ModifySecurityGroupRule - API Reference| Alibaba Cloud Documentation Center

Description

You can determine an inbound rule by specifying one of the following groups of parameters. You cannot determine a security group rule by specifying only one parameter.

Parameters used to authorize access permissions on specified IP address segments: IpProtocol, PortRange, SourcePortRange (optional), NicType, Policy, DestCidrIp, and SourceCidrIp (optional).
Parameters used to authorize access permissions on other security groups: IpProtocol, PortRange, SourcePortRange (optional), NicType, Policy, DestCidrIp (optional), DestGroupOwnerAccount, and DestGroupId.

Debugging

You can use API Explorer to perform debugging. API Explorer allows you to perform various operations to simplify API usage. For example, you can retrieve APIs, call APIs, and dynamically generate SDK example code.

Request parameters


Name	Type	Required	Example	Description
IpProtocol	String	Yes	icmp	The transport layer protocol. This parameter value is case-insensitive. Valid values: icmp gre tcp udp all: All protocols are supported.
PortRange	String	Yes	80/80	The range of destination ports relevant to the transport layer protocol. Valid values: When IpProtocol is set to tcp or udp, the port number range is 1 to 65535. Separate the starting port and the ending port with a forward slash (/). Correct example: 1/200. Incorrect example: 200/1. When IpProtocol is set to icmp, the port number range is -1/-1, indicating that all values are valid. When IpProtocol is set to gre, the port number range is -1/-1, indicating that all values are valid. When IpProtocol is set to all, the port number range is -1/-1, indicating that all values are valid.
RegionId	String	Yes	cn-hangzhou	The ID of the region where the destination security group resides. You can call DescribeRegions to view the latest regions of Alibaba Cloud.
SecurityGroupId	String	Yes	sg-securitygroupid1	The ID of the destination security group.
Action	String	No	ModifySecurityGroupRule	The operation that you want to perform. Set the value to ModifySecurityGroupRule.
ClientToken	String	No	123e4567-e89b-12d3-a456-426655440000	A client token. It is used to ensure the idempotency of requests. The value of this parameter is generated by the client and is unique among different requests. The ClientToken parameter must be no more than 64 ASCII characters in length. For more information, see How to ensure idempotency.
Description	String	No	FinanceDept	The description of a security group rule. The description must be 1 to 512 characters in length.
DestCidrIp	String	No	10.0.0.0/8	The range of destination IP addresses. CIDR blocks and IPv4 addresses are supported. Default value: 0.0.0.0/0.
Ipv6DestCidrIp	String	No	2001:db8:1234:1a00::XXX	The destination IPv6 CIDR block. CIDR blocks and IPv6 addresses are supported. Note You can only specify IP addresses for VPC-connected instances. Default value: null.
Ipv6SourceCidrIp	String	No	2001:db8:1234:1a00::XXX	The source IPv6 CIDR block. CIDR blocks and IPv6 addresses are supported. Note You can only specify IP addresses for VPC-connected instances. Default value: null.
NicType	String	No	intranet	The NIC type. Valid values: internet intranet When DestGroupId is specified and DestCidrIp is not, the value of NicType can only be intranet. Default value: internet.
Policy	String	No	accept	The access control policy. Valid values: accept: grants access. drop: denies access and returns no responses. Default value: accept.
Priority	String	No	1	The priority of security group rules. Valid values: 1 to 100. Default value: 1.
SourceCidrIp	String	No	0.0.0.0/0	The range of source IP addresses. CIDR blocks and IPv4 addresses are supported. Default value: 0.0.0.0/0.
SourceGroupId	String	No	sg-securitygroupid2	The ID of the source security group to which you want to grant access permissions. Either the SourceGroupId parameter or the SourceCidrIp parameter must be specified. If SourceGroupId is specified and SourceCidrIp is not, the value of NicType can only be intranet. If both the SourceGroupId and SourceCidrIp parameters are set, the SourceCidrIp parameter will take precedence.
SourceGroupOwnerAccount	String	No	FinanceJoshua	The Alibaba Cloud account that manages the source security group when you set security group rules for different accounts. If neither SourceGroupOwnerAccount nor SourceGroupOwnerID is specified, access permissions for other security groups are set. If the SourceCidrIp parameter is specified, the SourceGroupOwnerAccount parameter will be ignored.
SourceGroupOwnerId	Long	No	155780923770	The Alibaba Cloud account that manages the source security group when you set security group rules for different accounts. If neither SourceGroupOwnerId nor SourceGroupOwnerAccount is specified, access permissions for other security groups are set. If the SourceCidrIp parameter is specified, the SourceGroupOwnerId parameter will be ignored.
SourcePortRange	String	No	80/80	The range of source ports relevant to the transport layer protocol. Valid values: When IpProtocol is set to tcp or udp, the port number range is 1 to 65535. Separate the starting port and the ending port with a forward slash (/). Correct example: 1/200. Incorrect example: 200/1. When IpProtocol is set to icmp, the port number range is -1/-1, indicating that all values are valid. When IpProtocol is set to gre, the port number range is -1/-1, indicating that all values are valid. When IpProtocol is set to all, the port number range is -1/-1, indicating that all values are valid.

Response parameters


Name	Type	Example	Description
RequestId	String	473469C7-AA6F-4DC5-B3DB-A3DC0DE3C83E	The ID of the request.

Examples

Sample requests

https://ecs.aliyuncs.com/?Action=ModifySecurityGroupRule
&SecurityGroupId=sg-F876FF7BA
&SourceGroupId=sg-1651FBB64
&SourceGroupOwnerAccount=test@aliyun.com
&IpProtocol=tcp
&PortRange=80/80
&Policy=allow
&Description=ThisIsANewSecurityGroupRule.
&<Common request parameters>

Successful response examples

XML format

<ModifySecurityGroupRuleResponse>
  <RequestId>CEF72CEB-54B6-4AE8-B225-F876FF7BA984</RequestId> 
</ModifySecurityGroupRuleResponse>

JSON format

{
	"RequestId":"CEF72CEB-54B6-4AE8-B225-F876FF7BA984"
}

Error codes


HTTP status code	Error code	Error message	Description
404	InvalidSecurityGroupId.NotFound	The specified SecurityGroupId does not exist.	The error message returned when the specified security group does not exist under this account. Check whether the security group ID is correct.
400	OperationDenied	The specified IpProtocol does not exist or IpProtocol and PortRange do not match.	The error message returned when the specified IP does not exist or does not match the port range.
400	InvalidIpProtocol.Malformed	The specified parameter "PortRange" is not valid.	The error message returned when the format of the IpProtocol parameter is invalid.
403	MissingParameter	The input parameter "SourceGroupId" or "SourceCidrIp" cannot be both blank.	The error message returned when the SourceGroupId and SourceCidrIp parameters are empty.
400	InvalidPolicy.Malformed	The specified parameter "Policy" is not valid.	The error message returned when the specified parameter is invalid. You need to check whether the parameter is correct.
400	InvalidNicType.Mismatch	Specified nic type conflicts with the authorization record.	The error message returned when the specified NIC type does not exist.
403	InvalidParamter.Conflict	The specified SecurityGroupId should be different from the SourceGroupId.	The error message returned when a specified security group is the same as the source security group.
400	InvalidPriority.Malformed	The parameter Priority is invalid.	The error message returned when the rule priority is invalid.
400	InvalidPriority.ValueNotSupported	The parameter Priority is invalid.	The error message returned when the rule priority is invalid.
400	InvalidSecurityGroupDiscription.Malformed	The specified security group rule description is not valid.	The error message returned when the description of the specified security group is invalid.
404	SecurityGroupRule.NotFound	The target security group rule not exist.	The error message returned when rules for the destination security group do not exist.
400	MissingParameter.Source	Either SourceCidrIp or SourceGroupId must be specified.	The error message returned when the SourceGroupId and SourceCidrIp parameters are empty.
400	InvalidParam.PortRange	Please specify the PortRange or SourcePortRange in integer, less than 65535, and separate the range with ? /?.	The error message returned when the range of destination or source port numbers is not specified. The port numbers must be smaller than 65,535. Use a forward slash (/) to separate the source and destination ports.
400	InvalidIpProtocol.ValueNotSupported	The parameter IpProtocol must be specified with case insensitive TCP, UDP, ICMP, GRE or All.	The error message returned when the protocol type is not TCP, UDP, ICMP, GRE or all.
400	InvalidParam.SourceIp	%s	The error message returned when the source IP address is invalid.
400	InvalidParam.DestIp	%s	The error message returned when the destination IP address is invalid.
400	InvalidParam.Ipv6DestCidrIp	%s	The error message returned when the destination IPv6 CIDR block is invalid.
400	InvalidParam.Ipv6SourceCidrIp	%s	The error message returned when the source IPv6 CIDR block is invalid.
400	InvalidParam.Ipv4ProtocolConflictWithIpv6Address	%s	The error message returned when IPv4 addresses conflict with IPv6 addresses.
400	InvalidParam.Ipv6ProtocolConflictWithIpv4Address	%s	The error message returned when IPv6 addresses conflict with IPv4 addresses.
400	ILLEGAL_IPV6_CIDR	%s	The error message returned when the specified IPv6 address range is invalid.

View error codes