CreateCloudResource - Web Application Firewall - Alibaba Cloud Documentation Center

Integrates cloud products with Web Application Firewall (WAF). Currently, only Elastic Compute Service (ECS) and Classic Load Balancer (CLB) are supported.

Try it now

Try this API in OpenAPI Explorer, no manual signing needed. Successful calls auto-generate SDK code matching your parameters. Download it with built-in credential security for local usage.

Test

RAM authorization

The table below describes the authorization required to call this API. You can define it in a Resource Access Management (RAM) policy. The table's columns are detailed below:

Action: The actions can be used in the Action element of RAM permission policy statements to grant permissions to perform the operation.
API: The API that you can call to perform the action.
Access level: The predefined level of access granted for each API. Valid values: create, list, get, update, and delete.
Resource type: The type of the resource that supports authorization to perform the action. It indicates if the action supports resource-level permission. The specified resource must be compatible with the action. Otherwise, the policy will be ineffective.
- For APIs with resource-level permissions, required resource types are marked with an asterisk (*). Specify the corresponding Alibaba Cloud Resource Name (ARN) in the Resource element of the policy.
- For APIs without resource-level permissions, it is shown as All Resources. Use an asterisk (*) in the Resource element of the policy.
Condition key: The condition keys defined by the service. The key allows for granular control, applying to either actions alone or actions associated with specific resources. In addition to service-specific condition keys, Alibaba Cloud provides a set of common condition keys applicable across all RAM-supported services.
Dependent action: The dependent actions required to run the action. To complete the action, the RAM user or the RAM role must have the permissions to perform all dependent actions.

Action

Access level

Resource type

Condition key

Dependent action

yundun-waf:CreateCloudResource

create

*All Resource

*

None

Request parameters

Parameter	Type	Required	Description	Example
InstanceId	string	Yes	The ID of the WAF instance. Note Call DescribeInstance to query the ID of the current WAF instance.	waf_v3prepaid_public_cn-***
ResourceManagerResourceGroupId	string	No	The ID of the Alibaba Cloud resource group.	rg-acfm***q
Listen	object	Yes	The listener configuration.
TLSVersion	string	No	The TLS version to add. This parameter is used only when HttpsPorts is not empty, which indicates that the domain name uses HTTPS. Valid values: tlsv1 tlsv1.1 tlsv1.2	tlsv1
EnableTLSv3	boolean	No	Specifies whether to support TLS 1.3. This parameter is used only when HttpsPorts is not empty, which indicates that the domain name uses HTTPS. Valid values: true: TLS 1.3 is supported. false: TLS 1.3 is not supported.	true
CipherSuite	integer	No	The type of cipher suite to add. This parameter is used only when HttpsPorts is not empty, which indicates that the domain name uses HTTPS. Valid values: 1: Adds all cipher suites. 2: Adds strong cipher suites. You can select this value only when TLSVersion is set to tlsv1.2. 99: Adds custom cipher suites.	1
CustomCiphers	array	No	The custom cipher suites to add. This parameter is used only when CipherSuite is set to 99.
	string	No	The custom cipher suites to add. This parameter is used only when CipherSuite is set to 99.	ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384
ResourceProduct	string	Yes	The type of the cloud product. Valid values: clb4: Layer 4 CLB instance. clb7: Layer 7 CLB instance. ecs: ECS instance. nlb: Network Load Balancer (NLB) instance.	clb4
ResourceInstanceId	string	Yes	The ID of the cloud product instance.	lb-bp1*****
Port	integer	Yes	The port of the cloud product that is added to WAF.	80
Protocol	string	Yes	The protocol type. Valid values: http: HTTP. https: HTTPS.	http
Certificates	array<object>	No	The list of certificate IDs.
	object	No	The certificate information.
CertificateId	string	No	The ID of the certificate to add. Note Call DescribeResourceInstanceCerts to query the IDs of all SSL certificates that are associated with the cloud product instance.	123-cn-hangzhou
AppliedType	string	No	The type of the certificate for the HTTPS protocol. Valid values: default: the default certificate. extension: the additional certificate.	default
Http2Enabled	boolean	No	Specifies whether to enable HTTP/2. This parameter is used only when HttpsPorts is not empty, which indicates that the domain name uses HTTPS. Valid values: true: enables HTTP/2. false (default): disables HTTP/2.	true
ResourceRegionId	string	No	The region ID of the cloud product. Note This parameter is required if the ID of the instance that you want to add has not been synchronized to WAF.	cn-hangzhou
Redirect	object	No	The forwarding configuration.
RequestHeaders	array<object>	No	The value of this parameter is in the `[{"k":"key","v":"value"}]` format. key indicates the custom request header field. value indicates the value of the field. Note If the custom header field already exists in the request, the system overwrites the value of the custom header field with the specified value.
	object	No	The value of this parameter is in the `[{"k":"key","v":"value"}]` format. key indicates the custom request header field. value indicates the value of the field.
Key	string	No	The custom request header field.	key1
Value	string	No	The value of the custom request header field.	value1
XffHeaderMode	integer	No	The method that WAF uses to obtain the real IP address of a client. Valid values: 0: No Layer 7 proxy is deployed before WAF. 1: WAF reads the first value of the XFF header field to obtain the client IP address. 2: WAF reads the value of a custom header field to obtain the client IP address.	1
XffHeaders	array	No	The list of custom header fields that are used to obtain the client IP address. The value is in the `["header1","header2",...]` format. Note This parameter is required only when XffHeaderMode is set to 2, which indicates that WAF reads the value of a custom header field to obtain the client IP address.
	string	No	The list of custom header fields that are used to obtain the client IP address. The value is in the `["header1","header2",...]` format. Note This parameter is required only when XffHeaderMode is set to 2, which indicates that WAF reads the value of a custom header field to obtain the client IP address.	header1
ReadTimeout	integer	No	The read timeout period. Unit: seconds. Valid values: 1 to 3600.	1
WriteTimeout	integer	No	The write timeout period. Unit: seconds. Valid values: 1 to 3600.	1
Keepalive	boolean	No	Specifies whether to enable persistent connections. Valid values: true (default): enables persistent connections. false: disables persistent connections.	true
KeepaliveRequests	integer	No	The number of requests that can be reused in a persistent connection. Valid values: 60 to 1000. Note The number of requests that are reused over a persistent connection.	1000
KeepaliveTimeout	integer	No	The timeout period for an idle persistent connection. Valid values: 10 to 3600. Default value: 3600. Unit: seconds. Note The period of time after which an idle persistent connection is released.	3600
XffProto	boolean	No	Specifies whether to use the X-Forwarded-Proto header to pass the WAF protocol. Valid values: true (default): passes the WAF protocol. false: does not pass the WAF protocol.	true
MaxBodySize	integer	No	The maximum size of a request body. Valid values: 2 to 10. Default value: 2. Unit: GB. Note This feature is available only for the WAF Ultimate edition.	2
Tag	array<object>	No	The list of tags. You can add up to 20 tags.
	object	No
Key	string	No	The tag key.	TagKey1
Value	string	No	The tag value.	TagValue1
RegionId	string	Yes	The region where the WAF instance resides. Valid values: cn-hangzhou: the Chinese mainland. ap-southeast-1: outside the Chinese mainland.	cn-hangzhou
OwnerUserId	string	No	The Alibaba Cloud account ID of the resource owner.	123

Response elements

Element	Type	Description	Example
	object
RequestId	string	The request ID.	66A98669-ER12-WE34-23PO-301469*****E
CloudResourceId	string	The ID of the added resource. This ID is automatically generated by WAF.	lb-***

Examples

Success response

JSON format

{
  "RequestId": "66A98669-ER12-WE34-23PO-301469*****E",
  "CloudResourceId": "lb-***"
}

Error codes

HTTP status code	Error code	Error message	Description
400	Waf.Pullin.CertNotExist	Certificate does not exist in SSL Certificate Center, certificate type:%s, certificate ID:%s.	Certificate does not exist in SSL Certificate Center, certificate type:%s, certificate ID:%s.
400	Waf.Pullin.CertExpired	Certificate expired, certificate ID:%s .

See Error Codes for a complete list.

Release notes

See Release Notes for a complete list.