yes

FirewallInsertRuleOption object

Details about the inbound and outbound network ACL rules to be inserted.
Table 3 FirewallInsertRuleOption

Parameter

Mandatory

Type

Description

ingress_rules

No

Array of FirewallInsertRuleItemOption objects

  • Inbound network ACL rules to be inserted.

egress_rules

No

Array of FirewallInsertRuleItemOption objects

  • Outbound network ACL rules to be inserted.

insert_after_rule

No

String

  • Whether to insert a network ACL rule below an inbound or outbound rule. If insert_after_rule is not specified, the rule is inserted at the top of the inbound or outbound rule list.

  • If insert_after_rule is specified, ingress_rules and egress_rules cannot be specified at the same time, and the rule must be existing inbound or outbound rule.
Table 4 FirewallInsertRuleItemOption

Parameter

Mandatory

Type

Description

name

No

String

  • Network ACL rule name.

  • The value can contain no more than 64 characters, including letters, digits, underscores (_), hyphens (-), and periods (.).

description

No

String

  • Description about the network ACL rule.

  • The value can contain no more than 255 characters.

  • The value cannot contain angle brackets (< or >).

action

Yes

String

  • Whether a network ACL rule allows or denies traffic.

  • allow indicates traffic is allowed and deny that traffic is denied.

protocol

Yes

String

  • Network ACL rule protocol.

  • The value can be tcp, udp, icmp, icmpv6, or an IP protocol number (0–255). any indicates all protocols.

ip_version

Yes

Integer

  • IP version of a network ACL rule.

  • The value can be 4 (IPv4) or 6 (IPv6).

source_ip_address

No

String

  • Source IP address or CIDR block of a network ACL rule.

  • source_ip_address and source_address_group_id cannot be specified at the same time.

destination_ip_address

No

String

  • Destination IP address or CIDR block of a network ACL rule.

  • destination_ip_address and destination_address_group_id cannot be specified at the same time.

source_port

No

String

  • Source ports of a network ACL rule.

  • You can specify a single port or a port range. Separate every two entries with a comma.

  • The maximum number of port entries is 20 by default.

destination_port

No

String

  • Destination ports of a network ACL rule.

  • You can specify a single port or a port range. Separate every two entries with a comma.

  • The maximum number of port entries is 20 by default.

source_address_group_id

No

String

  • Source IP address group ID of a network ACL rule.

  • source_ip_address and source_address_group_id cannot be specified at the same time.

destination_address_group_id

No

String

  • Destination IP address group ID of a network ACL rule.

  • destination_ip_address and destination_address_group_id cannot be specified at the same time.

enabled

No

Boolean

  • Whether to enable a network ACL rule.

  • true means to enable the network ACL rule and false means to disable the network ACL rule.- -

  • The default value is true.

Response Parameters

Status code: 200

Table 5 Response body parameters

Parameter

Type

Description

firewall

FirewallDetail object

Details after the network ACL rules are inserted.

request_id

String

Request ID.
Table 6 FirewallDetail

Parameter

Type

Description

id

String

  • The unique ID of a network ACL.

  • The value is a string in UUID format.

name

String

  • Network ACL name.

  • The value can contain no more than 64 characters, including letters, digits, underscores (_), hyphens (-), and periods (.).

description

String

  • Description about the network ACL.

  • The value can contain no more than 255 characters.

  • The value cannot contain angle brackets (< or >).

project_id

String

  • ID of the project that is associated with the network ACL.

created_at

String

  • Time when a network ACL is created.

  • The value is a UTC time in the format of yyyy-MM-ddTHH:mm:ss, which is automatically generated by the system.

updated_at

String

  • Time when the network ACL was last updated.

  • The value is a UTC time in the format of yyyy-MM-ddTHH:mm:ss, which is automatically generated by the system.

admin_state_up

Boolean

  • Whether a network ACL is enabled.

  • The value can be true (enabled) or false (disabled).

status

String

  • Network ACL status.

enterprise_project_id

String

  • ID of the enterprise project that is associated with the network ACL.

  • The project ID can be 0 or a string that contains a maximum of 36 characters in UUID format with hyphens (-). 0 indicates the default enterprise project.

tags

Array of ResourceTag objects

  • Network ACL tags.

associations

Array of FirewallAssociation objects

  • Subnets that are associated with a network ACL.

ingress_rules

Array of FirewallRuleDetail objects

  • Inbound network ACL rules.

egress_rules

Array of FirewallRuleDetail objects

  • Outbound network ACL rules.
Table 7 ResourceTag

Parameter

Type

Description

key

String

  • Tag key

  • Tag keys must be unique for each resource.

Minimum: 1

Maximum: 128

value

String

  • Tag value.

Maximum: 255
Table 8 FirewallAssociation

Parameter

Type

Description

virsubnet_id

String

  • IDs of subnets that are associated with a network ACL.
Table 9 FirewallRuleDetail

Parameter

Type

Description

id

String

  • Network ACL rule ID, which uniquely identifies a network ACL rule.

  • The value is a string in UUID format.

name

String

  • Network ACL rule name.

  • The value can contain no more than 64 characters, including letters, digits, underscores (_), hyphens (-), and periods (.).

description

String

  • Description about the network ACL rule.

  • The value can contain no more than 255 characters.

  • The value cannot contain angle brackets (< or >).

action

String

  • Whether a network ACL rule allows or denies traffic.

  • allow indicates traffic is allowed and deny that traffic is denied.

project_id

String

  • ID of the project that is associated with a network ACL rule.

protocol

String

  • Network ACL rule protocol.

  • The value can be tcp, udp, icmp, icmpv6, or an IP protocol number (0–255).

ip_version

Integer

  • IP version of a network ACL rule.

  • The value can be 4 (IPv4) or 6 (IPv6).

source_ip_address

String

  • Source IP address or CIDR block of a network ACL rule.

  • source_ip_address and source_address_group_id cannot be specified at the same time.

destination_ip_address

String

  • Destination IP address or CIDR block of a network ACL rule.

  • destination_ip_address and destination_address_group_id cannot be specified at the same time.

source_port

String

  • Source ports of a network ACL rule.

  • You can specify a single port or a port range. Separate every two entries with a comma.

  • The maximum number of port entries is 20 by default.

destination_port

String

  • Destination ports of a network ACL rule.

  • You can specify a single port or a port range. Separate every two entries with a comma.

  • The maximum number of port entries is 20 by default.

source_address_group_id

String

  • Source IP address group ID of a network ACL rule.

  • source_ip_address and source_address_group_id cannot be specified at the same time.

destination_address_group_id

String

  • Destination IP address group ID of a network ACL rule.

  • destination_ip_address and destination_address_group_id cannot be specified at the same time.

enabled

Boolean

  • Whether to enable a network ACL rule.

  • true means to enable the network ACL rule and false means to disable the network ACL rule.

  • The default value is true.

Example Requests

  • Insert an inbound rule below the rule whose ID is e9a7731d-5bd9-4250-a524-b9a076fd5630 to the network ACL whose ID is e9a7731d-5bd9-4250-a524-b9a076fd5629.

    PUT https://{Endpoint}/v3/{project_id}/vpc/firewalls/e9a7731d-5bd9-4250-a524-b9a076fd5629/insert-rules

{
  "firewall" : {
    "ingress_rules" : [ {
      "name" : "network_acl_rule test",
      "description" : "network_acl_rule test",
      "action" : "allow",
      "protocol" : "tcp",
      "ip_version" : "4",
      "source_ip_address" : "192.168.3.0/24",
      "destination_ip_address" : "192.168.6.0/24",
      "source_port" : "30-40,60-90",
      "destination_port" : "40-60,70-90",
      "source_address_group_id" : null,
      "destination_address_group_id" : null
    } ],
    "insert_after_rule" : "e9a7731d-5bd9-4250-a524-b9a076fd5630"
  }
}

  • Insert an outbound rule below the rule whose ID is e9a7731d-5bd9-4250-a524-b9a076fd5630 to the network ACL whose ID is e9a7731d-5bd9-4250-a524-b9a076fd5629.

    PUT https://{Endpoint}/v3/{project_id}/vpc/firewalls/e9a7731d-5bd9-4250-a524-b9a076fd5629/insert-rules

{
  "firewall" : {
    "egress_rules" : [ {
      "name" : "network_acl_rule test",
      "description" : "network_acl_rule test",
      "action" : "allow",
      "protocol" : "tcp",
      "ip_version" : "4",
      "source_ip_address" : "192.168.3.0/24",
      "destination_ip_address" : "192.168.6.0/24",
      "source_port" : "30-40,60-90",
      "destination_port" : "40-60,70-90",
      "source_address_group_id" : null,
      "destination_address_group_id" : null
    } ],
    "insert_after_rule" : "e9a7731d-5bd9-4250-a524-b9a076fd5630"
  }
}

Example Responses

Status code: 200

Normal response to the PUT operation. For more status codes, see Status Codes.

  • {
  "firewall" : {
    "id" : "e9a7731d-5bd9-4250-a524-b9a076fd5629",
    "name" : "network_acl_test1",
    "description" : "network_acl_test1",
    "project_id" : "9476ea5a8a9849c38358e43c0c3a9e12",
    "created_at" : "2022-04-07T07:30:46.000+00:00",
    "updated_at" : "2022-04-07T07:30:46.000+00:00",
    "admin_state_up" : true,
    "enterprise_project_id" : "158ad39a-dab7-45a3-9b5a-2836b3cf93f9",
    "status" : "ACTIVE",
    "tags" : [ ],
    "ingress_rules" : [ {
      "id" : "e9a7731d-5bd9-4250-a524-b9a076fd5629",
      "name" : "network_acl_rule test",
      "description" : "network_acl_rule test",
      "action" : "allow",
      "project_id" : "9476ea5a8a9849c38358e43c0c3a9e12",
      "protocol" : "tcp",
      "ip_version" : 4,
      "source_ip_address" : "192.168.3.0/24",
      "destination_ip_address" : "192.168.6.0/24",
      "source_port" : "30-40,60-90",
      "destination_port" : "40-60,70-90"
    } ],
    "egress_rules" : [ {
      "id" : "f9a7731d-5bd9-4250-a524-b9a076fd5629",
      "name" : "network_acl_rule test",
      "description" : "network_acl_rule test",
      "action" : "allow",
      "project_id" : "9476ea5a8a9849c38358e43c0c3a9e12",
      "protocol" : "tcp",
      "ip_version" : 4,
      "source_ip_address" : "192.168.3.0/24",
      "destination_ip_address" : "192.168.6.0/24",
      "source_port" : "30-40,60-90",
      "destination_port" : "40-60,70-90"
    } ],
    "associations" : [ {
      "virsubnet_id" : "8359e5b0-353f-4ef3-a071-98e67a34a143"
    } ]
  }
}

Status Codes

Status Code

Description

200

Normal response to the PUT operation. For more status codes, see Status Codes.

Error Codes

See Error Codes.

Parent topic: Network ACL