Modifies the egress rule of a security group. If you have not created a security group rule, you can call AuthorizeSecurityGroupEgress to create one.

Description

According to your access authorization requirements, you can define an egress rule for a security group by using either of the following groups of parameters:

  • If you need to authorize access to a specified CIDR block, use the following parameters: IpProtocol, PortRange, SourcePortRange (optional), NicType, Policy, DestCidrIp, and SourceCidrIp (optional).
  • If you need to authorize access to other security groups, use the following parameters: IpProtocol, PortRange, SourcePortRange (optional), NicType, Policy, DestCidrIp (optional), DestGroupOwnerAccount, and DestGroupId.

Debug

Use OpenAPI Explorer to perform debug operations and generate SDK code examples.

Request parameters

Name Type Required? Example value Description
IpProtocol String Yes tcp

The transport layer protocol. Case insensitive. Valid values:

  • icmp
  • gre
  • tcp
  • udp
  • all: supports all protocols

PortRange String Yes 80/80

The range of the ports enabled by the source security group for the transport layer protocol. Valid values:

  • TCP/UDP. Value range: 1 to 65535. The start port and the end port are separated by a slash (/). Correct example: 1/200. Incorrect example: 200/1.
  • ICMP: -1/-1.
  • GRE: -1/-1.
  • ALL: -1/-1.

RegionId String Yes cn-hangzhou

The ID of the region to which the source security group belongs. To view the latest list of Alibaba Cloud regions, call DescribeRegions.

SecurityGroupId String Yes sg-securitygroupid1

The ID of the source security group.

Action String No ModifySecurityGroupEgressRule

The name of this action. Value: ModifySecurityGroupEgressRule

ClientToken String No 123e4567-e89b-12d3-a456-426655440000

Guarantees the idempotence of the request. The value is generated by your client and must be globally unique. Only ASCII characters are allowed. It can contain a maximum of 64 ASCII characters. For more information, see How to ensure idempotence.

Description String No Thisisanewsecuritygrouprule

The description of the security group rule. The length of the description is 1 to 512 characters.

DestCidrIp String No XXX.XX.XXX.XXX/X

The destination CIDR block. CIDR IP addresses and IPv4 addresses are supported. Default value: 0.0.0.0/0

DestGroupId String No sg-securitygroupid22

The ID of the destination security group.

DestGroupOwnerAccount String No EcsforCloud@Alibaba.com

The account to which the destination security group belongs (also known as UID).

DestGroupOwnerId Long No 155780923770

The ID of the account to which the destination security group belongs.

Ipv6DestCidrIp String No 2001:db8:1234:1a00::XXX

The destination CIDR block. CIDR IP addresses and IPv6 addresses are supported.

Ipv6SourceCidrIp String No 2001:db8:1234:1a00::XXX

The source CIDR block. CIDR IP addresses and IPv6 addresses are supported.

NicType String No internet

The NIC type. Valid values:

  • internet: Internet NIC.
  • intranet: intranet NIC.

If you configure mutual access between security groups (that is, DestGroupId is specified but DestCidrIp is not), the value of NicType must be intranet.

Policy String No accept

The access permission. Valid values:

  • accept: admits access.
  • drop: denies access. No denied access message is returned.

Default value: accept

Priority String No 1

The priority of the security group rule. Value range: 1 to 100

Default value: 1

SourceCidrIp String No XXX.XX.XXX.XXX/X

The source CIDR block. CIDR IP addresses and IPv4 addresses are supported.

SourcePortRange String No 80/80

The range of the ports enabled by the source security group for the transport layer protocol. Valid values:

  • TCP/UDP. Value range: 1 to 65535. The start port and the end port are separated by a slash (/). Correct example: 1/200. Incorrect example: 200/1.
  • ICMP: -1/-1.
  • GRE: -1/-1.
  • ALL: -1/-1.
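
The parameter rules above can be checked on the client before the request is sent, so a malformed or broader-than-intended rule is caught in review rather than by the API. The following is an added example, not Alibaba Cloud SDK code: the function names validate_egress_rule and port_range_ok are hypothetical, the pairing of each check with an error code from the Errors table is an assumption, and the sample requests are constructed.

```python
import ipaddress

# Error codes are from this page's Errors table; the mapping to each check is an assumption.
PROTOCOLS = {"tcp", "udp", "icmp", "gre", "all"}

def port_range_ok(proto, value):
    try:
        start, end = (int(x) for x in str(value).split("/"))
    except ValueError:                      # not exactly two integers
        return False
    if proto in ("tcp", "udp"):
        return 1 <= start <= end <= 65535   # 1/200 is valid, 200/1 is not
    return (start, end) == (-1, -1)         # icmp, gre, all

def validate_egress_rule(p):
    errors = []
    proto = str(p.get("IpProtocol", "")).lower()        # case insensitive
    if proto not in PROTOCOLS:
        errors.append("InvalidIpProtocol.ValueNotSupported")
    else:
        ranges = [p.get("PortRange", "")] + [p[k] for k in ("SourcePortRange",) if k in p]
        if not all(port_range_ok(proto, r) for r in ranges):
            errors.append("InvalidParam.PortRange")
    group, cidr = p.get("DestGroupId"), p.get("DestCidrIp")
    if not (group or cidr or p.get("Ipv6DestCidrIp")):  # IPv6-only allowed: assumption
        errors.append("MissingParameter.Dest")
    if cidr:
        try:
            if ipaddress.ip_network(cidr, strict=False).version != 4:
                raise ValueError(cidr)
        except ValueError:
            errors.append("InvalidDestCidrIp.Malformed")
        if p.get("Ipv6DestCidrIp") or p.get("Ipv6SourceCidrIp"):
            errors.append("InvalidParam.Ipv4ProtocolConflictWithIpv6Address")
    nic = p.get("NicType")
    if nic not in (None, "internet", "intranet"):
        errors.append("InvalidNicType.ValueNotSupported")
    elif group and not cidr and nic != "intranet":      # group-to-group rule
        errors.append("InvalidDestGroupId.Mismatch")
    if p.get("Policy", "accept") not in ("accept", "drop"):
        errors.append("InvalidPolicy.Malformed")
    prio = str(p.get("Priority", "1"))
    if not (prio.isascii() and prio.isdigit() and 1 <= int(prio) <= 100):
        errors.append("InvalidPriority.ValueNotSupported")
    return errors

BAD = {"SecurityGroupId": "sg-example1", "DestGroupId": "sg-example2",  # constructed sample
       "IpProtocol": "TCP", "PortRange": "200/1", "Policy": "allow"}
GOOD = dict(BAD, PortRange="80/80", Policy="accept", NicType="intranet")
```
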

Response parameters

Name Type Example value Description
RequestId String 473469C7-AA6F-4DC5-B3DB-A3DC0DE3C83E

The request ID.

Example

Request example

https://ecs.aliyuncs.com/?Action=ModifySecurityGroupEgressRule
&RegionId=cn-hangzhou
&SecurityGroupId=sg-F876FF7BA
&DestGroupId=sg-1651FBB64
&DestGroupOwnerAccount=test@aliyun.com
&NicType=intranet
&IpProtocol=tcp
&PortRange=80/80
&Policy=accept
&Description=Thisisanewsecuritygrouprule.
&<Common Request Parameters>

Response example

XML format

<ModifySecurityGroupEgressRuleResponse>
  <RequestId>CEF72CEB-54B6-4AE8-B225-F876FF7BA984</RequestId>
</ModifySecurityGroupEgressRuleResponse>            

JSON format

{
    "RequestId":"CEF72CEB-54B6-4AE8-B225-F876FF7BA984"
}

Errors

| HTTP status code | Error code | Error message | Meaning |
|---|---|---|---|
| 404 | InvalidSecurityGroupId.NotFound | The specified SecurityGroupId does not exist. | The specified security group does not exist under this account. Check whether the security group ID is correct. |
| 404 | InvalidDestGroupId.NotFound | The DestGroupId provided does not exist in our records. | The specified destination security group does not exist. |
| 400 | OperationDenied | The specified IpProtocol does not exist or IpProtocol and PortRange do not match. | The specified IP Protocol does not exist, or does not match the port range. |
| 400 | InvalidIpProtocol.Malformed | The specified parameter "PortRange" is not valid. | The format of the specified IP Protocol is invalid. |
| 403 | InvalidDestGroupId.Mismatch | NicType is required or NicType expects intranet. | You must specify NicType or specify the access as intranet. |
| 400 | InvalidDestCidrIp.Malformed | The specified parameter "DestCidrIp" is not valid. | The specified DestCidrIp is invalid. Check whether this parameter is correct. |
| 403 | MissingParameter | The input parameter "DestGroupId" or "DestCidrIp" cannot be both blank. | The parameters DestGroupId and DestCidrIp cannot be both blank. |
| 400 | InvalidPolicy.Malformed | The specified parameter "Policy" is not valid. | The specified Policy is invalid. Check whether this parameter is correct. |
| 400 | InvalidNicType.ValueNotSupported | The specified NicType does not exist. | The specified NIC type does not exist. |
| 400 | InvalidNicType.Mismatch | Specified nic type conflicts with the authorization record. | The specified NIC type conflicts with the authorized type. |
| 403 | AuthorizationLimitExceed | The limit of authorization records in the security group reaches. | The number of security group rules reaches the upper limit. Check whether the security group rules are set correctly. |
| 403 | InvalidParamter.Conflict | The specified SecurityGroupId should be different from the SourceGroupId. | The source security group must be different from the destination security group. |
| 400 | InvalidDestGroupId.Mismatch | Specified security group and destination group are not in the same VPC. | The specified security group is not in the same VPC as the destination security group. |
| 400 | InvalidDestGroup.NotFound | Specified destination security group does not exist. | The specified destination security group does not exist. |
| 400 | VPCDisabled | Can't use the SecurityGroup in VPC. | The VPC does not support security groups. |
| 400 | InvalidPriority.Malformed | The specified parameter "Priority" is not valid. | The specified Priority is invalid. |
| 400 | InvalidPriority.ValueNotSupported | The specified Priority is invalid. | The specified Priority is invalid. |
| 400 | InvalidDestCidrIp.Malformed | The specified parameter DestCidrIp is not valid. | The specified DestCidrIp is invalid. Check whether this parameter is correct. |
| 500 | InternalError | The request processing has failed due to some unknown error. | An internal error occurs. Try again. If the error persists, open a ticket. |
| 403 | InvalidNetworkType.Conflict | The specified SecurityGroup network type should be same with SourceGroup network type (vpc or classic). | The network type of the specified SecurityGroup must be the same as that of SourceGroup. |
| 403 | InvalidSecurityGroup.IsSame | The authorized SecurityGroupId should be different from the DestGroupId. | The authorized SecurityGroupId cannot be the same as DestGroupId. |
| 400 | InvalidNicType.ValueNotSupported | The specified NicType is not valid. | The specified NIC type does not exist. |
| 400 | InvalidSecurityGroupDiscription.Malformed | The specified security group rule description is not valid. | The description of the specified security group rule is invalid. |
| 404 | SecurityGroupRule.NotFound | The target security group rule do not exist. | The target security group rule does not exist. |
| 400 | InvalidSecurityGroup.InvalidNetworkType | The specified security group network type is not support this operation, please check the security group network types. For VPC security groups, ClassicLink must be enabled. | The specified network type is invalid. |
| 400 | MissingParameter.Dest | The parameter DestCidrIp or DestGroupId is essential. | The fields for both DestCidrIp and DestGroupId cannot be blank. |
| 400 | InvalidParam.PortRange | The specified param PortRange or SourcePortRange is not valid. should be integer and less than 65535, range separator is '/'. | The specified parameter is invalid. |
| 400 | InvalidIpProtocol.ValueNotSupported | The specified parameter IpProtocol should not be null and only tcp, udp, icmp, gre or all is supported. Ignore case. | The specified protocol must be TCP, UDP, ICMP, GRE, or All. |
| 400 | InvalidPriority.ValueNotSupported | The parameter Priority is invalid. | The specified Priority is invalid. |
| 400 | InvalidParam.SourceIp | %s | The specified source IP address is invalid. |
| 400 | InvalidParam.DestIp | %s | The specified destination IP address is invalid. |
| 400 | InvalidParam.Ipv6DestCidrIp | %s | The specified destination IP address (IPv6 address) is invalid. |
| 400 | InvalidParam.Ipv6SourceCidrIp | %s | The specified source IP address (IPv6 address) is invalid. |
| 400 | InvalidParam.Ipv4ProtocolConflictWithIpv6Address | %s | An IPv4 CIDR block and an IPv6 CIDR block cannot exist at the same time. |
| 400 | InvalidParam.Ipv6ProtocolConflictWithIpv4Address | %s | An IPv6 CIDR block and an IPv4 CIDR block cannot exist at the same time. |
| 400 | ILLEGAL_IPV6_CIDR | %s | The specified IPv6 CIDR block is invalid. |

For a list of error codes, visit the API Error Center.