Updating a Network ACL Rule

Function

This API is used to update a network ACL rule.

Calling Method

For details, see Calling APIs.

URI

PUT /v3/{project_id}/vpc/firewalls/{firewall_id}/update-rules

**Table 1** Path Parameters
Parameter	Mandatory	Type	Description
firewall_id	Yes	String	Unique ID of a network ACL.
project_id	Yes	String	Project ID. For details about how to obtain a project ID, see Obtaining a Project ID.

Request Parameters

**Table 2** Request body parameters
Parameter	Mandatory	Type	Description
firewall	Yes	FirewallUpdateRuleOption object	Inbound or outbound network ACL rules to be updated.

**Table 3** FirewallUpdateRuleOption
Parameter	Mandatory	Type	Description
ingress_rules	No	Array of FirewallUpdateRuleItemOption objects	Inbound network ACL rules to be updated. ingress_rules and egress_rules cannot be specified at the same time. Only one rule can be updated at a time.
egress_rules	No	Array of FirewallUpdateRuleItemOption objects	Outbound network ACL rules to be updated. ingress_rules and egress_rules cannot be specified at the same time. Only one rule can be updated at a time.

**Table 4** FirewallUpdateRuleItemOption
Parameter	Mandatory	Type	Description
id	Yes	String	Network ACL rule ID, which uniquely identifies a network ACL rule. The value is a string in UUID format.
name	No	String	Network ACL rule name. The value can contain no more than 64 characters, including letters, digits, underscores (_), hyphens (-), and periods (.).
description	No	String	Description about the network ACL rule. The value can contain no more than 255 characters. The value cannot contain angle brackets (< or >).
action	No	String	Whether a network ACL rule allows or denies traffic. allow indicates traffic is allowed and deny indicates that traffic is denied.
protocol	No	String	Network ACL rule protocol. The value can be tcp, udp, icmp, icmpv6, or an IP protocol number (0–255). any indicates all protocols.
ip_version	No	Integer	IP version of a network ACL rule. The value can be 4 (IPv4) or 6 (IPv6).
source_ip_address	No	String	Source IP address or CIDR block of a network ACL rule. source_ip_address and source_address_group_id cannot be specified at the same time.
destination_ip_address	No	String	Destination IP address or CIDR block of a network ACL rule. destination_ip_address and destination_address_group_id cannot be specified at the same time.
source_port	No	String	Source ports of a network ACL rule. You can specify a single port or a port range. Separate every two entries with a comma. The maximum number of port entries is 20 by default.
destination_port	No	String	Destination ports of a network ACL rule. You can specify a single port or a port range. Separate every two entries with a comma. The maximum number of port entries is 20 by default.
source_address_group_id	No	String	Source IP address group ID of a network ACL rule. source_ip_address and source_address_group_id cannot be specified at the same time.
destination_address_group_id	No	String	Destination IP address group ID of a network ACL rule. destination_ip_address and destination_address_group_id cannot be specified at the same time.
enabled	No	Boolean	Whether to enable a network ACL rule. true means to enable the network ACL rule and false means to disable the network ACL rule. The default value is true.

Response Parameters

Status code: 200

**Table 5** Response body parameters
Parameter	Type	Description
firewall	FirewallDetail object	Details after a network ACL rule is updated.
request_id	String	Request ID.

**Table 6** FirewallDetail
Parameter	Type	Description
id	String	The unique ID of a network ACL. The value is a string in UUID format.
name	String	Network ACL name. The value can contain no more than 64 characters, including letters, digits, underscores (_), hyphens (-), and periods (.).
description	String	Description about the network ACL. The value can contain no more than 255 characters. The value cannot contain angle brackets (< or >).
project_id	String	ID of the project that is associated with the network ACL.
created_at	String	Time when the network ACL was created. The value is a UTC time in the format of yyyy-MM-ddTHH:mm:ss, which is automatically generated by the system.
updated_at	String	Time when the network ACL was last updated. The value is a UTC time in the format of yyyy-MM-ddTHH:mm:ss, which is automatically generated by the system.
admin_state_up	Boolean	Whether a network ACL is enabled. The value can be true (enabled) or false (disabled).
status	String	Network ACL status.
enterprise_project_id	String	ID of the enterprise project that is associated with the network ACL. The project ID can be 0 or a string that contains a maximum of 36 characters in UUID format with hyphens (-). 0 indicates the default enterprise project.
tags	Array of ResourceTag objects	Network ACL tags.
associations	Array of FirewallAssociation objects	Subnets that are associated with a network ACL.
ingress_rules	Array of FirewallRuleDetail objects	Inbound network ACL rules.
egress_rules	Array of FirewallRuleDetail objects	Outbound network ACL rules.

**Table 7** ResourceTag
Parameter	Type	Description
key	String	Tag key Tag keys must be unique for each resource. The value can contain 1 to 128 characters. Minimum: 1 Maximum: 128
value	String	Tag value. The value can contain no more than 255 characters Maximum: 255

**Table 8** FirewallAssociation
Parameter	Type	Description
virsubnet_id	String	IDs of subnets that are associated with a network ACL.

**Table 9** FirewallRuleDetail
Parameter	Type	Description
id	String	Network ACL rule ID, which uniquely identifies a network ACL rule. The value is a string in UUID format.
name	String	Network ACL rule name. The value can contain no more than 64 characters, including letters, digits, underscores (_), hyphens (-), and periods (.).
description	String	Description about the network ACL rule. The value can contain no more than 255 characters. The value cannot contain angle brackets (< or >).
action	String	Whether a network ACL rule allows or denies traffic. allow indicates traffic is allowed and deny indicates that traffic is denied.
project_id	String	ID of the project that is associated with a network ACL rule.
protocol	String	Network ACL rule protocol. The value can be tcp, udp, icmp, icmpv6, or an IP protocol number (0–255).
ip_version	Integer	IP version of a network ACL rule. The value can be 4 (IPv4) or 6 (IPv6).
source_ip_address	String	Source IP address or CIDR block of a network ACL rule. source_ip_address and source_address_group_id cannot be specified at the same time.
destination_ip_address	String	Destination IP address or CIDR block of a network ACL rule. destination_ip_address and destination_address_group_id cannot be specified at the same time.
source_port	String	Source ports of a network ACL rule. You can specify a single port or a port range. Separate every two entries with a comma. The maximum number of port entries is 20 by default.
destination_port	String	Destination ports of a network ACL rule. You can specify a single port or a port range. Separate every two entries with a comma. The maximum number of port entries is 20 by default.
source_address_group_id	String	Source IP address group ID of a network ACL rule. source_ip_address and source_address_group_id cannot be specified at the same time.
destination_address_group_id	String	Destination IP address group ID of a network ACL rule. destination_ip_address and destination_address_group_id cannot be specified at the same time.
enabled	Boolean	Whether to enable a network ACL rule. true means to enable the network ACL rule and false means to disable the network ACL rule. The default value is true.

Example Requests

Update the inbound rule whose ID is e9a7731d-5bd9-4250-a524-b9a076fd5629 in the network ACL whose ID is e9a7731d-5bd9-4250-a524-b9a076fd5629.

PUT https://{Endpoint}/v3/{project_id}/vpc/firewalls/e9a7731d-5bd9-4250-a524-b9a076fd5629/update-rules

{
  "firewall" : {
    "ingress_rules" : [ {
      "id" : "e9a7731d-5bd9-4250-a524-b9a076fd5629",
      "name" : "network_acl_rule test2",
      "description" : "network_acl_rule test2",
      "action" : "allow",
      "protocol" : "tcp",
      "ip_version" : "4",
      "source_ip_address" : "192.168.3.0/24",
      "destination_ip_address" : "192.168.6.0/24",
      "source_port" : "30-40,60-90",
      "destination_port" : "40-60,70-90",
      "source_address_group_id" : null,
      "destination_address_group_id" : null
    } ]
  }
}

Example Responses

Status code: 200

Normal response to the PUT operation. For more status codes, see Status Codes.

{
  "firewall" : {
    "id" : "e9a7731d-5bd9-4250-a524-b9a076fd5629",
    "name" : "network_acl_test1",
    "description" : "network_acl_test1",
    "project_id" : "9476ea5a8a9849c38358e43c0c3a9e12",
    "created_at" : "2022-04-07T07:30:46.000+00:00",
    "updated_at" : "2022-04-07T07:30:46.000+00:00",
    "admin_state_up" : true,
    "enterprise_project_id" : "158ad39a-dab7-45a3-9b5a-2836b3cf93f9",
    "status" : "ACTIVE",
    "tags" : [ ],
    "ingress_rules" : [ {
      "id" : "e9a7731d-5bd9-4250-a524-b9a076fd5629",
      "name" : "network_acl_rule test2",
      "description" : "network_acl_rule test2",
      "action" : "allow",
      "project_id" : "9476ea5a8a9849c38358e43c0c3a9e12",
      "protocol" : "tcp",
      "ip_version" : 4,
      "source_ip_address" : "192.168.3.0/24",
      "destination_ip_address" : "192.168.6.0/24",
      "source_port" : "30-40,60-90",
      "destination_port" : "40-60,70-90"
    } ],
    "egress_rules" : [ {
      "id" : "f9a7731d-5bd9-4250-a524-b9a076fd5629",
      "name" : "network_acl_rule test",
      "description" : "network_acl_rule test",
      "action" : "allow",
      "project_id" : "9476ea5a8a9849c38358e43c0c3a9e12",
      "protocol" : "tcp",
      "ip_version" : 4,
      "source_ip_address" : "192.168.3.0/24",
      "destination_ip_address" : "192.168.6.0/24",
      "source_port" : "30-40,60-90",
      "destination_port" : "40-60,70-90"
    } ],
    "associations" : [ {
      "virsubnet_id" : "8359e5b0-353f-4ef3-a071-98e67a34a143"
    } ]
  }
}

SDK Sample Code

The SDK sample code is as follows.

Update the inbound rule whose ID is e9a7731d-5bd9-4250-a524-b9a076fd5629 in the network ACL whose ID is e9a7731d-5bd9-4250-a524-b9a076fd5629.

      
       
         
         
           package com.huaweicloud.sdk.test;

import com.huaweicloud.sdk.core.auth.ICredential;
import com.huaweicloud.sdk.core.auth.BasicCredentials;
import com.huaweicloud.sdk.core.exception.ConnectionException;
import com.huaweicloud.sdk.core.exception.RequestTimeoutException;
import com.huaweicloud.sdk.core.exception.ServiceResponseException;
import com.huaweicloud.sdk.vpc.v3.region.VpcRegion;
import com.huaweicloud.sdk.vpc.v3.*;
import com.huaweicloud.sdk.vpc.v3.model.*;

import java.util.List;
import java.util.ArrayList;

public class UpdateFirewallRulesSolution {

    public static void main(String[] args) {
        // The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security.
        // In this example, AK and SK are stored in environment variables for authentication. Before running this example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment
        String ak = System.getenv("CLOUD_SDK_AK");
        String sk = System.getenv("CLOUD_SDK_SK");
        String projectId = "{project_id}";

        ICredential auth = new BasicCredentials()
                .withProjectId(projectId)
                .withAk(ak)
                .withSk(sk);

        VpcClient client = VpcClient.newBuilder()
                .withCredential(auth)
                .withRegion(VpcRegion.valueOf("<YOUR REGION>"))
                .build();
        UpdateFirewallRulesRequest request = new UpdateFirewallRulesRequest();
        request.withFirewallId("{firewall_id}");
        UpdateFirewallRulesRequestBody body = new UpdateFirewallRulesRequestBody();
        List<FirewallUpdateRuleItemOption> listFirewallIngressRules = new ArrayList<>();
        listFirewallIngressRules.add(
            new FirewallUpdateRuleItemOption()
                .withId("e9a7731d-5bd9-4250-a524-b9a076fd5629")
                .withName("network_acl_rule test2")
                .withDescription("network_acl_rule test2")
                .withAction("allow")
                .withProtocol("tcp")
                .withIpVersion(4)
                .withSourceIpAddress("192.168.3.0/24")
                .withDestinationIpAddress("192.168.6.0/24")
                .withSourcePort("30-40,60-90")
                .withDestinationPort("40-60,70-90")
        );
        FirewallUpdateRuleOption firewallbody = new FirewallUpdateRuleOption();
        firewallbody.withIngressRules(listFirewallIngressRules);
        body.withFirewall(firewallbody);
        request.withBody(body);
        try {
            UpdateFirewallRulesResponse response = client.updateFirewallRules(request);
            System.out.println(response.toString());
        } catch (ConnectionException e) {
            e.printStackTrace();
        } catch (RequestTimeoutException e) {
            e.printStackTrace();
        } catch (ServiceResponseException e) {
            e.printStackTrace();
            System.out.println(e.getHttpStatusCode());
            System.out.println(e.getRequestId());
            System.out.println(e.getErrorCode());
            System.out.println(e.getErrorMsg());
        }
    }
}

          

        

      
     

Update the inbound rule whose ID is e9a7731d-5bd9-4250-a524-b9a076fd5629 in the network ACL whose ID is e9a7731d-5bd9-4250-a524-b9a076fd5629.

      
       
         
         
           # coding: utf-8

import os
from huaweicloudsdkcore.auth.credentials import BasicCredentials
from huaweicloudsdkvpc.v3.region.vpc_region import VpcRegion
from huaweicloudsdkcore.exceptions import exceptions
from huaweicloudsdkvpc.v3 import *

if __name__ == "__main__":
    # The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security.
    # In this example, AK and SK are stored in environment variables for authentication. Before running this example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment
    ak = os.environ["CLOUD_SDK_AK"]
    sk = os.environ["CLOUD_SDK_SK"]
    projectId = "{project_id}"

    credentials = BasicCredentials(ak, sk, projectId)

    client = VpcClient.new_builder() \
        .with_credentials(credentials) \
        .with_region(VpcRegion.value_of("<YOUR REGION>")) \
        .build()

    try:
        request = UpdateFirewallRulesRequest()
        request.firewall_id = "{firewall_id}"
        listIngressRulesFirewall = [
            FirewallUpdateRuleItemOption(
                id="e9a7731d-5bd9-4250-a524-b9a076fd5629",
                name="network_acl_rule test2",
                description="network_acl_rule test2",
                action="allow",
                protocol="tcp",
                ip_version=4,
                source_ip_address="192.168.3.0/24",
                destination_ip_address="192.168.6.0/24",
                source_port="30-40,60-90",
                destination_port="40-60,70-90"
            )
        ]
        firewallbody = FirewallUpdateRuleOption(
            ingress_rules=listIngressRulesFirewall
        )
        request.body = UpdateFirewallRulesRequestBody(
            firewall=firewallbody
        )
        response = client.update_firewall_rules(request)
        print(response)
    except exceptions.ClientRequestException as e:
        print(e.status_code)
        print(e.request_id)
        print(e.error_code)
        print(e.error_msg)

          

        

      
     

Update the inbound rule whose ID is e9a7731d-5bd9-4250-a524-b9a076fd5629 in the network ACL whose ID is e9a7731d-5bd9-4250-a524-b9a076fd5629.

      
       
         
         
           package main

import (
	"fmt"
	"github.com/huaweicloud/huaweicloud-sdk-go-v3/core/auth/basic"
    vpc "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/vpc/v3"
	"github.com/huaweicloud/huaweicloud-sdk-go-v3/services/vpc/v3/model"
    region "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/vpc/v3/region"
)

func main() {
    // The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security.
    // In this example, AK and SK are stored in environment variables for authentication. Before running this example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment
    ak := os.Getenv("CLOUD_SDK_AK")
    sk := os.Getenv("CLOUD_SDK_SK")
    projectId := "{project_id}"

    auth := basic.NewCredentialsBuilder().
        WithAk(ak).
        WithSk(sk).
        WithProjectId(projectId).
        Build()

    client := vpc.NewVpcClient(
        vpc.VpcClientBuilder().
            WithRegion(region.ValueOf("<YOUR REGION>")).
            WithCredential(auth).
            Build())

    request := &model.UpdateFirewallRulesRequest{}
	request.FirewallId = "{firewall_id}"
	nameIngressRules:= "network_acl_rule test2"
	descriptionIngressRules:= "network_acl_rule test2"
	actionIngressRules:= "allow"
	protocolIngressRules:= "tcp"
	ipVersionIngressRules:= int32(4)
	sourceIpAddressIngressRules:= "192.168.3.0/24"
	destinationIpAddressIngressRules:= "192.168.6.0/24"
	sourcePortIngressRules:= "30-40,60-90"
	destinationPortIngressRules:= "40-60,70-90"
	var listIngressRulesFirewall = []model.FirewallUpdateRuleItemOption{
        {
            Id: "e9a7731d-5bd9-4250-a524-b9a076fd5629",
            Name: &nameIngressRules,
            Description: &descriptionIngressRules,
            Action: &actionIngressRules,
            Protocol: &protocolIngressRules,
            IpVersion: &ipVersionIngressRules,
            SourceIpAddress: &sourceIpAddressIngressRules,
            DestinationIpAddress: &destinationIpAddressIngressRules,
            SourcePort: &sourcePortIngressRules,
            DestinationPort: &destinationPortIngressRules,
        },
    }
	firewallbody := &model.FirewallUpdateRuleOption{
		IngressRules: &listIngressRulesFirewall,
	}
	request.Body = &model.UpdateFirewallRulesRequestBody{
		Firewall: firewallbody,
	}
	response, err := client.UpdateFirewallRules(request)
	if err == nil {
        fmt.Printf("%+v\n", response)
    } else {
        fmt.Println(err)
    }
}

          

        

      
     