RevokeSecurityGroupEgress - API Reference| Alibaba Cloud Documentation Center

RevokeSecurityGroupEgress

Edit in GitHub

Last Updated: Jun 04, 2020 Edit in GitHub

You can call this operation to delete an outbound security group rule and revoke outbound permissions specified by this rule.

Description

In the security group-related API documents, inbound traffic refers to the traffic sent by the source device and received at the destination device.

You can determine a security group rule by specifying one of the following groups of parameters. You cannot determine a security group rule by specifying only one parameter.

Parameters used to revoke access permissions on specified CIDR blocks: IpProtocol, PortRange, SourcePortRange (optional), NicType, Policy, DestCidrIp, and SourceCidrIp (optional).


    https://ecs.aliyuncs.com/?Action=RevokeSecurityGroupEgress
    &SecurityGroupId=sg-bp67acfmxazb4ph***
    &IpProtocol=tcp
    &DestCidrIp=10.0.0.0/8
    &PortRange=-22/22
    &NicType=intranet
    &Policy=Allow
    &<Common request parameters>

Parameters used to revoke access permissions on other security groups: IpProtocol, PortRange, SourcePortRange (optional), NicType, Policy, DestCidrIp (optional), DestGroupOwnerAccount, and DestGroupId.


    https://ecs.aliyuncs.com/?Action=RevokeSecurityGroupEgress
    &SecurityGroupId=sg-bp67acfmxazb4ph***
    &DestGroupId=sg-bp67acfmxazb4pi***
    &DestGroupOwnerAccount=test@aliyun.com
    &IpProtocol=tcp
    &PortRange=22/22
    &NicType=intranet
    &Policy=Drop
    &<Common request parameters>

If the security group rule to match does not exist, the RevokeSecurityGroupEgress operation succeeds but no rules are deleted.

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer. OpenAPI Explorer dynamically generates the sample code of the operation for different SDKs.

Request parameters


Parameter	Type	Required	Example	Description
Action	String	No	RevokeSecurityGroupEgress	The operation that you want to perform. Set the value to RevokeSecurityGroupEgress.
IpProtocol	String	Yes	tcp	The transport layer protocol. The value is case-insensitive. Valid values: icmp gre tcp udp all
PortRange	String	Yes	22/22	The range of destination ports relevant to transport layer protocols. Valid values: When the IpProtocol parameter is set to tcp or udp, the port number range is 1 to 65535. Separate the start port and the end port with a forward slash (/). Correct example: 1/200. Incorrect example: 200/1. When the IpProtocol parameter is set to icmp, the port number range is -1/-1, indicating that all ports are available. When the IpProtocol parameter is set to gre, the port number range is -1/-1, indicating that all ports are available. When the IpProtocol parameter is set to all, the port number range is -1/-1, indicating that all ports are available.
RegionId	String	Yes	cn-hangzhou	The ID of the region to which the source security group belongs. You can call the DescribeRegions operation to query the most recent region list.
SecurityGroupId	String	Yes	sg-bp67acfmxazb4ph***	The ID of the source security group.
DestGroupId	String	No	sg-bp67acfmxazb4pi***	The ID of the destination security group from which you want to revoke access permissions. You must specify either DestGroupId or DestCidrIp. If DestGroupId is specified but DestCidrIp is not, the NicType parameter must be set to intranet. If DestGroupId and DestCidrIp are specified at the same time, the DestCidrIp parameter will take precedence.
DestGroupOwnerId	Long	No	12345678910	The ID of the Alibaba Cloud account that manages the destination security group when you delete security group rules across account. If neither DestGroupOwnerId nor DestGroupOwnerAccount is specified, the access permission is revoked from another security group managed by your account. If DestCidrIp is specified, the DestGroupOwnerId parameter is ignored.
DestGroupOwnerAccount	String	No	Test	The Alibaba Cloud account that manages the destination security group when you delete security group rules across account. If neither DestGroupOwnerAccount nor DestGroupOwnerId is specified, the access permission is revoked from another security group managed by your account. If DestCidrIp is specified, the DestGroupOwnerAccount parameter is ignored.
DestCidrIp	String	No	10.0.0.0/8	The range of destination IP addresses. CIDR blocks and IPv4 addresses are supported. This parameter is empty by default.
Ipv6DestCidrIp	String	No	2001:db8:1233:1a00::***	The range of destination IPv6 addresses. CIDR blocks and IPv6 addresses are supported. This parameter is empty by default. Note You can specify only the IP addresses of VPC-type instances.
SourceCidrIp	String	No	10.0.0.0/8	The range of source IP addresses. CIDR blocks and IPv4 addresses are supported. This parameter is empty by default.
Ipv6SourceCidrIp	String	No	2001:db8:1234:1a00::***	The range of source IPv6 addresses. CIDR blocks and IPv6 addresses are supported. This parameter is empty by default. Note You can specify only the IP addresses of VPC-type instances.
SourcePortRange	String	No	22/22	The range of source ports relevant to transport layer protocols. Valid values: When the IpProtocol parameter is set to tcp or udp, the port number range is 1 to 65535. Separate the start port and the end port with a forward slash (/). Correct example: 1/200. Incorrect example: 200/1. When the IpProtocol parameter is set to icmp, the port number range is -1/-1, indicating that all ports are available. When the IpProtocol parameter is set to gre, the port number range is -1/-1, indicating that all ports are available. When the IpProtocol parameter is set to all, the port number range is -1/-1, indicating that all ports are available.
Policy	String	No	accept	The access control policy. Valid values: accept: grants access. drop: denies access without returning a rejection response. Default value: accept.
Priority	String	No	1	The priority of security group rules. Valid values: 1 to 100. Default value: 1.
NicType	String	No	intranet	The NIC type of security groups in the classic network. Valid values: internet intranet If the security group is in a VPC, the parameter is set to intranet by default and cannot be modified. If DestGroupId is specified but DestCidrIp is not, this parameter must be set to intranet. Default value: internet.
ClientToken	String	No	473469C7-AA6F-4DC5-B3DB-A3DC0DE3C83E	The client token that is used to ensure the idempotence of the request. You can use the client to generate the value, but you must ensure that it is unique among different requests. The ClientToken value can only contain ASCII characters and cannot exceed 64 characters in length. For more information, see How to ensure idempotence.
Description	String	No	Test	The description of the security group rule.

Response parameters


Parameter	Type	Example	Description
RequestId	String	473469C7-AA6F-4DC5-B3DB-A3DC0DE3C83E	The ID of the request.

Examples

Sample requests

https://ecs.aliyuncs.com/?Action=RevokeSecurityGroupEgress
&SecurityGroupId=sg-bp67acfmxazb4ph***
&IpProtocol=tcp
&DestCidrIp=10.0.0.0/8
&PortRange=22/22
&NicType=intranet
&Policy=Allow
&<Common request parameters>

Sample success responses

XML format

<RevokeSecurityGroupEgressResponse>
       <RequestId>CEF72CEB-54B6-4AE8-B225-F876FF7BA984</RequestId>
</RevokeSecurityGroupEgressResponse>

JSON format

{
    "RequestId":"CEF72CEB-54B6-4AE8-B225-F876FF7BA984"
}

Error codes


HTTP status code	Error code	Error message	Description
404	InvalidSecurityGroupId.NotFound	The specified SecurityGroupId does not exist.	The error message returned because the specified SecurityGroupId parameter does not exist. Check whether the security group ID is correct.
400	InvalidIpProtocol.ValueNotSupported	The specified IpProtocol does not exist.	The error message returned because the specified IpProtocol parameter is invalid.
400	InvalidIpPortRange.Malformed	The specified parameter "PortRange" is not valid.	The error message returned because the specified PortRange parameter is invalid.
404	InvalidDestGroupId.NotFound	The DestGroupId provided does not exist in our records.	The error message returned because the specified DestGroupId parameter does not exist.
403	InvalidNicType.Mismatch	Specified nic type conflicts with the authorization record.	The error message returned because the specified NIC type conflicts with the authorization record.
403	InvalidGroupAuthItem.NotFound	Specified group authorized item does not exist in our records.	The error message returned because the specified group authorization entry does not exist.
400	InvalidDestCidrIp.sMalformed	The specified parameter "DestCidrIp" is not valid.	The error message returned because the specified DestCidrIp parameter is invalid.
400	MissingParameter	The input parameter "DestGroupId" or "DestCidrIp" cannot be both blank.	The error message returned because DestGroupId and DestCidrIp cannot be empty at the same time.
400	InvalidPolicy.Malformed	The specified parameter "Policy" is not valid.	The error message returned because the specified Policy parameter is invalid.
400	InvalidNicType.ValueNotSupported	The specified NicType does not exist.	The error message returned because the specified NicType parameter does not exist. Check whether the NIC type is correct.
400	InvalidDestGroupId.Mismatch	Specified security group and destination group are not in the same VPC.	The error message returned because the specified security group and the destination security group do not belong to the same VPC.
400	VPCDisabled	Can't use the SecurityGroup in VPC.	The error message returned because the current VPC does not support security groups.
403	InvalidSecurityGroup.IsSame	The authorized SecurityGroupId should be different from the DestGroupId.	The error message returned because the authorized security group and the destination security group cannot be the same.
500	InternalError	The request processing has failed due to some unknown error.	The error message returned because an internal error has occurred. Try again later. If the problem persists, submit a ticket.
400	InvalidDestCidrIp.Malformed	The specified parameter "DestCidrIp" is not valid.	The error message returned because the specified DestCidrIp parameter is invalid.
400	MissingParameter.Dest	Either DestCidrIp or DestGroupId must be specified.	The error message returned because DestCidrIp and DestGroupId cannot be empty at the same time.
400	InvalidIpProtocol.ValueNotSupported	The parameter IpProtocol must be specified with case insensitive TCP, UDP, ICMP, GRE or All.	The error message returned because the IpProtocol parameter is not set to tcp, udp, icmp, gre, or all.
400	InvalidPriority.Malformed	The parameter Priority is invalid.	The error message returned because the specified Priority parameter is invalid.
400	InvalidPriority.ValueNotSupported	The parameter Priority is invalid.	The error message returned because the specified Priority parameter is invalid.
403	InvalidParamter.Conflict	The specified SecurityGroupId should be different from the SourceGroupId.	The error message returned because the authorized security group is the same as the source security group.
400	InvalidDestCidrIp.Malformed	The specified parameter DestCidrIp is not valid.	The error message returned because the specified DestCidrIp parameter is invalid.
400	InvalidParam.SourceIp	%s	The error message returned because the specified SourceCidrIp parameter is invalid.
400	InvalidParam.DestIp	%s	The error message returned because the specified DestCidrIp parameter is invalid.
400	InvalidParam.Ipv6DestCidrIp	%s	The error message returned because the specified Ipv6DestCidrIp parameter is invalid.
400	InvalidParam.Ipv6SourceCidrIp	%s	The error message returned because the specified Ipv6SourceCidrIp parameter is invalid.
400	InvalidParam.Ipv4ProtocolConflictWithIpv6Address	%s	The error message returned because the specified parameter value is invalid. Check whether you have entered an IPv6 address under an IPv4 protocol.
400	InvalidParam.Ipv6ProtocolConflictWithIpv4Address	%s	The error message returned because the specified parameter value is invalid. Check whether you have entered an IPv4 address under an IPv6 protocol.
400	ILLEGAL_IPV6_CIDR	%s	The error message returned because the specified IPv6 address is invalid.

For a list of error codes, visit the API Error Center.