Revoke an outbound security group rule

Last Updated: Jul 25, 2017

Description

This operation revokes an outbound security group rule. Two kinds of outbound access rules can be revoked. One approach revokes the authorization granted to another security group, within the same region (Classic network and VPC), for a specified protocol and port. The other approach revokes the authorization granted to an IP address range for a specified protocol and port.

Note: Only rules that were authorized by calling the Authorization interface can be deleted, and the parameter values must be the same as those used during authorization.

The security group rules are constructed by one of the two sets of optional parameters:

  • DestGroupOwnerAccount, DestGroupId, IpProtocol, PortRange, NicType, Policy
  • DestCidrIp, IpProtocol, PortRange, NicType, Policy

An error will be reported if a matching rule cannot be found.

Request parameters

| Name | Type | Required | Description |
|---|---|---|---|
| Action | String | Yes | Value: RevokeSecurityGroupEgress. |
| SecurityGroupId | String | Yes | The ID of the source security group. |
| RegionId | String | Yes | The ID of the source region of the security group. |
| IpProtocol | String | Yes | The IP protocol. Optional values: tcp, udp, icmp, gre, all. all indicates support for all four protocols. |
| PortRange | String | Yes | The port number range relevant to the IP protocol. When the protocol is tcp or udp, the default port number range is 1-65535. For example, 1/200 means the port number range is 1-200. If the input value is 200/1, the interface call reports an error. When the protocol is icmp, the port number range is -1/-1. When the protocol is gre, the port number range is -1/-1. When the protocol is all, the port number range is -1/-1. |
| DestGroupId | String | No | The authorized destination security group within the same region. Either the SourceGroupId or SourceCidrIp parameter must be set. If both are set, SourceCidrIp is authorized by default. Multiple groups (up to 10) can be specified simultaneously, separated by commas. |
| DestGroupOwnerId | String | No | The ID of the Alibaba Cloud user who owns the destination security group, used when security group rules are revoked across accounts. This parameter is optional. If it is not set, security groups of the same account are revoked by default. If DestCidrIp has already been set, this parameter is invalid. |
| DestCidrIp | String | No | The authorized destination IP address range, in CIDR format. By default, the value is 0.0.0.0/0, which means no restriction is applied. Other supported formats include 10.159.6.18/12. Only IPv4 is supported. |
| Policy | String | No | The authorization policy. Optional values: accept, drop. The default value is accept. |
| NicType | String | No | The network type. Optional values: Internet, Intranet. The default value is Internet. In mutual security group authorization (that is, DestGroupId is specified and DestCidrIp is not), you must specify the NicType as Intranet. |
| Priority | Integer | No | The priority of the security group rule to be revoked. |

Return parameters

All parameters are public return parameters. For details, refer to Public Return Parameters.

Error code

| Error code | Description | HTTP status code | Meaning |
|---|---|---|---|
| InvalidRegionId.NotFound | The specified RegionId does not exist. | 404 | The specified RegionId does not exist. |
| MissingParameter | The input parameter RegionId that is mandatory for processing this request is not supplied. | 400 | The RegionId parameter is not specified. |
| InvalidSecurityGroupId.NotFound | The specified SecurityGroupId does not exist. | 404 | The specified SecurityGroupId does not exist. |
| MissingParameter | The input parameter SecurityGroupId that is mandatory for processing this request is not supplied. | 400 | The SecurityGroupId parameter is not specified. |
| InvalidIpProtocol.ValueNotSupported | The specified IpProtocol does not exist. | 400 | The specified IpProtocol parameter value is not supported. |
| MissingParameter | The input parameter IpProtocol that is mandatory for processing this request is not supplied. | 400 | The IpProtocol parameter is not specified. |
| InvalidPriority.Malformed | The specified parameter Priority is not valid. | 400 | The format of the Priority parameter is incorrect. |
| InvalidIpPortRange.Malformed | The specified parameter PortRange is not valid. | 400 | The format of PortRange is incorrect. |
| MissingParameter | The input parameter PortRange that is mandatory for processing this request is not supplied. | 400 | The PortRange parameter is not specified. |
| InvalidDestGroupId.NotFound | The DestGroupId provided does not exist in our records. | 404 | The specified DestGroupId does not exist. |
| InvalidDestGroupId.Mismatch | NicType is required or NicType expects intrnet. | 403 | You must specify the NicType parameter or the NicType must be set to intranet. |
| InvalidDestCidrIp.Malformed | The specified parameter DestCidrIp is not valid. | 400 | The format of the DestCidrIp parameter is incorrect. |
| MissingParameter | The input parameter DestGroupId or DestCidrIp cannot be both blank. | 400 | The DestGroupId or DestCidrIp parameter is not specified. |
| InvalidPolicy.Malformed | The specified parameter Policy is not valid. | 400 | The format of the Policy parameter is incorrect. |
| InvalidNicType.ValueNotSupported | The specified NicType does not exist. | 400 | The specified NicType value is not supported. |
| InvalidDestGroupId.Mismatch | DestGroupOwnerAccount is required. | 403 | Another user’s DestGroup is specified, but the DestGroupOwnerUserAccount is not specified. |
| InvalidDestGroupOwnerUserAccount.Mismatch | The specified DestGroupId is not belong to the DestGroupOwnerAccount. | 403 | The specified DestGroup does not belong to the user specified in DestGroupOwnerUserAccount. |
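
A pre-flight check built from the parameter rules and error codes above, so that a malformed revoke request is caught before it is sent and a stale egress rule is not left in place unnoticed. This is an added example, not code from Alibaba Cloud; the function names, the `cn-hangzhou` RegionId and the case-insensitive NicType comparison are assumptions, and request signing (the public request parameters) is out of scope.

```python
import re
from ipaddress import IPv4Network
from urllib.parse import urlencode

PROTOCOLS = {"tcp", "udp", "icmp", "gre", "all"}

def check_revoke_egress(p):
    """Return the error code from the table above that the request would hit, or None."""
    for name in ("RegionId", "SecurityGroupId", "IpProtocol", "PortRange"):
        if not p.get(name):
            return "MissingParameter"
    if p["IpProtocol"] not in PROTOCOLS:
        return "InvalidIpProtocol.ValueNotSupported"
    if p["IpProtocol"] in ("tcp", "udp"):
        # start/end, both within 1-65535, start not above end ("200/1" is rejected)
        m = re.fullmatch(r"(\d+)/(\d+)", p["PortRange"], re.ASCII)
        if not m or not 1 <= int(m[1]) <= int(m[2]) <= 65535:
            return "InvalidIpPortRange.Malformed"
    elif p["PortRange"] != "-1/-1":  # icmp, gre and all take only -1/-1
        return "InvalidIpPortRange.Malformed"
    if not p.get("DestGroupId") and not p.get("DestCidrIp"):
        return "MissingParameter"
    if p.get("DestCidrIp"):
        try:  # IPv4 only; host bits may be set, as in 10.159.6.18/12
            IPv4Network(p["DestCidrIp"], strict=False)
        except ValueError:
            return "InvalidDestCidrIp.Malformed"
    elif p.get("NicType", "internet").lower() != "intranet":
        # group-to-group rules need NicType=intranet; case-insensitive match is an assumption
        return "InvalidDestGroupId.Mismatch"
    return None

def revoke_egress_query(p):
    """Build the unsigned query string; public request parameters are not added here."""
    err = check_revoke_egress(p)
    if err:
        raise ValueError(err)
    return urlencode({"Action": "RevokeSecurityGroupEgress", **p})

# Constructed sample: group IDs are the page's; RegionId is an assumed value.
SAMPLE = {"RegionId": "cn-hangzhou", "SecurityGroupId": "sg-94n63e80l",
          "IpProtocol": "tcp", "PortRange": "1/65535", "Priority": "1",
          "DestGroupId": "sg-94oi1r1bp", "NicType": "intranet"}

if __name__ == "__main__":
    print(revoke_egress_query(SAMPLE))
    print(check_revoke_egress({**SAMPLE, "PortRange": "200/1"}))
```
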

Examples

Request example

  • Revoke access permissions to other security groups.

    https://ecs.aliyuncs.com/?Action=RevokeSecurityGroupEgress
    &SecurityGroupId=sg-94n63e80l
    &DestGroupId=sg-94oi1r1bp
    &NicType=intranet
    &IpProtocol=tcp
    &PortRange=1/65535
    &Priority=1
    &<Public Request Parameters>

  • Revoke access permissions to a specified range of IP addresses.

    https://ecs.aliyuncs.com/?Action=RevokeSecurityGroupEgress
    &SecurityGroupId=sg-94n63e80l
    &DestCidrIp=10.0.0.0/8
    &IpProtocol=tcp
    &PortRange=1/65535
    &Priority=1
    &<Public Request Parameters>

Return example

XML format

    <RevokeSecurityGroupEgressResponse>
      <RequestId>CEF72CEB-54B6-4AE8-B225-F876FF7BA984</RequestId>
    </RevokeSecurityGroupEgressResponse>

JSON format

    {
      "RequestId": "CEF72CEB-54B6-4AE8-B225-F876FF7BA984"
    }