You can call this operation to modify the description of outbound rules of a security group. You can modify only the description by calling this operation. If you want to modify the policies, port ranges, and authorization objects of security group rules, log on to the ECS console.
Description
You can determine an outbound rule by specifying one of the following groups of parameters. You cannot determine a security group rule by specifying only one parameter.
- Parameters used to specify an outbound security group rule that controls access to a specified CIDR block: IpProtocol, PortRange, SourcePortRange (optional), NicType, Policy, DestCidrIp, and SourceCidrIp (optional).
- Parameters used to specify an outbound security group rule that controls access to a specified security group: IpProtocol, PortRange, SourcePortRange (optional), NicType, Policy, DestCiderIp (optional), DestGroupOwnerAccount, and DestGroupId.
Debugging
Request parameters
| Parameter | Type | Required | Example | Description |
|---|---|---|---|---|
| Action | String | Yes | ModifySecurityGroupEgressRule |
The operation that you want to perform. Set the value to ModifySecurityGroupEgressRule. |
| IpProtocol | String | Yes | tcp |
The transport layer protocol. The value is case-insensitive. Valid values:
|
| PortRange | String | Yes | 80/80 |
The range of destination ports relevant to the transport layer protocol. Valid values:
|
| RegionId | String | Yes | cn-hangzhou |
The region ID of the source security group. You can call the DescribeRegions operation to query the most recent region list. |
| SecurityGroupId | String | Yes | sg-bp67acfmxazb4p**** |
The ID of the source security group. |
| DestGroupId | String | No | sg-bp67acfmxazb4p**** |
The ID of the destination security group. |
| DestGroupOwnerId | Long | No | 1234567890 |
The ID of the Alibaba Cloud account (UID) that manages the destination security group. |
| DestGroupOwnerAccount | String | No | EcsforCloud@Alibaba.com |
The name of the Alibaba Cloud account that manages the destination security group. |
| DestCidrIp | String | No | 10.0.0.0/8 |
The range of destination IP addresses. CIDR blocks and IPv4 addresses are supported. This parameter is empty by default. |
| Ipv6DestCidrIp | String | No | 2001:db8:1233:1a00::*** |
The range of destination IPv6 addresses. CIDR blocks and IPv6 addresses are supported. This parameter is empty by default. |
| SourceCidrIp | String | No | 10.0.0.0/8 |
The range of source IP addresses. CIDR blocks and IPv4 addresses are supported. This parameter is empty by default. |
| Ipv6SourceCidrIp | String | No | 2001:db8:1234:1a00::*** |
The range of source IPv6 addresses. CIDR blocks and IPv6 addresses are supported. This parameter is empty by default. |
| SourcePortRange | String | No | 80/80 |
The range of source ports relevant to the transport layer protocol. Valid values:
|
| Policy | String | No | accept |
The access control policy. Valid values:
Default value: accept. |
| Priority | String | No | 1 |
The priority of the security group rule. Valid values: 1 to 100. Default: 1. |
| NicType | String | No | intranet |
The NIC type of the rule when the security group is in the classic network. Valid values:
Default value: internet. The NicType parameter can be set to only intranet in the following cases:
|
| ClientToken | String | No | 123e4567-e89b-12d3-a456-426655440000 |
The client token that is used to ensure the idempotence of the request. You can use the client to generate the value, but you must ensure that it is unique among different requests. The ClientToken value must contain only ASCII characters and cannot exceed 64 characters in length. For more information, see How to ensure idempotence. |
| Description | String | No | This is a new securitygroup rule. |
The description of the security group rule. The description must be 1 to 512 characters in length. |
Response parameters
| Parameter | Type | Example | Description |
|---|---|---|---|
| RequestId | String | 473469C7-AA6F-4DC5-B3DB-A3DC0DE3C83E |
The ID of the request. |
Examples
Sample requests
https://ecs.aliyuncs.com/?Action=ModifySecurityGroupEgressRule
&SecurityGroupId=sg-bp67acfmxazb4p****
&DestGroupId=sg-bp67acfmxazb4p****
&SourceGroupOwnerAccount=EcsforCloud@Alibaba.com
&IpProtocol=tcp
&PortRange=80/80
&Policy=allow
&Description=This is a new securitygroup rule.
&<Common request parameters>Sample success responses
XML format
<ModifySecurityGroupEgressRuleResponse>
<RequestId>CEF72CEB-54B6-4AE8-B225-F876FF7BA984</RequestId>
</ModifySecurityGroupEgressRuleResponse>JSON format
{
"RequestId":"CEF72CEB-54B6-4AE8-B225-F876FF7BA984"
}Error codes
| HTTP status code | Error code | Error message | Description |
|---|---|---|---|
| 404 | InvalidSecurityGroupId.NotFound | The specified SecurityGroupId does not exist. | The error message returned because the specified security group does not exist in this account. Check whether the security group ID is correct. |
| 404 | InvalidDestGroupId.NotFound | The DestGroupId provided does not exist in our records. | The error message returned because the specified DestGroupId parameter does not exist. |
| 400 | OperationDenied | The specified IpProtocol does not exist or IpProtocol and PortRange do not match. | The error message returned because the specified IpProtocol parameter does not exist or does not match the specified PortRange parameter. |
| 400 | InvalidIpProtocol.Malformed | The specified parameter "PortRange" is not valid. | The error message returned because the specified IpProtocol or PortRange parameter is invalid. |
| 403 | InvalidDestGroupId.Mismatch | NicType is required or NicType expects intranet. | The error message returned because the NicType parameter is not specified or is not set to intranet. |
| 400 | InvalidDestCidrIp.Malformed | The specified parameter "DestCidrIp" is not valid. | The error message returned because the specified DestCidrIp parameter is invalid. |
| 403 | MissingParameter | The input parameter "DestGroupId" or "DestCidrIp" cannot be both blank. | The error message returned because the DestGroupId and DestCidrIp parameters cannot be empty at the same time. |
| 400 | InvalidPolicy.Malformed | The specified parameter "Policy" is not valid. | The error message returned because the specified Policy parameter is invalid. |
| 400 | InvalidNicType.ValueNotSupported | The specified NicType does not exist. | The error message returned because the specified NicType parameter does not exist. |
| 400 | InvalidNicType.Mismatch | Specified nic type conflicts with the authorization record. | The error message returned because the specified NIC type conflicts with the authorization record. |
| 403 | AuthorizationLimitExceed | The limit of authorization records in the security group reaches. | The error message returned because the maximum number of authorized security group rules has been reached. Check whether your authorization policy is valid. |
| 403 | InvalidParamter.Conflict | The specified SecurityGroupId should be different from the SourceGroupId. | The error message returned because the specified security group is the same as the source security group. |
| 400 | InvalidDestGroupId.Mismatch | Specified security group and destination group are not in the same VPC. | The error message returned because the specified security group and the destination security group do not belong to the same VPC. |
| 400 | InvalidDestGroup.NotFound | Specified destination security group does not exist. | The error message returned because the specified DestGroupId parameter does not exist. |
| 400 | VPCDisabled | Can't use the SecurityGroup in VPC. | The error message returned because the current VPC does not support security groups. |
| 400 | InvalidPriority.Malformed | The specified parameter "Priority" is not valid. | The error message returned because the specified Priority parameter is invalid. |
| 400 | InvalidPriority.ValueNotSupported | The specified Priority is invalid. | The error message returned because the specified Priority parameter is invalid. |
| 400 | InvalidDestCidrIp.Malformed | The specified parameter DestCidrIp is not valid. | The error message returned because the specified DestCidrIp parameter is invalid. |
| 500 | InternalError | The request processing has failed due to some unknown error. | The error message returned because an internal error has occurred. Try again later. If the problem persists, submit a ticket. |
| 403 | InvalidNetworkType.Conflict | The specified SecurityGroup network type should be same with SourceGroup network type (vpc or classic). | The error message returned because the network type of the specified security group is different from that of the source security group. |
| 403 | InvalidSecurityGroup.IsSame | The authorized SecurityGroupId should be different from the DestGroupId. | The error message returned because the authorized security group cannot be the same as the current destination security group. |
| 400 | InvalidNicType.ValueNotSupported | The specified NicType is not valid. | The error message returned because the specified NicType parameter does not exist. |
| 400 | InvalidSecurityGroupDiscription.Malformed | The specified security group rule description is not valid. | The error message returned because the specified Description parameter is invalid. |
| 404 | SecurityGroupRule.NotFound | The target security group rule do not exist. | The error message returned because the specified security group rule does not exist. |
| 400 | InvalidSecurityGroup.InvalidNetworkType | The specified security group network type is not support this operation, please check the security group network types. For VPC security groups, ClassicLink must be enabled. | The error message returned because the operation is not supported while the security group is of the current network type. You must enable ClassicLink for security groups in VPCs. |
| 400 | MissingParameter.Dest | The parameter DestCidrIp or DestGroupId is essential. | The error message returned because the DestCidrIp and DestGroupId parameters cannot be empty at the same time. |
| 400 | InvalidParam.PortRange | The specified param PortRange or SourcePortRange is not valid. should be integer and less than 65535, range separator is '/'. | The error message returned because the specified PortRange or SourcePortRange parameter is invalid. The parameter values must be integers smaller than 65535 and separated with forward slashes (/). |
| 400 | InvalidIpProtocol.ValueNotSupported | The specified parameter IpProtocol should not be null and only tcp, udp, icmp, gre or all is supported. Ignore case. | The error message returned because the IpProtocol parameter is not set to tcp, udp, icmp, gre, or all. |
| 400 | InvalidPriority.ValueNotSupported | The parameter Priority is invalid. | The error message returned because the specified Priority parameter is invalid. |
| 400 | InvalidParam.SourceIp | %s | The error message returned because the specified SourceCidrIp parameter is invalid. |
| 400 | InvalidParam.DestIp | %s | The error message returned because the specified DestCidrIp parameter is invalid. |
| 400 | InvalidParam.Ipv6DestCidrIp | %s | The error message returned because the specified Ipv6DestCidrIp parameter is invalid. |
| 400 | InvalidParam.Ipv6SourceCidrIp | %s | The error message returned because the specified Ipv6SourceCidrIp parameter is invalid. |
| 400 | InvalidParam.Ipv4ProtocolConflictWithIpv6Address | %s | The error message returned because the specified parameter is invalid. Check whether you have entered an IPv6 address under an IPv4 protocol by mistake. |
| 400 | InvalidParam.Ipv6ProtocolConflictWithIpv4Address | %s | The error message returned because the specified parameter is invalid. Check whether you have entered an IPv4 address under an IPv6 protocol by mistake. |
| 400 | ILLEGAL_IPV6_CIDR | %s | The error message returned because the specified IPv6 address is invalid. |
| 400 | InvalidSourcePortRange.Malformed | The specified parameter "SourcePortRange" is not valid. | The error message returned because the specified SourcePortRange parameter is invalid. |
For a list of error codes, visit the API Error Center.