Creates an inbound or outbound rule for traffic mirroring.
Operation description
-
CreateTrafficMirrorFilterRules is an asynchronous operation. After a request is sent, the system returns a request ID and runs the task in the background. You can call ListTrafficMirrorFilters to query the status of the task.
- If the inbound or outbound rule is in the Creating state, the rule is being created.
- If the inbound or outbound rule is in the Created state, the rule is created.
-
You cannot call CreateTrafficMirrorFilterRules within the specified period of time.
Debugging
Authorization information
The following table shows the authorization information corresponding to the API. The authorization information can be used in the Action
policy element to grant a RAM user or RAM role the permissions to call this API operation. Description:
- Operation: the value that you can use in the Action element to specify the operation on a resource.
- Access level: the access level of each operation. The levels are read, write, and list.
- Resource type: the type of the resource on which you can authorize the RAM user or the RAM role to perform the operation. Take note of the following items:
- The required resource types are displayed in bold characters.
- If the permissions cannot be granted at the resource level,
All Resources
is used in the Resource type column of the operation.
- Condition Key: the condition key that is defined by the cloud service.
- Associated operation: other operations that the RAM user or the RAM role must have permissions to perform to complete the operation. To complete the operation, the RAM user or the RAM role must have the permissions to perform the associated operations.
Operation | Access level | Resource type | Condition key | Associated operation |
---|---|---|---|---|
vpc:CreateTrafficMirrorFilterRules | create |
|
| none |
Request parameters
Parameter | Type | Required | Description | Example |
---|---|---|---|---|
TrafficMirrorFilterId | string | Yes | The ID of the filter. | tmf-j6cmls82xnc86vtpe**** |
ClientToken | string | No | The client token that is used to ensure the idempotence of the request. You can use the client to generate the value, but you must make sure that it is unique among different requests. The client token can contain only ASCII characters. Note
If you do not set this parameter, the system uses RequestId as ClientToken. RequestId may be different for each API request.
| 123e4567-e89b-12d3-a456-426655440000 |
DryRun | boolean | No | Specifies whether to check the request without performing the operation. Valid values:
| false |
IngressRules | array<object> | No | The list of inbound rules. | |
object | No | The list of inbound rules. | ||
Action | string | Yes | The action of the inbound rule. Valid values:
| accept |
SourceCidrBlock | string | No | The source CIDR block of the inbound traffic. | 10.0.0.0/24 |
Protocol | string | Yes | The protocol that is used by the inbound traffic to be mirrored. Valid values:
| TCP |
DestinationPortRange | string | No | The destination port range of the inbound traffic. Valid values for a port: 1 to 65535. Separate the first port and the last port with a forward slash (/). Examples: 1/200 and 80/80. Note
If you set IngressRules.N.Protocol to ALL or ICMP, you do not need to set this parameter. In this case, all ports are available.
| 80/120 |
Priority | integer | No | The priority of the inbound rule. A smaller value indicates a higher priority. The maximum value of N is 10. You can configure up to 10 inbound rules for a filter. | 1 |
DestinationCidrBlock | string | No | The destination CIDR block of the inbound traffic. | 10.0.0.0/24 |
SourcePortRange | string | No | The source port range of the inbound traffic. Valid values for a port: 1 to 65535. Separate the first port and the last port with a forward slash (/). Examples: 1/200 and 80/80. You cannot set this parameter to only -1/-1, which specifies all ports. Note
If you set IngressRules.N.Protocol to ALL or ICMP, you do not need to set this parameter. In this case, all ports are available.
| 80/120 |
EgressRules | array<object> | No | The list of outbound rules. | |
object | No | The list of outbound rules. | ||
Action | string | Yes | The action of the outbound rule. Valid values:
| accept |
SourceCidrBlock | string | No | The source CIDR block of the outbound traffic. | 10.0.0.0/24 |
Protocol | string | Yes | The protocol that is used by the outbound traffic to be mirrored. Valid values:
| TCP |
DestinationPortRange | string | No | The destination port range of the outbound traffic. Valid values for a port: 1 to 65535. Separate the first port and the last port with a forward slash (/). Examples: 1/200 and 80/80. You cannot set this parameter to only -1/-1, which specifies all ports. Note
If you set EgressRules.N.Protocol to ALL or ICMP, you do not need to set this parameter. In this case, all ports are available.
| 22/40 |
Priority | integer | No | The priority of the outbound rule. A smaller value indicates a higher priority. The maximum value of N is 10. You can configure up to 10 outbound rules for a filter. | 1 |
DestinationCidrBlock | string | No | The destination CIDR block of the outbound traffic. | 10.0.0.0/24 |
SourcePortRange | string | No | The source port range of the outbound traffic. Valid values for a port: 1 to 65535. Separate the first port and the last port with a forward slash (/). Examples: 1/200 and 80/80. You cannot set this parameter to only -1/-1, which specifies all ports. Note
If you set EgressRules.N.Protocol to ALL or ICMP, you do not need to set this parameter. In this case, all ports are available.
| 22/40 |
RegionId | string | Yes | The ID of the region to which the mirrored traffic belongs. You can call the DescribeRegions operation to query the most recent region list. For more information about regions that support traffic mirroring, see Overview of traffic mirroring. | cn-hongkong |
Response parameters
Examples
Sample success responses
JSON
format
{
"RequestId": "07F272E2-6AD5-433A-8207-A607C76F1676",
"IngressRules": [
{
"InstanceId": "tmr-j6c6rtallo51ouzv3****"
}
],
"EgressRules": [
{
"InstanceId": "tmr-j6cok23ugp53eeib5****"
}
]
}
Error codes
HTTP status code | Error code | Error message | Description |
---|---|---|---|
400 | ResourceNotFound.TrafficMirrorFilter | The specified resource of traffic mirror filter is not found. | The specified filter does not exist. |
400 | IncorrectStatus.TrafficMirrorFilter | The status of traffic mirror filter is incorrect. | The filter is in an invalid state. |
400 | IncorrectStatus.TrafficMirrorSession | The status of traffic mirror session is incorrect. | - |
400 | QuotaExceeded.TrafficMirrorRulesPerFilter | The quota of the number of traffic mirror rules per filter is exceeded. | The number of rules associated with the filter has reached the upper limit. |
400 | DuplicatedParam.Priority | The specified priority conflicts with the existing priority. | The specified priority is the same as an existing one. |
400 | UnsupportedRegion | The feature is not supported in current region. | The feature is not supported in the current region. |
400 | IllegalParam.CidrBlock | The specified CidrBlock is illegal. | The operation failed because CidrBlock is set to an invalid value. |
For a list of error codes, visit the Service error codes.
Change history
Change time | Summary of changes | Operation |
---|---|---|
2023-07-20 | API Description Update. The Error code has changed | View Change Details |