You can call this operation to query the rules of a security group.

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer. OpenAPI Explorer dynamically generates the sample code of the operation for different SDKs.

Request parameters

Parameter Type Required Example Description
RegionId String Yes cn-hangzhou

The ID of the region to which the security group belongs. You can call the DescribeRegions operation to query the most recent region list.

SecurityGroupId String Yes sg-bp1gxw6bznjjvhu3g***

The ID of the security group.

Action String Yes DescribeSecurityGroupAttribute

The operation that you want to perform. Set the value to DescribeSecurityGroupAttribute.

NicType String No intranet

The NIC type of the security group rule.

  • Valid values of security groups in the classic network:
    • internet
    • intranet
      Note: By default, the parameter is set to internet. For a single call, you can query only security group rules of one NIC type. If you want to query all security group rules, call the operation twice.
  • Valid values of security groups in VPCs:
    • intranet
      Note: By default, the parameter is set to intranet. If you set the parameter to internet or leave the parameter empty, the parameter is automatically set to intranet.
Direction String No all

The direction in which a security group rule is applied. Valid values:

  • egress: Outbound traffic is allowed for the security group.
  • ingress: Inbound traffic is allowed for the security group.
  • all: Both inbound and outbound traffic is allowed for the security group.

Default value: all.

Response parameters

Parameter Type Example Description
Description String FinanceDept

The description of the security group.

InnerAccessPolicy String Accept

The access control policy within the security group. Valid values:

  • Accept: All instances within the security group can communicate with each other.
  • Drop: All instances within the security group are isolated from each other.
Permissions Array

An array consisting of Permission data.

Permission

The permission rules of the security group.

CreateTime String 2018-12-12T07:28:38Z

The time when the security group was created. The time is displayed in UTC.

Description String FinanceDept

The description of the security group.

DestCidrIp String 0.0.0.0/0

The destination CIDR block for outbound authorization.

DestGroupId String sg-securitygroupid1

The ID of the destination security group for outbound authorization.

DestGroupName String SecurityGuard

The name of the destination security group.

DestGroupOwnerAccount String SecurityGuard

The Alibaba Cloud account that manages the destination security group.

Direction String ingress

The allowed direction of traffic.

IpProtocol String TCP

The Internet protocol.

Ipv6DestCidrIp String 2001:db8:1234:1a00::***

The destination IPv6 CIDR block.

Ipv6SourceCidrIp String 2001:db8:1234:1a00::***

The source IPv6 CIDR block.

NicType String intranet

The NIC type of the security group.

Policy String Accept

The authorization policy.

PortRange String 80/80

The port range.

Priority String 1

The rule priority.

SourceCidrIp String 0.0.0.0/0

The source CIDR block for inbound authorization.

SourceGroupId String sg-securitygroupid2

The ID of the source security group for inbound authorization.

SourceGroupName String FinanceDeptJoshua

The name of the source security group.

SourceGroupOwnerAccount String FinanceJoshua

The Alibaba Cloud account that manages the source security group.

SourcePortRange String 80/80

The source port range.

RegionId String cn-hangzhou

The ID of the region.

RequestId String 473469C7-AA6F-4DC5-B3DB-A3DC0DE3C83E

The ID of the request.

SecurityGroupId String sg-bp1gxw6bznjjvhu3g***

The ID of the destination security group.

SecurityGroupName String FinanceJoshua

The name of the destination security group.

VpcId String vpc-bp1opxu1zkhn00gzv2***

The ID of the VPC. If a VPC ID is returned, the network type of the security group is VPC. Otherwise, the network type of the security group is the classic network.

Examples

Sample requests

https://ecs.aliyuncs.com/?Action=DescribeSecurityGroupAttribute
&RegionId=cn-hangzhou
&SecurityGroupId=sg-bp1gxw6bznjjvhu3g***
&<Common request parameters>

Sample success responses

XML format

<DescribeSecurityGroupAttributeResponse>
	  <SecurityGroupId>sg-bp1gxw6bznjjvhu3g***</SecurityGroupId>
	  <InnerAccessPolicy>Accept</InnerAccessPolicy>
	  <SecurityGroupName>FinanceJoshua</SecurityGroupName>
	  <Description>FinanceDept</Description>
	  <RegionId>cn-hangzhou</RegionId>
	  <RequestId>A72322C1-47C0-491E-8088-8B17E4EA859F</RequestId>
	  <Permissions>
		    <Permission>
			      <SourceCidrIp>10.0.0.0/8</SourceCidrIp>
			      <Description></Description>
			      <DestCidrIp></DestCidrIp>
			      <NicType>intranet</NicType>
			      <DestGroupName></DestGroupName>
			      <PortRange>22/22</PortRange>
			      <DestGroupId></DestGroupId>
			      <Ipv6DestCidrIp></Ipv6DestCidrIp>
			      <Direction>ingress</Direction>
			      <Priority>1</Priority>
			      <IpProtocol>TCP</IpProtocol>
			      <SourcePortRange></SourcePortRange>
			      <SourceGroupOwnerAccount></SourceGroupOwnerAccount>
			      <Policy>Accept</Policy>
			      <CreateTime>2018-12-12T07:28:38Z</CreateTime>
			      <SourceGroupId></SourceGroupId>
			      <DestGroupOwnerAccount></DestGroupOwnerAccount>
			      <Ipv6SourceCidrIp></Ipv6SourceCidrIp>
			      <SourceGroupName></SourceGroupName>
		    </Permission>
		    <Permission>
			      <SourceCidrIp>0.0.0.0/0</SourceCidrIp>
			      <Description></Description>
			      <DestCidrIp></DestCidrIp>
			      <NicType>intranet</NicType>
			      <DestGroupName></DestGroupName>
			      <PortRange>443/443</PortRange>
			      <DestGroupId></DestGroupId>
			      <Ipv6DestCidrIp></Ipv6DestCidrIp>
			      <Direction>ingress</Direction>
			      <Priority>1</Priority>
			      <IpProtocol>TCP</IpProtocol>
			      <SourcePortRange></SourcePortRange>
			      <SourceGroupOwnerAccount></SourceGroupOwnerAccount>
			      <Policy>Accept</Policy>
			      <CreateTime>2018-12-12T07:28:38Z</CreateTime>
			      <SourceGroupId></SourceGroupId>
			      <DestGroupOwnerAccount></DestGroupOwnerAccount>
			      <Ipv6SourceCidrIp></Ipv6SourceCidrIp>
			      <SourceGroupName></SourceGroupName>
		    </Permission>
		    <Permission>
			      <SourceCidrIp>10.0.0.0/8</SourceCidrIp>
			      <Description></Description>
			      <DestCidrIp></DestCidrIp>
			      <NicType>intranet</NicType>
			      <DestGroupName></DestGroupName>
			      <PortRange>80/80</PortRange>
			      <DestGroupId></DestGroupId>
			      <Ipv6DestCidrIp></Ipv6DestCidrIp>
			      <Direction>ingress</Direction>
			      <Priority>1</Priority>
			      <IpProtocol>TCP</IpProtocol>
			      <SourcePortRange></SourcePortRange>
			      <SourceGroupOwnerAccount></SourceGroupOwnerAccount>
			      <Policy>Accept</Policy>
			      <CreateTime>2018-12-12T07:28:38Z</CreateTime>
			      <SourceGroupId></SourceGroupId>
			      <DestGroupOwnerAccount></DestGroupOwnerAccount>
			      <Ipv6SourceCidrIp></Ipv6SourceCidrIp>
			      <SourceGroupName></SourceGroupName>
		    </Permission>
		    <Permission>
			      <SourceCidrIp>10.0.0.0/8</SourceCidrIp>
			      <Description></Description>
			      <DestCidrIp></DestCidrIp>
			      <NicType>intranet</NicType>
			      <DestGroupName></DestGroupName>
			      <PortRange>-1/-1</PortRange>
			      <DestGroupId></DestGroupId>
			      <Ipv6DestCidrIp></Ipv6DestCidrIp>
			      <Direction>ingress</Direction>
			      <Priority>1</Priority>
			      <IpProtocol>ICMP</IpProtocol>
			      <SourcePortRange>-1/-1</SourcePortRange>
			      <SourceGroupOwnerAccount></SourceGroupOwnerAccount>
			      <Policy>Accept</Policy>
			      <CreateTime>2018-12-12T07:28:38Z</CreateTime>
			      <SourceGroupId></SourceGroupId>
			      <DestGroupOwnerAccount></DestGroupOwnerAccount>
			      <Ipv6SourceCidrIp></Ipv6SourceCidrIp>
			      <SourceGroupName></SourceGroupName>
		    </Permission>
	  </Permissions>
	  <VpcId>vpc-bp1opxu1zkhn00gzv2***</VpcId>
</DescribeSecurityGroupAttributeResponse>

JSON format

{
	"SecurityGroupId":"sg-bp1gxw6bznjjvhu3g***",
	"Description":"FinanceDept",
	"SecurityGroupName":"FinanceJoshua",
	"InnerAccessPolicy":"Accept",
	"RequestId":"A72322C1-47C0-491E-8088-8B17E4EA859F",
	"RegionId":"cn-hangzhou",
	"Permissions":{
		"Permission":[
			{
				"SourceCidrIp":"10.0.0.0/8",
				"Description":"",
				"DestCidrIp":"",
				"NicType":"intranet",
				"DestGroupName":"",
				"PortRange":"22/22",
				"DestGroupId":"",
				"Ipv6DestCidrIp":"",
				"Direction":"ingress",
				"Priority":1,
				"IpProtocol":"TCP",
				"SourcePortRange":"",
				"SourceGroupOwnerAccount":"",
				"Policy":"Accept",
				"CreateTime":"2018-12-12T07:28:38Z",
				"SourceGroupId":"",
				"DestGroupOwnerAccount":"",
				"Ipv6SourceCidrIp":"",
				"SourceGroupName":""
			},
			{
				"SourceCidrIp":"0.0.0.0/0",
				"Description":"",
				"DestCidrIp":"",
				"NicType":"intranet",
				"DestGroupName":"",
				"PortRange":"443/443",
				"DestGroupId":"",
				"Ipv6DestCidrIp":"",
				"Direction":"ingress",
				"Priority":1,
				"IpProtocol":"TCP",
				"SourcePortRange":"",
				"SourceGroupOwnerAccount":"",
				"Policy":"Accept",
				"CreateTime":"2018-12-12T07:28:38Z",
				"SourceGroupId":"",
				"DestGroupOwnerAccount":"",
				"Ipv6SourceCidrIp":"",
				"SourceGroupName":""
			},
			{
				"SourceCidrIp":"0.0.0.0/0",
				"Description":"",
				"DestCidrIp":"",
				"NicType":"intranet",
				"DestGroupName":"",
				"PortRange":"80/80",
				"DestGroupId":"",
				"Ipv6DestCidrIp":"",
				"Direction":"ingress",
				"Priority":1,
				"IpProtocol":"TCP",
				"SourcePortRange":"",
				"SourceGroupOwnerAccount":"",
				"Policy":"Accept",
				"CreateTime":"2018-12-12T07:28:38Z",
				"SourceGroupId":"",
				"DestGroupOwnerAccount":"",
				"Ipv6SourceCidrIp":"",
				"SourceGroupName":""
			},
			{
				"SourceCidrIp":"10.0.0.0/8",
				"Description":"",
				"DestCidrIp":"",
				"NicType":"intranet",
				"DestGroupName":"",
				"PortRange":"-1/-1",
				"DestGroupId":"",
				"Ipv6DestCidrIp":"",
				"Direction":"ingress",
				"Priority":1,
				"IpProtocol":"ICMP",
				"SourcePortRange":"-1/-1",
				"SourceGroupOwnerAccount":"",
				"Policy":"Accept",
				"CreateTime":"2018-12-12T07:28:38Z",
				"SourceGroupId":"",
				"DestGroupOwnerAccount":"",
				"Ipv6SourceCidrIp":"",
				"SourceGroupName":""
			}
		]
	},
	"VpcId":"vpc-bp1opxu1zkhn00gzv2***"
}
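
The following is an added example, not part of the original reference or of any Alibaba Cloud SDK: it reads a JSON response of the shape shown above and lists ingress rules with Policy Accept whose source is every address, and reports whether a second call with the other NicType is needed (no VpcId means classic network). The function names and the sample data are assumptions constructed for illustration.

```python
import ipaddress
import json

# Constructed sample, shaped like the JSON response documented above (trimmed to the fields used).
SAMPLE = json.loads("""
{"SecurityGroupId": "sg-example", "VpcId": "vpc-example",
 "Permissions": {"Permission": [
  {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP", "PortRange": "22/22",
   "SourceCidrIp": "10.0.0.0/8", "Ipv6SourceCidrIp": "", "NicType": "intranet", "Priority": 1},
  {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP", "PortRange": "443/443",
   "SourceCidrIp": "0.0.0.0/0", "Ipv6SourceCidrIp": "", "NicType": "intranet", "Priority": 1},
  {"Direction": "ingress", "Policy": "Drop", "IpProtocol": "TCP", "PortRange": "3306/3306",
   "SourceCidrIp": "0.0.0.0/0", "Ipv6SourceCidrIp": "", "NicType": "intranet", "Priority": "2"},
  {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "ICMP", "PortRange": "-1/-1",
   "SourceCidrIp": "", "Ipv6SourceCidrIp": "::/0", "NicType": "intranet", "Priority": 1}
 ]}}
""")


def parse_port_range(value):
    """Split 'start/end'; '-1/-1' (as in the ICMP sample) or empty means no port restriction."""
    if not value or value == "-1/-1":
        return None
    start, end = value.split("/")
    return int(start), int(end)


def is_any_source(rule):
    """True when the IPv4 or IPv6 source CIDR has prefix length 0 (every address)."""
    for key in ("SourceCidrIp", "Ipv6SourceCidrIp"):
        cidr = rule.get(key) or ""
        if cidr and ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
            return True
    return False


def audit(response):
    """Return (findings, needs_second_call); Priority may arrive as a string or a number."""
    findings = []
    for rule in response.get("Permissions", {}).get("Permission", []):
        if rule.get("Direction") != "ingress" or rule.get("Policy") != "Accept":
            continue
        if is_any_source(rule):
            findings.append({"protocol": rule.get("IpProtocol"), "nic_type": rule.get("NicType"),
                             "ports": parse_port_range(rule.get("PortRange", "")),
                             "priority": int(rule.get("Priority") or 0)})
    # Candidates for review only: priority between Accept and Drop rules is not resolved here.
    # No VpcId means classic network, where one call returns rules of a single NicType.
    return findings, not response.get("VpcId")
```

For a classic-network group, run the audit on the responses for both NicType values (internet and intranet) and combine the findings.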

Error codes

HTTP status code Error code Error message Description
404 InvalidRegionId.NotFound The specified RegionId does not exist. The error message returned because the specified RegionId parameter does not exist.
404 InvalidSecurityGroupId.NotFound The specified SecurityGroupId does not exist. The error message returned because the specified SecurityGroupId parameter does not exist. Check whether the security group ID is correct.
400 InvalidNicType.ValueNotSupported The specified NicType does not exist. The error message returned because the specified NicType parameter does not exist. Check whether the NIC type is correct.
500 InternalError The request processing has failed due to some unknown error. The error message returned because an internal error has occurred. Try again later. If the problem persists, submit a ticket.
400 InvalidParamter Invalid Parameter The error message returned because the specified parameter is invalid.

For a list of error codes, visit the API Error Center.