RevokeSecurityGroup

Updated at:
Copy as MD

Deletes one or more inbound security group rules from a specified security group.

Operation description

Important Starting July 8, 2024, Alibaba Cloud adjusted the validation rules for this operation. When you attempt to delete a security group rule that does not exist, the operation now returns the error code "InvalidParam.SecurityGroupRuleId" instead of a success response. Update your error code handling to be compatible accordingly to avoid impact on your production workloads.
You can use one of the following methods to pass parameters to delete rules:

  • Specify security group rule IDs to delete rules (recommended).

    • If a specified security group rule ID does not exist, the API invocation fails.

  • Specify Permissions to delete rules.

    • If no matching security group rule exists, the invocation succeeds but no rule is deleted.

    • The following parameters are required to identify an inbound rule:
      • Source settings: Set one of SourceCidrIp (IPv4 address), Ipv6SourceCidrIp (IPv6 address), SourcePrefixListId (prefix list ID), or SourceGroupId (source security group).

      • Destination port range: PortRange.

      • Protocol type: IpProtocol.

      • Access policy: Policy.

Note

You cannot specify both security group rule IDs and Permissions at the same time.

Request examples

  • Delete by specifying security group rule IDs.

"SecurityGroupId":"sg-bp67acfmxazb4p****", // Specify the security group ID.
"SecurityGroupRuleId":["sgr-bpdfmk****","sgr-bpdfmg****"] // Specify the security group rule IDs.
  • Delete by specifying an IP address range.

"SecurityGroupId":"sg-bp67acfmxazb4p****",
"Permissions":[
  {
    "SourceCidrIp":"10.0.0.0/8", // Specify the source IP address range.
    "IpProtocol":"TCP", // Specify the protocol type.
    "PortRange":"80/80", // Specify the destination port range.
    "Policy":"accept" // Specify the access policy.
  }
]
  • Delete by specifying another security group.

"SecurityGroupId":"sg-bp67acfmxazb4p****",
"Permissions":[
  {
    "SourceGroupId":"sg-bp67acfmxa123b****", // Specify the source security group ID.
    "IpProtocol":"TCP,"
    "PortRange":"80/80",
    "Policy":"accept"
  ]
}
  • Delete by specifying a prefix list.

"SecurityGroupId":"sg-bp67acfmxazb4p****",
"Permissions":[
  {
    "SourcePrefixListId":pl-x1j1k5ykzqlixdcy****", // Specify the source prefix list ID.
    "IpProtocol":"TCP",
    "PortRange":"80/80",
    "Policy":"accept"
  }
]

Try it now

Try this API in OpenAPI Explorer, no manual signing needed. Successful calls auto-generate SDK code matching your parameters. Download it with built-in credential security for local usage.

Test

RAM authorization

The table below describes the authorization required to call this API. You can define it in a Resource Access Management (RAM) policy. The table's columns are detailed below:

  • Action: The actions can be used in the Action element of RAM permission policy statements to grant permissions to perform the operation.

  • API: The API that you can call to perform the action.

  • Access level: The predefined level of access granted for each API. Valid values: create, list, get, update, and delete.

  • Resource type: The type of the resource that supports authorization to perform the action. It indicates if the action supports resource-level permission. The specified resource must be compatible with the action. Otherwise, the policy will be ineffective.

    • For APIs with resource-level permissions, required resource types are marked with an asterisk (*). Specify the corresponding Alibaba Cloud Resource Name (ARN) in the Resource element of the policy.

    • For APIs without resource-level permissions, it is shown as All Resources. Use an asterisk (*) in the Resource element of the policy.

  • Condition key: The condition keys defined by the service. The key allows for granular control, applying to either actions alone or actions associated with specific resources. In addition to service-specific condition keys, Alibaba Cloud provides a set of common condition keys applicable across all RAM-supported services.

  • Dependent action: The dependent actions required to run the action. To complete the action, the RAM user or the RAM role must have the permissions to perform all dependent actions.

Action

Access level

Resource type

Condition key

Dependent action

ecs:RevokeSecurityGroup

delete

*SecurityGroup

acs:ecs:{#regionId}:{#accountId}:securitygroup/{#securitygroupId}

  • ecs:tag
  • ecs:tag
  • ecs:tag
None

Request parameters

Parameter

Type

Required

Description

Example

RegionId

string

Yes

The region ID of the security group. You can call DescribeRegions to query the most recent region list.

cn-hangzhou

RegionId

string

Yes

The region ID of the security group. You can call DescribeRegions to query the most recent region list.

cn-hangzhou

ClientToken

string

No

A client token used to ensure the idempotence of the request. You can use the client to generate the token, but make sure that the token is unique among different requests. The ClientToken value can contain only ASCII characters and cannot exceed 64 characters in length. For more information, see How to ensure idempotence.

123e4567-e89b-12d3-a456-426655440000

ClientToken

string

No

A client token used to ensure the idempotence of the request. You can use the client to generate the token, but make sure that the token is unique among different requests. The ClientToken value can contain only ASCII characters and cannot exceed 64 characters in length. For more information, see How to ensure idempotence.

123e4567-e89b-12d3-a456-426655440000

SecurityGroupId

string

Yes

The security group ID.

sg-bp67acfmxazb4p****

SecurityGroupId

string

Yes

The security group ID.

sg-bp67acfmxazb4p****

SecurityGroupRuleId

array

No

The IDs of security group rules. Array length: 0 to 100.

string

No

The security group rule ID.

Note

This parameter is required when you delete rules by security group rule ID.

sgr-bp67acfmxa123b***

Permissions

array<object>

No

The security group rules. Array length: 0 to 100.

object

No

The security group rule.

Policy

string

No

The access permissions. Valid values:

  • accept: Accepts access.

  • drop: Deny access without returning any denial information. The request appears to timeout or the connection cannot be established.

Default value: accept.

accept

Priority

string

No

The priority of the security group rule. A smaller value indicates a higher priority. Valid values: 1 to 100.

Default value: 1.

1

IpProtocol

string

No

The protocol type. The value is case-insensitive. Valid values:

  • TCP.

  • UDP.

  • ICMP.

  • ICMPv6.

  • GRE.

  • ALL: all protocols.

TCP

SourceCidrIp

string

No

The source IPv4 Classless Inter-Domain Routing (CIDR) block from which you want to revoke access permissions. CIDR format and IPv4 address range are supported.

10.0.0.0/8

Ipv6SourceCidrIp

string

No

The source IPv6 Classless Inter-Domain Routing (CIDR) block from which you want to revoke access permissions. CIDR format and IPv6 address range are supported.

Note

This parameter is valid only for VPC-type ECS instances that support IPv6. You cannot specify both this parameter and SourceCidrIp.

2001:db8:1234:1a00::***

SourceGroupId

string

No

The ID of the source security group from which you want to revoke access permissions.

  • Set at least one of SourceGroupId, SourceCidrIp, Ipv6SourceCidrIp, or SourcePrefixListId.

  • If you specify SourceGroupId but do not specify the SourceCidrIp or Ipv6SourceCidrIp parameter, set NicType to intranet.

  • If you specify both SourceGroupId and SourceCidrIp, SourceCidrIp takes precedence by default.

Note:

  • Advanced security groups do not support authorization by security group access.

  • A maximum of 20 security groups can be authorized for a basic security group.

sg-bp67acfmxa123b****

SourcePrefixListId

string

No

The ID of the source prefix list from which you want to revoke access permissions. You can invoke DescribePrefixLists to query available prefix list IDs.

Note:

If you specify SourceCidrIp, Ipv6SourceCidrIp, or SourceGroupId, this parameter is ignored.

For more information, see Security group limits.

pl-x1j1k5ykzqlixdcy****

PortRange

string

No

The range of destination ports that correspond to the transport layer protocol. Valid values:

  • TCP/UDP: Valid values are 1 to 65535. Separate the start port and the end port with a forward slash (/). Example: 1/200.

  • ICMP: -1/-1.

  • GRE: -1/-1.

  • ALL: -1/-1.

1/200

DestCidrIp

string

No

The destination IPv4 CIDR block. CIDR blocks and IPv4 address range are supported.

This parameter is used for quintuple rules. For more information, see Security group quintuple rules.

10.0.0.0/8

Ipv6DestCidrIp

string

No

The destination IPv6 CIDR block. CIDR blocks and IPv6 address range are supported.

This parameter is used for quintuple rules. For more information, see Security group quintuple rules.

Note

This parameter is valid only for VPC-type ECS instances that support IPv6. You cannot specify both this parameter and DestCidrIp.

2001:db8:1233:1a00::***

SourcePortRange

string

No

The range of source ports that correspond to the transport layer protocol. Valid values:

  • TCP/UDP: Valid values are 1 to 65535. Separate the start port and the end port with a forward slash (/). Example: 1/200.

  • ICMP: -1/-1.

  • GRE: -1/-1.

  • ALL: -1/-1.

This parameter is used for quintuple rules. For more information, see Security group quintuple rules.

80/80

SourceGroupOwnerAccount

string

No

The Alibaba Cloud account that owns the source security group when you revoke a cross-account authorization security group rule.

  • If neither SourceGroupOwnerAccount nor SourceGroupOwnerId is set, the access permissions for another security group within your account are revoked.

  • If the SourceCidrIp parameter is set, the SourceGroupOwnerAccount parameter is ignored.

Test@aliyun.com

SourceGroupOwnerId

integer

No

The ID of the Alibaba Cloud account that owns the source security group when you revoke a cross-account authorization security group rule.

  • If neither SourceGroupOwnerId nor SourceGroupOwnerAccount is set, the access permissions for another security group within your account are revoked.

  • If the SourceCidrIp parameter is set, the SourceGroupOwnerId parameter is ignored.

12345678910

NicType

string

No

The network interface controller (NIC) type of the security group rule. For VPC-type security groups, you do not need to set the network type. The default value is intranet, and only intranet is supported.

Note

The classic network feature has been taken offline. For details, see Retirement notice. For classic network-type security group rules, valid values are:

  • internet: public network interface controller (NIC).

  • intranet: internal network interface controller (NIC).

intranet

Description

string

No

The description of the security group rule. The description must be 1 to 512 characters in length.

This is description.

PortRangeListId

string

No

The port list ID.

You can call DescribePortRangeLists to query available port list IDs.

If you specify Permissions.N.PortRange, this parameter is ignored.

For more information, see Security group limits.

prl-2ze9743****

Policy deprecated

string

No

Deprecated. Use Permissions.N.Policy to set the access permissions.

accept

Priority deprecated

string

No

Deprecated. Use Permissions.N.Priority to specify the rule priority.

1

IpProtocol deprecated

string

No

Deprecated. Use Permissions.N.IpProtocol to specify the protocol type.

ALL

SourceCidrIp deprecated

string

No

Deprecated. Use Permissions.N.SourceCidrIp to specify the source IPv4 Classless Inter-Domain Routing (CIDR) block.

10.0.0.0/8

Ipv6SourceCidrIp deprecated

string

No

Deprecated. Use Permissions.N.Ipv6SourceCidrIp to specify the source IPv6 Classless Inter-Domain Routing (CIDR) block.

2001:db8:1234:1a00::***

SourceGroupId deprecated

string

No

Deprecated. Use Permissions.N.SourceGroupId to specify the source security group ID.

sg-bp67acfmxa123b****

SourcePrefixListId deprecated

string

No

Deprecated. Use Permissions.N.SourcePrefixListId to specify the source prefix list ID.

pl-x1j1k5ykzqlixdcy****

PortRange deprecated

string

No

Deprecated. Use Permissions.N.PortRange to specify the port range.

1/200

DestCidrIp deprecated

string

No

Deprecated. Use Permissions.N.DestCidrIp to specify the destination IPv4 CIDR block.

10.0.0.0/8

Ipv6DestCidrIp deprecated

string

No

Deprecated. Use Permissions.N.Ipv6DestCidrIp to specify the destination IPv6 CIDR block.

2001:db8:1233:1a00::***

SourcePortRange deprecated

string

No

Deprecated. Use Permissions.N.SourcePortRange to specify the source port range.

80/80

SourceGroupOwnerAccount deprecated

string

No

Deprecated. Use Permissions.N.SourceGroupOwnerAccount to specify the Alibaba Cloud account that owns the source security group.

Test@aliyun.com

SourceGroupOwnerId deprecated

integer

No

Deprecated. Use Permissions.N.SourceGroupOwnerId to specify the ID of the Alibaba Cloud account that owns the source security group.

12345678910

NicType deprecated

string

No

Deprecated. Use Permissions.N.NicType to specify the network interface type.

intranet

Description deprecated

string

No

Deprecated. Use Permissions.N.Description to specify the rule description.

This is description.

Response elements

Element

Type

Description

Example

object

RequestId

string

The request ID.

473469C7-AA6F-4DC5-B3DB-A3DC0DE3****

Examples

Success response

JSON format

{
  "RequestId": "473469C7-AA6F-4DC5-B3DB-A3DC0DE3****"
}

Error codes

HTTP status code

Error code

Error message

Description

400 InvalidSecurityGroupId.Malformed The specified parameter SecurityGroupId is not valid. The specified SecurityGroupId parameter is invalid.
400 InvalidIpProtocol.ValueNotSupported The parameter IpProtocol must be specified with case insensitive TCP, UDP, ICMP, GRE or All. The specified IpProtocol parameter is invalid. The valid values of this parameter are tcp, udp, icmp, gre, and all.
400 InvalidIpPortRange.Malformed The specified parameter PortRange is not valid.
400 InvalidSourceCidrIp.Malformed The specified parameter SourceCidrIp is not valid. The specified source CIDR block is invalid.
400 MissingParameter The input parameter SourceGroupId or SourceCidrIp cannot be both blank.
400 InvalidPolicy.Malformed The specified parameter %s is not valid. The specified Policy parameter is invalid.
400 InvalidNicType.ValueNotSupported The specified parameter %s is not valid. The specified NicType parameter is invalid.
400 InvalidSourceGroupId.Mismatch Specified security group and source group are not in the same VPC. The specified source and destination security groups do not belong to the same VPC.
400 MissingParameter.Source One of the parameters SourceCidrIp, Ipv6SourceCidrIp, SourceGroupId or SourcePrefixListId in %s must be specified. At least one of the SourceCidrIp, SourceGroupId, and SourcePrefixListId parameters must be specified.
400 InvalidParam.PortRange The specified parameter %s is not valid. It should be two integers less than 65535 in ?/? format. The format of the port range is invalid. Specify the port range in the format of a slash separating two integers.
400 InvalidPriority.Malformed The parameter Priority is invalid. The specified Priority parameter is invalid.
400 InvalidPriority.ValueNotSupported The specified parameter %s is invalid. The specified Priority parameter is invalid.
400 InvalidParamter.Conflict The specified SecurityGroupId should be different from the SourceGroupId.
400 InvalidDestCidrIp.Malformed The specified parameter DestCidrIp is not valid. The specified DestCidrIp parameter is invalid.
400 InvalidParam.SourceIp The Parameters SourceCidrIp and Ipv6SourceCidrIp in %s cannot be set at the same time. The SourceCidrIp and Ipv6SourceCidrIp parameters cannot be specified at the same time.
400 InvalidParam.DestIp The Parameters DestCidrIp and Ipv6DestCidrIp in %s cannot be set at the same time. The DestCidrIp and Ipv6DestCidrIp parameters cannot be specified at the same time.
400 InvalidParam.Ipv6DestCidrIp The specified parameter %s is not valid. The specified Ipv6DestCidrIp parameter is invalid.
400 InvalidParam.Ipv6SourceCidrIp The specified parameter %s is not valid. The specified Ipv6SourceCidrIp parameter is invalid.
400 InvalidParam.Ipv4ProtocolConflictWithIpv6Address IPv6 address cannot be specified for IPv4-specific protocol. IPv6 addresses cannot be specified for instances that use the IPv4 protocol.
400 InvalidParam.Ipv6ProtocolConflictWithIpv4Address IPv4 address cannot be specified for IPv6-specific protocol. IPv4 addresses cannot be specified for instances that use the IPv6 protocol.
400 InvalidParameter.Ipv6CidrIp The specified Ipv6CidrIp is not valid. The specified Ipv6CidrIp parameter is invalid.
400 InvalidGroupAuthParameter.OperationDenied The security group can not authorize to enterprise level security group. Security groups cannot be referenced as authorization objects (destinations or sources) in rules of advanced security groups.
400 InvalidPortRange.Malformed The specified parameter PortRange must set. The PortRange parameter must be specified.
400 InvalidSourcePortRange.Malformed The specified parameter SourcePortRange is not valid. The specified SourcePortRange parameter is invalid.
400 InvalidSecurityGroupDiscription.Malformed The specified security group rule description is not valid. The specified security group rule description is invalid.
400 NotSupported.ClassicNetworkPrefixList The prefix list is not supported when the network type of security group is classic. Security groups in the classic network do not support prefix lists.
400 InvalidParam.SourceCidrIp The specified parameter %s is not valid. The specified SourceCidrIp parameter is invalid.
400 InvalidParam.DestCidrIp The specified parameter %s is not valid. The specified DestCidrIp parameter is invalid.
400 InvalidParam.Permissions The specified parameter Permissions cannot coexist with other parameters. The specified Permissions parameter and other parameters are mutually exclusive.
400 InvalidParam.DuplicatePermissions There are duplicate permissions in the specified parameter Permissions. The specified Permissions parameter contains duplicate permissions.
400 InvalidSecurityGroupId.NotFound The specified parameter SecurityGroupId is not valid. The specified security group does not exist in this account. Check whether the security group ID is correct.
400 InvalidParam.SecurityGroupRuleId The specified parameter SecurityGroupRuleId is not valid. The specified SecurityGroupRuleId parameter is invalid.
400 InvalidParam.SecurityGroupRuleIdRepeated The specified parameter SecurityGroupRuleId is repeated. The SecurityGroupRuleId parameter has duplicate values.
400 InvalidGroupParameter.OperationDenied The attributes Policy, SourceGroupId, DestGroupId of enterprise level security groups are not allowed to be set or modified. The attributes Policy, SourceGroupId, DestGroupId of enterprise level security groups are not allowed to be set or modified.
400 InvalidSecurityGroupRule.RuleNotExist The specified rule does not exist. The specified security group rule does not exist.
400 InvalidParam.ProtocolNotSupportPortRangeList The specified protocol does not support the port range list. The specified protocol does not support the port list.
400 InvalidPortRangeListId.NotFound The specified port range list was not found. The specified port list was not found.
400 InvalidSecurityGroup.InvalidNetworkType The specified security group network type is not support this operation, please check the security group network types. For VPC security groups, ClassicLink must be enabled. The operation is not supported while the security group is of the current network type. If the network type is VPC, ClassicLink must be enabled.
401 InvalidOperation.SecurityGroupNotAuthorized The specified security group is not authorized to operate. You do not have permission to operate the current security group.
500 InternalError The request processing has failed due to some unknown error.
403 InvalidNicType.Mismatch The specified NicType conflicts with the authorization record.
403 InvalidGroupAuthItem.NotFound Specified group authorized item does not exist in our records.
403 InvalidOperation.ResourceManagedByCloudProduct %s You cannot modify security groups managed by cloud services.
404 InvalidSecurityGroupId.NotFound The specified SecurityGroupId does not exist. The specified security group does not exist in this account. Check whether the security group ID is correct.
404 InvalidSourceGroupId.NotFound The SourceGroupId provided does not exist in our records. The specified SourceGroupId parameter does not exist.
404 InvalidPrefixListId.NotFound The specified prefix list was not found. The prefix list does not exist.
404 InvalidSecurityGroupRuleId.NotFound The specified SecurityGroupRuleId is not exists. The specified SecurityGroupRuleId parameter does not exist.

See Error Codes for a complete list.

Release notes

See Release Notes for a complete list.