Deletes an outbound rule from a security group and revoke outbound permissions of the security group.

Description

The source is where the packet is coming from and the destination is where the packet is going to.

  • To revoke access permissions on specified IP address segments, you can specify the following request parameters: IpProtocol, PortRange, SourcePortRange (optional), NicType, Policy, DestCidrIp, and SourceCidrIp (optional).
    https://ecs.aliyuncs.com/?Action=RevokeSecurityGroupEgress
    &SecurityGroupId=sg-94n63e80l
    &IpProtocol=all
    &DestCidrIp=10.0.0.0/8
    &PortRange=-1/-1
    &NicType=intranet
    &Policy=Allow
    &<Common request parameters>
  • To revoke access permissions on other security groups, you can specify the following request parameters: IpProtocol, PortRange, SourcePortRange (optional), NicType, Policy, DestCidrIp (optional), DestGroupOwnerAccount, and DestGroupId (optional).
    https://ecs.aliyuncs.com/?Action=RevokeSecurityGroupEgress
    &SecurityGroupId=sg-F876FF7BA
    &DestGroupId=sg-1651FBB64
    &DestGroupOwnerAccount=test@aliyun.com
    &IpProtocol=tcp
    &PortRange=22/22
    &NicType=intranet
    &Policy=Drop
    &<Common request parameters>

Debugging

You can use API Explorer to perform debugging. API Explorer allows you to perform various operations to simplify API usage. For example, you can retrieve APIs, call APIs, and dynamically generate SDK example code.

Request parameters

Name Type Required Example Description
IpProtocol String Yes icmp

The transport layer protocol. The parameter value is case insensitive. Valid values:

  • icmp
  • gre
  • tcp
  • udp
  • all: All protocols are supported.
PortRange String Yes 1/200

The range of destination ports relevant to the transport layer protocol. Valid values:

  • When IpProtocol is set to tcp or udp, the port number range is 1 to 65,535. Separate the starting port and the ending port with a forward slash (/). Correct example: 1/200. Incorrect example: 200/1.
  • ICMP: -1/-1.
  • GRE protocol: -1/-1.
  • All:-1/-1.
RegionId String Yes cn-hangzhou

The ID of the region where the source security group resides. You can call DescribeRegions to view the latest regions of Alibaba Cloud.

SecurityGroupId String Yes sg-securitygroupid1

The ID of the source security group.

Action String No RevokeSecurityGroupEgress

The operation that you want to perform. Set the value to RevokeSecurityGroupEgress.

ClientToken String No 473469C7-AA6F-4DC5-B3DB-A3DC0DE3C83E

A client token. It is used to ensure the idempotency of requests. The value of this parameter is generated by the client and is unique among different requests. The ClientToken parameter must be no more than 64 ASCII characters in length. For more information, see How to ensure idempotency.

Description String No FinanceJoshuaTest

The description of the security group rule.

DestCidrIp String No 0.0.0.0/0

The range of destination IP addresses. CIDR blocks and IPv4 addresses are supported. Default value: null.

DestGroupId String No sg-securitygroupid2

The ID of the destination security group from which you want to revoke access permissions.

You must specify either the DestGroupId parameter or the DestCidrIp parameter.

If DestGroupId is specified and DestCidrIp is not, the value of NicType can only be intranet. If both the DestGroupId and DestCidrIp parameters are set, the DestCidrIp parameter will take precedence.

DestGroupOwnerAccount String No FinanceJoshua

The Alibaba Cloud account that manages the destination security group.

  • If neither DestGroupOwnerAccount nor DestGroupOwnerId is specified, permissions of other security groups to access the instance are revoked.
  • If the DestCidrIp parameter is specified, the DestGroupOwnerAccount parameter will be ignored.
DestGroupOwnerId Long No 155780923770

The Alibaba Cloud account that manages the destination security group.

  • If neither DestGroupOwnerId nor DestGroupOwnerAccount is specified, permissions of other security groups to access the instance are revoked.
  • If the DestCidrIp parameter is specified, the DestGroupOwnerId parameter will be ignored.
Ipv6DestCidrIp String No 2001:db8:1234:1a00::XXX

The destination IPv6 CIDR block. CIDR blocks and IPv6 addresses are supported.

Default value: null.

Note You can only specify IP addresses for VPC-connected instances.
Ipv6SourceCidrIp String No 2001:db8:1234:1a00::XXX

The source IPv6 CIDR block. CIDR blocks and IPv6 addresses are supported.

Default value: null.

Note You can only specify IP addresses for VPC-connected instances.
NicType String No intranet

The NIC type. Valid values:

  • internet
  • intranet

If DestGroupId is specified and DestCidrIp is not, the value of NicType must be intranet. Default value: internet

Policy String No accept

The access control policy. Valid values:

  • accept: grants access.
  • drop: denies access and returns no responses.

Default value: accept

Priority String No 1

The priority of security group rules. Valid values: 1 to 100. Default value: 1.

SourceCidrIp String No 0.0.0.0/0

The range of source IP addresses. CIDR blocks and IPv4 addresses are supported. Default value: null.

SourcePortRange String No 1/200

The range of source ports relevant to the transport layer protocol. Valid values:

  • When IpProtocol is set to tcp or udp, the port number range is 1 to 65535. Separate the starting port and the ending port with a forward slash (/). Correct example: 1/200. Incorrect example: 200/1.
  • When IpProtocol is set to icmp, the port number range is -1/-1, indicating that all values are valid.
  • When IpProtocol is set to gre, the port number range is -1/-1, indicating that all values are valid.
  • When IpProtocol is set to all, the port number range is -1/-1, indicating that all values are valid.

Response parameters

Name Type Example Description
RequestId String 473469C7-AA6F-4DC5-B3DB-A3DC0DE3C83E

The ID of the request.

Examples

Sample requests

https://ecs.aliyuncs.com/?Action=RevokeSecurityGroupEgress
&SecurityGroupId=sg-94n63e80l
&IpProtocol=all
&DestCidrIp=10.0.0.0/8
&PortRange=-1/-1
&NicType=intranet
&Policy=Allow
&<Common request parameters>

Successful response examples

XML format

<RevokeSecurityGroupEgressResponse>
  <RequestId>CEF72CEB-54B6-4AE8-B225-F876FF7BA984</RequestId> 
</RevokeSecurityGroupEgressResponse>

JSON format

{
	"RequestId":"CEF72CEB-54B6-4AE8-B225-F876FF7BA984"
}

Error codes

HTTP status code Error code Error message Description
404 InvalidSecurityGroupId.NotFound The specified SecurityGroupId does not exist. The error message returned when the specified security group does not exist under this account. Check whether the security group ID is correct.
400 InvalidIpProtocol.ValueNotSupported The specified IpProtocol does not exist. The error message returned when the specified value of the IpProtocol parameter is invalid.
404 InvalidDestGroupId.NotFound The DestGroupId provided does not exist in our records. The error message returned when the specified destination security group does not exist.
403 InvalidNicType.Mismatch Specified nic type conflicts with the authorization record. The error message returned when the specified NIC type does not exist.
403 InvalidGroupAuthItem.NotFound Specified group authorized item does not exist in our records. The error message returned when the specified group authorization entry does not exist.
400 InvalidPolicy.Malformed The specified parameter "Policy" is not valid. The error message returned when the specified parameter is invalid. Check whether the parameter is correct.
400 Invaliddestcidrip.Malformed The specified parameter "DestCidrIp" is not valid. The error message returned when the value of DestCidrIp is invalid. Check whether the parameter is correct.
400 MissingParameter.Dest Either DestCidrIp or DestGroupId must be specified. The error message returned when values of both DestCidrIp and DestGroupId are not specified.
400 InvalidParam.PortRange Please specify the PortRange or SourcePortRange in integer, less than 65535, and separate the range with ? /?. The error message returned when the range of destination or source port numbers is not specified. The port numbers must be smaller than 65,535. You must use a forward slash (/) to separate the source and destination ports.
400 InvalidIpProtocol.ValueNotSupported The parameter IpProtocol must be specified with case insensitive TCP, UDP, ICMP, GRE or All. The error message returned when the protocol type is not TCP, UDP, ICMP, GRE or All.
400 InvalidPriority.Malformed The parameter Priority is invalid. The error message returned when the rule priority is invalid.
400 InvalidPriority.ValueNotSupported The parameter Priority is invalid. The error message returned when the rule priority is invalid.
400 InvalidParam.SourceIp %s The error message returned when the source IP is invalid.
400 InvalidParam.DestIp %s The error message returned when the destination IP is invalid.
400 InvalidParam.Ipv6DestCidrIp %s The error message returned when the destination IP is not in IPv6.
400 InvalidParam.Ipv6SourceCidrIp %s The error message returned when the source IP is not in IPv6.
400 InvalidParam.Ipv4ProtocolConflictWithIpv6Address %s The error message returned when IPv4 addresses conflict with IPv6 addresses.
400 InvalidParam.Ipv6ProtocolConflictWithIpv4Address %s The error message returned when IPv4 addresses conflict with IPv6 addresses.
400 ILLEGAL_IPV6_CIDR %s The error message returned when the specified IPv6 CIDR block is invalid.

View error codes