Authorize outbound security group permissions (AuthorizeSecurityGroupEgress)

Last Updated: Jul 25, 2017

Description

This operation sets the outbound access rules of a security group. When authorizing outbound security group access, consider the following:

  • Supported authorization policies are accept and drop.
  • Different network types are supported: NicType can be set to Internet or Intranet.
  • Up to 100 authorization rules can be set for one security group.
  • Security group priorities are sorted by creation time in descending order.
  • Inter-group authorization is only possible on the intranet, so NicType must be set to Intranet in that case.
  • Rule priority ranges from 1 to 100. The default value is 1, which is the highest priority; a greater value indicates a lower priority.
  • If two matching rules have the same priority, the drop rule takes precedence.
  • A security group rule is specified with one of the following two parameter sets:
    • DestGroupOwnerAccount, DestGroupId, IpProtocol, PortRange, NicType, Policy
    • DestCidrIp, IpProtocol, PortRange, NicType, Policy
  • An error is returned if an identical rule already exists.

Two authorization methods are supported:

  • Open access to another security group in the same region (cross-account authorization is permitted).
  • Open access to a specified IP address range (CIDR format).
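The precedence rules above (priority 1 beats priority 100, and on a tie a drop rule beats an accept rule) decide which rule applies to a given outbound flow. The following Python model is an added example, not code from the Alibaba Cloud documentation or SDK: the EgressRule class, the evaluate_egress function and the sample rule set are this example's own, and the CIDR/protocol/port matching is this example's reading of the parameters described on this page.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional

# Added example (not Alibaba Cloud code): a model of how the outbound rules
# described above are resolved for one flow. Ordering follows the text: the
# lower Priority value wins, and on equal priority a drop rule beats accept.


@dataclass(frozen=True)
class EgressRule:
    priority: int       # 1 (highest) .. 100 (lowest), default 1
    policy: str         # "accept" or "drop"
    dest_cidr: str      # DestCidrIp, e.g. "10.0.0.0/8"; "0.0.0.0/0" matches any destination
    ip_protocol: str    # tcp / udp / icmp / gre / all
    port_lo: int = -1   # PortRange start; -1/-1 for icmp, gre and all
    port_hi: int = -1   # PortRange end

    def matches(self, dst_ip: str, proto: str, port: Optional[int]) -> bool:
        net = ipaddress.ip_network(self.dest_cidr, strict=False)
        if ipaddress.ip_address(dst_ip) not in net:
            return False
        if self.ip_protocol != "all" and self.ip_protocol != proto:
            return False
        if self.ip_protocol in ("tcp", "udp"):
            # A tcp/udp rule only applies to ports inside its PortRange.
            return port is not None and self.port_lo <= port <= self.port_hi
        return True


def evaluate_egress(rules: Iterable[EgressRule], dst_ip: str, proto: str,
                    port: Optional[int] = None) -> Optional[str]:
    """Return the policy ("accept"/"drop") of the rule that decides this flow,
    or None when no rule matches. The page does not state what the security
    group does with unmatched outbound traffic, so that case is left to the caller."""
    candidates = [r for r in rules if r.matches(dst_ip, proto, port)]
    if not candidates:
        return None
    # Sort key: numeric priority first (1 beats 100), then drop before accept on ties.
    winner = min(candidates, key=lambda r: (r.priority, 0 if r.policy == "drop" else 1))
    return winner.policy


# Constructed sample rule set: allow everything, but block SSH into 10.0.0.0/8
# at the same priority. Because the priorities tie, the drop rule wins for port 22.
SAMPLE_RULES = [
    EgressRule(priority=1, policy="accept", dest_cidr="0.0.0.0/0", ip_protocol="all"),
    EgressRule(priority=1, policy="drop", dest_cidr="10.0.0.0/8", ip_protocol="tcp",
               port_lo=22, port_hi=22),
]

if __name__ == "__main__":
    print(evaluate_egress(SAMPLE_RULES, "10.1.2.3", "tcp", 22))   # drop
    print(evaluate_egress(SAMPLE_RULES, "10.1.2.3", "tcp", 443))  # accept
```

The model is useful when reviewing a group that mixes accept and drop rules: a broad accept at priority 1 can only be overridden by a drop at priority 1, never by a drop at priority 2 or lower.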

Request parameters

Name Type Required Description
Action String Yes Value: AuthorizeSecurityGroupEgress.
SecurityGroupId String Yes The ID of the source security group, i.e. the group to which the outbound rule is added.
RegionId String Yes The ID of the region the source security group belongs to.
IpProtocol String Yes The IP protocol. Optional values:
  • tcp
  • udp
  • icmp
  • gre
  • all
all covers all four of the protocols above.
PortRange String Yes The port range for the chosen IP protocol, written as start/end.
  • When the protocol is tcp or udp, ports range from 1 to 65535. For example, 1/200 means ports 1-200. A reversed range such as 200/1 makes the call fail.
  • When the protocol is icmp, gre or all, the port range must be -1/-1.
DestGroupId String No The ID of the target security group, which must be in the same region. Either DestGroupId or DestCidrIp must be set. If both are set, DestCidrIp takes effect and DestGroupId is ignored. If DestGroupId is specified and DestCidrIp is not, NicType must be Intranet.
DestGroupOwnerId String No The Alibaba Cloud account ID that owns the target security group, used when authorizing a security group across accounts. If it is not set, the target security group is assumed to belong to the same account. This parameter is ignored when DestCidrIp is set.
DestCidrIp String No The target IP address range, in CIDR format. The default value is 0.0.0.0/0, which matches every destination and applies no restriction at all; set a narrower range unless unrestricted outbound access is really intended. Other supported formats include 10.159.6.18/12. Only IPv4 is supported.
Policy String No Indicates the authorization policy, optional values:
  • accept
  • drop
The default value is accept.
Priority String No The rule priority; optional values are 1-100. The default value is 1 (the highest priority).
NicType String No Refers to the network type, optional values:
  • Internet
  • Intranet
The default value is Internet. When authorizing another security group (DestGroupId is specified and DestCidrIp is not), NicType must be Intranet.
Description String No Indicates the security group rule description. Character length is restricted to a maximum of 512 characters.
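Several of the constraints in the table (PortRange must match IpProtocol, DestGroupId and DestCidrIp are alternatives, NicType must be Intranet for group-to-group rules, DestGroupId must differ from SecurityGroupId) are only reported by the API after the signed request has been sent. The following Python helper is an added example, not code from the Alibaba Cloud documentation or SDK: it validates one rule client-side and returns the action-specific query parameters. PROTOCOLS, PORT_RE, build_egress_rule, check_port_range and is_unrestricted_destination are this example's own names; the public request parameters (AccessKeyId, Signature, Timestamp and so on) are out of scope and are not added. Where the page is silent or ambiguous (both DestGroupId and DestCidrIp set), the helper refuses the request rather than guessing.

```python
import ipaddress
import re

# Added example (not Alibaba Cloud code): client-side validation of one
# AuthorizeSecurityGroupEgress request against the parameter table above.
# PROTOCOLS, PORT_RE and the function names are this example's own.
PROTOCOLS = {"tcp", "udp", "icmp", "gre", "all"}
PORT_RE = re.compile(r"^(-?\d+)/(-?\d+)$")


def check_port_range(ip_protocol: str, port_range: str) -> None:
    """Raise ValueError for a PortRange the table documents as invalid."""
    m = PORT_RE.match(port_range)
    if not m:
        raise ValueError(f"PortRange {port_range!r} must have the form start/end")
    lo, hi = int(m.group(1)), int(m.group(2))
    if ip_protocol in ("tcp", "udp"):
        # 1/200 is fine, 200/1 is rejected, and both ends must lie in 1-65535.
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"PortRange {port_range!r}: need 1 <= start <= end <= 65535")
    elif (lo, hi) != (-1, -1):
        raise ValueError(f"PortRange must be -1/-1 when IpProtocol is {ip_protocol}")


def build_egress_rule(security_group_id, region_id, ip_protocol, port_range,
                      dest_group_id=None, dest_group_owner_id=None, dest_cidr_ip=None,
                      policy="accept", priority=1, nic_type=None, description=None):
    """Return the action-specific query parameters for one rule, or raise ValueError."""
    if ip_protocol not in PROTOCOLS:
        raise ValueError(f"IpProtocol must be one of {sorted(PROTOCOLS)}")
    check_port_range(ip_protocol, port_range)
    if policy not in ("accept", "drop"):
        raise ValueError("Policy must be accept or drop")
    if not 1 <= int(priority) <= 100:
        raise ValueError("Priority must be between 1 and 100")
    if description is not None and len(description) > 512:
        raise ValueError("Description is limited to 512 characters")
    if dest_group_id is None and dest_cidr_ip is None:
        raise ValueError("one of DestGroupId or DestCidrIp is required")
    if dest_group_id is not None and dest_cidr_ip is not None:
        # The API would keep DestCidrIp and ignore DestGroupId; refuse the ambiguity.
        raise ValueError("set either DestGroupId or DestCidrIp, not both")

    params = {
        "Action": "AuthorizeSecurityGroupEgress",
        "RegionId": region_id,
        "SecurityGroupId": security_group_id,
        "IpProtocol": ip_protocol,
        "PortRange": port_range,
        "Policy": policy,
        "Priority": str(priority),
    }
    # The page writes NicType both as Internet/Intranet and as intranet; compare case-insensitively.
    nic = nic_type.lower() if nic_type is not None else None
    if dest_group_id is not None:
        if dest_group_id == security_group_id:
            raise ValueError("DestGroupId must differ from SecurityGroupId")
        if nic is None:
            nic = "intranet"          # the only value allowed for group-to-group rules
        elif nic != "intranet":
            raise ValueError("NicType must be intranet when DestGroupId is used")
        params["DestGroupId"] = dest_group_id
        if dest_group_owner_id is not None:
            params["DestGroupOwnerId"] = dest_group_owner_id
    else:
        net = ipaddress.ip_network(dest_cidr_ip, strict=False)  # also rejects malformed CIDRs
        if net.version != 4:
            raise ValueError("DestCidrIp: only IPv4 is supported")
        if nic is None:
            nic = "internet"          # documented default
        elif nic not in ("internet", "intranet"):
            raise ValueError("NicType must be Internet or Intranet")
        params["DestCidrIp"] = dest_cidr_ip
    params["NicType"] = nic
    if description is not None:
        params["Description"] = description
    return params


def is_unrestricted_destination(params: dict) -> bool:
    """True when the rule's destination is 0.0.0.0/0 (the documented DestCidrIp
    default), i.e. when it places no restriction on where traffic may go."""
    cidr = params.get("DestCidrIp")
    return cidr is not None and ipaddress.ip_network(cidr, strict=False).prefixlen == 0
```

The returned dictionary still has to be merged with the public request parameters and signed before it is sent to https://ecs.aliyuncs.com/. is_unrestricted_destination is the check to run in a review or CI step: an accept rule for which it returns True, combined with IpProtocol=all, opens every outbound port to every destination.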

Return parameters

All parameters are public return parameters. For details, refer to Public Return Parameters.

Error code

Error code Description Http status code Meaning
InvalidRegionId.NotFound The specified RegionId does not exist. 404 The specified RegionId does not exist.
MissingParameter The input parameter RegionId that is mandatory for processing this request is not supplied. 400 The RegionId parameter is not specified.
InvalidSecurityGroupId.NotFound The specified SecurityGroupId does not exist. 404 The specified SecurityGroupId does not exist.
MissingParameter The input parameter SecurityGroupId that is mandatory for processing this request is not supplied. 400 The SecurityGroupId parameter is not specified.
OperationDenied The specified IpProtocol does not exist or IpProtocol and PortRange do not match. 400 The IP protocol does not exist or the IP protocol does not match the port.
MissingParameter The input parameter IpProtocol that is mandatory for processing this request is not supplied. 400 The IpProtocol parameter is not specified.
InvalidIpProtocol.Malformed The specified parameter PortRange is not valid. 400 The IpProtocol format is incorrect.
InvalidPriority.Malformed The specified parameter Priority is not valid. 400 The format of the Priority parameter is incorrect.
MissingParameter The input parameter PortRange that is mandatory for processing this request is not supplied. 400 The PortRange parameter is not specified.
InvalidDestGroupId.Mismatch NicType is required or NicType expects intrnet. 403 You must specify the NicType parameter or the NicType must be set to intranet.
InvalidDestCidrIp.Malformed The specified parameter DestCidrIp is not valid. 400 The format of the DestCidrIp parameter is incorrect.
MissingParameter The input parameter DestGroupId or DestCidrIp cannot be both blank. 403 The DestGroupId or DestCidrIp parameter is not specified.
InvalidPolicy.Malformed The specified parameter Policy is not valid. 400 The format of the Policy parameter is incorrect.
InvalidNicType.ValueNotSupported The specified NicType does not exist. 400 The specified NicType value is not supported.
AuthorizationLimitExceed The maximum number of authorization rules in the security group is exceeded. 403 The number of security group authorization rules has reached the limit.
InvalidParamter.Conflict The specified SecurityGroupId should be different from the DestGroupId. 403 The SecurityGroupId and DestGroupId are set as the same security group.
InvalidDestGroupId.Mismatch DestGroupOwnerUserAccount is required. 403 Another user’s DestGroup is specified, but the DestGroupOwnerUserAccount is not specified.
InvalidDestGroupId.Mismatch Specified security group and destination group are not in the same VPC. 403 The specified security group and target security group do not belong to the same VPC.
InvalidDestGroupOwnerUserAccount.Mismatch The specified DestGroupId is not belong to the DestGroupOwnerUserAccount. 403 The specified DestGroup does not belong to the user specified in DestGroupOwnerUserAccount.
InvalidDestGroupId.NotFound The DestGroupId provided does not exist in our records. 404 The specified DestGroup cannot be found.
InvalidSecurityGroupDiscription.Malformed The specified security group rule description is not valid. 400 The description is invalid, for example because it exceeds the maximum length.

Examples

Request example

  • Authorize access to another security group (NicType must be Intranet):
  https://ecs.aliyuncs.com/?Action=AuthorizeSecurityGroupEgress
  &RegionId=<RegionId>
  &SecurityGroupId=sg-94n63e80l
  &DestGroupId=sg-94oi1r1bp
  &NicType=Intranet
  &IpProtocol=tcp
  &PortRange=1/65535
  &<Public Request Parameters>
  • Authorize access to a specified range of IP addresses:
  https://ecs.aliyuncs.com/?Action=AuthorizeSecurityGroupEgress
  &RegionId=<RegionId>
  &SecurityGroupId=sg-94n63e80l
  &DestCidrIp=10.0.0.0/8
  &IpProtocol=tcp
  &PortRange=1/65535
  &<Public Request Parameters>

Return example

XML format

  <AuthorizeSecurityGroupEgressResponse>
    <RequestId>CEF72CEB-54B6-4AE8-B225-F876FF7BA984</RequestId>
  </AuthorizeSecurityGroupEgressResponse>

JSON format

  {
    "RequestId": "CEF72CEB-54B6-4AE8-B225-F876FF7BA984"
  }