Adds one or more inbound rules to a security group. You can use this operation to specify inbound access permissions for a security group, allowing or denying other devices from sending inbound traffic to instances in the security group, which enables fine-grained network access control.
Operation description
Before you begin
Quantity limit: The total number of security group rules (including inbound rules and outbound rules) across all security groups associated with a single network interface controller (NIC) cannot exceed 1,000. For more information, see Security group limits.
Priority settings: The priority (Priority) of inbound security group rules ranges from 1 to 100. A smaller number indicates a higher priority. If two security group rules have the same priority, the deny (drop) rule takes precedence. Access is denied first.
Notes
If the specified security group rule already exists, the call succeeds but no rule is added.
How to determine a rule
The following parameters are required to determine an inbound security group rule:
Source settings: Specify one of the following: SourceCidrIp (IPv4 address), Ipv6SourceCidrIp (IPv6 address), SourcePrefixListId (prefix list ID), or SourceGroupId (source security group).
Destination port range: PortRange.
Protocol type: IpProtocol.
Access policy: Policy.
Advanced security groups do not support authorization for access from other security groups. Basic security groups support a maximum of 20 authorized security groups.
Request examples
The following examples show how to add inbound rules with different sources to a security group in the China (Hangzhou) region:
-
Add access permissions for a specified IP address range.
"RegionId":"cn-hangzhou", // Specify the region. "SecurityGroupId":"sg-bp67acfmxazb4p****", // Specify the security group. "Permissions":[ { "SourceCidrIp":"10.0.0.0/8", // Specify the source IPv4 address. "PortRange":"22/22", // Specify the port range. "IpProtocol":"TCP", // Specify the protocol type. "Policy":"Accept" // Specify the access policy. } ] -
Add access permissions for another security group and a prefix list.
"RegionId":"cn-hangzhou", "SecurityGroupId":"sg-bp67acfmxazb4p****", "Permissions":[ { "SourceGroupId":"sg-bp17vs63txqxbd****", // Specify the source security group. "PortRange":"22/22", "IpProtocol":"TCP", "Policy":"Drop" },{ "SourcePrefixListId":"pl-x1j1k5ykzqlixdcy****", // Specify the source prefix list. "PortRange":"22/22", "IpProtocol":"TCP", "Policy":"Drop" } ]
Try it now
Test
RAM authorization
|
Action |
Access level |
Resource type |
Condition key |
Dependent action |
|
ecs:AuthorizeSecurityGroup |
create |
*All Resource
|
|
None |
Request parameters
|
Parameter |
Type |
Required |
Description |
Example |
| RegionId |
string |
Yes |
The region ID of the security group. You can call DescribeRegions to query the most recent region list. |
cn-hangzhou |
| RegionId |
string |
Yes |
The region ID of the security group. You can call DescribeRegions to query the most recent region list. |
cn-hangzhou |
| RegionId |
string |
Yes |
The region ID of the security group. You can call DescribeRegions to query the most recent region list. |
cn-hangzhou |
| ClientToken |
string |
No |
A client token that is used to ensure the idempotence of the request. You can use the client to generate the token, but you must make sure that the token is unique among different requests. The ClientToken value can contain only ASCII characters and cannot exceed 64 characters in length. For more information, see How to ensure idempotence. |
123e4567-e89b-12d3-a456-426655440000 |
| ClientToken |
string |
No |
A client token that is used to ensure the idempotence of the request. You can use the client to generate the token, but you must make sure that the token is unique among different requests. The ClientToken value can contain only ASCII characters and cannot exceed 64 characters in length. For more information, see How to ensure idempotence. |
123e4567-e89b-12d3-a456-426655440000 |
| SecurityGroupId |
string |
Yes |
The security group ID. |
sg-bp67acfmxazb4p**** |
| SecurityGroupId |
string |
Yes |
The security group ID. |
sg-bp67acfmxazb4p**** |
| Permissions |
array<object> |
No |
The security group rules. Array length: 1 to 100. |
|
|
object |
No |
The security group rule. |
||
| Policy |
string |
No |
Settings for access permissions. Valid values:
Default value: accept. |
accept |
| Priority |
string |
No |
The priority of the security group rule. A smaller value indicates a higher priority. Valid values: 1 to 100. Default value: 1. |
1 |
| IpProtocol |
string |
No |
The network layer or transport layer protocol. Two types of values are supported:
|
ALL |
| SourceCidrIp |
string |
No |
The source IPv4 CIDR block for which you want to set access permissions. Settings for CIDR format and IPv4 format address ranges are supported. |
10.0.0.0/8 |
| Ipv6SourceCidrIp |
string |
No |
The source IPv6 CIDR block for which you want to set access permissions. Settings for CIDR format and IPv6 format address ranges are supported. Note
This parameter is valid only for VPC-connected ECS instances that support IPv6. This parameter and |
2001:250:6000::*** |
| SourceGroupId |
string |
No |
The ID of the source security group for which you want to set access permissions.
|
sg-bp67acfmxazb4p**** |
| SourcePrefixListId |
string |
No |
The ID of the source prefix list for which you want to set access permissions. You can call DescribePrefixLists to query available prefix list IDs. Notes: If you specify For more information, see Security group limits. |
pl-x1j1k5ykzqlixdcy**** |
| PortRange |
string |
No |
The range of destination ports that correspond to the protocol for the security group. Valid values:
For more information about common ports, see Common scenarios for ports. |
80/80 |
| DestCidrIp |
string |
No |
The destination IPv4 CIDR block. CIDR blocks and IPv4 address ranges are supported. This parameter is used to support quintuple rules. For more information, see Security group quintuple rules. |
10.0.0.0/8 |
| Ipv6DestCidrIp |
string |
No |
The destination IPv6 CIDR block. CIDR format and IPv6 format address ranges are supported. This parameter is used to support quintuple rules. For more information, see Security group quintuple rules. Note
This parameter is valid only for VPC-connected ECS instances that support IPv6. This parameter and |
2001:250:6000::*** |
| SourcePortRange |
string |
No |
The range of source ports that correspond to the protocol for the security group. Valid values:
This parameter is used to support quintuple rules. For more information, see Security group quintuple rules. |
7000/8000 |
| SourceGroupOwnerAccount |
string |
No |
The Alibaba Cloud account that owns the source security group when you set a cross-account security group rule.
|
test@aliyun.com |
| SourceGroupOwnerId |
integer |
No |
The ID of the Alibaba Cloud account that owns the source security group when you set a cross-account security group rule.
|
1234567890 |
| NicType |
string |
No |
The network interface controller (NIC) type for a classic network type security group rule. Valid values:
For VPC security group rules, you do not need to set the network interface controller (NIC) type parameter. The default value is intranet, and only intranet is supported. When you set security groups to access each other (only DestGroupId is specified), only intranet is supported. Default value: internet. |
intranet |
| Description |
string |
No |
The description of the security group rule. The description must be 1 to 512 characters in length. |
This is description. |
| PortRangeListId |
string |
No |
The port address book ID.
You can invoke
|
prl-2ze9743**** |
Policy
deprecated
|
string |
No |
Deprecated. Use |
accept |
Priority
deprecated
|
string |
No |
Deprecated. Use |
1 |
IpProtocol
deprecated
|
string |
No |
Deprecated. Use |
ALL |
SourceCidrIp
deprecated
|
string |
No |
Deprecated. Use |
10.0.0.0/8 |
Ipv6SourceCidrIp
deprecated
|
string |
No |
Deprecated. Use |
2001:250:6000::*** |
SourceGroupId
deprecated
|
string |
No |
Deprecated. Use |
sg-bp67acfmxazb4p**** |
SourcePrefixListId
deprecated
|
string |
No |
Deprecated. Use |
pl-x1j1k5ykzqlixdcy**** |
PortRange
deprecated
|
string |
No |
Deprecated. Use |
22/22 |
DestCidrIp
deprecated
|
string |
No |
Deprecated. Use |
10.0.0.0/8 |
Ipv6DestCidrIp
deprecated
|
string |
No |
Deprecated. Use |
null |
SourcePortRange
deprecated
|
string |
No |
Deprecated. Use |
22/22 |
SourceGroupOwnerAccount
deprecated
|
string |
No |
Deprecated. Use |
test@aliyun.com |
SourceGroupOwnerId
deprecated
|
integer |
No |
Deprecated. Use |
1234567890 |
NicType
deprecated
|
string |
No |
Deprecated. Use |
intranet |
Description
deprecated
|
string |
No |
Deprecated. Use |
This is description. |
Response elements
|
Element |
Type |
Description |
Example |
|
object |
|||
| RequestId |
string |
The request ID. |
473469C7-AA6F-4DC5-B3DB-A3DC0DE3**** |
Examples
Success response
JSON format
{
"RequestId": "473469C7-AA6F-4DC5-B3DB-A3DC0DE3****"
}
Error codes
|
HTTP status code |
Error code |
Error message |
Description |
|---|---|---|---|
| 400 | OperationDenied | The specified IpProtocol does not exist or IpProtocol and PortRange do not match. | The specified IP protocol does not exist or does not match the specified port range. |
| 400 | InvalidIpProtocol.Malformed | The specified parameter PortRange is not valid. | The specified IpProtocol or PortRange parameter is invalid. |
| 400 | InvalidSourceCidrIp.Malformed | The specified parameter SourceCidrIp is not valid. | The specified source CIDR block is invalid. |
| 400 | InvalidPolicy.Malformed | The specified parameter Policy is not valid. | The specified Policy parameter is invalid. |
| 400 | InvalidNicType.ValueNotSupported | The specified NicType does not exist. | The specified NicType parameter does not exist. |
| 400 | InvalidNicType.Mismatch | The specified NicType conflicts with the authorization record. | The specified NIC type does not match the existing rule. |
| 400 | InvalidSourceGroupId.Mismatch | Specified security group and source group are not in the same VPC. | The specified source and destination security groups do not belong to the same VPC. |
| 400 | InvalidSourceGroup.NotFound | Specified source security group does not exist. | The specified inbound security group rule does not exist, or required parameters are not specified. |
| 400 | InvalidPriority.Malformed | The parameter Priority is invalid. | The specified Priority parameter is invalid. |
| 400 | InvalidPriority.ValueNotSupported | The specified parameter %s is invalid. | The specified Priority parameter is invalid. |
| 400 | InvalidSecurityGroupDiscription.Malformed | The specified security group rule description parameter %s is not valid. | The specified security group rule description is invalid. |
| 400 | InvalidSecurityGroup.InvalidNetworkType | The specified security group network type is not support this operation, please check the security group network types. For VPC security groups, ClassicLink must be enabled. | The operation is not supported while the security group is of the current network type. If the network type is VPC, ClassicLink must be enabled. |
| 400 | MissingParameter.Source | One of the parameters SourceCidrIp, Ipv6SourceCidrIp, SourceGroupId or SourcePrefixListId in %s must be specified. | At least one of the SourceCidrIp, SourceGroupId, and SourcePrefixListId parameters must be specified. |
| 400 | InvalidParam.PortRange | The specified parameter %s is not valid. It should be two integers less than 65535 in ?/? format. | The format of the port range is invalid. Specify the port range in the format of a slash separating two integers. |
| 400 | InvalidIpProtocol.ValueNotSupported | The parameter %s must be specified with case insensitive TCP, UDP, ICMP, GRE or All. | The specified Protocol parameter is invalid. You must set Protocol to a vaule that is case-insensitive, such as TCP, UDP, ICMP, GRE, and All. |
| 400 | InvalidSecurityGroupId.Malformed | The specified parameter SecurityGroupId is not valid. | The specified SecurityGroupId parameter is invalid. |
| 400 | InvalidParamter.Conflict | The specified SourceCidrIp should be different from the DestCidrIp. | The value of SourceCidrIp must be different from that of DestCidrIp. |
| 400 | InvalidSourcePortRange.Malformed | The specified parameter SourcePortRange is not valid. | The specified SourcePortRange parameter is invalid. |
| 400 | InvalidPortRange.Malformed | The specified parameter PortRange must set. | The PortRange parameter must be specified. |
| 400 | InvalidParam.SourceIp | The Parameters SourceCidrIp and Ipv6SourceCidrIp in %s cannot be set at the same time. | The SourceCidrIp and Ipv6SourceCidrIp parameters cannot be specified at the same time. |
| 400 | InvalidParam.DestIp | The Parameters DestCidrIp and Ipv6DestCidrIp in %s cannot be set at the same time. | The DestCidrIp and Ipv6DestCidrIp parameters cannot be specified at the same time. |
| 400 | InvalidParam.Ipv6DestCidrIp | The specified parameter %s is not valid. | The specified Ipv6DestCidrIp parameter is invalid. |
| 400 | InvalidParam.Ipv6SourceCidrIp | The specified parameter %s is not valid. | The specified Ipv6SourceCidrIp parameter is invalid. |
| 400 | InvalidParam.Ipv4ProtocolConflictWithIpv6Address | IPv6 address cannot be specified for IPv4-specific protocol. | IPv6 addresses cannot be specified for instances that use the IPv4 protocol. |
| 400 | InvalidParam.Ipv6ProtocolConflictWithIpv4Address | IPv4 address cannot be specified for IPv6-specific protocol. | IPv4 addresses cannot be specified for instances that use the IPv6 protocol. |
| 400 | InvalidParameter.Ipv6CidrIp | The specified Ipv6CidrIp is not valid. | The specified Ipv6CidrIp parameter is invalid. |
| 400 | InvalidGroupAuthParameter.OperationDenied | The security group can not authorize to enterprise level security group. | Security groups cannot be referenced as authorization objects (destinations or sources) in rules of advanced security groups. |
| 400 | InvalidDestCidrIp.Malformed | The specified parameter DestCidrIp is not valid. | The specified DestCidrIp parameter is invalid. |
| 400 | InvalidParameter.Conflict | IPv6 and IPv4 addresses cannot exist at the same time. | IPv6 and IPv4 addresses cannot be both specified. |
| 400 | InvalidParam.PrefixListAddressFamilyMismatch | The address family of the specified prefix list does not match the specified CidrIp. | The address family of the specified prefix list does not match that of the specified CIDR block. |
| 400 | NotSupported.ClassicNetworkPrefixList | The prefix list is not supported when the network type of security group is classic. | Security groups in the classic network do not support prefix lists. |
| 400 | AuthorizedGroupRule.LimitExceed | You have reached the limit on the number of group authorization rules that you can add to a security group.When authorization object of rule is security group, the limit is 20. | Up to 20 rules in which security groups are specified as authorization objects can be present in a basic security group. |
| 400 | InvalidParam.SourceCidrIp | The specified parameter %s is not valid. | The specified SourceCidrIp parameter is invalid. |
| 400 | InvalidParam.DestCidrIp | The specified parameter %s is not valid. | The specified DestCidrIp parameter is invalid. |
| 400 | MissingParameter | %s | A parameter is not specified. |
| 400 | InvalidParam.Permissions | The specified parameter Permissions cannot coexist with other parameters. | The specified Permissions parameter and other parameters are mutually exclusive. |
| 400 | InvalidParam.DuplicatePermissions | There are duplicate permissions in the specified parameter Permissions. | The specified Permissions parameter contains duplicate permissions. |
| 400 | InvalidGroupParameter.OperationDenied | The attributes Policy, SourceGroupId, DestGroupId of enterprise level security groups are not allowed to be set or modified. | The attributes Policy, SourceGroupId, DestGroupId of enterprise level security groups are not allowed to be set or modified. |
| 400 | InvalidParam.ProtocolNotSupportPortRangeList | The specified protocol does not support the port range list. | The specified protocol does not support the port list. |
| 400 | InvalidPortRangeListId.NotFound | The specified port range list was not found. | The specified port list was not found. |
| 401 | InvalidOperation.SecurityGroupNotAuthorized | The specified security group is not authorized to operate. | You do not have permission to operate the current security group. |
| 500 | InternalError | The request processing has failed due to some unknown error. | |
| 403 | InvalidSourceGroupId.Mismatch | NicType is required or NicType expects intranet. | The NicType parameter is not specified or is not set to intranet. |
| 403 | MissingParameter | The input parameter SourceGroupId or SourceCidrIp cannot be both blank. | At least one of the SourceGroupId and SourceCidrIp parameters must be specified. |
| 403 | AuthorizationLimitExceed | The limit of authorization records in the security group reaches. | |
| 403 | InvalidParamter.Conflict | The specified SecurityGroupId should be different from the SourceGroupId. | The destination security group is the same as the source security group. |
| 403 | InvalidNetworkType.Mismatch | The specified SecurityGroup network type should be same with SourceGroup network type (vpc or classic). | The network type of the destination security group is different from that of the source security group. |
| 403 | InvalidNetworkType.Conflict | The specified SecurityGroup network type should be same with SourceGroup network type (vpc or classic). | The network type of the destination security group is different from that of the source security group. |
| 403 | InvalidOperation.ResourceManagedByCloudProduct | %s | You cannot modify security groups managed by cloud services. |
| 403 | LimitExceed.PrefixListAssociationResource | The number of resources associated with the prefix list exceeds the limit. | The maximum number of resources that can be associated with the prefix list has been exceeded. |
| 404 | InvalidSecurityGroupId.NotFound | The specified SecurityGroupId does not exist. | The specified security group does not exist in this account. Check whether the security group ID is correct. |
| 404 | InvalidSourceGroupId.NotFound | The SourceGroupId provided does not exist in our records. | The specified SourceGroupId parameter does not exist. |
| 404 | InvalidPrefixListId.NotFound | The specified prefix list was not found. | The prefix list does not exist. |
See Error Codes for a complete list.
Release notes
See Release Notes for a complete list.