Modifies the egress rule of a security group. If you have not created a security group rule, you can call AuthorizeSecurityGroupEgress to create one.
Description
According to your access authorization requirements, you can define an egress rule for a security group by using either of the following groups of parameters:
- If you need to authorize access to a specified CIDR block, use the following parameters: IpProtocol, PortRange, SourcePortRange (optional), NicType, Policy, DestCiderIp, and SourceCidrIp (optional).
- If you need to authorize access to other security groups, use the following parameters: IpProtocol, PortRange, SourcePortRange (optional), NicType, Policy, DestCiderIp (optional), DestGroupOwnerAccount, and DestGroupId.
Debug
Use OpenAPI Explorer to perform debug operations and generate SDK code examples.
Request parameters
| Name | Type | Required? | Example value | Description |
|---|---|---|---|---|
| IpProtocol | String | Yes | tcp | The transport layer protocol. Case insensitive. Valid values:
|
| PortRange | String | Yes | 80/80 | The range of the ports enabled by the source security group for the transport layer protocol. Valid values:
|
| RegionId | String | Yes | cn-hangzhou | The ID of the region to which the source security group belongs. To view the latest list of Alibaba Cloud regions, call DescribeRegions. |
| SecurityGroupId | String | Yes | sg-securitygroupid1 | The ID of the source security group. |
| Action | String | No | ModifySecurityGroupEgressRule | The name of this action. Value: ModifySecurityGroupRule |
| ClientToken | String | No | 123e4567-e89b-12d3-a456-426655440000 | Guarantees the idempotence of the request. The value is generated by your client and must be globally unique. Only ASCII characters are allowed. It can contain a maximum of 64 ASCII characters. For more information, see How to ensure idempotence. |
| Description | String | No | Thisisanewsecuritygrouprule | The description of the security group rule. The length of the description is 1 to 512 characters. |
| DestCidrIp | String | No | XXX.XX.XXX.XXX/X | The destination CIDR block. CIDR IP addresses and IPv4 addresses are supported. Default value: 0.0.0.0/0 |
| DestGroupId | String | No | sg-securitygroupid22 | The ID of the destination security group. |
| DestGroupOwnerAccount | String | No | EcsforCloud@Alibaba.com | The account to which the destination security group belongs (also known as UID). |
| DestGroupOwnerId | Long | No | 155780923770 | The ID of the account to which the destination security group belongs. |
| Ipv6DestCidrIp | String | No | 2001:db8:1234:1a00::XXX | The destination CIDR block. CIDR IP addresses and IPv6 addresses are supported. |
| Ipv6SourceCidrIp | String | No | 2001:db8:1234:1a00::XXX | The source CIDR block. CIDR IP addresses and IPv6 addresses are supported. |
| NicType | String | No | internet | The NIC type. Valid values:
If you configure mutual access between security groups (that is, DestGroupId is specified but DestCidrIp is not), the value of NicType must be intranet. |
| Policy | String | No | accept | The access permission. Valid values:
Default value: accept |
| Priority | String | No | 1 | The priority of the security group. Value range: 1 to 100 Default value: 1 |
| SourceCidrIp | String | No | XXX.XX.XXX.XXX/X | The source CIDR block. CIDR IP addresses and IPv4 addresses are supported. |
| SourcePortRange | String | No | 80/80 | The range of the ports enabled by the source security group for the transport layer protocol. Valid values:
|
Response parameters
| Name | Type | Example value | Description |
|---|---|---|---|
| RequestId | String | 473469C7-AA6F-4DC5-B3DB-A3DC0DE3C83E | The request ID. |
Example
Request example
https://ecs.aliyuncs.com/?Action=ModifySecurityGroupEgressRule
&SecurityGroupId=sg-F876FF7BA
&SourceGroupId=sg-1651FBB64
&SourceGroupOwnerAccount=test@aliyun.com
&IpProtocol=tcp
&PortRange=80/80
&Policy=allow
&Description=Thisisanewsecuritygrouprule.
&<Common Request Parameters> Response example
XML format
<ModifySecurityGroupEgressRuleResponse>
<RequestId>CEF72CEB-54B6-4AE8-B225-F876FF7BA984</RequestId>
</ModifySecurityGroupEgressRuleResponse> JSON format
{
"RequestId":"CEF72CEB-54B6-4AE8-B225-F876FF7BA984"
}Errors
| HTTP status code | Error code | Error message | Meaning |
|---|---|---|---|
| 404 | InvalidSecurityGroupId.NotFound | The specified SecurityGroupId does not exist. | The specified security group does not exist under this account. Check whether the security group ID is correct. |
| 404 | InvalidDestGroupId.NotFound | The DestGroupId provided does not exist in our records. | The specified destination security group does not exist. |
| 400 | OperationDenied | The specified IpProtocol does not exist or IpProtocol and PortRange do not match. | The specified IP Protocol does not exist, or does not match the port range. |
| 400 | InvalidIpProtocol.Malformed | The specified parameter "PortRange" is not valid. | The format of the specified IP Protocol is invalid. |
| 403 | InvalidDestGroupId.Mismatch | NicType is required or NicType expects intranet. | You must specify NicType or specify the access as intranet. |
| 400 | InvalidDestCidrIp.Malformed | The specified parameter "DestCidrIp" is not valid. | The specified DestCidrIp is invalid. Check whether this parameter is correct. |
| 403 | MissingParameter | The input parameter "DestGroupId" or "DestCidrIp" cannot be both blank. | The parameters DestGroupId and DestCidrIp cannot be both blank. |
| 400 | InvalidPolicy.Malformed | The specified parameter "Policy" is not valid. | The specified Policy is invalid. Check whether this parameter is correct. |
| 400 | InvalidNicType.ValueNotSupported | The specified NicType does not exist. | The specified NIC type does not exist. |
| 400 | InvalidNicType.Mismatch | Specified nic type conflicts with the authorization record. | The specified NIC type conflicts with the authorized type. |
| 403 | AuthorizationLimitExceed | The limit of authorization records in the security group reaches. | The number of security group rules reaches the upper limit. Check whether the security group rules are set correctly. |
| 403 | InvalidParamter.Conflict | The specified SecurityGroupId should be different from the SourceGroupId. | The source security group must be different from the destination security group. |
| 400 | InvalidDestGroupId.Mismatch | Specified security group and destination group are not in the same VPC. | The specified security group is not in the same VPC as the destination security group. |
| 400 | InvalidDestGroup.NotFound | Specified destination security group does not exist. | The specified destination security group does not exist. |
| 400 | VPCDisabled | Can't use the SecurityGroup in VPC. | The VPC does not support security groups. |
| 400 | InvalidPriority.Malformed | The specified parameter "Priority" is not valid. | The specified Priority is invalid. |
| 400 | InvalidPriority.ValueNotSupported | The specified Priority is invalid. | The specified Priority is invalid. |
| 400 | InvalidDestCidrIp.Malformed | The specified parameter DestCidrIp is not valid. | The specified DestCidrIp is invalid. Check whether this parameter is correct. |
| 500 | InternalError | The request processing has failed due to some unknown error. | An internal error occurs. Try again. If the error persists, open a ticket. |
| 403 | InvalidNetworkType.Conflict | The specified SecurityGroup network type should be same with SourceGroup network type (vpc or classic). | The network type of the specified SecurityGroup must be the same as that of SouceGroup. |
| 403 | InvalidSecurityGroup.IsSame | The authorized SecurityGroupId should be different from the DestGroupId. | The authorized SecurityGroupId cannot be the same as DestGroupId. |
| 400 | InvalidNicType.ValueNotSupported | The specified NicType is not valid. | The specified NIC type does not exist. |
| 400 | InvalidSecurityGroupDiscription.Malformed | The specified security group rule description is not valid. | The description of the specified security group rule is invalid. |
| 404 | SecurityGroupRule.NotFound | The target security group rule do not exist. | The target security group rule does not exist. |
| 400 | InvalidSecurityGroup.InvalidNetworkType | The specified security group network type is not support this operation, please check the security group network types. For VPC security groups, ClassicLink must be enabled. | The specified network type is invalid. |
| 400 | MissingParameter.Dest | The parameter DestCidrIp or DestGroupId is essential. | The fields for both DestCidrIp and DestGroupId cannot be blank. |
| 400 | InvalidParam.PortRange | The specified param PortRange or SourcePortRange is not valid. should be integer and less than 65535, range separator is '/'. | The specified parameter is invalid. |
| 400 | InvalidIpProtocol.ValueNotSupported | The specified parameter IpProtocol should not be null and only tcp, udp, icmp, gre or all is supported. Ignore case. | The specified protocol must be TCP, UDP, ICMP, GRE, or All. |
| 400 | InvalidPriority.ValueNotSupported | The parameter Priority is invalid. | The specified Priority is invalid. |
| 400 | InvalidParam.SourceIp | %s | The specified source IP address is invalid. |
| 400 | InvalidParam.DestIp | %s | The specified destination IP address is invalid. |
| 400 | InvalidParam.Ipv6DestCidrIp | %s | The specified destination IP address (IPv6 address) is invalid. |
| 400 | InvalidParam.Ipv6SourceCidrIp | %s | The specified source IP address (IPv6 address) is invalid. |
| 400 | InvalidParam.Ipv4ProtocolConflictWithIpv6Address | %s | An IPv4 CIDR block and an IPv6 CIDR block cannot exist at the same time. |
| 400 | InvalidParam.Ipv6ProtocolConflictWithIpv4Address | %s | An IPv6 CIDR block and an IPv4 CIDR block cannot exist at the same time. |
| 400 | ILLEGAL_IPV6_CIDR | %s | The specified IPv6 CIDR block is invalid. |
For a list of error codes, visit the API Error Center.