Updates the rules of a network access control list (ACL).

Usage notes

  • UpdateNetworkAclEntries is an asynchronous operation. After you send a request, the system returns a request ID and runs the task in the background. You can call the DescribeNetworkAclAttributes operation to query the status of a network ACL:
    • If the network ACL is in the Modifying state, the rules of the network ACL are being updated.
    • If the network ACL is in the Available state, the rules of the network ACL are updated.
  • You cannot repeatedly call the UpdateNetworkAclEntries operation to update the rules of a network ACL within the specified period of time.

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer. OpenAPI Explorer dynamically generates the sample code of the operation for different SDKs.

Request parameters

Parameter Type Required Example Description
IngressAclEntries.N.NetworkAclEntryId String No nae-2zepn32de59j8m4****

The ID of the inbound rule.

Valid values of N: 0 to 99. You can specify at most 100 inbound rules.

IngressAclEntries.N.EntryType String No custom

The type of the rule. Set the value to custom, which specifies custom rules.

IngressAclEntries.N.NetworkAclEntryName String No acl-3

The name of the inbound rule.

The name must be 1 to 128 characters in length, and cannot start with http:// or https://.

IngressAclEntries.N.Policy String No accept

The action to be performed on network traffic that matches the rule. Valid values:

  • accept: allows network traffic.
  • drop: blocks network traffic.

IngressAclEntries.N.SourceCidrIp String No 10.0.0.0/24

The source CIDR block.

IngressAclEntries.N.Description String No This is IngressAclEntries.

The description of the inbound rule.

The description must be 1 to 256 characters in length and cannot start with http:// or https://.

IngressAclEntries.N.Protocol String No all

The protocol. Valid values:

  • icmp: ICMP
  • gre: GRE
  • tcp: TCP
  • udp: UDP
  • all: all protocols

IngressAclEntries.N.Port String No -1/-1

The source port range of the inbound rule.

  • If Protocol of the inbound rule is set to all, icmp, or gre, the port range is -1/-1, which specifies all ports.
  • If Protocol of the inbound rule is set to tcp or udp, set the port range in the following format: 1/200 or 80/80, which specifies port 1 to port 200 or port 80. Valid values for a port: 1 to 65535.

EgressAclEntries.N.NetworkAclEntryId String No nae-2zecs97e0brcge46****

The ID of the outbound rule.

Valid values of N: 0 to 99. You can specify at most 100 outbound rules.

EgressAclEntries.N.EntryType String No custom

The type of the rule. Set the value to custom, which specifies custom rules.

EgressAclEntries.N.NetworkAclEntryName String No acl-2

The name of the outbound rule.

The name must be 1 to 128 characters in length, and cannot start with http:// or https://.

EgressAclEntries.N.Policy String No accept

The action to be performed on network traffic that matches the rule. Valid values:

  • accept: allows network traffic.
  • drop: blocks network traffic.

EgressAclEntries.N.Description String No This is EgressAclEntries.

The description of the outbound rule.

The description must be 1 to 256 characters in length and cannot start with http:// or https://.

EgressAclEntries.N.Protocol String No all

The protocol. Valid values:

  • icmp: ICMP
  • gre: GRE
  • tcp: TCP
  • udp: UDP
  • all: all protocols

EgressAclEntries.N.DestinationCidrIp String No 10.0.0.0/24

The destination CIDR block.

EgressAclEntries.N.Port String No -1/-1

The destination port range of the outbound traffic.

  • If Protocol of the outbound rule is set to all, icmp, or gre, the port range is -1/-1, which indicates all ports.
  • If Protocol of the outbound rule is set to tcp or udp, set the port range in the following format: 1/200 or 80/80, which specifies port 1 to port 200 or port 80. Valid values for a port: 1 to 65535.

UpdateIngressAclEntries Boolean No false

Specifies whether to update inbound rules. Valid values:

  • true: yes
  • false (default): no

Note: If an inbound rule is already added to the network ACL and you want to add another inbound rule, you must specify both rules when you call this operation. If you specify only the new rule, the existing rule will be deleted.

UpdateEgressAclEntries Boolean No false

Specifies whether to update outbound rules. Valid values:

  • true: yes
  • false (default): no

Note: If an outbound rule is already added to the network ACL and you want to add another outbound rule, you must specify both rules when you call this operation. If you specify only the new rule, the existing rule will be deleted.

NetworkAclId String Yes nacl-bp1lhl0taikrzxsc****

The ID of the network ACL.

RegionId String Yes cn-hangzhou

The region ID of the network ACL.

You can call the DescribeRegions operation to query the most recent region list.

ClientToken String No 123e4567-e89b-12d3-a456-426655440000

The client token that is used to ensure the idempotence of the request.

You can use the client to generate the token, but you must make sure that the token is unique among different requests. The token can contain only ASCII characters.

Note: If you do not set this parameter, the system sets ClientToken to the value of RequestId. RequestId may be different for each API request.

Action String Yes UpdateNetworkAclEntries

The operation that you want to perform. Set the value to UpdateNetworkAclEntries.
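
The notes under UpdateIngressAclEntries and UpdateEgressAclEntries mean that each call replaces the whole rule list, so a request carrying only the new rule deletes every existing rule, including any drop rules. The following added example (not code from this page or from the SDK) builds the flat `IngressAclEntries.N.*` parameters from the existing rules plus the new one, validates them against the constraints in the table above, and reports which existing rules a request would delete. The function names, the `nacl-example` and `nae-example-0001` IDs, and the assumption that the existing rules were read back from the ACL beforehand are illustrative.

```python
import ipaddress
import uuid

def validate_rule(rule):
    """Check one inbound rule against the constraints in the parameter table."""
    if rule["Policy"] not in ("accept", "drop"):
        raise ValueError("Policy must be accept or drop")
    if rule["Protocol"] not in ("icmp", "gre", "tcp", "udp", "all"):
        raise ValueError("unknown Protocol")
    ipaddress.ip_network(rule["SourceCidrIp"])  # ValueError if not a CIDR block
    if rule["Protocol"] in ("tcp", "udp"):
        lo, hi = (int(p) for p in rule["Port"].split("/"))
        if not 1 <= lo <= hi <= 65535:  # lo <= hi is an added sanity check
            raise ValueError("Port out of range")
    elif rule["Port"] != "-1/-1":
        raise ValueError("Port must be -1/-1 for all, icmp and gre")

def build_ingress_update(acl_id, region_id, existing, additions):
    """Flat request parameters that resend `existing` and append `additions`."""
    rules = list(existing) + list(additions)
    if len(rules) > 100:
        raise ValueError("at most 100 inbound rules")
    params = {"Action": "UpdateNetworkAclEntries", "NetworkAclId": acl_id,
              "RegionId": region_id, "UpdateIngressAclEntries": "true",
              "ClientToken": str(uuid.uuid4())}
    for n, rule in enumerate(rules):
        validate_rule(rule)
        for field, value in rule.items():
            params[f"IngressAclEntries.{n}.{field}"] = value
    return params

def dropped_entry_ids(existing, params):
    """IDs of existing rules missing from the request, which the call would delete."""
    sent = {v for k, v in params.items()
            if k.startswith("IngressAclEntries.") and k.endswith(".NetworkAclEntryId")}
    return [r["NetworkAclEntryId"] for r in existing if r["NetworkAclEntryId"] not in sent]

# Constructed sample data: one rule already on the ACL, one rule to add.
EXISTING = [{"NetworkAclEntryId": "nae-example-0001", "EntryType": "custom",
             "Policy": "drop", "SourceCidrIp": "0.0.0.0/0", "Protocol": "tcp", "Port": "22/22"}]
NEW = [{"EntryType": "custom", "NetworkAclEntryName": "acl-3", "Policy": "accept",
        "SourceCidrIp": "10.0.0.0/24", "Protocol": "tcp", "Port": "443/443"}]

if __name__ == "__main__":
    params = build_ingress_update("nacl-example", "cn-hangzhou", EXISTING, NEW)
    print(dropped_entry_ids(EXISTING, params))       # merged request keeps the drop rule
    only_new = build_ingress_update("nacl-example", "cn-hangzhou", [], NEW)
    print(dropped_entry_ids(EXISTING, only_new))     # rules a new-rule-only request deletes
```

Running `dropped_entry_ids` as a pre-flight check in change automation turns an accidental rule deletion into a failed review step instead of a silent change in exposure.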

Response parameters

| Parameter | Type | Example | Description |
| --- | --- | --- | --- |
| RequestId | String | 1170A5A0-E760-4331-9133-A7D38D973215 | The request ID. |

Examples

Sample requests

http(s)://[Endpoint]/?IngressAclEntries=[{"NetworkAclEntryId":"nae-2zepn32de59j8m4****","EntryType":"custom","NetworkAclEntryName":"acl-3","Policy":"accept","SourceCidrIp":"10.0.0.0/24","Description":"This is IngressAclEntries.","Protocol":"all","Port":"-1/-1"}]
&EgressAclEntries=[{"NetworkAclEntryId":"nae-2zecs97e0brcge46****","EntryType":"custom","NetworkAclEntryName":"acl-2","Policy":"accept","Description":"This is EgressAclEntries.","Protocol":"all","DestinationCidrIp":"10.0.0.0/24","Port":"-1/-1"}]
&UpdateIngressAclEntries=false
&UpdateEgressAclEntries=false
&NetworkAclId=nacl-bp1lhl0taikrzxsc****
&RegionId=cn-hangzhou
&ClientToken=123e4567-e89b-12d3-a456-426655440000
&Action=UpdateNetworkAclEntries
&Common request parameters

Sample responses

XML format

HTTP/1.1 200 OK
Content-Type:application/xml

<UpdateNetworkAclEntriesResponse>
    <RequestId>1170A5A0-E760-4331-9133-A7D38D973215</RequestId>
</UpdateNetworkAclEntriesResponse>

JSON format

HTTP/1.1 200 OK
Content-Type:application/json

{
  "RequestId" : "1170A5A0-E760-4331-9133-A7D38D973215"
}

Error codes

| HttpCode | Error code | Error message | Description |
| --- | --- | --- | --- |
| 400 | ParameterLengthIllegal.Name | ParameterLengthIllegal.Name | The error message returned because the length of the rule name is invalid. |
| 400 | ParameterIllegal.Name | ParameterIllegal.Name | The error message returned because the name of the rule is invalid. |
| 400 | QuotaExceed.NetworkAclEntry | Network acl entry is over limit. | The error message returned because the number of rules in the network ACL has reached the upper limit. |
| 400 | InvalidNetworkAcl.NotFound | The special Network Acl is not found. | The error message returned because the network ACL is not found. |
| 400 | IllegalParam.IngressAclEntryId | The specified IngressAclEntryId is invalid. | The error message returned because the ID of the inbound ACL rule is invalid. |
| 400 | IllegalParam.EgressAclEntryId | The specified EgressAclEntryId is invalid. | The error message returned because the ID of the outbound ACL rule is invalid. |
| 500 | InternalError | The request processing has failed due to some unknown error. | The error message returned because some unknown errors occurred. |

For a list of error codes, visit the API Error Center.