You can call this operation to create an outbound security group rule. This operation allows or denies the outbound traffic from the instances in the security group to other devices.

Description

In the security group-related API documents, inbound traffic refers to the traffic sent by the source device and received at the destination device.

When you call this operation, take note of the following points:

  • The maximum number of outbound and inbound security group rules in total is 200.
  • You can set Policy to accept or drop.
  • The value of Priority ranges from 1 to 100. A smaller value indicates a higher priority.
  • When several security group rules have the same priority, drop rules will take precedence.
  • The destination device can belong to a specified CIDR block (DestCidrIp) or can be an ECS instance that belongs to another security group (DestGroupId).
  • If the rule to be created matches an existing rule, the AuthorizeSecurityGroupEgress operation succeeds but no rules are created.
  • You can determine a security group rule by specifying one of the following groups of parameters. You cannot determine a security group rule by specifying only one parameter.
    • Parameters used to grant access permissions to specified CIDR blocks: IpProtocol, PortRange, SourcePortRange (optional), NicType, Policy, and DestCidrIp.
      
              https://ecs.aliyuncs.com/?Action=AuthorizeSecurityGroupEgress
              &SecurityGroupId=sg-bp67acfmxazb4ph***
              &IpProtocol=icmp
              &DestCidrIp=10.0.0.0/8
              &PortRange=-1/-1
              &NicType=intranet
              &Policy=Allow
              &<Common request parameters>
              
    • Parameters used to grant access permissions to other security groups: IpProtocol, PortRange, SourcePortRange (optional), NicType, Policy, DestGroupOwnerAccount, and DestGroupId.
      
              https://ecs.aliyuncs.com/?Action=AuthorizeSecurityGroupEgress
              &SecurityGroupId=sg-bp67acfmxazb4ph***
              &DestGroupId=sg-bp67acfmxazb4pi***
              &DestGroupOwnerAccount=Test@aliyun.com
              &IpProtocol=tcp
              &PortRange=22/22
              &NicType=intranet
              &Policy=Drop
              &<Common request parameters>
              

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer. OpenAPI Explorer dynamically generates the sample code of the operation for different SDKs.

Request parameters

Parameter Type Required Example Description
Action String Yes AuthorizeSecurityGroupEgress

The operation that you want to perform. Set the value to AuthorizeSecurityGroupEgress.

IpProtocol String Yes all

The transport layer protocol. This parameter is case-sensitive. Valid values:

  • icmp
  • gre
  • tcp
  • udp
  • all
PortRange String Yes 80/80

The range of destination ports relevant to the transport layer protocol. Valid values:

  • When the IpProtocol parameter is set to tcp or udp, the port number range is 1 to 65535. Separate the start port and the end port with a forward slash (/). Example: 1/200.
  • When the IpProtocol parameter is set to icmp, the port number range is -1/-1, indicating that all ports are available.
  • When the IpProtocol parameter is set to gre, the port number range is -1/-1, indicating that all ports are available.
  • When IpProtocol is set to all, the port number range is -1/-1, indicating that all ports are available.
RegionId String Yes cn-hangzhou

The region ID of the source security group. You can call the DescribeRegions operation to query the most recent region list.

SecurityGroupId String Yes sg-bp67acfmxazb4p****

The ID of the source security group.

DestGroupId String No sg-bp67acfmxazb4p****

The ID of the source security group for which you want to configure access permissions.

  • Either DestGroupId or DestCidrIp must be specified.
  • If DestGroupId is specified but DestCidrIp is not, the NicType parameter must be set to intranet.
  • If DestGroupId and DestCidrIp are specified at the same time, the DestCidrIp parameter takes precedence.
DestGroupOwnerId Long No 12345678910

The ID of the Alibaba Cloud account that manages the destination security group when you set a security group rule across accounts.

  • If neither DestGroupOwnerId nor DestGroupOwnerAccount is specified, access permissions are configured for another security group managed by your account.
  • If DestCidrIp is specified, the DestGroupOwnerId parameter is ignored.
DestGroupOwnerAccount String No Test@aliyun.com

The Alibaba Cloud account that manages the destination security group when you set a security group rule across accounts.

  • If neither DestGroupOwnerAccount nor DestGroupOwnerId is specified, access permissions are configured for another security group managed by your account.
  • If DestCidrIp is specified, the DestGroupOwnerAccount parameter is ignored.
DestCidrIp String No 10.0.0.0/8

The range of destination IP addresses. CIDR blocks and IPv4 addresses are supported.

This parameter is empty by default.

Ipv6DestCidrIp String No 2001:db8:1233:1a00::***

The range of destination IPv6 addresses. CIDR blocks and IPv6 addresses are supported.

This parameter is empty by default.

Note You can specify only the IP addresses of VPC-type instances.
SourceCidrIp String No 10.0.0.0/8

The range of source IP addresses. CIDR blocks and IPv4 addresses are supported.

This parameter is empty by default.

Ipv6SourceCidrIp String No 2001:db8:1234:1a00::***

The range of source IPv6 addresses. CIDR blocks and IPv6 addresses are supported.

This parameter is empty by default.

Note You can specify only the IP addresses of VPC-type instances.
SourcePortRange String No 80/80

The range of source ports relevant to the transport layer protocol. Valid values:

  • When the IpProtocol parameter is set to tcp or udp, the port number range is 1 to 65535. Separate the start port and the end port with a forward slash (/). Example: 1/200.
  • When the IpProtocol parameter is set to icmp, the port number range is -1/-1, indicating that all ports are available.
  • When the IpProtocol parameter is set to gre, the port number range is -1/-1, indicating that all ports are available.
  • When IpProtocol is set to all, the port number range is -1/-1, indicating that all ports are available.
Policy String No accept

The access control policy. Default value: accept. Valid values:

  • accept: grants access.
  • drop: denies access without returning a rejection response.

Default value: accept.

Priority String No 1

The priority of security group rules. Valid values: 1 to 100.

Default value: 1.

NicType String No intranet

The NIC type of security group rules in the classic network. Valid values:

  • internet
  • intranet
    • If the security group is in a VPC, the parameter is set to intranet by default and cannot be modified.
    • If DestGroupId is specified but DestCidrIp is not, this parameter must be set to intranet.

Default value: internet.

ClientToken String No 123e4567-e89b-12d3-a456-426655440000

The client token that is used to ensure the idempotence of the request. You can use the client to generate the value, but you must ensure that it is unique among different requests. The ClientToken value can only contain ASCII characters and cannot exceed 64 characters in length. For more information, see How to ensure idempotence.

Description String No testDescription

The description of the security group rule. The description must be 1 to 512 characters in length.

Response parameters

Parameter Type Example Description
RequestId String 473469C7-AA6F-4DC5-B3DB-A3DC0DE3C83E

The ID of the request.

Examples

Sample requests

https://ecs.aliyuncs.com/?Action=AuthorizeSecurityGroupEgress
&SecurityGroupId=sg-Fbp67acfmxazb4p****
&DestGroupId=sg-bp67acfmxazb4p****
&DestGroupOwnerAccount=Test@aliyun.com
&IpProtocol=all
&PortRange=22/22
&NicType=intranet
&Policy=Drop
&<Common request parameters>

Sample success responses

XML format

<AuthorizeSecurityGroupEgressResponse>
      <RequestId>CEF72CEB-54B6-4AE8-B225-F876FF7BA984</RequestId>
</AuthorizeSecurityGroupEgressResponse>

JSON format

{
    "RequestId":"CEF72CEB-54B6-4AE8-B225-F876FF7BA984"
}

Error codes

HTTP status code Error code Error message Description
404 InvalidSecurityGroupId.NotFound The specified SecurityGroupId does not exist. The error message returned because the specified security group does not exist under this account. Check whether the security group ID is correct.
404 InvalidDestGroupId.NotFound The DestGroupId provided does not exist in our records. The error message returned because the specified DestGroupId parameter does not exist.
400 OperationDenied The specified IpProtocol does not exist or IpProtocol and PortRange do not match. The error message returned because the specified IpProtocol parameter does not exist or does not match the specified PortRange parameter.
400 InvalidIpProtocol.Malformed The specified parameter "PortRange" is not valid. The error message returned because the specified PortRange parameter is invalid.
403 InvalidDestGroupId.Mismatch NicType is required or NicType expects intranet. The error message returned because the NicType parameter is not specified or is not set to intranet.
400 InvalidDestCidrIp.Malformed The specified parameter "DestCidrIp" is not valid. The error message returned because the specified DestCidrIp parameter is invalid.
403 MissingParameter The input parameter "DestGroupId" or "DestCidrIp" cannot be both blank. The error message returned because the DestGroupId and DestCidrIp parameters cannot be empty at the same time.
400 InvalidPolicy.Malformed The specified parameter "Policy" is not valid. The error message returned because the specified Policy parameter is invalid.
400 InvalidNicType.ValueNotSupported The specified NicType does not exist. The error message returned because the specified NicType parameter does not exist. Check whether the NIC type is correct.
400 InvalidNicType.Mismatch Specified nic type conflicts with the authorization record. The error message returned because the specified NIC type conflicts with the security group rule.
403 AuthorizationLimitExceed The limit of authorization records in the security group reaches. The error message returned because the maximum number of authorized security group rules has been reached. Check whether the authorization rule is valid.
403 InvalidParamter.Conflict The specified SecurityGroupId should be different from the SourceGroupId. The error message returned because the authorized security group is the same as the source security group.
400 InvalidDestGroupId.Mismatch Specified security group and destination group are not in the same VPC. The error message returned because the specified security group and the destination security group do not belong to the same VPC.
400 InvalidDestGroup.NotFound Specified destination security group does not exist. The error message returned because the specified DestGroupId parameter does not exist.
400 VPCDisabled Can't use the SecurityGroup in VPC. The error message returned because the current VPC does not support security groups.
400 InvalidPriority.Malformed The parameter Priority is invalid. The error message returned because the specified Priority parameter is invalid.
400 InvalidPriority.ValueNotSupported The parameter Priority is invalid. The error message returned because the specified Priority parameter is invalid.
400 InvalidDestCidrIp.Malformed The specified parameter DestCidrIp is not valid. The error message returned because the specified DestCidrIp parameter is invalid.
500 InternalError The request processing has failed due to some unknown error. The error message returned because an internal error has occurred. Try again later. If the problem persists, submit a ticket.
403 InvalidNetworkType.Conflict The specified SecurityGroup network type should be same with SourceGroup network type (vpc or classic). The error message returned because the network type of the specified security group is different from that of the source group.
403 InvalidSecurityGroup.IsSame The authorized SecurityGroupId should be different from the DestGroupId. The error message returned because the authorized security group is the same as the destination group.
400 InvalidDestCidrIp.Malformed The parameter DestCidrIp is not valid. The error message returned because the specified DestCidrIp parameter is invalid.
403 InvalidNetworkType.Conflict The parameter SecurityGroup network type should be same with SourceGroup network type (vpc or classic). The error message returned because the network type of the specified security group is different from that of the source group.
400 InvalidNicType.ValueNotSupported The parameter NicType is not valid. The error message returned because the specified NicType parameter is invalid.
400 InvalidSecurityGroupDiscription.Malformed The specified security group rule description is not valid. The error message returned because the specified Description parameter is invalid.
400 InvalidSecurityGroup.InvalidNetworkType The specified security group network type is not support this operation, please check the security group network types. For VPC security groups, ClassicLink must be enabled. The error message returned because the operation is not supported by security groups of the current network type. Check the network type of the security group. If the network type is VPC, ClassicLink must be enabled.
400 MissingParameter.Dest Either DestCidrIp or DestGroupId must be specified. The error message returned because DestCidrIp and DestGroupId cannot be empty at the same time.
400 InvalidIpProtocol.ValueNotSupported The parameter IpProtocol must be specified with case insensitive TCP, UDP, ICMP, GRE or All. The error message returned because the IpProtocol parameter is not set to tcp, udp, icmp, gre, or all.
400 InvalidSecurityGroupId.Malformed The specified parameter "SecurityGroupId" is not valid. The error message returned because the specified SecurityGroupId parameter is invalid.
400 InvalidParamter.Conflict The specified SourceCidrIp should be different from the DestCidrIp. The error message returned because SourceCidrIp cannot be set to the same value as DestCidrIp.
500 InvalidGressFlow.Malformed The specified parameter GressFlow is not valid,it cause by internal,try calling again. The error message returned because the specified GressFlow parameter is invalid.
400 InvalidSourcePortRange.Malformed The specified parameter "SourcePortRange" is not valid. The error message returned because the specified SourcePortRange parameter is invalid.
400 InvalidParam.SourceIp %s The error message returned because the specified SourceCidrIp parameter is invalid.
400 InvalidParam.DestIp %s The error message returned because the specified DestCidrIp parameter is invalid.
400 InvalidParam.Ipv6DestCidrIp %s The error message returned because the specified Ipv6DestCidrIp parameter is invalid.
400 InvalidParam.Ipv6SourceCidrIp %s The error message returned because the specified Ipv6SourceCidrIp parameter is invalid.
400 InvalidParam.Ipv4ProtocolConflictWithIpv6Address %s The error message returned because the specified parameter is invalid. Check whether you have entered an IPv6 address under an IPv4 protocol.
400 InvalidParam.Ipv6ProtocolConflictWithIpv4Address %s The error message returned because the specified parameter is invalid. Check whether you have entered an IPv4 address under an IPv6 protocol.
400 ILLEGAL_IPV6_CIDR %s The error message returned because the specified IPv6 address is invalid.

For a list of error codes, visit the API Error Center.