Updated on 2025-08-19 GMT+08:00

Associating a Subnet with a Network ACL

Function

This API is used to associate a subnet with a network ACL.

Calling Method

For details, see Calling APIs.

URI

PUT /v3/{project_id}/vpc/firewalls/{firewall_id}/associate-subnets

Table 1 Path Parameters

| Parameter | Mandatory | Type | Description |
| --- | --- | --- | --- |
| firewall_id | Yes | String | Unique ID of a network ACL. |
| project_id | Yes | String | Project ID. For details about how to obtain a project ID, see Obtaining a Project ID. |

Request Parameters

Table 2 Request body parameters

| Parameter | Mandatory | Type | Description |
| --- | --- | --- | --- |
| subnets | Yes | Array of FirewallAssociation objects | Subnets associated with a network ACL. |

Table 3 FirewallAssociation

| Parameter | Mandatory | Type | Description |
| --- | --- | --- | --- |
| virsubnet_id | Yes | String | IDs of subnets that are associated with a network ACL. |

Response Parameters

Status code: 200

Table 4 Response body parameters

| Parameter | Type | Description |
| --- | --- | --- |
| firewall | FirewallDetail object | Response body for associating a subnet with a network ACL. |
| request_id | String | Request ID. |

Table 5 FirewallDetail

| Parameter | Type | Description |
| --- | --- | --- |
| id | String | The unique ID of a network ACL. The value is a string in UUID format. |
| name | String | Network ACL name. The value can contain no more than 64 characters, including letters, digits, underscores (_), hyphens (-), and periods (.). |
| description | String | Description about the network ACL. The value can contain no more than 255 characters. The value cannot contain angle brackets (< or >). |
| project_id | String | ID of the project that is associated with the network ACL. |
| created_at | String | Time when the network ACL was created. The value is a UTC time in the format of yyyy-MM-ddTHH:mm:ss, which is automatically generated by the system. |
| updated_at | String | Time when the network ACL was last updated. The value is a UTC time in the format of yyyy-MM-ddTHH:mm:ss, which is automatically generated by the system. |
| admin_state_up | Boolean | Whether a network ACL is enabled. The value can be true (enabled) or false (disabled). |
| status | String | Network ACL status. |
| enterprise_project_id | String | ID of the enterprise project that is associated with the network ACL. The project ID can be 0 or a string that contains a maximum of 36 characters in UUID format with hyphens (-). 0 indicates the default enterprise project. |
| tags | Array of ResourceTag objects | Network ACL tags. |
| associations | Array of FirewallAssociation objects | Subnets that are associated with a network ACL. |
| ingress_rules | Array of FirewallRuleDetail objects | Inbound network ACL rules. |
| egress_rules | Array of FirewallRuleDetail objects | Outbound network ACL rules. |

Table 6 ResourceTag

| Parameter | Type | Description |
| --- | --- | --- |
| key | String | Tag key. Tag keys must be unique for each resource. The value can contain 1 to 128 characters. Minimum: 1. Maximum: 128. |
| value | String | Tag value. The value can contain no more than 255 characters. Maximum: 255. |

Table 7 FirewallAssociation

| Parameter | Type | Description |
| --- | --- | --- |
| virsubnet_id | String | IDs of subnets that are associated with a network ACL. |

Table 8 FirewallRuleDetail

| Parameter | Type | Description |
| --- | --- | --- |
| id | String | Network ACL rule ID, which uniquely identifies a network ACL rule. The value is a string in UUID format. |
| name | String | Network ACL rule name. The value can contain no more than 64 characters, including letters, digits, underscores (_), hyphens (-), and periods (.). |
| description | String | Description about the network ACL rule. The value can contain no more than 255 characters. The value cannot contain angle brackets (< or >). |
| action | String | Whether a network ACL rule allows or denies traffic. allow indicates that traffic is allowed and deny indicates that traffic is denied. |
| project_id | String | ID of the project that is associated with a network ACL rule. |
| protocol | String | Network ACL rule protocol. The value can be tcp, udp, icmp, icmpv6, or an IP protocol number (0–255). |
| ip_version | Integer | IP version of a network ACL rule. The value can be 4 (IPv4) or 6 (IPv6). |
| source_ip_address | String | Source IP address or CIDR block of a network ACL rule. source_ip_address and source_address_group_id cannot be specified at the same time. |
| destination_ip_address | String | Destination IP address or CIDR block of a network ACL rule. destination_ip_address and destination_address_group_id cannot be specified at the same time. |
| source_port | String | Source ports of a network ACL rule. You can specify a single port or a port range. Separate every two entries with a comma. The maximum number of port entries is 20 by default. |
| destination_port | String | Destination ports of a network ACL rule. You can specify a single port or a port range. Separate every two entries with a comma. The maximum number of port entries is 20 by default. |
| source_address_group_id | String | Source IP address group ID of a network ACL rule. source_ip_address and source_address_group_id cannot be specified at the same time. |
| destination_address_group_id | String | Destination IP address group ID of a network ACL rule. destination_ip_address and destination_address_group_id cannot be specified at the same time. |
| enabled | Boolean | Whether to enable a network ACL rule. true means to enable the network ACL rule and false means to disable the network ACL rule. The default value is true. |

Example Requests

Associate the subnet whose ID is 8359e5b0-353f-4ef3-a071-98e67a34a143 with the network ACL whose ID is e9a7731d-5bd9-4250-a524-b9a076fd5629.

PUT https://{Endpoint}/v3/{project_id}/vpc/firewalls/e9a7731d-5bd9-4250-a524-b9a076fd5629/associate-subnets

{
  "subnets" : [ {
    "virsubnet_id" : "8359e5b0-353f-4ef3-a071-98e67a34a143"
  } ]
}

Example Responses

Status code: 200

Normal response to the PUT operation. For more status codes, see Status Codes.

{
  "firewall" : {
    "id" : "e9a7731d-5bd9-4250-a524-b9a076fd5629",
    "name" : "network_acl_test1",
    "description" : "network_acl_test1",
    "project_id" : "9476ea5a8a9849c38358e43c0c3a9e12",
    "created_at" : "2022-04-07T07:30:46.000+00:00",
    "updated_at" : "2022-04-07T07:30:46.000+00:00",
    "admin_state_up" : true,
    "enterprise_project_id" : "158ad39a-dab7-45a3-9b5a-2836b3cf93f9",
    "status" : "ACTIVE",
    "tags" : [ ],
    "ingress_rules" : [ {
      "id" : "e9a7731d-5bd9-4250-a524-b9a076fd5629",
      "name" : "network_acl_rule test",
      "description" : "network_acl_rule test",
      "action" : "allow",
      "project_id" : "9476ea5a8a9849c38358e43c0c3a9e12",
      "protocol" : "tcp",
      "ip_version" : 4,
      "source_ip_address" : "192.168.3.0/24",
      "destination_ip_address" : "192.168.6.0/24",
      "source_port" : "30-40,60-90",
      "destination_port" : "40-60,70-90"
    } ],
    "egress_rules" : [ {
      "id" : "e9a7731d-5bd9-4250-a524-b9a076fd5629",
      "name" : "network_acl_rule test",
      "description" : "network_acl_rule test",
      "action" : "allow",
      "project_id" : "9476ea5a8a9849c38358e43c0c3a9e12",
      "protocol" : "tcp",
      "ip_version" : 4,
      "source_ip_address" : "192.168.3.0/24",
      "destination_ip_address" : "192.168.6.0/24",
      "source_port" : "30-40,60-90",
      "destination_port" : "40-60,70-90"
    } ],
    "associations" : [ {
      "virsubnet_id" : "8359e5b0-353f-4ef3-a071-98e67a34a143"
    } ]
  }
}
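The request and response described on this page, as an added Python example that is not part of the vendor's SDK samples: it builds the call with canonicalised IDs, then checks the returned FirewallDetail to confirm that the subnet is listed in associations, that the ACL is enabled, and which rules are in effect. The function names, the alphanumeric project-ID check and the UUID check on subnet IDs are assumptions of this example; the sample response is the page's example, abridged.

```python
import uuid

# Constructed sample: the page's example 200 response, abridged to the fields checked here.
SAMPLE_RESPONSE = {
    "firewall": {
        "id": "e9a7731d-5bd9-4250-a524-b9a076fd5629",
        "admin_state_up": True,
        "status": "ACTIVE",
        "ingress_rules": [{"action": "allow", "protocol": "tcp",
                           "source_ip_address": "192.168.3.0/24",
                           "destination_port": "40-60,70-90"}],
        "egress_rules": [],
        "associations": [{"virsubnet_id": "8359e5b0-353f-4ef3-a071-98e67a34a143"}],
    }
}


def build_associate_request(project_id, firewall_id, subnet_ids):
    """Return (method, path, body); IDs are canonicalised so nothing else reaches the URI."""
    # Assumptions: project IDs are alphanumeric, subnet IDs are UUIDs, empty list is an error.
    if not project_id.isalnum() or not subnet_ids:
        raise ValueError("project_id must be alphanumeric and subnets is mandatory")
    firewall_id = str(uuid.UUID(firewall_id))  # ValueError on anything that is not a UUID
    subnets = [{"virsubnet_id": str(uuid.UUID(s))} for s in subnet_ids]
    path = f"/v3/{project_id}/vpc/firewalls/{firewall_id}/associate-subnets"
    return "PUT", path, {"subnets": subnets}


def check_association(response, subnet_ids):
    """Return a list of findings for the FirewallDetail in a 200 response."""
    fw = response["firewall"]
    associated = {a["virsubnet_id"] for a in fw.get("associations", [])}
    findings = [f"subnet {s} is not in associations" for s in subnet_ids
                if s not in associated]
    if not fw.get("admin_state_up", False):
        findings.append("network ACL is disabled (admin_state_up is false)")
    return findings


def enabled_rules(response, direction):
    """List (action, protocol, source, destination_port) for rules that are in effect."""
    rules = response["firewall"].get(direction, [])
    return [(r["action"], r["protocol"], r.get("source_ip_address"), r.get("destination_port"))
            for r in rules if r.get("enabled", True)]  # enabled defaults to true
```
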

SDK Sample Code

The SDK sample code is as follows.

Associate the subnet whose ID is 8359e5b0-353f-4ef3-a071-98e67a34a143 with the network ACL whose ID is e9a7731d-5bd9-4250-a524-b9a076fd5629.

package com.huaweicloud.sdk.test;

import com.huaweicloud.sdk.core.auth.ICredential;
import com.huaweicloud.sdk.core.auth.BasicCredentials;
import com.huaweicloud.sdk.core.exception.ConnectionException;
import com.huaweicloud.sdk.core.exception.RequestTimeoutException;
import com.huaweicloud.sdk.core.exception.ServiceResponseException;
import com.huaweicloud.sdk.vpc.v3.region.VpcRegion;
import com.huaweicloud.sdk.vpc.v3.*;
import com.huaweicloud.sdk.vpc.v3.model.*;

import java.util.List;
import java.util.ArrayList;

public class AssociateSubnetFirewallSolution {

    public static void main(String[] args) {
        // Hard-coding the AK and SK used for authentication, or storing them in plaintext, poses great security risks.
        // Store the AK and SK in ciphertext in configuration files or environment variables and decrypt them when they are used.
        // In this example, the AK and SK are read from environment variables. Before running it, set the environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment.
        String ak = System.getenv("CLOUD_SDK_AK");
        String sk = System.getenv("CLOUD_SDK_SK");
        String projectId = "{project_id}";

        ICredential auth = new BasicCredentials()
                .withProjectId(projectId)
                .withAk(ak)
                .withSk(sk);

        VpcClient client = VpcClient.newBuilder()
                .withCredential(auth)
                .withRegion(VpcRegion.valueOf("<YOUR REGION>"))
                .build();
        AssociateSubnetFirewallRequest request = new AssociateSubnetFirewallRequest();
        request.withFirewallId("{firewall_id}");
        AssociateSubnetFirewallRequestBody body = new AssociateSubnetFirewallRequestBody();
        List<FirewallAssociation> listbodySubnets = new ArrayList<>();
        listbodySubnets.add(
            new FirewallAssociation()
                .withVirsubnetId("8359e5b0-353f-4ef3-a071-98e67a34a143")
        );
        body.withSubnets(listbodySubnets);
        request.withBody(body);
        try {
            AssociateSubnetFirewallResponse response = client.associateSubnetFirewall(request);
            System.out.println(response.toString());
        } catch (ConnectionException e) {
            e.printStackTrace();
        } catch (RequestTimeoutException e) {
            e.printStackTrace();
        } catch (ServiceResponseException e) {
            e.printStackTrace();
            System.out.println(e.getHttpStatusCode());
            System.out.println(e.getRequestId());
            System.out.println(e.getErrorCode());
            System.out.println(e.getErrorMsg());
        }
    }
}

Associate the subnet whose ID is 8359e5b0-353f-4ef3-a071-98e67a34a143 with the network ACL whose ID is e9a7731d-5bd9-4250-a524-b9a076fd5629.

# coding: utf-8

import os
from huaweicloudsdkcore.auth.credentials import BasicCredentials
from huaweicloudsdkvpc.v3.region.vpc_region import VpcRegion
from huaweicloudsdkcore.exceptions import exceptions
from huaweicloudsdkvpc.v3 import *

if __name__ == "__main__":
    # Hard-coding the AK and SK used for authentication, or storing them in plaintext, poses great security risks.
    # Store the AK and SK in ciphertext in configuration files or environment variables and decrypt them when they are used.
    # In this example, the AK and SK are read from environment variables. Before running it, set the environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment.
    ak = os.environ["CLOUD_SDK_AK"]
    sk = os.environ["CLOUD_SDK_SK"]
    projectId = "{project_id}"

    credentials = BasicCredentials(ak, sk, projectId)

    client = VpcClient.new_builder() \
        .with_credentials(credentials) \
        .with_region(VpcRegion.value_of("<YOUR REGION>")) \
        .build()

    try:
        request = AssociateSubnetFirewallRequest()
        request.firewall_id = "{firewall_id}"
        listSubnetsbody = [
            FirewallAssociation(
                virsubnet_id="8359e5b0-353f-4ef3-a071-98e67a34a143"
            )
        ]
        request.body = AssociateSubnetFirewallRequestBody(
            subnets=listSubnetsbody
        )
        response = client.associate_subnet_firewall(request)
        print(response)
    except exceptions.ClientRequestException as e:
        print(e.status_code)
        print(e.request_id)
        print(e.error_code)
        print(e.error_msg)

Associate the subnet whose ID is 8359e5b0-353f-4ef3-a071-98e67a34a143 with the network ACL whose ID is e9a7731d-5bd9-4250-a524-b9a076fd5629.

package main

import (
	"fmt"
	"os"

	"github.com/huaweicloud/huaweicloud-sdk-go-v3/core/auth/basic"
	vpc "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/vpc/v3"
	"github.com/huaweicloud/huaweicloud-sdk-go-v3/services/vpc/v3/model"
	region "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/vpc/v3/region"
)

func main() {
	// Hard-coding the AK and SK used for authentication, or storing them in plaintext, poses great security risks.
	// Store the AK and SK in ciphertext in configuration files or environment variables and decrypt them when they are used.
	// In this example, the AK and SK are read from environment variables. Before running it, set the environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment.
	ak := os.Getenv("CLOUD_SDK_AK")
	sk := os.Getenv("CLOUD_SDK_SK")
	projectId := "{project_id}"

	auth := basic.NewCredentialsBuilder().
		WithAk(ak).
		WithSk(sk).
		WithProjectId(projectId).
		Build()

	client := vpc.NewVpcClient(
		vpc.VpcClientBuilder().
			WithRegion(region.ValueOf("<YOUR REGION>")).
			WithCredential(auth).
			Build())

	// Build the request: the network ACL goes in the path, the subnets in the body.
	request := &model.AssociateSubnetFirewallRequest{}
	request.FirewallId = "{firewall_id}"
	var listSubnetsbody = []model.FirewallAssociation{
		{
			VirsubnetId: "8359e5b0-353f-4ef3-a071-98e67a34a143",
		},
	}
	request.Body = &model.AssociateSubnetFirewallRequestBody{
		Subnets: listSubnetsbody,
	}
	response, err := client.AssociateSubnetFirewall(request)
	if err == nil {
		fmt.Printf("%+v\n", response)
	} else {
		fmt.Println(err)
	}
}

For SDK sample code of more programming languages, see the Sample Code tab in API Explorer. SDK sample code can be automatically generated.

Status Codes

| Status Code | Description |
| --- | --- |
| 200 | Normal response to the PUT operation. For more status codes, see Status Codes. |

Error Codes

See Error Codes.