Deletes an inbound security group rule. After the rule is deleted, the access control implemented by it is revoked.

Description

In the security group-related API documents, traffic is sent by the source device and received at the destination device.

  • You can determine an inbound rule by specifying one of the following groups of parameters. You cannot determine a security group rule by specifying only one parameter.
    • Parameters used to delete an inbound security group rule that controls access from a specified CIDR block: IpProtocol, PortRange, SourcePortRange (optional), NicType, Policy, DestCidrIp (optional), and SourceCidrIp.
      
          https://ecs.aliyuncs.com/?Action=RevokeSecurityGroup
          &SecurityGroupId=sg-bp67acfmxazb4p****
          &SourceCidrIp=10.0.0.0/8
          &IpProtocol=tcp
          &PortRange=80/80
          &NicType=intranet
          &Policy=accept
          &<Common request parameters>
          
    • Parameters used to delete an inbound security group rule that controls access to a specified security group: IpProtocol, PortRange, SourcePortRange (optional), NicType, Policy, DestCidrIp (optional), and SourceCidrIp.
      
          https://ecs.aliyuncs.com/?Action=RevokeSecurityGroup
          &SecurityGroupId=sg-bp67acfmxazb4p****
          &SourceGroupId=sg-bp67acfmxa123b****
          &IpProtocol=tcp
          &PortRange=80/80
          &NicType=intranet
          &Policy=accept
          &<Common request parameters>
          
    • Parameters used to delete an inbound security group rule that is associated with a prefix list: IpProtocol, PortRange, SourcePortRange (optional), NicType, Policy, DestCidrIp (optional), and SourceCidrIp.
      
          https://ecs.aliyuncs.com/?Action=RevokeSecurityGroup
          &SecurityGroupId=sg-bp67acfmxazb4p****
          &SourcePrefixListId=pl-x1j1k5ykzqlixdcy****
          &IpProtocol=tcp
          &PortRange=80/80
          &NicType=intranet
          &Policy=accept
          &<Common request parameters>
          
  • If the security group rule to be deleted does not exist, the RevokeSecurityGroup operation succeeds but no rule is deleted.

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer. OpenAPI Explorer dynamically generates the sample code of the operation for different SDKs.

Request parameters

Parameter Type Required Example Description
Action String Yes RevokeSecurityGroup

The operation that you want to perform. Set the value to RevokeSecurityGroup.

IpProtocol String Yes all

The transport layer protocol. The values are case-sensitive. Valid values:

  • icmp
  • gre
  • tcp
  • udp
  • all: All protocols are supported.
PortRange String Yes 1/200

The range of destination ports that correspond to the transport layer protocol. Valid values:

  • When the IpProtocol parameter is set to tcp or udp, the port number range is 1 to 65535. Separate the start port and the end port with a forward slash (/). Example: 1/200.
  • When the IpProtocol parameter is set to icmp, the port number range is -1/-1, which indicates all ports.
  • When the IpProtocol parameter is set to gre, the port number range is -1/-1, which indicates all ports.
  • When IpProtocol is set to all, the port number range is -1/-1, which indicates all ports.
RegionId String Yes cn-hangzhou

The region ID of the destination security group. You can call the DescribeRegions operation to query the most recent region list.

SecurityGroupId String Yes sg-bp67acfmxazb4p****

The ID of the destination security group.

DestCidrIp String No 10.0.0.0/8

The destination IPv4 CIDR block. CIDR blocks and IPv4 addresses are supported. Default value: 0.0.0.0/0.

Ipv6DestCidrIp String No 2001:db8:1233:1a00::***

The destination IPv6 CIDR blocks. CIDR blocks and IPv6 addresses are supported.

Note You can specify only the IP addresses of instances in virtual private clouds (VPCs).

This parameter is empty by default.

SourceGroupId String No sg-bp67acfmxa123b****

The ID of the source security group. At least one of SourceGroupId and SourceCidrIp must be specified.

  • If SourceGroupId is specified but SourceCidrIp is not, the NicType parameter can be set only to intranet.
  • If both SourceGroupId and SourceCidrIp are specified, SourceCidrIp takes precedence.
SourceGroupOwnerId Long No 12345678910

The ID of the Alibaba Cloud account that manages the source security group when you delete a security group rule across accounts.

  • If both SourceGroupOwnerId and SourceGroupOwnerAccount are empty, access control is revoked for another security group managed by your account.
  • If SourceCidrIp is specified, the SourceGroupOwnerId parameter is ignored.
SourceGroupOwnerAccount String No Test@aliyun.com

The Alibaba Cloud account that manages the source security group when you delete a security group rule across accounts.

  • If both SourceGroupOwnerAccount and SourceGroupOwnerId are empty, access control is revoked for another security group managed by your account.
  • If SourceCidrIp is specified, the SourceGroupOwnerAccount parameter is ignored.
SourceCidrIp String No 10.0.0.0/8

The source IPv4 CIDR block to which you want to revoke access. CIDR blocks and IPv4 addresses are supported.

Default value: 0.0.0.0/0.

Ipv6SourceCidrIp String No 2001:db8:1234:1a00::***

The source IPv6 CIDR block to which you want to revoke access. CIDR blocks and IPv6 addresses are supported.

Note You can specify only the IP addresses of instances in VPCs.

This parameter is empty by default.

SourcePrefixListId String No pl-x1j1k5ykzqlixdcy****

The ID of the source prefix list to which you want to revoke access. You can call the DescribePrefixLists operation to query the IDs of avaialble prefix lists

Note:

  • If a security group is in the classic network, you cannot configure prefix lists in the security group rules. For information about limits on security groups and prefix lists, see Limits.
  • If you specify the SourceCidrIp, Ipv6SourceCidrIp, or SourceGroupId parameter, this parameter is ignored.
SourcePortRange String No 80/80

The range of source ports that correspond to the transport layer protocol. Valid values:

  • When the IpProtocol parameter is set to tcp or udp, the port number range is 1 to 65535. Separate the start port and the end port with a forward slash (/). Example: 1/200.
  • When the IpProtocol parameter is set to icmp, the port number range is -1/-1, which indicates all ports.
  • When the IpProtocol parameter is set to gre, the port number range is -1/-1, which indicates all ports.
  • When IpProtocol is set to all, the port number range is -1/-1, which indicates all ports.
Policy String No accept

The access control policy. Valid values:

  • accept: allows access.
  • drop: denies access and returns a rejection response.

Default value: accept.

Priority String No 1

The priority of the security group rule. Valid values: 1 to 100.

Default value : 1.

NicType String No intranet

The network interface controller (NIC) type of the security group rule when the security group is in the classic network. Valid values:

  • internet
  • intranet

Default value: internet.

The NicType parameter can be set only to intranet in the following cases:

  • If the security group is in a VPC, this parameter is set to intranet by default and cannot be modified.
  • If only SourceGroupId is specified, this parameter must be set to intranet.
ClientToken String No 123e4567-e89b-12d3-a456-426655440000

The client token that is used to ensure the idempotence of the request. You can use the client to generate the value that is unique among different requests. The ClientToken value can only contain ASCII characters and cannot exceed 64 characters in length. For more information, see How to ensure idempotence.

Description String No This is description.

The description of the security group rule.

Response parameters

Parameter Type Example Description
RequestId String 473469C7-AA6F-4DC5-B3DB-A3DC0DE3C83E

The ID of the request.

Examples

Sample requests

https://ecs.aliyuncs.com/?Action=RevokeSecurityGroup
&SecurityGroupId=sg-bp67acfmxazb4p****
&SourceGroupId=sg-bp67acfmxa123b****
&SourceGroupOwnerAccount=Test@aliyun.com
&IpProtocol=all
&PortRange=80/80
&Priority=1
&<Common request parameters>

Sample success responses

XML format

<RevokeSecurityGroupResponse>
       <RequestId>CEF72CEB-54B6-4AE8-B225-F876FF7BA984</RequestId>
</RevokeSecurityGroupResponse>

JSON format

{
    "RequestId":"CEF72CEB-54B6-4AE8-B225-F876FF7BA984"
}

Error codes

HTTP status code Error code Error message Description
404 InvalidSecurityGroupId.NotFound The specified SecurityGroupId does not exist. The error message returned because the specified security group does not exist within this account. Check whether the security group ID is correct.
400 InvalidSecurityGroupId.Malformed The specified SecurityGroupId is not valid. The error message returned because the specified SecurityGroupId parameter is invalid.
400 InvalidIpProtocol.ValueNotSupported The specified IpProtocol does not exist. The error message returned because the specified IpProtocol parameter is invalid.
400 InvalidIpPortRange.Malformed The specified parameter "PortRange" is not valid. The error message returned because the specified PortRange parameter is invalid.
404 InvalidSourceGroupId.NotFound The SourceGroupId provided does not exist in our records. The error message returned because the specified SourceGroupId parameter does not exist.
403 InvalidNicType.Mismatch Specified nic type conflicts with the authorization record. The error message returned because the specified NIC type conflicts with the authorization record.
403 InvalidGroupAuthItem.NotFound Specified group authorized item does not exist in our records. The error message returned because the specified authorized security group does not exist.
400 InvalidSourceCidrIp.Malformed The specified parameter "SourceCidrIp" is not valid. The error message returned because the format of the SourceGroupId parameter is invalid.
400 MissingParameter The input parameter "SourceGroupId" or "SourceCidrIp" cannot be both blank. The error message returned because both the SourceGroupId and SourceCidrIp parameters are empty.
400 InvalidPolicy.Malformed The specified parameter "Policy" is not valid. The error message returned because the specified Policy parameter is invalid.
400 InvalidNicType.ValueNotSupported The specified NicType does not exist. The error message returned because the specified NicType parameter does not exist.
400 InvalidSourceGroupId.Mismatch Specified security group and source group are not in the same VPC. The error message returned because the destination security group and the source security group do not belong to the same VPC.
400 VPCDisabled Can't use the SecurityGroup in VPC. The error message returned because the VPC does not support security groups.
500 InternalError The request processing has failed due to some unknown error. The error message returned because an internal error has occurred. Try again later. If the error persists, submit a ticket.
400 MissingParameter.Source One of the parameters SourceCidrIp, SourceGroupId or SourcePrefixListId must be specified. The error message returned because the SourceCidrIp, SourceGroupId, and SourcePrefixListId parameters are all empty. At least one of the parameters must be specified.
400 InvalidIpProtocol.ValueNotSupported The parameter IpProtocol must be specified with case insensitive TCP, UDP, ICMP, GRE or All. The error message returned because the specified IpProtocol parameter is invalid. The valid values of this parameter are tcp, udp, icmp, gre, and all.
400 InvalidPriority.Malformed The parameter Priority is invalid. The error message returned because the specified Priority parameter is invalid.
400 InvalidPriority.ValueNotSupported The parameter Priority is invalid. The error message returned because the specified Priority parameter is invalid.
400 InvalidParamter.Conflict The specified SecurityGroupId should be different from the SourceGroupId. The error message returned because the destination security group is the same as the source security group.
400 InvalidDestCidrIp.Malformed The specified parameter DestCidrIp is not valid. The error message returned because the specified DestCidrIp parameter is invalid.
400 InvalidParam.SourceIp %s The error message returned because the specified SourceCidrIp parameter is invalid.
400 InvalidParam.DestIp %s The error message returned because the specified DestCidrIp parameter is invalid.
400 InvalidParam.Ipv6DestCidrIp %s The error message returned because the specified Ipv6SourceCidrIp parameter is invalid.
400 InvalidParam.Ipv6SourceCidrIp %s The error message returned because the specified Ipv6SourceCidrIp parameter is invalid.
400 InvalidParam.Ipv4ProtocolConflictWithIpv6Address %s The error message returned because the specified parameter is invalid. Check whether you have entered an IPv6 address under an IPv4 protocol by mistake.
400 InvalidParam.Ipv6ProtocolConflictWithIpv4Address %s The error message returned because the specified parameter is invalid. Check whether you have entered an IPv4 address under an IPv6 protocol by mistake.
400 ILLEGAL_IPV6_CIDR %s The error message returned because the specified IPv6 address is invalid.
400 InvalidSourcePortRange.Malformed The specified parameter "SourcePortRange" is not valid. The error message returned because the specified SourcePortRange parameter is invalid.
400 InvalidSecurityGroupDiscription.Malformed The specified security group rule description is not valid. The error message returned because the specified Description parameter is invalid.
403 InvalidOperation.ResourceManagedByCloudProduct %s The error message returned because the security groups managed by cloud services cannot be modified.
404 InvalidPrefixListId.NotFound The specified prefix list was not found. The error message returned because the prefix list does not exist.
404 NotSupported.GrayFunction The prefix list is a gray-scale function, not currently supported. The error message returned because this operation is not supported. The prefix list feature is in invitational preview.
400 NotSupported.ClassicNetworkPrefixList The prefix list is not supported when the network type of security group is classic. The error message returned because security groups in the classic network do not support prefix lists.

For a list of error codes, visit the API Error Center.