
Elastic Compute Service:CreateSecurityGroup

Last Updated:Jun 29, 2026

Creates a security group.

Operation description

  • The default internal connectivity policy for a basic security group created by this operation is intra-group connectivity. You can modify this policy by calling ModifySecurityGroupPolicy.

  • The default internal connectivity policy for an advanced security group created by this operation is internal isolation, and this policy cannot be modified.

  • The number of security groups in a single region is limited. You can create a minimum of 100 security groups. For more information, see Security group limits.

  • To create a security group of the VPC type, you must specify the VpcId parameter.


RAM authorization

The table below describes the authorization required to call this API. You can define it in a Resource Access Management (RAM) policy. The table's columns are detailed below:

  • Action: The actions can be used in the Action element of RAM permission policy statements to grant permissions to perform the operation.

  • API: The API that you can call to perform the action.

  • Access level: The predefined level of access granted for each API. Valid values: create, list, get, update, and delete.

  • Resource type: The type of the resource that supports authorization to perform the action. It indicates if the action supports resource-level permission. The specified resource must be compatible with the action. Otherwise, the policy will be ineffective.

    • For APIs with resource-level permissions, required resource types are marked with an asterisk (*). Specify the corresponding Alibaba Cloud Resource Name (ARN) in the Resource element of the policy.

    • For APIs without resource-level permissions, it is shown as All Resources. Use an asterisk (*) in the Resource element of the policy.

  • Condition key: The condition keys defined by the service. The key allows for granular control, applying to either actions alone or actions associated with specific resources. In addition to service-specific condition keys, Alibaba Cloud provides a set of common condition keys applicable across all RAM-supported services.

  • Dependent action: The dependent actions required to run the action. To complete the action, the RAM user or the RAM role must have the permissions to perform all dependent actions.

| Action | Access level | Resource type | Condition key | Dependent action |
| --- | --- | --- | --- | --- |
| ecs:CreateSecurityGroup | create | *SecurityGroup: acs:ecs:{#regionId}:{#accountId}:securitygroup/* ; *VPC: acs:vpc:{#regionId}:{#accountId}:vpc/{#vpcId} | None | None |
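The authorization table lists two resource types because the call is authorized against both the (not yet existing) security group and the VPC it is created in. The following added example, which is not part of the Alibaba Cloud documentation, builds a RAM policy scoped to a single VPC from the ARN patterns above and then runs a simplified offline check (Allow statements only, glob matching, condition keys ignored) to show that the policy covers one VPC and region but not another. Account and VPC IDs are constructed placeholders.

```python
import fnmatch


def build_create_sg_policy(region_id: str, account_id: str, vpc_id: str) -> dict:
    """Least-privilege RAM policy for ecs:CreateSecurityGroup, scoped to one VPC.
    ARN patterns follow the authorization table above: the security group ID
    does not exist before the call, so that resource stays a wildcard, while the
    VPC resource is pinned to the single VPC the caller may create groups in."""
    return {
        "Version": "1",
        "Statement": [{
            "Effect": "Allow",
            "Action": "ecs:CreateSecurityGroup",
            "Resource": [
                f"acs:ecs:{region_id}:{account_id}:securitygroup/*",
                f"acs:vpc:{region_id}:{account_id}:vpc/{vpc_id}",
            ],
        }],
    }


def policy_allows_create(policy: dict, region_id: str, account_id: str, vpc_id: str) -> bool:
    """Offline approximation of the authorization check (assumption: Allow
    statements only, glob matching on ARNs, Condition keys ignored). The call
    is authorized against BOTH resource types, so one statement must cover the
    security group ARN and the target VPC ARN."""
    needed = [
        f"acs:ecs:{region_id}:{account_id}:securitygroup/*",
        f"acs:vpc:{region_id}:{account_id}:vpc/{vpc_id}",
    ]
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(fnmatch.fnmatchcase("ecs:CreateSecurityGroup", a) for a in actions):
            continue
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        if all(any(fnmatch.fnmatchcase(n, r) for r in resources) for n in needed):
            return True
    return False


if __name__ == "__main__":
    # Constructed IDs, not real account or VPC identifiers.
    policy = build_create_sg_policy("cn-hangzhou", "123456789012345678", "vpc-example0001")
    print(policy_allows_create(policy, "cn-hangzhou", "123456789012345678", "vpc-example0001"))  # True
    print(policy_allows_create(policy, "cn-hangzhou", "123456789012345678", "vpc-example0002"))  # False
```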

Request parameters

Each parameter is listed as name (type, required or optional), followed by its description and an example value.

RegionId (string, required)
  The region ID of the security group. You can call DescribeRegions to query the most recent region list.
  Example: cn-hangzhou

Description (string, optional)
  The description of the security group. The description must be 2 to 256 characters in length and cannot start with http:// or https://.
  Default value: empty.
  Example: testDescription

ClientToken (string, optional)
  The client token that is used to ensure the idempotence of the request. You can use the client to generate the token, but make sure that the token is unique among different requests. The ClientToken value can contain only ASCII characters and cannot exceed 64 characters in length. For more information, see How to ensure idempotence.
  Example: 123e4567-e89b-12d3-a456-426655440000

SecurityGroupName (string, optional)
  The name of the security group. The name must be 2 to 128 characters in length and must start with a letter or a Chinese character. It cannot start with http:// or https://. The name can contain characters that are categorized as letters in Unicode, including Chinese characters and English letters, and digits. The name can also contain colons (:), underscores (_), periods (.), and hyphens (-).
  Example: testSecurityGroupName

VpcId (string, optional)
  The ID of the VPC to which the security group belongs. This parameter is required when you create a security group of the VPC type (see Operation description).
  Example: vpc-bp1opxu1zkhn00gzv****

SecurityGroupType (string, optional)
  The type of the security group. Valid values:
    • normal: basic security group.
    • enterprise: advanced security group.
  Default value: normal.
  Example: enterprise

ServiceManaged (boolean, optional)
  This parameter is not publicly available.
  Example: false

ResourceGroupId (string, optional)
  The ID of the resource group to which the security group belongs.
  Example: rg-bp67acfmxazb4p****

Tag (array<object>, optional)
  The tags to bind to the security group. Array length: 0 to 20. Each element is an object that describes one tag and has the following fields:

  Tag.N.key (string, optional)
    The tag key of the security group.
    Note: To improve compatibility, use the Tag.N.Key parameter instead.

  Tag.N.Key (string, optional)
    The tag key of the security group. The tag key cannot be an empty string. The tag key can be up to 128 characters in length and cannot start with aliyun or acs:. It cannot contain http:// or https://.
    Example: TestKey

  Tag.N.Value (string, optional)
    The tag value of the security group. The tag value can be an empty string. The tag value can be up to 128 characters in length and cannot contain http:// or https://.
    Example: TestValue

  Tag.N.value (string, optional)
    The tag value of the security group.
    Note: To improve compatibility, use the Tag.N.Value parameter instead.
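The parameter constraints above (name and description format, ClientToken length and character set, the VpcId requirement for advanced groups, tag count, key prefix and uniqueness) map directly onto the 400-level error codes the API returns. The following added example, which is not part of the Alibaba Cloud SDK or documentation, checks a request body against those constraints before the call is made and generates a fresh idempotency token; the parameter names are the API's, the function names and error strings are this example's own.

```python
import re
import uuid

_URL_PREFIX = ("http://", "https://")
# First character: a Unicode letter (including Chinese); then letters, digits, : _ . -
_NAME_RE = re.compile(r"^[^\W\d_][\w:.\-]*$")


def validate_create_sg_params(params: dict) -> list:
    """Return the list of constraint violations in a CreateSecurityGroup request
    body (an empty list means the request is well-formed as far as the
    documented rules go; the service may still reject it, e.g. on quota)."""
    errors = []
    name = params.get("SecurityGroupName")
    if name is not None and (not 2 <= len(name) <= 128 or not _NAME_RE.match(name)
                             or name.startswith(_URL_PREFIX)):
        errors.append("SecurityGroupName: 2-128 chars, start with a letter, no http(s):// prefix")
    desc = params.get("Description")  # default is empty, so only check when set
    if desc and (not 2 <= len(desc) <= 256 or desc.startswith(_URL_PREFIX)):
        errors.append("Description: 2-256 chars, no http(s):// prefix")
    token = params.get("ClientToken")
    if token is not None and (len(token) > 64 or not token.isascii()):
        errors.append("ClientToken: ASCII only, at most 64 chars")
    sg_type = params.get("SecurityGroupType", "normal")
    if sg_type not in ("normal", "enterprise"):
        errors.append("SecurityGroupType: must be normal or enterprise")
    if sg_type == "enterprise" and not params.get("VpcId"):
        errors.append("VpcId: required for enterprise (advanced) security groups")
    tags = params.get("Tag", [])
    if len(tags) > 20:
        errors.append("Tag: at most 20 tags")
    seen = set()
    for tag in tags:
        key, value = tag.get("Key", ""), tag.get("Value", "")
        if (not key or len(key) > 128 or key.startswith(("aliyun", "acs:"))
                or any(p in key for p in _URL_PREFIX)):
            errors.append(f"Tag.Key {key!r}: 1-128 chars, no aliyun/acs: prefix, no http(s)://")
        if len(value) > 128 or any(p in value for p in _URL_PREFIX):
            errors.append(f"Tag.Value for {key!r}: at most 128 chars, no http(s)://")
        if key in seen:  # the service answers Duplicate.TagKey for this
            errors.append(f"Tag.Key {key!r}: duplicate")
        seen.add(key)
    return errors


def new_client_token() -> str:
    """Fresh idempotency token: 36 ASCII characters, unique per logical request.
    Reuse the same token only when retrying the same logical create."""
    return str(uuid.uuid4())
```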

Response elements

The response body is an object with the following elements:

| Element | Type | Description | Example |
| --- | --- | --- | --- |
| SecurityGroupId | string | The security group ID. | sg-bp1fg655nh68xyz9**** |
| RequestId | string | The request ID. | 473469C7-AA6F-4DC5-B3DB-A3DC0DE3C83E |

Examples

Success response

JSON format

{
  "SecurityGroupId": "sg-bp1fg655nh68xyz9****",
  "RequestId": "473469C7-AA6F-4DC5-B3DB-A3DC0DE3C83E"
}

Error codes

| HTTP status code | Error code | Error message | Description |
| --- | --- | --- | --- |
| 400 | InvalidDescription.Malformed | The specified parameter "Description" is not valid. | The source description can be 2 to 256 characters in length. It cannot start with http:// and https://. |
| 400 | InvalidSecurityGroupDiscription.Malformed | Specified security group description is not valid. | The specified security group description is invalid. |
| 400 | IncorrectVpcStatus | Current VPC status does not support this operation. | The VPC is in a state that does not support the current operation. |
| 400 | InvalidTagKey.Malformed | Specified tag key is not valid. | The specified tag key is invalid. |
| 400 | InvalidTagValue.Malformed | Specified tag value is not valid. | The specified tag value is invalid. |
| 400 | Duplicate.TagKey | The Tag.N.Key contain duplicate key. | The specified tag key already exists. Tag keys must be unique. |
| 400 | InvalidParams.GroupType | The specified security group type is not valid. | The specified SecurityGroupType parameter is invalid. |
| 400 | InvalidParams.VpcIdGroupType | Only VPC instance supports enterprise level security group. | Only ECS instances that reside in VPCs support advanced security groups. |
| 400 | InvalidSecurityGroupName.Malformed | The specified parameter SecurityGroupName is not valid. | The specified SecurityGroupName parameter is not valid. This parameter is empty by default. If you specify a security group name, the name must be 2 to 128 characters in length and start with a letter. It can contain letters, digits, periods (.), underscores (_), and hyphens (-) and cannot start with http:// or https. The security group name is displayed in the ECS console. |
| 500 | InternalError | The request processing has failed due to some unknown error. | |
| 500 | ServiceUnavailable | The service is unavailable, please try again later. | |
| 403 | QuotaExceed.SecurityGroup | The maximum number of security groups is reached. | The maximum number of security groups has been reached. |
| 403 | InvalidVpcId.NotFound | The VpcId must not empty when only support vpc vm. | A VPC ID must be specified. |
| 403 | IncorrectVpcStatus | Current VPC status does not support this operation. | |
| 403 | IdempotentProcessing | The previous idempotent request(s) is still processing. | A previous idempotent request is being processed. Try again later. |
| 403 | QuotaExceed.Tags | %s | The number of specified tags exceeds the upper limit. %s is a variable. An error message is dynamically returned based on call conditions. |
| 403 | InvalidOperation.ResourceManagedByCloudProduct | %s | You cannot modify security groups managed by cloud services. |
| 404 | InvalidRegionId.NotFound | The specified region does not exist. | The specified RegionId parameter does not exist. Check whether the service is available in the specified region. |
| 404 | InvalidVpcId.NotFound | Specified VPC does not exist. | The specified VPC ID does not exist. |
| 404 | InvalidResourceGroup.NotFound | The ResourceGroup provided does not exist in our records. | The specified resource group does not exist. |

See Error Codes for a complete list.

Release notes

See Release Notes for a complete list.