AuthorizeSecurityGroup - Elastic Compute Service - Alibaba Cloud Documentation Center

Creates one or more inbound rules in a security group. You can use the created rules to allow or deny inbound traffic from other hosts to instances in the security group.

Description

When you call this operation, take note of the following items:

The total number of outbound and inbound rules in each security group cannot exceed 200. For more information, see the "Security group limits" section in Limits.
The valid value of Priority ranges from 1 to 100. A smaller value indicates a higher priority.
When multiple security group rules have the same priority, drop rules take precedence.
The source can be a CIDR block specified by SourceCidrIp, Ipv6SourceCidrIp, or SourcePrefixListId or can be Elastic Compute Service (ECS) instances in a security group specified by SourceGroupId.
Security groups cannot be referenced as authorization objects (destinations or sources) in rules of advanced security groups.
Up to 20 security groups can be referenced as authorization objects in rules of each basic security group.
If the specified security group rule already exists, the call to AuthorizeSecurityGroup is successful but no security group rule is created.
Parameters and their Permissions.N-prefixed counterparts cannot be specified at the same time. We recommend that you use the Permissions.N-prefixed parameters.
You can determine a security group rule by specifying one of the following groups of parameters. You cannot determine a security group rule by specifying only one parameter.
- Parameters used to determine an inbound security group rule that controls access from a specific CIDR block: IpProtocol, PortRange, SourcePortRange (optional), NicType, Policy, and SourceCidrIp. For a security group of the Virtual Private Cloud (VPC) type, you must set the NicType parameter to intranet. For a security group of the classic network type, you can set the NicType parameter to either internet or intranet. Sample request:
```
        http(s)://ecs.aliyuncs.com/?Action=AuthorizeSecurityGroup
        &SecurityGroupId=sg-bp67acfmxazb4p****
        &Permissions.1.SourceCidrIp=10.0.0.0/8
        &Permissions.1.IpProtocol=TCP
        &Permissions.1.PortRange=22/22
        &Permissions.1.NicType=intranet
        &Permissions.1.Policy=Accept
        &<Common request parameters>
        
```
- Parameters used to determine an inbound security group rule that controls access from a security group: IpProtocol, PortRange, SourcePortRange (optional), NicType, Policy, SourceGroupOwnerAccount, and SourceGroupId. In this case, you must set the NicType parameter to intranet. For mutual access between security groups in the classic network, you can allow or deny another security group within the same region access to your security group. The security group that is allowed access to your security group can belong to your own Alibaba Cloud account or another Alibaba Cloud account specified by the SourceGroupOwnerAccount parameter. For mutual access between security groups in VPCs, you can allow or deny another security group within the same VPC access to your security group. Sample request:
```
        http(s)://ecs.aliyuncs.com/?Action=AuthorizeSecurityGroup
        &SecurityGroupId=sg-bp67acfmxazb4p****
        &Permissions.1.SourceGroupId=sg-1651FBB**
        &Permissions.1.SourceGroupOwnerAccount=test@aliyun.com
        &Permissions.1.IpProtocol=TCP
        &Permissions.1.PortRange=22/22
        &Permissions.1.NicType=intranet
        &Permissions.1.Policy=Drop
        &<Common request parameters>
        
```
- Parameters used to determine an inbound security group rule that controls access from a prefix list: IpProtocol, PortRange, SourcePortRange (optional), NicType, Policy, and SourcePrefixListId. In this case, prefix lists support only security groups in VPCs. The NicType parameter must be set to intranet. Sample request:
```
        http(s)://ecs.aliyuncs.com/?Action=AuthorizeSecurityGroup
        &SecurityGroupId=sg-bp67acfmxazb4p****
        &Permissions.1.SourcePrefixListId=pl-x1j1k5ykzqlixdcy****
        &Permissions.1.SourceGroupOwnerAccount=test@aliyun.com
        &Permissions.1.IpProtocol=TCP
        &Permissions.1.PortRange=22/22
        &Permissions.1.NicType=intranet
        &Permissions.1.Policy=Drop
        &<Common request parameters>
       
```
For information about examples on security group rule settings, see Security groups for different use cases and Security group quintuple rules.

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer. OpenAPI Explorer dynamically generates the sample code of the operation for different SDKs.

Request parameters


Parameter	Type	Required	Example	Description
Action	String	Yes	AuthorizeSecurityGroup	The operation that you want to perform. Set the value to AuthorizeSecurityGroup.
RegionId	String	Yes	cn-hangzhou	The region ID of the security group. You can call the DescribeRegions operation to query the most recent region list.
ClientToken	String	No	123e4567-e89b-12d3-a456-426655440000	The client token that is used to ensure the idempotence of the request. You can use the client to generate the value, but you must make sure that the value is unique among different requests. The ClientToken value can contain only ASCII characters and cannot exceed 64 characters in length. For more information, see How to ensure idempotence.
SecurityGroupId	String	Yes	sg-bp67acfmxazb4p****	The ID of the security group.
Permissions.N.Policy	String	No	accept	The action of security group rule N that determines whether to allow inbound access. Valid values: accept: allows access. drop: denies access and returns no responses. In this case, the request times out or the connection cannot be established. Default value: accept. Valid values of N: 1 to 100.
Permissions.N.Priority	String	No	1	The priority of security group rule N. A smaller value indicates a higher priority. Valid values: 1 to 100. Default value: 1. Valid values of N: 1 to 100.
Permissions.N.IpProtocol	String	No	ALL	The transport layer protocol of security group rule N. The value of this parameter is case-insensitive. Valid values: TCP UDP ICMP ICMPv6 GRE ALL: All protocols are supported. Valid values of N: 1 to 100.
Permissions.N.SourceCidrIp	String	No	10.0.0.0/8	The source IPv4 CIDR block for security group rule N. CIDR blocks and IPv4 addresses are supported. Valid values of N: 1 to 100.
Permissions.N.Ipv6SourceCidrIp	String	No	2001:250:6000::***	The source IPv6 CIDR block for security group rule N. CIDR blocks and IPv6 addresses are supported. Valid values of N: 1 to 100. Note The Permissions.N.Ipv6SourceCidrIp parameter is valid only when the source is ECS instances that reside in VPCs and that support IPv6 CIDR blocks. You cannot specify both this parameter and the `SourceCidrIp` parameter.
Permissions.N.SourceGroupId	String	No	sg-bp67acfmxazb4p****	The ID of the source security group to be referenced in security group rule N. At least one of `SourceGroupId`, `SourceCidrIp`, `Ipv6SourceCidrIp`, and `SourcePrefixListId` must be specified. If `SourceGroupId` is specified but `SourceCidrIp` or `Ipv6SourceCidrIp` is not specified, `NicType` must be set to `intranet`. If both `SourceGroupId` and `SourceCidrIp` are specified, `SourceCidrIp` takes precedence. Valid values of N: 1 to 100. Take note of the following items: Security groups cannot be referenced as destinations or sources in rules of advanced security groups. Up to 20 security groups can be referenced as destinations or sources in rules of each basic security group.
Permissions.N.SourcePrefixListId	String	No	pl-x1j1k5ykzqlixdcy****	The ID of the source prefix list to be referenced in security group rule N. You can call the DescribePrefixLists operation to query the IDs of available prefix lists. Valid values of N: 1 to 100. Take note of the following items: If a security group is in the classic network, you cannot reference prefix lists in the rules of the security group. For information about the limits on security groups and prefix lists, see the "Security group limits" section in Limits. If you specify the `SourceCidrIp`, `Ipv6SourceCidrIp`, or `SourceGroupId` parameter, this parameter is ignored.
Permissions.N.PortRange	String	No	80/80	The range of destination ports that correspond to the transport layer protocol for security group rule N. Valid values: When the Permissions.N.IpProtocol parameter is set to TCP or UDP, the port number range is 1 to 65535. Specify a port range in the format of <Start port number>/<End port number>. Example: 1/200. When the Permissions.N.IpProtocol parameter is set to ICMP, the port number range is -1/-1, which indicates all ports. When the Permissions.N.IpProtocol parameter is set to GRE, the port number range is -1/-1, which indicates all ports. When the Permissions.N.IpProtocol parameter is set to ALL, the port number range is -1/-1, which indicates all ports. For more information, see Typical applications of commonly used ports. Valid values of N: 1 to 100.
Permissions.N.DestCidrIp	String	No	10.0.0.0/8	The destination IPv4 CIDR block for security group rule N. CIDR blocks and IPv4 addresses are supported. This parameter is supported by quintuple rules. For more information, see Security group quintuple rules. Valid values of N: 1 to 100.
Permissions.N.Ipv6DestCidrIp	String	No	2001:250:6000::***	The destination IPv6 CIDR block for security group rule N. CIDR blocks and IPv6 addresses are supported. This parameter is supported by quintuple rules. For more information, see Security group quintuple rules. Valid values of N: 1 to 100. Note The Permissions.N.Ipv6DestCidrIp parameter is valid only when the destination is ECS instances that reside in VPCs and that support IPv6 CIDR blocks. You cannot specify both this parameter and the `DestCidrIp` parameter.
Permissions.N.SourcePortRange	String	No	7000/8000	The range of source ports that correspond to the transport layer protocol for security group rule N. Valid values: When the Permissions.N.IpProtocol parameter is set to TCP or UDP, the port number range is 1 to 65535. Specify a port range in the format of <Start port number>/<End port number>. Example: 1/200. When the Permissions.N.IpProtocol parameter is set to ICMP, the port number range is -1/-1, which indicates all ports. When the Permissions.N.IpProtocol parameter is set to GRE, the port number range is -1/-1, which indicates all ports. When the Permissions.N.IpProtocol parameter is set to ALL, the port number range is -1/-1, which indicates all ports. This parameter is supported by quintuple rules. For more information, see Security group quintuple rules. Valid values of N: 1 to 100.
Permissions.N.SourceGroupOwnerAccount	String	No	test@aliyun.com	The Alibaba Cloud account that manages the source security group when you set security group rule N across accounts. If both `SourceGroupOwnerAccount` and `SourceGroupOwnerId` are not specified, access permissions are configured for another security group managed by your account. If `SourceCidrIp` is specified, the `SourceGroupOwnerAccount` parameter is invalid. Valid values of N: 1 to 100.
Permissions.N.SourceGroupOwnerId	Long	No	1234567890	The ID of the Alibaba Cloud account that manages the source security group when you set security group rule N across accounts. If both `SourceGroupOwnerAccount` and `SourceGroupOwnerId` are not specified, access permissions are configured for another security group managed by your account. If `SourceCidrIp` is specified, the `SourceGroupOwnerAccount` parameter is invalid. Valid values of N: 1 to 100.
Permissions.N.NicType	String	No	intranet	The network interface controller (NIC) type of the security group rule when the security group is in the classic network. Valid values: internet: public NIC intranet: internal NIC If the security group is in a VPC, this parameter is set to intranet by default and cannot be changed. If you specify only DestGroupId when you configure access between security groups, this parameter must be set to intranet. Default value: internet. Valid values of N: 1 to 100.
Permissions.N.Description	String	No	This is description.	The description of security group rule N. The description must be 1 to 512 characters in length. Valid values of N: 1 to 100.
Policy	String	No	accept	This parameter is discontinued. Use `Permissions.N.Policy` to specify whether to allow inbound access.
Priority	String	No	1	This parameter is discontinued. Use `Permissions.N.Priority` to specify the rule priority.
IpProtocol	String	No	ALL	This parameter is discontinued. Use `Permissions.N.IpProtocol` to specify the transport layer protocol.
SourceCidrIp	String	No	10.0.0.0/8	This parameter is discontinued. Use `Permissions.N.SourceCidrIp` to specify the source IPv4 CIDR block.
Ipv6SourceCidrIp	String	No	2001:250:6000::***	This parameter is discontinued. Use `Permissions.N.Ipv6SourceCidrIp` to specify the source IPv6 CIDR block.
SourceGroupId	String	No	sg-bp67acfmxazb4p****	This parameter is discontinued. Use `Permissions.N.SourceGroupId` to specify the ID of the source security group.
SourcePrefixListId	String	No	pl-x1j1k5ykzqlixdcy****	This parameter is discontinued. Use `Permissions.N.SourcePrefixListId` to specify the ID of the source prefix list.
PortRange	String	No	22/22	This parameter is discontinued. Use `Permissions.N.PortRange` to specify the range of destination ports.
DestCidrIp	String	No	10.0.0.0/8	This parameter is discontinued. Use `Permissions.N.DestCidrIp` to specify the destination IPv4 CIDR block.
Ipv6DestCidrIp	String	No	2001:250:6000::***	This parameter is discontinued. Use `Permissions.N.Ipv6DestCidrIp` to specify the destination IPv6 CIDR block.
SourcePortRange	String	No	22/22	This parameter is discontinued. Use `Permissions.N.SourcePortRange` to specify the range of source ports.
SourceGroupOwnerAccount	String	No	test@aliyun.com	This parameter is discontinued. Use `Permissions.N.SourceGroupOwnerAccount` to specify the Alibaba Cloud account that manages the source security group.
SourceGroupOwnerId	Long	No	1234567890	This parameter is discontinued. Use `Permissions.N.SourceGroupOwnerId` to specify the ID of the Alibaba Cloud account that manages the source security group.
NicType	String	No	intranet	This parameter is discontinued. Use `Permissions.N.NicType` to specify the NIC type.
Description	String	No	This is description.	This parameter is discontinued. Use `Permissions.N.Description` to specify the description of security group rule N.

Response parameters


Parameter	Type	Example	Description
RequestId	String	473469C7-AA6F-4DC5-B3DB-A3DC0DE3****	The ID of the request.

Examples

Sample requests

http(s)://ecs.aliyuncs.com/?Action=AuthorizeSecurityGroup
&RegionId=cn-hangzhou
&ClientToken=123e4567-e89b-12d3-a456-426655440000
&SecurityGroupId=sg-bp67acfmxazb4p****
&Permissions.1.SourceCidrIp=10.0.0.0/8
&Permissions.1.IpProtocol=TCP
&Permissions.1.PortRange=22/22
&Permissions.1.NicType=intranet
&Permissions.1.Policy=accept
&Common request parameters

Sample success responses

XML format

HTTP/1.1 200 OK
Content-Type:application/xml

<AuthorizeSecurityGroupResponse>
    <RequestId>473469C7-AA6F-4DC5-B3DB-A3DC0DE3****</RequestId>
</AuthorizeSecurityGroupResponse>

JSON format

HTTP/1.1 200 OK
Content-Type:application/json

{
  "RequestId" : "473469C7-AA6F-4DC5-B3DB-A3DC0DE3****"
}

Error codes


HttpCode	Error code	Error message	Description
400	OperationDenied	The specified IpProtocol does not exist or IpProtocol and PortRange do not match.	The error message returned because the specified IpProtocol parameter does not exist or does not match the specified PortRange parameter.
400	InvalidIpProtocol.Malformed	The specified parameter PortRange is not valid.	The error message returned because the specified IpProtocol or PortRange parameter is invalid.
400	InvalidSourceCidrIp.Malformed	The specified parameter SourceCidrIp is not valid.	The error message returned because the specified source CIDR block is invalid.
400	InvalidPolicy.Malformed	The specified parameter Policy is not valid.	The error message returned because the specified Policy parameter is invalid.
400	InvalidNicType.ValueNotSupported	The specified NicType does not exist.	The error message returned because the specified NicType parameter does not exist.
400	InvalidSourceGroupId.Mismatch	Specified security group and source group are not in the same VPC.	The error message returned because the specified security group and the source security group do not belong to the same VPC.
400	InvalidSourceGroup.NotFound	Specified source security group does not exist.	The error message returned because the specified inbound security group rule does not exist or because relevant parameters are not specified.
400	InvalidPriority.Malformed	The parameter Priority is invalid.	The error message returned because the specified Priority parameter is invalid.
400	InvalidSecurityGroup.InvalidNetworkType	The specified security group network type is not support this operation, please check the security group network types. For VPC security groups, ClassicLink must be enabled.	The error message returned because the operation is not supported while the security group is of the current network type. You must enable ClassicLink for security groups in VPCs.
400	InvalidSecurityGroupId.Malformed	The specified parameter SecurityGroupId is not valid.	The error message returned because the specified SecurityGroupId parameter is invalid.
400	InvalidParamter.Conflict	The specified SourceCidrIp should be different from the DestCidrIp.	The error message returned because the value of SourceCidrIp is the same as that of DestCidrIp.
400	InvalidSourcePortRange.Malformed	The specified parameter SourcePortRange is not valid.	The error message returned because the specified SourcePortRange parameter is invalid.
400	InvalidDestCidrIp.Malformed	The specified parameter DestCidrIp is not valid.	The error message returned because the specified DestCidrIp parameter is invalid.
400	InvalidParameter.Conflict	IPv6 and IPv4 addresses cannot exist at the same time.	The error message returned because IPv6 addresses and IPv4 addresses are both specified.
400	InvalidParam.PrefixListAddressFamilyMismatch	The address family of the specified prefix list does not match the specified CidrIp.	The error message returned because the address family of the specified prefix list does not match that of the specified CIDR block.
400	NotSupported.ClassicNetworkPrefixList	The prefix list is not supported when the network type of security group is classic.	The error message returned because security groups in the classic network do not support prefix lists.
400	InvalidParam.SourceCidrIp	The specified param SourceCidrIp is not valid.	The error message returned because the specified SourceCidrIp parameter is invalid.
400	InvalidParam.DestCidrIp	The specified param DestCidrIp is not valid.	The error message returned because the specified DestCidrIp parameter is invalid.
400	MissingParameter	%s	The error message returned because a required parameter is not specified.
400	InvalidParam.Permissions	The specified parameter Permissions cannot coexist with other parameters.	The error message returned because a parameter with the Permissions prefix cannot be specified at the same time as the corresponding parameter without the Permissions prefix.
400	InvalidParam.DuplicatePermissions	There are duplicate permissions in the specified parameter Permissions.	The error message returned because the security group rules specified by the parameters with the Permissions prefix are duplicate.
403	InvalidSourceGroupId.Mismatch	NicType is required or NicType expects intranet.	The error message returned because the NicType parameter is not specified or is not set to intranet.
403	MissingParameter	The input parameter SourceGroupId or SourceCidrIp cannot be both blank.	The error message returned because at least one of the SourceGroupId and SourceCidrIp parameters must be specified.
403	AuthorizationLimitExceed	The limit of authorization records in the security group reaches.	The error message returned because the maximum number of rules in the security group has been reached.
403	InvalidParamter.Conflict	The specified SecurityGroupId should be different from the SourceGroupId.	The error message returned because the destination security group is the same as the source security group.
403	InvalidNetworkType.Mismatch	The specified SecurityGroup network type should be same with SourceGroup network type (vpc or classic).	The error message returned because the network type of the specified security group is different from that of the source security group.
403	InvalidNetworkType.Conflict	The specified SecurityGroup network type should be same with SourceGroup network type (vpc or classic).	The error message returned because the network type of the specified security group is different from that of the source security group.
403	InvalidOperation.ResourceManagedByCloudProduct	%s	The error message returned because security groups managed by cloud services cannot be modified.
403	LimitExceed.PrefixListAssociationResource	The number of resources associated with the prefix list exceeds the limit.	The error message returned because the maximum amount of resources that can be associated with the prefix list has been reached.
404	InvalidSecurityGroupId.NotFound	The specified SecurityGroupId does not exist.	The error message returned because the specified security group does not exist in this account. Check whether the security group ID is correct.
404	InvalidSourceGroupId.NotFound	The SourceGroupId provided does not exist in our records.	The error message returned because the specified SourceGroupId parameter does not exist.
404	InvalidPrefixListId.NotFound	The specified prefix list was not found.	The error message returned because the specified prefix list does not exist.
404	InvalidSecurityGroupId.NotFound	%s	The error message returned because the specified security group ID does not exist.
500	InternalError	The request processing has failed due to some unknown error.	The error message returned because an internal error has occurred. Try again later.

For a list of error codes, see Service error codes.