Delete outbound security group rules by calling RevokeSecurityGroupEgress - Elastic Compute Service - Alibaba Cloud - Elastic Compute Service

Deletes one or more outbound security group rules from a specified security group.

Operation description

Important On July 8, 2024, Alibaba Cloud adjusted the validation rules for this operation. When you attempt to delete a security group rule that does not exist, the operation now returns the error code "InvalidSecurityGroupRule.RuleNotExist" instead of a success response. Ensure that your application is compatible with this error code to avoid impacts on your online services.

You can use one of the following methods to pass parameters to delete security group rules:

Delete rules by specifying security group rule IDs (recommended).
- If the specified security group rule ID does not exist, an error is returned.
Delete rules by specifying the Permissions parameter.
- If the matching security group rule does not exist, the invoke succeeds but no rule is deleted.
- The following parameters are required to delete a security group rule:
  - Destination settings: Specify one of DestCidrIp (IPv4 address), Ipv6DestCidrIp (IPv6 address), DestPrefixListId (prefix list ID), or DestGroupId (destination security group).
  - Destination port range: PortRange.
  - Protocol type: IpProtocol.
  - Access policy: Policy.

Note

You cannot specify both security group rule IDs and the Permissions parameter at the same time.

Request examples

Delete by security group rule ID.

"SecurityGroupId":"sg-bp67acfmxazb4p****", // Specify the security group ID.
"SecurityGroupRuleId":["sgr-bpdfmk****","sgr-bpdfmg****"] // Specify the security group rule IDs.

Delete by IP address CIDR block.

"SecurityGroupId":"sg-bp67acfmxazb4ph***",
"Permissions":[
  {
    "IpProtocol":"TCP", // Specify the protocol type.
    "DestCidrIp":"10.0.0.0/8", // Specify the destination IP address CIDR block.
    "PortRange":"22/22", // Specify the destination port range.
    "Policy":"accept" // Specify the access policy.
  }
]

Delete by destination security group.

"SecurityGroupId":"sg-bp67acfmxazb4ph***",
"Permissions":[
  {
    "DestGroupId":"sg-bp67acfmxa123b****", // Specify the destination security group ID.
    "IpProtocol":"TCP",
    "PortRange":"22/22",
    "Policy":"accept"
  }
]

Delete by prefix list.

"SecurityGroupId":"sg-bp67acfmxazb4ph***",
"Permissions":[
  {
    "IpProtocol":"TCP",
    "DestPrefixListId":"pl-x1j1k5ykzqlixdcy****", // Specify the destination prefix list ID.
    "PortRange":"22/22",
    "Policy":"accept",
  }
]
```.

Try it now

Try this API in OpenAPI Explorer, no manual signing needed. Successful calls auto-generate SDK code matching your parameters. Download it with built-in credential security for local usage.

Test

RAM authorization

The table below describes the authorization required to call this API. You can define it in a Resource Access Management (RAM) policy. The table's columns are detailed below:

Action: The actions can be used in the Action element of RAM permission policy statements to grant permissions to perform the operation.
API: The API that you can call to perform the action.
Access level: The predefined level of access granted for each API. Valid values: create, list, get, update, and delete.
Resource type: The type of the resource that supports authorization to perform the action. It indicates if the action supports resource-level permission. The specified resource must be compatible with the action. Otherwise, the policy will be ineffective.
- For APIs with resource-level permissions, required resource types are marked with an asterisk (*). Specify the corresponding Alibaba Cloud Resource Name (ARN) in the Resource element of the policy.
- For APIs without resource-level permissions, it is shown as All Resources. Use an asterisk (*) in the Resource element of the policy.
Condition key: The condition keys defined by the service. The key allows for granular control, applying to either actions alone or actions associated with specific resources. In addition to service-specific condition keys, Alibaba Cloud provides a set of common condition keys applicable across all RAM-supported services.
Dependent action: The dependent actions required to run the action. To complete the action, the RAM user or the RAM role must have the permissions to perform all dependent actions.

Action

Access level

Resource type

Condition key

Dependent action

ecs:RevokeSecurityGroupEgress

delete

*SecurityGroup

acs:ecs:{#regionId}:{#accountId}:securitygroup/{#securitygroupId}

ecs:tag
ecs:tag
ecs:tag

None

Request parameters

Parameter	Type	Required	Description	Example
RegionId	string	Yes	The region ID of the security group. You can call DescribeRegions to query the most recent region list.	cn-hangzhou
RegionId	string	Yes	安全组所属地域 ID。您可以调用 DescribeRegions 查看最新的阿里云地域列表。	cn-hangzhou
RegionId	string	Yes	安全组所属地域 ID。您可以调用 DescribeRegions 查看最新的阿里云地域列表。	cn-hangzhou
ClientToken	string	No	A client token that is used to ensure the idempotence of the request. You can use the client to generate the token, but you must make sure that the token is unique among different requests. The ClientToken value can contain only ASCII characters and cannot exceed 64 characters in length. For more information, see How to ensure idempotence.	473469C7-AA6F-4DC5-B3DB-A3DC0DE3C83E
ClientToken	string	No	保证请求幂等性。从您的客户端生成一个参数值，确保不同请求间该参数值唯一。ClientToken 只支持 ASCII 字符，且不能超过 64 个字符。更多详情，请参见如何保证幂等性。	473469C7-AA6F-4DC5-B3DB-A3DC0DE3C83E
SecurityGroupId	string	Yes	The security group ID.	sg-bp67acfmxazb4p****
SecurityGroupId	string	Yes	安全组 ID。	sg-bp67acfmxazb4p****
SecurityGroupRuleId	array	No	The array of security group rule IDs. Array length: 0 to 100.
	string	No	The security group rule ID. Note This parameter is required when you delete rules by security group rule ID.	sgr-bp67acfmxa123b***
Permissions	array<object>	No	The array of security group rules. Array length: 0 to 100.
	object	No	The security group rule.
Policy	string	No	The access permissions. Valid values: accept: Accepts access. drop: Denies access without returning a deny response. The request timeout or the connection cannot be established. Default value: accept.	accept
Priority	string	No	The priority of the security group rule. A smaller value indicates a higher priority. Valid values: 1 to 100. Default value: 1.	1
IpProtocol	string	No	The protocol type. The value is case-insensitive. Valid values: TCP. UDP. ICMP. ICMPv6. GRE. ALL: all protocols.	TCP
DestCidrIp	string	No	The destination IPv4 Classless Inter-Domain Routing (CIDR) block for which you want to revoke access permissions. CIDR format and IPv4 address range are supported.	10.0.0.0/8
Ipv6DestCidrIp	string	No	The destination IPv6 Classless Inter-Domain Routing (CIDR) block for which you want to revoke access permissions. CIDR format and IPv6 address range are supported. Note This parameter is valid only for ECS instances that reside in VPCs and support IPv6. You cannot configure this parameter and `DestCidrIp` in Settings at the same time.	2001:db8:1233:1a00::***
DestGroupId	string	No	The ID of the destination security group for which you want to revoke access permissions. Specify at least one of `DestGroupId`, `DestCidrIp`, `Ipv6DestCidrIp`, or `DestPrefixListId`. If you specify `DestGroupId` but do not specify `DestCidrIp`, the `NicType` parameter can only be set to intranet. If you specify both `DestGroupId` and `DestCidrIp`, `DestCidrIp` takes precedence. Note: Advanced security groups do not support authorization for other security groups. A maximum of 20 security groups can be authorized for a basic security group.	sg-bp67acfmxa123b****
DestPrefixListId	string	No	The ID of the destination prefix list for which you want to revoke access permissions. You can invoke DescribePrefixLists to query available prefix list IDs. Note: Prefix lists are not supported when the network type of the security group is classic network. For more information about the limits on security groups and prefix lists, see Security group limits. You cannot configure prefix lists in Settings for classic network security groups. If you specify one of `DestCidrIp`, `Ipv6DestCidrIp`, or `DestGroupId`, this parameter is ignored.	pl-x1j1k5ykzqlixdcy****
PortRange	string	No	The range of destination ports that correspond to the transport layer protocol for the security group. Valid values: TCP/UDP: Valid values are 1 to 65535. Separate the start port and the end port with a forward slash (/). Example: 1/200. ICMP: -1/-1. GRE: -1/-1. ALL: -1/-1.	22/22
SourceCidrIp	string	No	The source IPv4 CIDR block. CIDR format and IPv4 address range are supported. This parameter is used to support quintuple rules. For more information, see Security group quintuple rules.	10.0.0.0/8
Ipv6SourceCidrIp	string	No	The source IPv6 CIDR block. CIDR format and IPv6 address range are supported. This parameter is used to support quintuple rules. For more information, see Security group quintuple rules. Note This parameter is valid only for ECS instances that reside in VPCs and support IPv6. You cannot configure this parameter and `DestCidrIp` in Settings at the same time.	2001:db8:1234:1a00::***
SourcePortRange	string	No	The range of source ports that correspond to the transport layer protocol for the security group. Valid values: TCP/UDP: Valid values are 1 to 65535. Separate the start port and the end port with a forward slash (/). Example: 1/200. ICMP: -1/-1. GRE: -1/-1. ALL: -1/-1. This parameter is used to support quintuple rules. For more information, see Security group quintuple rules.	22/22
DestGroupOwnerAccount	string	No	The Alibaba Cloud account that manages the destination security group when you revoke a cross-account authorization security group rule. If neither `DestGroupOwnerAccount` nor `DestGroupOwnerId` is configured in Settings, the rule is considered to revoke access permissions for another security group within your account. If `DestCidrIp` is specified, this parameter is ignored.	Test@aliyun.com
DestGroupOwnerId	string	No	The ID of the Alibaba Cloud account that manages the destination security group when you revoke a cross-account authorization security group rule. If neither `DestGroupOwnerId` nor `DestGroupOwnerAccount` is configured in Settings, the rule is considered to revoke access permissions for another security group within your account. If `DestCidrIp` is specified, this parameter is ignored.	12345678910
NicType	string	No	The network interface controller (NIC) type of the security group rule when the security group is in the classic network. Valid values: internet: public NIC. intranet: internal NIC. For VPC-type security group rules, you do not need to configure the NIC type in Settings. The default value is intranet, and only intranet is supported. When you revoke an authorization rule between security groups (when `DestGroupId` is specified), this parameter can only be set to intranet. Default value: internet.	intranet
Description	string	No	The description of the security group rule. The description must be 1 to 512 characters in length.	This is description.
PortRangeListId	string	No	The port list ID. You can invoke `DescribePortRangeLists` to query available port list IDs. If you specify `Permissions.N.PortRange`, this parameter is ignored. Port lists are not supported when the network type of the security group is classic network. You cannot configure port lists in Settings for classic network security groups. For more information about the limits on security groups and port lists, see Security group limits.	prl-2ze9743****
Policy `deprecated`	string	No	Deprecated. Use `Permissions.N.Policy` to configure the access permissions in Settings.	accept
Priority `deprecated`	string	No	Deprecated. Use `Permissions.N.Priority` to specify the rule priority.	1
IpProtocol `deprecated`	string	No	Deprecated. Use `Permissions.N.IpProtocol` to specify the protocol type.	TCP
DestCidrIp `deprecated`	string	No	Deprecated. Use `Permissions.N.DestCidrIp` to specify the destination IPv4 Classless Inter-Domain Routing (CIDR) block.	10.0.0.0/8
Ipv6DestCidrIp `deprecated`	string	No	Deprecated. Use `Permissions.N.Ipv6DestCidrIp` to specify the destination IPv6 Classless Inter-Domain Routing (CIDR) block.	2001:db8:1233:1a00::***
DestGroupId `deprecated`	string	No	Deprecated. Use `Permissions.N.DestGroupId` to specify the destination security group ID.	sg-bp67acfmxa123b****
DestPrefixListId `deprecated`	string	No	Deprecated. Use `Permissions.N.DestPrefixListId` to specify the destination prefix list ID.	pl-x1j1k5ykzqlixdcy****
PortRange `deprecated`	string	No	Deprecated. Use `Permissions.N.PortRange` to specify the port range.	22/22
SourceCidrIp `deprecated`	string	No	Deprecated. Use `Permissions.N.SourceCidrIp` to specify the source IPv4 CIDR block.	10.0.0.0/8
Ipv6SourceCidrIp `deprecated`	string	No	Deprecated. Use `Permissions.N.Ipv6SourceCidrIp` to specify the source IPv6 CIDR block.	2001:db8:1234:1a00::***
SourcePortRange `deprecated`	string	No	Deprecated. Use `Permissions.N.SourcePortRange` to specify the source port range.	22/22
DestGroupOwnerAccount `deprecated`	string	No	Deprecated. Use `Permissions.N.DestGroupOwnerAccount` to specify the Alibaba Cloud account that manages the destination security group.	Test@aliyun.com
DestGroupOwnerId `deprecated`	integer	No	Deprecated. Use `Permissions.N.DestGroupOwnerId` to specify the ID of the Alibaba Cloud account that manages the destination security group.	12345678910
NicType `deprecated`	string	No	Deprecated. Use `Permissions.N.NicType` to specify the network interface type.	intranet
Description `deprecated`	string	No	Deprecated. Use `Permissions.N.Description` to specify the rule description.	This is description.

Response elements

Element	Type	Description	Example
	object
RequestId	string	The request ID.	473469C7-AA6F-4DC5-B3DB-A3DC0DE3****

Examples

Success response

JSON format

{
  "RequestId": "473469C7-AA6F-4DC5-B3DB-A3DC0DE3****"
}

Error codes

HTTP status code	Error code	Error message	Description
400	InvalidIpProtocol.ValueNotSupported	The parameter IpProtocol must be specified with case insensitive TCP, UDP, ICMP, GRE or All.	The specified IpProtocol parameter is invalid. The valid values of this parameter are tcp, udp, icmp, gre, and all.
400	InvalidIpPortRange.Malformed	The specified parameter PortRange is not valid.
400	InvalidDestCidrIp.sMalformed	The specified parameter DestCidrIp is not valid.	The specified DestCidrIp parameter is invalid.
400	MissingParameter	The input parameter DestGroupId or DestCidrIp cannot be both blank.
400	InvalidPolicy.Malformed	The specified parameter %s is not valid.	The specified Policy parameter is invalid.
400	InvalidNicType.ValueNotSupported	The specified parameter %s is not valid.	The specified NicType parameter is invalid.
400	InvalidDestGroupId.Mismatch	Specified security group and destination group are not in the same VPC.	The specified source and destination security groups do not belong to the same VPC.
400	InvalidDestCidrIp.Malformed	The specified parameter DestCidrIp is not valid.	The specified DestCidrIp parameter is invalid.
400	MissingParameter.Dest	One of the parameters DestCidrIp, Ipv6DestCidrIp, DestGroupId or DestPrefixListId in %s must be specified.	Specify at least one of the DestCidrIp, Ipv6DestCidrIp, DestGroupId, and DestPrefixListId parameters.
400	InvalidParam.PortRange	The specified parameter %s is not valid. It should be two integers less than 65535 in ?/? format.	The format of the port range is invalid. Specify the port range in the format of a slash separating two integers.
400	InvalidPriority.Malformed	The parameter Priority is invalid.	The specified Priority parameter is invalid.
400	InvalidPriority.ValueNotSupported	The specified parameter %s is invalid.	The specified Priority parameter is invalid.
400	InvalidParam.SourceIp	The Parameters SourceCidrIp and Ipv6SourceCidrIp in %s cannot be set at the same time.	The SourceCidrIp and Ipv6SourceCidrIp parameters cannot be specified at the same time.
400	InvalidParam.DestIp	The Parameters DestCidrIp and Ipv6DestCidrIp in %s cannot be set at the same time.	The DestCidrIp and Ipv6DestCidrIp parameters cannot be specified at the same time.
400	InvalidParam.Ipv6DestCidrIp	The specified parameter %s is not valid.	The specified Ipv6DestCidrIp parameter is invalid.
400	InvalidParam.Ipv6SourceCidrIp	The specified parameter %s is not valid.	The specified Ipv6SourceCidrIp parameter is invalid.
400	InvalidParam.Ipv4ProtocolConflictWithIpv6Address	IPv6 address cannot be specified for IPv4-specific protocol.	IPv6 addresses cannot be specified for instances that use the IPv4 protocol.
400	InvalidParam.Ipv6ProtocolConflictWithIpv4Address	IPv4 address cannot be specified for IPv6-specific protocol.	IPv4 addresses cannot be specified for instances that use the IPv6 protocol.
400	InvalidParameter.Ipv6CidrIp	The specified Ipv6CidrIp is not valid.	The specified Ipv6CidrIp parameter is invalid.
400	InvalidGroupAuthParameter.OperationDenied	The security group can not authorize to enterprise level security group.	Security groups cannot be referenced as authorization objects (destinations or sources) in rules of advanced security groups.
400	InvalidSecurityGroupId.Malformed	The specified parameter SecurityGroupId is not valid.	The specified SecurityGroupId parameter is invalid.
400	InvalidPortRange.Malformed	The specified parameter PortRange must set.	The PortRange parameter must be specified.
400	InvalidSourcePortRange.Malformed	The specified parameter SourcePortRange is not valid.	The specified SourcePortRange parameter is invalid.
400	InvalidSecurityGroupDiscription.Malformed	The specified security group rule description is not valid.	The specified security group rule description is invalid.
400	NotSupported.ClassicNetworkPrefixList	The prefix list is not supported when the network type of security group is classic.	Security groups in the classic network do not support prefix lists.
400	InvalidParam.SourceCidrIp	The specified parameter %s is not valid.	The specified SourceCidrIp parameter is invalid.
400	InvalidParam.DestCidrIp	The specified parameter %s is not valid.	The specified DestCidrIp parameter is invalid.
400	InvalidParam.Permissions	The specified parameter Permissions cannot coexist with other parameters.	The specified Permissions parameter and other parameters are mutually exclusive.
400	InvalidParam.DuplicatePermissions	There are duplicate permissions in the specified parameter Permissions.	The specified Permissions parameter contains duplicate permissions.
400	InvalidParam.SecurityGroupRuleId	The specified parameter SecurityGroupRuleId is not valid.	The specified SecurityGroupRuleId parameter is invalid.
400	InvalidParam.SecurityGroupRuleIdRepeated	The specified parameter SecurityGroupRuleId is repeated.	The SecurityGroupRuleId parameter has duplicate values.
400	InvalidGroupParameter.OperationDenied	The attributes Policy, SourceGroupId, DestGroupId of enterprise level security groups are not allowed to be set or modified.	The attributes Policy, SourceGroupId, DestGroupId of enterprise level security groups are not allowed to be set or modified.
400	InvalidSecurityGroupRule.RuleNotExist	The specified rule does not exist.	The specified security group rule does not exist.
400	InvalidParam.ProtocolNotSupportPortRangeList	The specified protocol does not support the port range list.	The specified protocol does not support the port list.
400	InvalidPortRangeListId.NotFound	The specified port range list was not found.	The specified port list was not found.
401	InvalidOperation.SecurityGroupNotAuthorized	The specified security group is not authorized to operate.	You do not have permission to operate the current security group.
403	InvalidNicType.Mismatch	Specified nic type conflicts with the authorization record.
403	InvalidGroupAuthItem.NotFound	Specified group authorized item does not exist in our records.
403	InvalidSecurityGroup.IsSame	The authorized SecurityGroupId should be different from the DestGroupId.	The ID of the source security group is the same as that of the destination security group.
403	InvalidParamter.Conflict	The specified SecurityGroupId should be different from the SourceGroupId.	The destination security group is the same as the source security group.
403	InvalidOperation.ResourceManagedByCloudProduct	%s	You cannot modify security groups managed by cloud services.
404	InvalidSecurityGroupId.NotFound	The specified SecurityGroupId does not exist.	The specified security group does not exist in this account. Check whether the security group ID is correct.
404	InvalidDestGroupId.NotFound	The DestGroupId provided does not exist in our records.
404	InvalidSecurityGroupRuleId.NotFound	The specified SecurityGroupRuleId is not exists.	The specified SecurityGroupRuleId parameter does not exist.
404	InvalidPrefixListId.NotFound	The specified prefix list was not found.	The prefix list does not exist.

See Error Codes for a complete list.

Release notes

See Release Notes for a complete list.