CreateTrafficMirrorFilterRules - Virtual Private Cloud - Alibaba Cloud Documentation Center

Creates an inbound or outbound rule for traffic mirroring.

Operation description

CreateTrafficMirrorFilterRules is an asynchronous operation. After a request is sent, the system returns a request ID and runs the task in the background. You can call ListTrafficMirrorFilters to query the status of the task.
- If the inbound or outbound rule is in the Creating state, the rule is being created.
- If the inbound or outbound rule is in the Created state, the rule is created.
You cannot call CreateTrafficMirrorFilterRules within the specified period of time.

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer.

Debug

Authorization information

The following table shows the authorization information corresponding to the API. The authorization information can be used in the Action policy element to grant a RAM user or RAM role the permissions to call this API operation. Description:

Operation: the value that you can use in the Action element to specify the operation on a resource.
Access level: the access level of each operation. The levels are read, write, and list.
Resource type: the type of the resource on which you can authorize the RAM user or the RAM role to perform the operation. Take note of the following items:
- The required resource types are displayed in bold characters.
- If the permissions cannot be granted at the resource level, All Resources is used in the Resource type column of the operation.
Condition Key: the condition key that is defined by the cloud service.
Associated operation: other operations that the RAM user or the RAM role must have permissions to perform to complete the operation. To complete the operation, the RAM user or the RAM role must have the permissions to perform the associated operations.

Operation	Access level	Resource type	Condition key	Associated operation
vpc:CreateTrafficMirrorFilterRules	create	TrafficMirrorFilter acs:vpc:{#regionId}:{#accountId}:trafficmirrorfilter/{#TrafficMirrorFilterId}	none	none

Request parameters

Parameter	Type	Required	Description	Example
TrafficMirrorFilterId	string	Yes	The ID of the filter.	tmf-j6cmls82xnc86vtpe****
ClientToken	string	No	The client token that is used to ensure the idempotence of the request. You can use the client to generate the value, but you must make sure that it is unique among different requests. The client token can contain only ASCII characters. Note If you do not set this parameter, the system uses RequestId as ClientToken. RequestId may be different for each API request.	123e4567-e89b-12d3-a456-426655440000
DryRun	boolean	No	Specifies whether to check the request without performing the operation. Valid values: true: checks the request without performing the operation. The system checks the required parameters, request format, and limits. If the request fails the precheck, an error message is returned. If the request passes the precheck, the `DryRunOperation` error code is returned. false (default): sends the request. After the request passes the check, the operation is performed.	false
IngressRules	array<object>	No	The list of inbound rules.
	object	No	The list of inbound rules.
Action	string	Yes	The action of the inbound rule. Valid values: accept: accepts network traffic. drop: drops network traffic.	accept
SourceCidrBlock	string	No	The source CIDR block of the inbound traffic.	10.0.0.0/24
Protocol	string	Yes	The protocol that is used by the inbound traffic to be mirrored. Valid values: ALL: all protocols ICMP: Internet Control Message Protocol (ICMP) TCP: TCP UDP: User Datagram Protocol (UDP)	TCP
DestinationPortRange	string	No	The destination port range of the inbound traffic. Valid values for a port: 1 to 65535. Separate the first port and the last port with a forward slash (/). Examples: 1/200 and 80/80. Note If you set IngressRules.N.Protocol to ALL or ICMP, you do not need to set this parameter. In this case, all ports are available.	80/120
Priority	integer	No	The priority of the inbound rule. A smaller value indicates a higher priority. The maximum value of N is 10. You can configure up to 10 inbound rules for a filter.	1
DestinationCidrBlock	string	No	The destination CIDR block of the inbound traffic.	10.0.0.0/24
SourcePortRange	string	No	The source port range of the inbound traffic. Valid values for a port: 1 to 65535. Separate the first port and the last port with a forward slash (/). Examples: 1/200 and 80/80. You cannot set this parameter to only -1/-1, which specifies all ports. Note If you set IngressRules.N.Protocol to ALL or ICMP, you do not need to set this parameter. In this case, all ports are available.	80/120
EgressRules	array<object>	No	The list of outbound rules.
	object	No	The list of outbound rules.
Action	string	Yes	The action of the outbound rule. Valid values: accept: accepts network traffic. drop: drops network traffic.	accept
SourceCidrBlock	string	No	The source CIDR block of the outbound traffic.	10.0.0.0/24
Protocol	string	Yes	The protocol that is used by the outbound traffic to be mirrored. Valid values: ALL: all protocols ICMP: ICMP TCP: TCP UDP: UDP	TCP
DestinationPortRange	string	No	The destination port range of the outbound traffic. Valid values for a port: 1 to 65535. Separate the first port and the last port with a forward slash (/). Examples: 1/200 and 80/80. You cannot set this parameter to only -1/-1, which specifies all ports. Note If you set EgressRules.N.Protocol to ALL or ICMP, you do not need to set this parameter. In this case, all ports are available.	22/40
Priority	integer	No	The priority of the outbound rule. A smaller value indicates a higher priority. The maximum value of N is 10. You can configure up to 10 outbound rules for a filter.	1
DestinationCidrBlock	string	No	The destination CIDR block of the outbound traffic.	10.0.0.0/24
SourcePortRange	string	No	The source port range of the outbound traffic. Valid values for a port: 1 to 65535. Separate the first port and the last port with a forward slash (/). Examples: 1/200 and 80/80. You cannot set this parameter to only -1/-1, which specifies all ports. Note If you set EgressRules.N.Protocol to ALL or ICMP, you do not need to set this parameter. In this case, all ports are available.	22/40
RegionId	string	Yes	The ID of the region to which the mirrored traffic belongs. You can call the DescribeRegions operation to query the most recent region list. For more information about regions that support traffic mirroring, see Overview of traffic mirroring.	cn-hongkong

Response parameters

Parameter	Type	Description	Example
	object
RequestId	string	The ID of the request.	07F272E2-6AD5-433A-8207-A607C76F1676
IngressRules	array<object>	The list of inbound rules.
	object
InstanceId	string	The ID of the inbound rule.	tmr-j6c6rtallo51ouzv3****
EgressRules	array<object>	The list of outbound rules.
	object
InstanceId	string	The ID of the outbound rule.	tmr-j6cok23ugp53eeib5****

Examples

Sample success responses

JSONformat

{
  "RequestId": "07F272E2-6AD5-433A-8207-A607C76F1676",
  "IngressRules": [
    {
      "InstanceId": "tmr-j6c6rtallo51ouzv3****"
    }
  ],
  "EgressRules": [
    {
      "InstanceId": "tmr-j6cok23ugp53eeib5****"
    }
  ]
}

Error codes

HTTP status code	Error code	Error message	Description
400	ResourceNotFound.TrafficMirrorFilter	The specified resource of traffic mirror filter is not found.	The specified filter does not exist.
400	IncorrectStatus.TrafficMirrorFilter	The status of traffic mirror filter is incorrect.	The filter is in an invalid state.
400	IncorrectStatus.TrafficMirrorSession	The status of traffic mirror session is incorrect.	-
400	QuotaExceeded.TrafficMirrorRulesPerFilter	The quota of the number of traffic mirror rules per filter is exceeded.	The number of rules associated with the filter has reached the upper limit.
400	DuplicatedParam.Priority	The specified priority conflicts with the existing priority.	The specified priority is the same as an existing one.
400	UnsupportedRegion	The feature is not supported in current region.	The feature is not supported in the current region.
400	IllegalParam.CidrBlock	The specified CidrBlock is illegal.	The operation failed because CidrBlock is set to an invalid value.

For a list of error codes, visit the Service error codes.

Change history

Change time	Summary of changes	Operation
2023-07-20	API Description Update. The Error code has changed	View Change Details