If you have authorized internal network communication between ECS instances that belong to different accounts in the same region, you can revoke that security group authorization by following this topic.

Prerequisites

Alibaba Cloud CLI is used to call ECS APIs. Make sure that you have installed Alibaba Cloud CLI. For more information, see Alibaba Cloud CLI Installation Guide.

Background information

In this topic, you call RevokeSecurityGroup to delete the inbound security group rule that granted the authorization. RevokeSecurityGroup deletes only a rule whose attributes (protocol, port range, source security group, owner account of that group, NIC type, policy and priority) match the request, so pass the same values that were used when the rule was authorized. You must prepare the following items:
  • Account name: the name of the account that you use to log on to the ECS console. It is passed as SourceGroupOwnerAccount when the rule refers to a security group owned by the other account.
  • Security group ID for the ECS instance: the ID of the security group to which the instance involved belongs. You can view this item in the ECS console or by calling DescribeSecurityGroups. (DescribeSecurityGroupReferences takes a security group ID as input and returns the security groups that reference it, which is useful for checking that the cross-account reference is gone after the revocation.)
  • Region ID for the ECS instance: See Regions and zones. cn-beijing is used in this example.

The following table lists the information of the two accounts used in this example.

  Account    Account name    Security group    Security group ID
  Account A  a@aliyun.com    sg1               sg-bp1azkttqpldxgtedXXX
  Account B  b@aliyun.com    sg2               sg-bp15ed6xe1yxeycg7XXX

After revoking the authorization for internal network communication between ECS instances for different accounts, you can re-authorize the communication.

Procedure

  1. Run the following command for Account A. It deletes the rule in sg1 that allows all intranet traffic from Account B's sg2:
    aliyun ecs RevokeSecurityGroup --SecurityGroupId sg-bp1azkttqpldxgtedXXX --RegionId cn-beijing --IpProtocol all --PortRange -1/-1 --SourceGroupId sg-bp15ed6xe1yxeycg7XXX --SourceGroupOwnerAccount b@aliyun.com --NicType intranet
  2. Run the following command for Account B. It deletes the rule in sg2 that allows all intranet traffic from Account A's sg1:
    aliyun ecs RevokeSecurityGroup --SecurityGroupId sg-bp15ed6xe1yxeycg7XXX --RegionId cn-beijing --IpProtocol all --PortRange -1/-1 --SourceGroupId sg-bp1azkttqpldxgtedXXX --SourceGroupOwnerAccount a@aliyun.com --NicType intranet
  3. Confirm the result in each account by calling DescribeSecurityGroupAttribute for the security group and checking that no rule with the other account's security group as its source remains. If such a rule is still listed, compare its attributes with the values you passed to RevokeSecurityGroup; a rule is deleted only when every attribute matches.
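Because RevokeSecurityGroup matches the rule attribute by attribute, a practical way to avoid a silent mismatch is to read the rules back first and build the revoke call from what the API actually returns. The following Python script is an added example and is not part of the Alibaba Cloud documentation or the Alibaba Cloud CLI. It takes a DescribeSecurityGroupAttribute response for Account A's sg1, selects the inbound rules whose source is Account B's sg2, and emits the exact aliyun command for each one. The response layout (Permissions.Permission with the fields IpProtocol, PortRange, SourceGroupId, SourceGroupOwnerAccount, NicType, Policy, Priority and Direction) is assumed from the ECS API reference, and the embedded sample response is constructed for this example rather than captured from a real account.

```python
"""Derive exact RevokeSecurityGroup calls from a group's current rules (added example).

Assumption: DescribeSecurityGroupAttribute returns the group's rules under
Permissions.Permission, each with the fields used below.  The sample below is
constructed for illustration and is not real API output.
"""
import json
import shlex

# Constructed sample: roughly what
#   aliyun ecs DescribeSecurityGroupAttribute --RegionId cn-beijing \
#       --SecurityGroupId sg-bp1azkttqpldxgtedXXX
# could return for Account A's sg1 after the cross-account authorization.
SAMPLE_SG1_ATTRIBUTE = {
    "SecurityGroupId": "sg-bp1azkttqpldxgtedXXX",
    "RegionId": "cn-beijing",
    "Permissions": {
        "Permission": [
            {   # the cross-account rule that authorizes Account B's sg2
                "Direction": "ingress",
                "IpProtocol": "ALL",
                "PortRange": "-1/-1",
                "SourceGroupId": "sg-bp15ed6xe1yxeycg7XXX",
                "SourceGroupOwnerAccount": "b@aliyun.com",
                "NicType": "intranet",
                "Policy": "Accept",
                "Priority": "1",
            },
            {   # an unrelated rule that must survive the revocation
                "Direction": "ingress",
                "IpProtocol": "TCP",
                "PortRange": "22/22",
                "SourceCidrIp": "10.0.0.0/8",
                "NicType": "intranet",
                "Policy": "Accept",
                "Priority": "1",
            },
        ]
    },
}

# RevokeSecurityGroup parameters that must match the existing rule.
REVOKE_FIELDS = ("IpProtocol", "PortRange", "SourceGroupId",
                 "SourceGroupOwnerAccount", "NicType", "Policy", "Priority")


def cross_account_rules(attribute, peer_group_id, peer_account):
    """Return the inbound rules whose source is peer_group_id owned by peer_account."""
    rules = attribute.get("Permissions", {}).get("Permission", [])
    return [r for r in rules
            if r.get("Direction", "ingress") == "ingress"
            and r.get("SourceGroupId") == peer_group_id
            and r.get("SourceGroupOwnerAccount") == peer_account]


def revoke_command(attribute, rule):
    """Build the aliyun CLI argv that deletes exactly this rule.

    Values are passed back verbatim as the API returned them, so the revoke
    request cannot drift from the rule that is actually present.
    """
    argv = ["aliyun", "ecs", "RevokeSecurityGroup",
            "--RegionId", attribute["RegionId"],
            "--SecurityGroupId", attribute["SecurityGroupId"]]
    for field in REVOKE_FIELDS:
        if field in rule:
            argv += ["--" + field, str(rule[field])]
    return argv


def revoke_commands(attribute, peer_group_id, peer_account):
    """One revoke argv per matching rule; fail loudly if nothing would be deleted."""
    matches = cross_account_rules(attribute, peer_group_id, peer_account)
    if not matches:
        raise LookupError(
            f"no inbound rule in {attribute.get('SecurityGroupId')} references "
            f"{peer_group_id} owned by {peer_account}; nothing to revoke")
    return [revoke_command(attribute, r) for r in matches]


def revoke_commands_from_json(text, peer_group_id, peer_account):
    """Same as revoke_commands, but from the raw JSON printed by the CLI."""
    return revoke_commands(json.loads(text), peer_group_id, peer_account)


if __name__ == "__main__":
    # Account A revoking sg2's access to sg1; the printed lines are ready to run.
    for argv in revoke_commands(SAMPLE_SG1_ATTRIBUTE,
                                "sg-bp15ed6xe1yxeycg7XXX", "b@aliyun.com"):
        print(shlex.join(argv))
```

Feed the script the JSON from `aliyun ecs DescribeSecurityGroupAttribute --RegionId cn-beijing --SecurityGroupId <id>` and run the printed commands; then run DescribeSecurityGroupAttribute again and expect revoke_commands to raise LookupError, which is the confirmation that the cross-account rule is gone. The same logic applies unchanged to Account B's sg2 with sg1 and a@aliyun.com as the peer.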