AuthorizeSecurityGroup

Last Updated: Mar 28, 2018

Description

Adds an inbound rule to a security group. An inbound rule accepts or drops traffic sent from other devices to the instances in the specified security group. The device where the traffic originates is the source and the device it arrives at is the destination, as shown in the following picture.

(Figure: IngressRule)

When you call this interface, consider the following:

  • You can add up to 100 authorization rules to one security group.

  • An authorization policy is either accept or drop.

  • The Priority of a security group rule ranges from 1 to 100; the smaller the number, the higher the priority.

  • If several authorization rules have the same priority, drop rules take precedence.

  • Source device

    • From an IP address range (SourceCidrIp). For a classic network-connected security group you can set the network interface (NicType) to the Internet interface (internet) or the intranet interface (intranet); for a VPC-connected security group you can only set NicType to the Internet interface (internet). For more information, see Request example 1.

    • From the instances in another security group (SourceGroupId). In this case you can only set the network interface (NicType) to the intranet interface (intranet).

      • Classic network-connected security group: the instances are in a classic network-connected security group, which can be yours or one created by another Alibaba Cloud account.

      • VPC-connected security group: the instances are in a VPC-connected security group that is in the same VPC as the destination security group.

        For more information, see Request example 2.

  • A security group rule is defined by one of the following two sets of parameters. If a rule with the same values for the applicable set already exists, AuthorizeSecurityGroup fails.

    • To set the access permission of an IP address range (see Request example 1): IpProtocol, PortRange, (Optional) SourcePortRange, NicType, Policy, (Optional) DestCidrIp, and SourceCidrIp.

    • To set the access permission of instances that are in another security group (see Request example 2): IpProtocol, PortRange, (Optional) SourcePortRange, NicType, Policy, (Optional) DestCidrIp, SourceGroupOwnerAccount, and SourceGroupId.

Two APIs, AuthorizeSecurityGroup and AuthorizeSecurityGroupEgress, are provided for adding security group rules. AuthorizeSecurityGroup adds the inbound rules of a security group, while AuthorizeSecurityGroupEgress adds the outbound rules.

Request parameters

Name Type Required Description
Action String Yes The name of this interface. Value: AuthorizeSecurityGroup.
RegionId String Yes The region ID. For more information, see Regions and zones, or call DescribeRegions to obtain the latest region list.
SecurityGroupId String Yes The ID of the destination security group.
Priority String No The authorization policy priority. Value range: [1, 100].
Default value: 1.
Description String No The security group rule description, which can contain up to 512 characters.
IpProtocol String Yes The transport layer protocol. Optional values:
  • icmp
  • gre
  • tcp
  • udp
  • all
These values are case-insensitive.
NicType String No The network type. Optional values:
  • internet
  • intranet
When SourceGroupId is specified and SourceCidrIp is not (mutual security group authorization), you must set NicType to intranet.
Default value: internet.
Policy String No The access permission. Optional values:
  • accept: Allows the access.
  • drop: Declines the access, and sends no response to the source device.
Default value: accept.
PortRange String Yes The destination port range, which depends on the transport layer protocol. Optional values:
  • For TCP/UDP, a range within [1, 65535], written as low/high with a forward slash (/) as the separator. Valid sample: 1/200. Invalid sample: 200/1.
  • For ICMP, -1/-1.
  • For GRE, -1/-1.
  • For all protocols (IpProtocol=all), -1/-1.
SourcePortRange String Yes The source port range, which depends on the transport layer protocol. Optional values:
  • For TCP/UDP, a range within [1, 65535], written as low/high with a forward slash (/) as the separator. Valid sample: 1/200. Invalid sample: 200/1.
  • For ICMP, -1/-1.
  • For GRE, -1/-1.
  • For all protocols (IpProtocol=all), -1/-1.
DestCidrIp String No The destination IP address range. Only IPv4 addresses in CIDR notation are supported.
Default value: 0.0.0.0/0.
SourceCidrIp String No The source IP address range. Only IPv4 addresses in CIDR notation are supported.
Default value: 0.0.0.0/0.
SourceGroupId String No The source security group ID. Either SourceGroupId or SourceCidrIp must be set. If both are set, the rule is authorized based on SourceCidrIp. If SourceGroupId is specified and SourceCidrIp is not, NicType must be set to intranet.
SourceGroupOwnerAccount String No The Alibaba Cloud account of the source security group. If neither SourceGroupOwnerAccount nor SourceGroupOwnerId is set, authorization is performed for security groups of the same account. If SourceCidrIp is set, SourceGroupOwnerAccount is invalid.
SourceGroupOwnerId String No The Alibaba Cloud account ID of the source security group. If neither SourceGroupOwnerAccount nor SourceGroupOwnerId is set, authorization is performed for security groups of the same account. If SourceCidrIp is set, SourceGroupOwnerId is invalid.
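The constraints above (protocol-dependent PortRange format, the SourceGroupId/SourceCidrIp rules, the NicType=intranet requirement for group-to-group authorization, the Priority range) are all things a caller can check before sending the request, and a defender will also want to see how wide a new accept rule is before it lands. The following Python helper is an added example written for this page, not Alibaba Cloud SDK code; the function names (build_authorize_params, exposure_warnings, build_request_url) are hypothetical, only the action-specific parameters are built, and the signed common request parameters are assumed to be added by an SDK or a separate signing step.

```python
import ipaddress
import re
from urllib.parse import urlencode

ENDPOINT = "https://ecs.aliyuncs.com/"  # endpoint used in the page's request examples

# Value sets the page lists for IpProtocol (case-insensitive), Policy and NicType.
PROTOCOLS = {"icmp", "gre", "tcp", "udp", "all"}
POLICIES = {"accept", "drop"}
NIC_TYPES = {"internet", "intranet"}


class RuleValidationError(ValueError):
    """A parameter combination the page's error-code table says the API rejects."""


def validate_port_range(ip_protocol, port_range):
    """TCP/UDP: low/high within 1..65535 with low <= high (1/200 ok, 200/1 not).
    ICMP, GRE and all: exactly -1/-1."""
    proto = ip_protocol.lower()
    if proto in ("tcp", "udp"):
        m = re.fullmatch(r"(\d+)/(\d+)", port_range)
        if not m:
            raise RuleValidationError(f"{port_range!r}: expected low/high for {proto}")
        low, high = int(m.group(1)), int(m.group(2))
        if not 1 <= low <= high <= 65535:
            raise RuleValidationError(f"{port_range!r}: ports must be 1..65535, low <= high")
    elif port_range != "-1/-1":
        raise RuleValidationError(f"{port_range!r}: {proto} requires -1/-1")


def validate_cidr(name, value):
    # The page allows only IPv4 CIDR notation; accepting host bits is our assumption.
    try:
        ipaddress.IPv4Network(value, strict=False)
    except ValueError as exc:
        raise RuleValidationError(f"{name}={value!r} is not an IPv4 CIDR block") from exc


def build_authorize_params(region_id, security_group_id, ip_protocol, port_range, *,
                           policy="accept", priority=1, nic_type="internet",
                           source_cidr_ip=None, source_group_id=None,
                           source_group_owner_account=None, source_port_range=None,
                           dest_cidr_ip=None, description=None):
    """Return the action-specific query parameters for one inbound rule."""
    proto = ip_protocol.lower()
    if proto not in PROTOCOLS:
        raise RuleValidationError(f"IpProtocol {ip_protocol!r} not in {sorted(PROTOCOLS)}")
    if policy not in POLICIES:
        raise RuleValidationError(f"Policy must be one of {sorted(POLICIES)}")
    if not 1 <= int(priority) <= 100:
        raise RuleValidationError("Priority must be in [1, 100]")
    if nic_type not in NIC_TYPES:
        raise RuleValidationError(f"NicType must be one of {sorted(NIC_TYPES)}")
    if description is not None and len(description) > 512:
        raise RuleValidationError("Description is limited to 512 characters")
    validate_port_range(proto, port_range)
    if source_port_range is not None:
        validate_port_range(proto, source_port_range)
    # MissingParameter: SourceGroupId and SourceCidrIp cannot both be blank.
    if not source_cidr_ip and not source_group_id:
        raise RuleValidationError("one of SourceCidrIp or SourceGroupId is required")
    # InvalidParamter.Conflict: a group cannot be its own source group.
    if source_group_id == security_group_id:
        raise RuleValidationError("SourceGroupId must differ from SecurityGroupId")
    # InvalidSourceGroupId.Mismatch: group-to-group authorization needs NicType=intranet.
    if source_group_id and not source_cidr_ip and nic_type != "intranet":
        raise RuleValidationError("NicType must be intranet when only SourceGroupId is set")
    if source_cidr_ip:
        validate_cidr("SourceCidrIp", source_cidr_ip)
    if dest_cidr_ip:
        validate_cidr("DestCidrIp", dest_cidr_ip)

    params = {"Action": "AuthorizeSecurityGroup", "RegionId": region_id,
              "SecurityGroupId": security_group_id, "IpProtocol": proto,
              "PortRange": port_range, "Policy": policy, "Priority": str(priority),
              "NicType": nic_type}
    optional = {"SourceCidrIp": source_cidr_ip, "SourceGroupId": source_group_id,
                "SourceGroupOwnerAccount": source_group_owner_account,
                "SourcePortRange": source_port_range, "DestCidrIp": dest_cidr_ip,
                "Description": description}
    params.update({k: v for k, v in optional.items() if v is not None})
    return params


def exposure_warnings(params):
    """Review an accept rule before sending it: list the ways it widens exposure."""
    warnings = []
    if params["Policy"] != "accept":
        return warnings
    src = params.get("SourceCidrIp")
    if src and ipaddress.IPv4Network(src, strict=False).prefixlen == 0:
        warnings.append("SourceCidrIp 0.0.0.0/0 accepts traffic from any address")
    if params["IpProtocol"] == "all":
        warnings.append("IpProtocol=all accepts every protocol")
    elif params["IpProtocol"] in ("tcp", "udp") and params["PortRange"] == "1/65535":
        warnings.append("PortRange 1/65535 accepts every port")
    if src and params.get("SourceGroupId"):
        warnings.append("SourceCidrIp and SourceGroupId both set; only SourceCidrIp is authorized")
    return warnings


def build_request_url(params):
    """Query string for the action parameters only. The common request parameters
    (AccessKeyId, Signature, Timestamp, ...) are added by the SDK or a signing step."""
    return ENDPOINT + "?" + urlencode(sorted(params.items()))
```

Typical use is to call build_authorize_params with the intended rule, run exposure_warnings on the result, and only then hand the parameters to the signing step; a rule that accepts 0.0.0.0/0 on 1/65535 (as in Request example 1) is reported, while a drop rule or a rule limited to an internal CIDR produces no warnings.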

Response parameters

All are common parameters. For more information, see Common parameters.

Examples

For more information about how to add a security group rule, see Scenarios.

Request example 1

Grant access permission to a specified IP address range.

  https://ecs.aliyuncs.com/?Action=AuthorizeSecurityGroup
  &SecurityGroupId=sg-F876FF7BA
  &SourceCidrIp=0.0.0.0/0
  &IpProtocol=tcp
  &PortRange=1/65535
  &NicType=intranet
  &Policy=accept
  &<Common Request Parameters>

Request example 2

Decline the access permission of another security group.

  https://ecs.aliyuncs.com/?Action=AuthorizeSecurityGroup
  &SecurityGroupId=sg-F876FF7BA
  &SourceGroupId=sg-1651FBB64
  &SourceGroupOwnerAccount=test@aliyun.com
  &IpProtocol=tcp
  &PortRange=1/65535
  &NicType=intranet
  &Policy=drop
  &<Common Request Parameters>

Response example

XML format

  <AuthorizeSecurityGroupResponse>
    <RequestId>CEF72CEB-54B6-4AE8-B225-F876FF7BA984</RequestId>
  </AuthorizeSecurityGroupResponse>

JSON format

  {
    "RequestId": "CEF72CEB-54B6-4AE8-B225-F876FF7BA984"
  }

Error codes

Error code Error message HTTP status code Meaning
InvalidIpProtocol.Malformed The specified parameter “PortRange” is not valid. 400 The specified IpProtocol is invalid.
InvalidPriority.Malformed The specified parameter “Priority” is not valid. 400 The specified Priority is invalid.
InvalidSourceCidrIp.Malformed The specified parameter “SourceCidrIp” is not valid. 400 The specified SourceCidrIp is invalid.
InvalidDestCidrIp.Malformed The specified parameter “DestCidrIp” is not valid. 400 The specified DestCidrIp is invalid.
InvalidPolicy.Malformed The specified parameter “Policy” is not valid. 400 The specified Policy is invalid.
InvalidNicType.ValueNotSupported The specified NicType does not exist. 400 The specified NicType does not exist.
InvalidSourceGroupId.Mismatch Specified security group and source group are not in the same VPC. 400 The network type of the specified destination security group is VPC, so the source security group must be VPC-connected.
InvalidNicType.Mismatch Specified nic type conflicts with the authorization record. 400 The specified NicType is invalid.
InvalidSourceGroup.NotFound The specified SourceGroupId does not exist. 400 The specified SourceGroupId does not exist.
InvalidPriority.ValueNotSupported The specified Priority is invalid. 400 The specified Priority is invalid.
InvalidSecurityGroupDiscription.Malformed The specified security group rule description is not valid. 400 The specified Description is invalid.
OperationDenied The specified IpProtocol does not exist or IpProtocol and PortRange do not match. 400 The specified IpProtocol does not exist. Or the IpProtocol and the PortRange are incorrectly matched.
AuthorizationLimitExceed The maximum number of authorization rules in the security group is exceeded. 403 You cannot add more than 100 authorization rules to one security group.
InvalidSourceGroupId.Mismatch NicType is required or NicType expects intranet. 403 You must specify the NicType. Or the NicType must be set to intranet.
InvalidNetworkType.Mismatch The specified SecurityGroup network type should be same with SourceGroup network type (vpc or classic). 403 The security group and the source security group must have the same network type (VPC or classic).
InvalidParamter.Conflict The specified SecurityGroupId should be different from the SourceGroupId. 403 The SecurityGroupId and SourceGroupId cannot be the same security group.
MissingParameter The input parameter “SourceGroupId” or “SourceCidrIp” cannot be both blank. 403 You must specify the SourceGroupId or SourceCidrIp.
InvalidSourceGroupId.NotFound The SourceGroupId provided does not exist in our records. 404 The specified SourceGroup does not exist.
InvalidSecurityGroupId.NotFound The specified SecurityGroupId does not exist. 404 The specified SecurityGroupId does not exist.
InvalidRegionId.NotFound The specified RegionId does not exist. 404 The specified RegionId does not exist.