Updated on 2025-08-19 GMT+08:00

Creating a Network ACL

Function

This API is used to create a network ACL.

Calling Method

For details, see Calling APIs.

URI

POST /v3/{project_id}/vpc/firewalls

Table 1 Path Parameters

| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| project_id | Yes | String | Project ID. For details about how to obtain a project ID, see Obtaining a Project ID. |

Request Parameters

Table 2 Request body parameters

| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| firewall | Yes | CreateFirewallOption object | Request body for creating a network ACL. |
| dry_run | No | Boolean | Whether to only send the check request. true: a check request is sent and the network ACL is not created. Check items include mandatory parameters, request format, and constraints. If the check fails, the system returns an error; if the check succeeds, response code 202 is returned. false (default value): the request is sent and the network ACL is created. |

Table 3 CreateFirewallOption

| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| name | Yes | String | Network ACL name. The value can contain no more than 64 characters, including letters, digits, underscores (_), hyphens (-), and periods (.). |
| description | No | String | Description about the network ACL. The value can contain no more than 255 characters and cannot contain angle brackets (< or >). |
| enterprise_project_id | No | String | ID of the enterprise project that is associated with the network ACL. The value can be 0 or a string that contains a maximum of 36 characters in UUID format with hyphens (-). 0 indicates the default enterprise project. |
| tags | No | Array of ResourceTag objects | Network ACL resource tags. |
| admin_state_up | No | Boolean | Whether the network ACL is enabled. The value can be true (enabled) or false (disabled). The default value is true. |

Table 4 ResourceTag

| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| key | Yes | String | Tag key. Tag keys must be unique for each resource. The value can contain 1 to 128 characters. Minimum: 1. Maximum: 128. |
| value | Yes | String | Tag value. The value can contain no more than 255 characters. Maximum: 255. |
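As an added example (not part of this page or the Huawei Cloud SDK), the following Python builds the request body for this API and applies the constraints of Tables 2 to 4 locally before anything is sent, so that malformed input is caught without a round trip; treating the listed name characters as the only allowed ones, and checking "UUID format" with the standard library's uuid parser, are assumptions of this example.

```python
import re
import uuid

# Client-side mirror of the constraints in Tables 2-4 for POST /v3/{project_id}/vpc/firewalls.
# Treating the listed name characters as the only allowed ones is an assumption of this example.
NAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")

def validate_enterprise_project_id(epid):
    """Accept "0" (default enterprise project) or a hyphenated UUID of at most 36 chars."""
    if epid == "0":
        return
    if len(epid) > 36 or epid.count("-") != 4:
        raise ValueError("enterprise_project_id must be 0 or a hyphenated UUID")
    uuid.UUID(epid)  # raises ValueError if the hex groups are malformed

def validate_tags(tags):
    """ResourceTag: key 1-128 chars and unique per resource, value at most 255 chars."""
    seen = set()
    for tag in tags:
        key, value = tag["key"], tag["value"]
        if not 1 <= len(key) <= 128:
            raise ValueError("tag key must contain 1 to 128 characters")
        if key in seen:
            raise ValueError(f"duplicate tag key: {key}")
        seen.add(key)
        if len(value) > 255:
            raise ValueError("tag value must contain no more than 255 characters")

def build_create_firewall_body(name, description=None, enterprise_project_id=None,
                               tags=None, admin_state_up=None, dry_run=False):
    """Return the JSON body. dry_run=True asks the API only to check the request
    (status 202, nothing created) instead of creating the ACL (status 201)."""
    if not NAME_RE.match(name):
        raise ValueError("name: 1 to 64 chars of letters, digits, _, - and .")
    firewall = {"name": name}
    if description is not None:
        if len(description) > 255 or "<" in description or ">" in description:
            raise ValueError("description: at most 255 chars and no angle brackets")
        firewall["description"] = description
    if enterprise_project_id is not None:
        validate_enterprise_project_id(enterprise_project_id)
        firewall["enterprise_project_id"] = enterprise_project_id
    if tags:
        validate_tags(tags)
        firewall["tags"] = tags
    if admin_state_up is not None:
        firewall["admin_state_up"] = admin_state_up
    return {"firewall": firewall, "dry_run": True} if dry_run else {"firewall": firewall}
```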

Response Parameters

Status code: 201

Table 5 Response body parameters

| Parameter | Type | Description |
|---|---|---|
| firewall | FirewallDetail object | Response body for creating a network ACL. |
| request_id | String | Request ID. |

Table 6 FirewallDetail

| Parameter | Type | Description |
|---|---|---|
| id | String | Unique ID of the network ACL. The value is a string in UUID format. |
| name | String | Network ACL name. The value can contain no more than 64 characters, including letters, digits, underscores (_), hyphens (-), and periods (.). |
| description | String | Description about the network ACL. The value can contain no more than 255 characters and cannot contain angle brackets (< or >). |
| project_id | String | ID of the project that is associated with the network ACL. |
| created_at | String | Time when the network ACL was created. The value is a UTC time in the format yyyy-MM-ddTHH:mm:ss, generated automatically by the system. |
| updated_at | String | Time when the network ACL was last updated. The value is a UTC time in the format yyyy-MM-ddTHH:mm:ss, generated automatically by the system. |
| admin_state_up | Boolean | Whether the network ACL is enabled. The value can be true (enabled) or false (disabled). |
| status | String | Network ACL status. |
| enterprise_project_id | String | ID of the enterprise project that is associated with the network ACL. The value can be 0 or a string that contains a maximum of 36 characters in UUID format with hyphens (-). 0 indicates the default enterprise project. |
| tags | Array of ResourceTag objects | Network ACL tags. |
| associations | Array of FirewallAssociation objects | Subnets that are associated with the network ACL. |
| ingress_rules | Array of FirewallRuleDetail objects | Inbound network ACL rules. |
| egress_rules | Array of FirewallRuleDetail objects | Outbound network ACL rules. |

Table 7 ResourceTag

| Parameter | Type | Description |
|---|---|---|
| key | String | Tag key. Tag keys must be unique for each resource. The value can contain 1 to 128 characters. Minimum: 1. Maximum: 128. |
| value | String | Tag value. The value can contain no more than 255 characters. Maximum: 255. |

Table 8 FirewallAssociation

| Parameter | Type | Description |
|---|---|---|
| virsubnet_id | String | IDs of subnets that are associated with a network ACL. |

Table 9 FirewallRuleDetail

| Parameter | Type | Description |
|---|---|---|
| id | String | Network ACL rule ID, which uniquely identifies a network ACL rule. The value is a string in UUID format. |
| name | String | Network ACL rule name. The value can contain no more than 64 characters, including letters, digits, underscores (_), hyphens (-), and periods (.). |
| description | String | Description about the network ACL rule. The value can contain no more than 255 characters and cannot contain angle brackets (< or >). |
| action | String | Whether the network ACL rule allows or denies traffic. allow indicates that traffic is allowed and deny indicates that traffic is denied. |
| project_id | String | ID of the project that is associated with the network ACL rule. |
| protocol | String | Network ACL rule protocol. The value can be tcp, udp, icmp, icmpv6, or an IP protocol number (0–255). |
| ip_version | Integer | IP version of the network ACL rule. The value can be 4 (IPv4) or 6 (IPv6). |
| source_ip_address | String | Source IP address or CIDR block of the network ACL rule. source_ip_address and source_address_group_id cannot be specified at the same time. |
| destination_ip_address | String | Destination IP address or CIDR block of the network ACL rule. destination_ip_address and destination_address_group_id cannot be specified at the same time. |
| source_port | String | Source ports of the network ACL rule. You can specify a single port or a port range. Separate every two entries with a comma. The maximum number of port entries is 20 by default. |
| destination_port | String | Destination ports of the network ACL rule. You can specify a single port or a port range. Separate every two entries with a comma. The maximum number of port entries is 20 by default. |
| source_address_group_id | String | Source IP address group ID of the network ACL rule. source_ip_address and source_address_group_id cannot be specified at the same time. |
| destination_address_group_id | String | Destination IP address group ID of the network ACL rule. destination_ip_address and destination_address_group_id cannot be specified at the same time. |
| enabled | Boolean | Whether the network ACL rule is enabled. true means the rule is enabled and false means it is disabled. The default value is true. |
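As an added example (not code from this page or the SDK), the following Python walks a FirewallDetail object of the shape described in Tables 6 to 9 and reports two things a reviewer of a returned ACL wants to know: enabled inbound allow rules whose source is an unrestricted /0 block, and rules that set both an address and an address group on the same side, which Table 9 says cannot be specified together. The FirewallDetail fragment, its rule ids, names and addresses are constructed for this example.

```python
import ipaddress

# Constructed FirewallDetail fragment in the shape of Table 6 / Table 9. The ids,
# names and addresses are made up for this example, not taken from the API.
SAMPLE_FIREWALL = {
    "id": "acl-id-placeholder",
    "name": "network_acl_test1",
    "admin_state_up": True,
    "associations": [{"virsubnet_id": "subnet-id-placeholder"}],
    "ingress_rules": [
        {"id": "rule-1", "name": "ssh-from-anywhere", "action": "allow", "protocol": "tcp",
         "ip_version": 4, "source_ip_address": "0.0.0.0/0", "destination_port": "22",
         "enabled": True},
        {"id": "rule-2", "name": "ssh-from-office", "action": "allow", "protocol": "tcp",
         "ip_version": 4, "source_ip_address": "203.0.113.0/24", "destination_port": "22",
         "enabled": True},
        {"id": "rule-3", "name": "v6-open-but-disabled", "action": "allow", "protocol": "udp",
         "ip_version": 6, "source_ip_address": "::/0", "destination_port": "53",
         "enabled": False},
        {"id": "rule-4", "name": "both-source-forms", "action": "deny", "protocol": "tcp",
         "ip_version": 4, "source_ip_address": "198.51.100.0/24",
         "source_address_group_id": "group-id-placeholder", "enabled": True},
    ],
    "egress_rules": [],
}

def source_is_any(rule):
    """True when source_ip_address is a /0 block (all IPv4 or all IPv6).
    A rule scoped by source_address_group_id cannot be resolved offline."""
    src = rule.get("source_ip_address")
    if not src:
        return False
    return ipaddress.ip_network(src, strict=False).prefixlen == 0

def audit_ingress(firewall):
    """Return (open_rule_names, exclusivity_violation_ids) for the inbound rules
    of one FirewallDetail object."""
    open_rules, violations = [], []
    for rule in firewall.get("ingress_rules", []):
        for side in ("source", "destination"):
            if rule.get(f"{side}_ip_address") and rule.get(f"{side}_address_group_id"):
                violations.append(rule["id"])  # Table 9: the two forms are mutually exclusive
        # 'enabled' defaults to true when omitted (Table 9).
        if rule.get("enabled", True) and rule.get("action") == "allow" and source_is_any(rule):
            open_rules.append(rule["name"])
    return open_rules, violations
```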

Example Requests

Create a network ACL named network_acl_test1.

POST https://{Endpoint}/v3/{project_id}/vpc/firewalls

{
  "firewall" : {
    "name" : "network_acl_test1",
    "description" : "network_acl_test1",
    "enterprise_project_id" : "158ad39a-dab7-45a3-9b5a-2836b3cf93f9"
  }
}

Example Responses

Status code: 201

Normal response to the POST operation. For more status codes, see Status Codes.

{
  "firewall" : {
    "id" : "e9a7731d-5bd9-4250-a524-b9a076fd5629",
    "name" : "network_acl_test1",
    "description" : "network_acl_test1",
    "project_id" : "9476ea5a8a9849c38358e43c0c3a9e12",
    "created_at" : "2022-04-07T07:30:46.000+00:00",
    "updated_at" : "2022-04-07T07:30:46.000+00:00",
    "admin_state_up" : true,
    "enterprise_project_id" : "158ad39a-dab7-45a3-9b5a-2836b3cf93f9",
    "status" : "ACTIVE",
    "tags" : [ ],
    "ingress_rules" : [ ],
    "egress_rules" : [ ],
    "associations" : [ ]
  }
}

SDK Sample Code

The SDK sample code is as follows.

Java SDK sample: create a network ACL named network_acl_test1.

package com.huaweicloud.sdk.test;

import com.huaweicloud.sdk.core.auth.ICredential;
import com.huaweicloud.sdk.core.auth.BasicCredentials;
import com.huaweicloud.sdk.core.exception.ConnectionException;
import com.huaweicloud.sdk.core.exception.RequestTimeoutException;
import com.huaweicloud.sdk.core.exception.ServiceResponseException;
import com.huaweicloud.sdk.vpc.v3.region.VpcRegion;
import com.huaweicloud.sdk.vpc.v3.*;
import com.huaweicloud.sdk.vpc.v3.model.*;


public class CreateFirewallSolution {

    public static void main(String[] args) {
        // The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security.
        // In this example, AK and SK are stored in environment variables for authentication. Before running this example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment
        String ak = System.getenv("CLOUD_SDK_AK");
        String sk = System.getenv("CLOUD_SDK_SK");
        String projectId = "{project_id}";

        ICredential auth = new BasicCredentials()
                .withProjectId(projectId)
                .withAk(ak)
                .withSk(sk);

        VpcClient client = VpcClient.newBuilder()
                .withCredential(auth)
                .withRegion(VpcRegion.valueOf("<YOUR REGION>"))
                .build();
        CreateFirewallRequest request = new CreateFirewallRequest();
        CreateFirewallRequestBody body = new CreateFirewallRequestBody();
        CreateFirewallOption firewallbody = new CreateFirewallOption();
        firewallbody.withName("network_acl_test1")
            .withDescription("network_acl_test1")
            .withEnterpriseProjectId("158ad39a-dab7-45a3-9b5a-2836b3cf93f9");
        body.withFirewall(firewallbody);
        request.withBody(body);
        try {
            CreateFirewallResponse response = client.createFirewall(request);
            System.out.println(response.toString());
        } catch (ConnectionException e) {
            e.printStackTrace();
        } catch (RequestTimeoutException e) {
            e.printStackTrace();
        } catch (ServiceResponseException e) {
            e.printStackTrace();
            System.out.println(e.getHttpStatusCode());
            System.out.println(e.getRequestId());
            System.out.println(e.getErrorCode());
            System.out.println(e.getErrorMsg());
        }
    }
}

Python SDK sample: create a network ACL named network_acl_test1.

# coding: utf-8

import os
from huaweicloudsdkcore.auth.credentials import BasicCredentials
from huaweicloudsdkvpc.v3.region.vpc_region import VpcRegion
from huaweicloudsdkcore.exceptions import exceptions
from huaweicloudsdkvpc.v3 import *

if __name__ == "__main__":
    # The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security.
    # In this example, AK and SK are stored in environment variables for authentication. Before running this example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment
    ak = os.environ["CLOUD_SDK_AK"]
    sk = os.environ["CLOUD_SDK_SK"]
    projectId = "{project_id}"

    credentials = BasicCredentials(ak, sk, projectId)

    client = VpcClient.new_builder() \
        .with_credentials(credentials) \
        .with_region(VpcRegion.value_of("<YOUR REGION>")) \
        .build()

    try:
        request = CreateFirewallRequest()
        firewallbody = CreateFirewallOption(
            name="network_acl_test1",
            description="network_acl_test1",
            enterprise_project_id="158ad39a-dab7-45a3-9b5a-2836b3cf93f9"
        )
        request.body = CreateFirewallRequestBody(
            firewall=firewallbody
        )
        response = client.create_firewall(request)
        print(response)
    except exceptions.ClientRequestException as e:
        print(e.status_code)
        print(e.request_id)
        print(e.error_code)
        print(e.error_msg)

Go SDK sample: create a network ACL named network_acl_test1.

package main

import (
	"fmt"
	"os"

	"github.com/huaweicloud/huaweicloud-sdk-go-v3/core/auth/basic"
	vpc "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/vpc/v3"
	"github.com/huaweicloud/huaweicloud-sdk-go-v3/services/vpc/v3/model"
	region "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/vpc/v3/region"
)

func main() {
	// The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security.
	// In this example, AK and SK are stored in environment variables for authentication. Before running this example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment.
	ak := os.Getenv("CLOUD_SDK_AK")
	sk := os.Getenv("CLOUD_SDK_SK")
	projectId := "{project_id}"

	auth := basic.NewCredentialsBuilder().
		WithAk(ak).
		WithSk(sk).
		WithProjectId(projectId).
		Build()

	client := vpc.NewVpcClient(
		vpc.VpcClientBuilder().
			WithRegion(region.ValueOf("<YOUR REGION>")).
			WithCredential(auth).
			Build())

	request := &model.CreateFirewallRequest{}
	descriptionFirewall := "network_acl_test1"
	enterpriseProjectIdFirewall := "158ad39a-dab7-45a3-9b5a-2836b3cf93f9"
	firewallbody := &model.CreateFirewallOption{
		Name:                "network_acl_test1",
		Description:         &descriptionFirewall,
		EnterpriseProjectId: &enterpriseProjectIdFirewall,
	}
	request.Body = &model.CreateFirewallRequestBody{
		Firewall: firewallbody,
	}
	response, err := client.CreateFirewall(request)
	if err == nil {
		fmt.Printf("%+v\n", response)
	} else {
		fmt.Println(err)
	}
}

For SDK sample code of more programming languages, see the Sample Code tab in API Explorer. SDK sample code can be automatically generated.

Status Codes

| Status Code | Description |
|---|---|
| 201 | Normal response to the POST operation. For more status codes, see Status Codes. |

Error Codes

See Error Codes.