Creates an inbound or outbound rule for traffic mirroring.

Usage notes

  • The CreateTrafficMirrorFilterRules operation is asynchronous. After you send the request, the system returns a request ID. However, the operation is still being performed in the system background. You can call the ListTrafficMirrorFilters operation to query the status of an inbound or outbound rule:
    • If the rule is in the Creating state, the rule is being created.
    • If the rule is in the Created state, the rule is created.
  • You cannot repeatedly call the CreateTrafficMirrorFilterRules operation to create an inbound or outbound rule for a traffic mirroring filter.

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer. OpenAPI Explorer dynamically generates the sample code of the operation for different SDKs.

Request parameters

Parameter Type Required Example Description
Action String Yes CreateTrafficMirrorFilterRules

The operation that you want to perform. Set the value to CreateTrafficMirrorFilterRules.

TrafficMirrorFilterId String Yes tmf-j6cmls82xnc86vtpe****

The ID of the filter.

ClientToken String No 123e4567-e89b-12d3-a456-426655440000

The client token that is used to ensure the idempotence of the request.

You can use the client to generate the value, but you must make sure that it is unique among different requests. The client token can contain only ASCII characters.

Note If you do not set this parameter, the system uses RequestId as ClientToken. RequestId may be different for each API request.
DryRun Boolean No false

Specifies whether to check the request without performing the operation. Valid values:

  • true: checks the request without performing the operation. The system checks the required parameters, request format, and limits. If the request fails the precheck, an error message is returned. If the request passes the precheck, the DryRunOperation error code is returned.
  • false (default): sends the request. After the request passes the check, the operation is performed.
IngressRules.N.Action String Yes accept

The action of the inbound rule. Valid values:

  • accept: accepts network traffic.
  • drop: drops network traffic.
IngressRules.N.SourceCidrBlock String No 10.0.0.0/24

The source CIDR block of the inbound traffic.

IngressRules.N.Protocol String Yes TCP

The protocol that is used by the inbound traffic to be mirrored. Valid values:

  • ALL: all protocols
  • ICMP: Internet Control Message Protocol (ICMP)
  • TCP: TCP
  • UDP: User Datagram Protocol (UDP)
IngressRules.N.DestinationPortRange String No 80/120

The destination port range of the inbound traffic. Valid values for a port: 1 to 65535. Separate the first port and the last port with a forward slash (/). Examples: 1/200 and 80/80.

Note If you set IngressRules.N.Protocol to ALL or ICMP, you do not need to set this parameter. In this case, all ports are available.
IngressRules.N.Priority Integer No 1

The priority of the inbound rule. A smaller value indicates a higher priority. The maximum value of N is 10. You can configure up to 10 inbound rules for a filter.

IngressRules.N.DestinationCidrBlock String No 10.0.0.0/24

The destination CIDR block of the inbound traffic.

IngressRules.N.SourcePortRange String No 80/120

The source port range of the inbound traffic. Valid values for a port: 1 to 65535. Separate the first port and the last port with a forward slash (/). Examples: 1/200 and 80/80. You cannot set this parameter to only -1/-1, which specifies all ports.

Note If you set IngressRules.N.Protocol to ALL or ICMP, you do not need to set this parameter. In this case, all ports are available.
EgressRules.N.Action String Yes accept

The action of the outbound rule. Valid values:

  • accept: accepts network traffic.
  • drop: drops network traffic.
EgressRules.N.SourceCidrBlock String No 10.0.0.0/24

The source CIDR block of the outbound traffic.

EgressRules.N.Protocol String Yes TCP

The protocol that is used by the outbound traffic to be mirrored. Valid values:

  • ALL: all protocols
  • ICMP: ICMP
  • TCP: TCP
  • UDP: UDP
EgressRules.N.DestinationPortRange String No 22/40

The destination port range of the outbound traffic. Valid values for a port: 1 to 65535. Separate the first port and the last port with a forward slash (/). Examples: 1/200 and 80/80. You cannot set this parameter to only -1/-1, which specifies all ports.

Note If you set EgressRules.N.Protocol to ALL or ICMP, you do not need to set this parameter. In this case, all ports are available.
EgressRules.N.Priority Integer No 1

The priority of the outbound rule. A smaller value indicates a higher priority. The maximum value of N is 10. You can configure up to 10 outbound rules for a filter.

EgressRules.N.DestinationCidrBlock String No 10.0.0.0/24

The destination CIDR block of the outbound traffic.

EgressRules.N.SourcePortRange String No 22/40

The source port range of the outbound traffic. Valid values for a port: 1 to 65535. Separate the first port and the last port with a forward slash (/). Examples: 1/200 and 80/80. You cannot set this parameter to only -1/-1, which specifies all ports.

Note If you set EgressRules.N.Protocol to ALL or ICMP, you do not need to set this parameter. In this case, all ports are available.
RegionId String Yes cn-hongkong

The ID of the region to which the mirrored traffic belongs.

You can call the DescribeRegions operation to query the most recent region list. For more information about regions that support traffic mirroring, see Overview of traffic mirroring.

Response parameters

Parameter Type Example Description
RequestId String 07F272E2-6AD5-433A-8207-A607C76F1676

The ID of the request.

IngressRules Array of IngressRule

The list of inbound rules.

InstanceId String tmr-j6c6rtallo51ouzv3****

The ID of the inbound rule.

EgressRules Array of EgressRule

The list of outbound rules.

InstanceId String tmr-j6cok23ugp53eeib5****

The ID of the outbound rule.

Examples

Sample requests

http(s)://[Endpoint]/?Action=CreateTrafficMirrorFilterRules
&TrafficMirrorFilterId=tmf-j6cmls82xnc86vtpe****
&ClientToken=123e4567-e89b-12d3-a456-426655440000
&DryRun=false
&IngressRules=[{"Action":"accept","SourceCidrBlock":"10.0.0.0/24","Protocol":"TCP","DestinationPortRange":"80/120","Priority":1,"DestinationCidrBlock":"10.0.0.0/24","SourcePortRange":"80/120"}]
&EgressRules=[{"Action":"accept","SourceCidrBlock":"10.0.0.0/24","Protocol":"TCP","DestinationPortRange":"22/40","Priority":1,"DestinationCidrBlock":"10.0.0.0/24","SourcePortRange":"22/40"}]
&RegionId=cn-hongkong
&Common request parameters

Sample success responses

XML format 

HTTP/1.1 200 OK
Content-Type:application/xml

<CreateTrafficMirrorFilterRulesResponse>
    <RequestId>07F272E2-6AD5-433A-8207-A607C76F1676</RequestId>
    <IngressRules>
        <InstanceId>tmr-j6c6rtallo51ouzv3****</InstanceId>
    </IngressRules>
    <EgressRules>
        <InstanceId>tmr-j6cok23ugp53eeib5****</InstanceId>
    </EgressRules>
</CreateTrafficMirrorFilterRulesResponse>

JSON format 

HTTP/1.1 200 OK
Content-Type:application/json

{
  "RequestId" : "07F272E2-6AD5-433A-8207-A607C76F1676",
  "IngressRules" : [ {
    "InstanceId" : "tmr-j6c6rtallo51ouzv3****"
  } ],
  "EgressRules" : [ {
    "InstanceId" : "tmr-j6cok23ugp53eeib5****"
  } ]
}

Error codes

HttpCode Error code Error message Description
400 ResourceNotFound.TrafficMirrorFilter The specified resource of traffic mirror filter is not found. The error message returned because the specified filter does not exist.
400 IncorrectStatus.TrafficMirrorFilter The status of traffic mirror filter is incorrect. The error message returned because the filter is in an invalid state.
400 IncorrectStatus.TrafficMirrorSession The status of traffic mirror session is incorrect. The error message returned because the traffic mirror session is in an invalid state.
400 QuotaExceeded.TrafficMirrorRulesPerFilter The quota of the number of traffic mirror rules per filter is exceeded. The error message returned because the number of rules associated with the filter has reached the upper limit.
400 DuplicatedParam.Priority The specified priority conflicts with the existing priority. The error message returned because the specified priority is the same as an existing one.
400 UnsupportedRegion The feature is not supported in current region. The error message returned because the feature is not supported in the current region.

For a list of error codes, visit the API Error Center.