Description
This operation allows you to revoke an outbound security group rule. Two approaches are supported to revoke the outbound security group access rules. One approach is to revoke the authorization rules for other security groups that are allowed to access the security group through a specified port. This occurs by adopting the specified protocol within this region (Classic network) and VPC. The other approach is to revoke the IP address range that is allowed to access this security group through a specified port. This occurs by adopting a specified protocol.
Note: Only the rules authorized by calling the Authorization interface can be deleted (parameter values are the same as during authorization).
The security group rules are constructed by one of the two sets of optional parameters:
- DestGroupOwnerAccount, DestGroupId, IpProtocol, PortRange, NicType, Policy
- DestCidrIp, IpProtocol, PortRange, NicType, Policy
An error will be reported if a matching rule cannot be found.
Request parameters
| Name | Type | Required | Description |
|---|---|---|---|
| Action | String | Yes | Value: RevokeSecurityGroupEgress. |
| SecurityGroupId | String | Yes | Indicates the ID of the source security group. |
| RegionId | String | Yes | Indicates the ID of the source region of the security group. |
| IpProtocol | String | Yes | Refers to the IP protocol, optional values:
|
| PortRange | String | Yes | Indicates the port number range relevant to the IP protocol.
|
| DestGroupId | String | No | Indicates the authorized destination of the security group within the same region. Either the SourceGroupId or SourceCidrIp parameter must be set. If both are set, SourceCidrIp is authorized by default. Multiple groups (up to 10) can be specified simultaneously, but have to be separated by commas. |
| DestGroupOwnerId | String | No | Indicates the ID of the Alibaba Cloud user of the destination security group on which security group rules are to be revoked across accounts. This parameter is optional. If it is not set, security groups of the same account are revoked by default. If DestCidrIp has already been set, this parameter is invalid. |
| DestCidrIp | String | No | Indicates the authorized destination IP address range, CIDR format is used to specify the IP address range. By default, the value is 0.0.0.0/0. This means no restriction will be applied. Other supported formats include 10.159.6.18/12. Only IPv4 is supported. |
| Policy | String | No | Refers to the authorization policy, optional values:
|
| NicType | String | No | Refers to the network type, optional values:
|
| Priority | Integer | No | Indicates the priority of the security group rule to be revoked. |
Return parameters
All parameters are public return parameters. For details, refer to Public Return Parameters.
Error code
| Error code | Description | Http status code | Meaning |
|---|---|---|---|
| InvalidRegionId.NotFound | The specified RegionId does not exist. | 404 | The specified RegionId does not exist. |
| MissingParameter | The input parameter RegionId that is mandatory for processing this request is not supplied. | 400 | The RegionId parameter is not specified. |
| InvalidSecurityGroupId.NotFound | The specified SecurityGroupId does not exist. | 404 | The specified SecurityGroupId does not exist. |
| MissingParameter | The input parameter SecurityGroupId that is mandatory for processing this request is not supplied. | 400 | The SecurityGroupId parameter is not specified. |
| InvalidIpProtocol.ValueNotSupported | The specified IpProtocol does not exist. | 400 | The specified IpProtocol parameter value is not supported. |
| MissingParameter | The input parameter IpProtocol that is mandatory for processing this request is not supplied. | 400 | The IpProtocol parameter is not specified. |
| InvalidPriority.Malformed | The specified parameter Priority is not valid. | 400 | The format of the Priority parameter is incorrect. |
| InvalidIpPortRange.Malformed | The specified parameter PortRange is not valid. | 400 | The format of PortRange is incorrect. |
| MissingParameter | The input parameter PortRange that is mandatory for processing this request is not supplied. | 400 | The PortRange parameter is not specified |
| InvalidDestGroupId.NotFound | The DestGroupId provided does not exist in our records. | 404 | The specified DestGroupId does not exist. |
| InvalidDestGroupId.Mismatch | NicType is required or NicType expects intrnet. | 403 | You must specify the NicType parameter or the NicType must be set to intranet. |
| InvalidDestCidrIp.Malformed | The specified parameter DestCidrIp is not valid. | 400 | The format of the DestCidrIp parameter is incorrect. |
| MissingParameter | The input parameter DestGroupId or DestCidrIp cannot be both blank. | 400 | The DestGroupId or DestCidrIp parameter is not specified. |
| InvalidPolicy.Malformed | The specified parameter Policy is not valid. | 400 | The format of the Policy parameter is incorrect. |
| InvalidNicType.ValueNotSupported | The specified NicType does not exist. | 400 | The specified NicType value is not supported. |
| InvalidDestGroupId.Mismatch | DestGroupOwnerAccount is required. | 403 | Another user’s DestGroup is specified, but the DestGroupOwnerUserAccount is not specified. |
| InvalidDestGroupOwnerUserAccount.Mismatch | The specified DestGroupId is not belong to the DestGroupOwnerAccount. | 403 | The specified DestGroup does not belong to the user specified in DestGroupOwnerUserAccount. |
Examples
Request example
- Revoke access permissions to other security groups.
https://ecs.aliyuncs.com/?Action=RevokeSecurityGroupEgress&SecurityGroupId=sg-94n63e80l&IpProtocol=all&DestGroupId=sg-94oi1r1bp&IpProtocol=tcp&PortRange=1/65535&Priority=1&<Public Request Parameters>
- Revoke access permissions to a specified range of IP addresses.
https://ecs.aliyuncs.com/?Action=RevokeSecurityGroupEgress&SecurityGroupId=sg-94n63e80l&IpProtocol=all&DestCidrIp=10.0.0.0/8&IpProtocol=tcp&PortRange=1/65535&Priority=1&<Public Request Parameters>
Return example
XML format
<RevokeSecurityGroupEgressResponse><RequestId>CEF72CEB-54B6-4AE8-B225-F876FF7BA984</RequestId></RevokeSecurityGroupEgressResponse>
JSON format
{"RequestId":"CEF72CEB-54B6-4AE8-B225-F876FF7BA984"}