All Products
Search
Document Center

:Why can't all the security group rules in a security group be displayed when I use an ECS API operation or ECS SDK to query the details of the security group?

Last Updated:Dec 15, 2020

Overview

This topic describes how to troubleshoot security group rules that cannot be displayed when you use APIs or SDKs to query security group rules.

Description

Alibaba Cloud reminds you that:

  • Before you perform operations that may cause risks, such as modifying instance configurations or data, we recommend that you check the disaster recovery and fault tolerance capabilities of the instances to ensure data security.
  • You can modify the configurations and data of instances including but not limited to Elastic Compute Service (ECS) and Relational Database Service (RDS) instances. Before the modification, we recommend that you create snapshots or enable RDS log backup.
  • If you have authorized or submitted sensitive information such as the logon account and password in the Alibaba Cloud Management Console, we recommend that you modify such information in a timely manner.

The SDK query method is similar to API query. Here, API query is used as an example.

How to query security groups by using APIs

There are two network types: Internet and Intranet. If you call the corresponding API operation to query DescribeSecurityGroupAttribute, Internet rules are displayed by default if no parameters for network type differentiation are required. If you need to view Intranet rules, for example, Intranet connection or financial cloud VPN firewall rules, you can configure Intranet security group rules. The NicType parameter needs to be provided at the same time, you can set its value to intranet. The following table describes the parameters.

Note: The same is true for querying through SDK. Upgrade to the latest version and use the corresponding method to set the NicType parameter value.

Parameter Type Required Description
Action String Yes The parameter specified in the system. Value: DescribeSecurityGroupAttribute
SecurityGroupId String Yes The ID of the destination security group.
RegionId String Yes The ID of the Region to which the destination security group belongs.
NicType String No Network Type: internet | intranet. The default value is internet.

Example Description

This topic takes Elastic Compute Service (ECS) as an example. By default, required parameters are the SecurityGroupId and RegionId. After submission, only the rules on the Internet are returned.

aliyuncli ecs DescribeSecurityGroupAttribute \
--SecurityGroupId [$SecurityGroup_ID] \
--RegionId [$Region_ID] \

Description

  • [$SecurityGroup_ID] indicates the ID of the security group to which the ECS instance belongs.
  • [$Region_ID] is the ID of the Region to which the destination security group belongs.

The following command output is returned.

Fixes

You must add the NicType parameter to the file and set the value to intranet. Run the following command:

aliyuncli ecs DescribeSecurityGroupAttribute \
--SecurityGroupId [$SecurityGroup_ID] \
--RegionId [$Region_ID] \
--Nictype intranet

A similar output is displayed. Check whether the system displays security group rules for intranet networks.

Application scope

  • ECS