You can call this operation to delete an inbound rule from a security group, revoking the inbound permissions specified by this rule.

Description

The source is where the packet is coming from and the destination is where the packet is going to.

You can determine an inbound rule by specifying one of the following groups of parameters. You cannot determine a security group rule by specifying only one parameter.

  • Parameters used to revoke access permissions from specified IP address segments: IpProtocol, PortRange, SourcePortRange (optional), NicType, Policy, DestCidrIp, and SourceCidrIp (optional).
  • Parameters used to revoke access permissions from other security groups: IpProtocol, PortRange, SourcePortRange (optional), NicType, Policy, DestCidrIp (optional), DestGroupOwnerAccount, and DestGroupId.

Debugging

Alibaba Cloud provides OpenAPI Explorer to simplify API usage. You can use OpenAPI Explorer to search for APIs, call APIs, and dynamically generate SDK example code.

Request parameters

Parameter Type Required Example Description
IpProtocol String Yes all

The transport layer protocol. This parameter is case-sensitive. Valid values:

  • icmp
  • gre
  • tcp
  • udp
  • all: All protocols are supported.
PortRange String Yes 1/200

The range of destination port numbers relevant to the transport layer protocol. Valid values:

  • When the IpProtocol parameter is set to tcp or udp, the port number range is 1 to 65535. Separate the start number and the end number with a forward slash (/). Correct example: 1/200. Incorrect example: 200/1.
  • When the IpProtocol parameter is set to icmp, the port number range is -1/-1, indicating that all values are valid.
  • When the IpProtocol parameter is set to gre, the port number range is -1/-1, indicating that all values are valid.
  • When the IpProtocol parameter is set to all, the port number range is -1/-1, indicating that all values are valid.
RegionId String Yes cn-hangzhou

The ID of the region where the destination security group resides. You can call the DescribeRegions operation to query the latest region list.

SecurityGroupId String Yes sg-securitygroupid1

The ID of the destination security group.

Action String No RevokeSecurityGroup

The operation that you want to perform. For API requests using the HTTP and HTTPS methods, Action is required. Set the value to RevokeSecurityGroup.

ClientToken String No 123e4567-e89b-12d3-a456-426655440000

The client token that is used to ensure the idempotence of the request. You can use the client to generate this value, but you must ensure that it is unique among different requests. The token can contain only ASCII characters, and cannot exceed 64 characters in length. For more information, see How to ensure idempotence.

Description String No FinanceJoshuaTest

The description of the security group rule.

DestCidrIp String No 10.0.0.0/8

The range of destination IP addresses. CIDR blocks and IPv4 addresses are supported. Default value: 0.0.0.0/0.

Ipv6DestCidrIp String No 2001:db8:1234:1a00::XXX

The destination IPv6 CIDR block. CIDR blocks and IPv6 addresses are supported.

Note You can only specify the IP addresses of ECS instances in VPCs.

Default value: null

Ipv6SourceCidrIp String No 2001:db8:1234:1a00::XXX

The source IPv6 CIDR block. CIDR blocks and IPv6 addresses are supported.

Note You can only specify the IP addresses of ECS instances in VPCs.

Default value: null

NicType String No intranet

The type of the NIC. Valid values:

  • internet
  • intranet

If SourceGroupId is specified and SourceCidrIp is not, the value of NicType can only be intranet. Default value: internet.

Policy String No accept

The access control policy. Valid values:

  • accept: grants access.
  • drop: denies access and returns no responses.

Default value: accept

Priority String No 1

The priority of the security group rule. Valid values: 1 to 100.

Default value: 1

SourceCidrIp String No 10.0.0.0/8

The range of source IP addresses. CIDR blocks and IPv4 addresses are supported. Default value: 0.0.0.0/0.

SourceGroupId String No sg-securitygroupid2

The ID of the source security group on which access permissions are to be revoked.

Either SourceGroupId or SourceCidrIp must be specified.

If SourceGroupId is specified and SourceCidrIp is not, the value of NicType can only be intranet. If both the SourceGroupId and SourceCidrIp parameters are specified, the SourceCidrIp parameter will take precedence.

SourceGroupOwnerAccount String No FinanceJoshua

The Alibaba Cloud account that manages the source security group.

  • If neither SourceGroupOwnerAccount nor SourceGroupOwnerId is specified, access permissions on your other security groups to the destination security group are revoked.
  • If SourceCidrIp is specified, the SourceGroupOwnerAccount parameter is ignored.
SourceGroupOwnerId Long No 155780923770

The ID of the Alibaba Cloud account that manages the source security group.

  • If neither SourceGroupOwnerId nor SourceGroupOwnerAccount is specified, access permissions on your other security groups to the destination security group are revoked.
  • If SourceCidrIp is specified, the SourceGroupOwnerId parameter is ignored.
SourcePortRange String No 1/200

The range of source port numbers relevant to the transport layer protocol. Valid values:

  • When the IpProtocol parameter is set to tcp or udp, the port number range is 1 to 65535. Separate the start number and the end number with a forward slash (/). Correct example: 1/200. Incorrect example: 200/1.
  • When the IpProtocol parameter is set to icmp, the port number range is -1/-1, indicating that all values are valid.
  • When the IpProtocol parameter is set to gre, the port number range is -1/-1, indicating that all values are valid.
  • When the IpProtocol parameter is set to all, the port number range is -1/-1, indicating that all values are valid.

Response parameters

Parameter Type Example Description
RequestId String 473469C7-AA6F-4DC5-B3DB-A3DC0DE3C83E

The ID of the request.

Examples

Sample requests

https://ecs.aliyuncs.com/?Action=RevokeSecurityGroup
&SecurityGroupId=C0003E8B-B930-4F59-ADC0-0E209A9012B0
&SourceGroupId=sg-F876FF7BA
&SourceGroupOwnerAccount=test@aliyun.com
&IpProtocol=tcp
&PortRange=1/65535
&Priority=1
&<Common request parameters>

Sample success responses

XML format

<RevokeSecurityGroupResponse>
  <RequestId>CEF72CEB-54B6-4AE8-B225-F876FF7BA984</RequestId>
</RevokeSecurityGroupResponse>

JSON format

{
	"RequestId":"CEF72CEB-54B6-4AE8-B225-F876FF7BA984"
}

Error codes

HTTP status code Error code Error message Description
404 InvalidSecurityGroupId.NotFound The specified SecurityGroupId does not exist. The error message returned because the specified security group does not exist under this account. Check whether the security group ID is correct.
400 InvalidSecurityGroupId.Malformed The specified SecurityGroupId is not valid. The error message returned because the specified security group ID is invalid.
400 InvalidIpProtocol.ValueNotSupported The specified IpProtocol does not exist. The error message returned because the specified IpProtocol parameter is invalid.
400 InvalidIpPortRange.Malformed The specified parameter "PortRange" is not valid. The error message returned because the specified range of port numbers is wrong.
404 InvalidSourceGroupId.NotFound The SourceGroupId provided does not exist in our records. The error message returned because the specified inbound security group does not exist.
403 InvalidNicType.Mismatch Specified nic type conflicts with the authorization record. The error message returned because the specified NIC type does not exist.
403 InvalidGroupAuthItem.NotFound Specified group authorized item does not exist in our records. The error message returned because the specified authorized security group does not exist.
400 InvalidSourceCidrIp.Malformed The specified parameter "SourceCidrIp" is not valid. The error message returned because the format of the SourceGroupId parameter is invalid.
400 MissingParameter The input parameter "SourceGroupId" or "SourceCidrIp" cannot be both blank. The error message returned because neither the SourceGroupId parameter nor the SourceCidrIp parameter is specified.
400 InvalidPolicy.Malformed The specified parameter "Policy" is not valid. The error message returned because the specified Policy parameter is invalid. Check whether the parameter is correct.
400 InvalidNicType.ValueNotSupported The specified NicType does not exist. The error message returned because the specified NicType parameter does not exist. Check whether the NicType parameter is correct.
400 InvalidSourceGroupId.Mismatch Specified security group and source group are not in the same VPC. The error message returned because the specified destination security group and source security group are not in the same VPC.
400 VPCDisabled Can't use the SecurityGroup in VPC. The error message returned because the VPC does not support security groups.
500 InternalError The request processing has failed due to some unknown error. The error message returned because an internal error has occurred. Try again later. If the problem persists, submit a ticket.
400 MissingParameter.Source Either SourceCidrIp or SourceGroupId must be specified. The error message returned because neither the SourceGroupId parameter nor the SourceCidrIp parameter is specified.
400 InvalidParam.PortRange Please specify the PortRange or SourcePortRange in integer, less than 65535, and separate the range with ? /?. The error message returned because the range of destination or source port numbers is not specified. The port number must be smaller than 65,535. Use a forward slash (/) to separate the start number and end number of the port number range.
400 InvalidIpProtocol.ValueNotSupported The parameter IpProtocol must be specified with case insensitive TCP, UDP, ICMP, GRE or All. The error message returned because the protocol type is not tcp, udp, icmp, gre, or all.
400 InvalidPriority.Malformed The parameter Priority is invalid. The error message returned because the rule priority is invalid.
400 InvalidPriority.ValueNotSupported The parameter Priority is invalid. The error message returned because the rule priority is invalid.
400 InvalidParamter.Conflict The specified SecurityGroupId should be different from the SourceGroupId. The error message returned because the specified security group is the same as the source security group.
400 InvalidParam.SourceIp %s The error message returned because the source IP address is invalid.
400 InvalidParam.DestIp %s The error message returned because the destination IP address is invalid.
400 InvalidParam. Ipv6DestCidrIp %s The error message returned because the destination IP address is not in IPv6.
400 InvalidParam.Ipv6SourceCidrIp %s The error message returned because the source IP address is not in IPv6.
400 InvalidParam.Ipv4ProtocolConflictWithIpv6Address %s The error message returned because IPv4 addresses has conflicted with IPv6 addresses.
400 InvalidParam.Ipv6ProtocolConflictWithIpv4Address %s The error message returned because IPv4 addresses has conflicted with IPv6 addresses.
400 ILLEGAL_IPV6_CIDR %s The error message returned because the specified IPv6 CIDR block is invalid.

View error codes