All Products
Search
Document Center

Elastic Compute Service:CreateSecurityGroup

Last Updated:Sep 29, 2024

Creates a security group. By default, a security group allows only instances in the security group to access each other. Access requests from outside the security group are denied. If you want to allow requests over the Internet or from instances in other security groups, you can call the AuthorizeSecurityGroup operation.

Operation description

Usage notes

Take note of the following items:

  • You can create up to 100 security groups in a single Alibaba Cloud region.
  • To create a security group of the Virtual Private Cloud (VPC) type, you must specify VpcId.

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer.

Authorization information

The following table shows the authorization information corresponding to the API. The authorization information can be used in the Action policy element to grant a RAM user or RAM role the permissions to call this API operation. Description:

  • Operation: the value that you can use in the Action element to specify the operation on a resource.
  • Access level: the access level of each operation. The levels are read, write, and list.
  • Resource type: the type of the resource on which you can authorize the RAM user or the RAM role to perform the operation. Take note of the following items:
    • The required resource types are displayed in bold characters.
    • If the permissions cannot be granted at the resource level, All Resources is used in the Resource type column of the operation.
  • Condition Key: the condition key that is defined by the cloud service.
  • Associated operation: other operations that the RAM user or the RAM role must have permissions to perform to complete the operation. To complete the operation, the RAM user or the RAM role must have the permissions to perform the associated operations.
OperationAccess levelResource typeCondition keyAssociated operation
ecs:CreateSecurityGroupcreate
  • SecurityGroup
    acs:ecs:{#regionId}:{#accountId}:securitygroup/*
  • VPC
    acs:vpc:{#regionId}:{#accountId}:vpc/{#vpcId}
    none
none

Request parameters

ParameterTypeRequiredDescriptionExample
RegionIdstringYes

The region ID of the security group. You can call the DescribeRegions operation to query the most recent region list.

cn-hangzhou
DescriptionstringNo

The description of the security group. The description must be 2 to 256 characters in length. It cannot start with http:// or https://.

By default, this parameter is left empty.

testDescription
ClientTokenstringNo

The client token that is used to ensure the idempotence of the request. You can use the client to generate the token, but you must make sure that the token is unique among different requests. The token can contain only ASCII characters and cannot exceed 64 characters in length. For more information, see How to ensure idempotence.

123e4567-e89b-12d3-a456-426655440000
SecurityGroupNamestringNo

The name of the security group. The name must be 2 to 128 characters in length. The name must start with a letter and cannot start with http:// or https://. The name can contain Unicode characters under the Decimal Number category and the categories whose names contain Letter. The name can also contain colons (:), underscores (_), periods (.), and hyphens (-).

testSecurityGroupName
VpcIdstringNo

The ID of the VPC in which you want to create the security group.

Note The VpcId parameter is required only if you want to create security groups of the VPC type. In regions that support the classic network, you can create security groups of the classic network type without the need to specify the VpcId parameter.
vpc-bp1opxu1zkhn00gzv****
SecurityGroupTypestringNo

The type of the security group. Valid values:

  • normal: basic security group.
  • enterprise: advanced security group. For more information, see Advanced security groups.
enterprise
ServiceManagedbooleanNo

This parameter is not publicly available.

false
ResourceGroupIdstringNo

The ID of the resource group to which the security group belongs.

rg-bp67acfmxazb4p****
Tagarray<object>No

The tags to add to the security group.

objectNo

The tag that you want to add to the security group.

keystringNo

The key of the tag to add to the security group.

Note This parameter will be removed in the future. We recommend that you use Tag.N.key to ensure future compatibility.
null
KeystringNo

The key of tag N to add to the security group.

Valid values of N: 1 to 20. The tag key cannot be an empty string. The tag key can be up to 128 characters in length and cannot contain http:// or https://. The tag key cannot start with acs: or aliyun.

TestKey
ValuestringNo

The value of tag N to add to the security group.

Valid values of N: 1 to 20. The tag value can be an empty string. The tag value can be up to 128 characters in length and cannot contain http:// or https://.

TestValue
valuestringNo

The value of the tag to add to the security group.

Note This parameter will be removed in the future. We recommend that you use Tag.N.Value to ensure future compatibility.
null

Response parameters

ParameterTypeDescriptionExample
object
SecurityGroupIdstring

The ID of the security group.

sg-bp1fg655nh68xyz9****
RequestIdstring

The request ID.

473469C7-AA6F-4DC5-B3DB-A3DC0DE3C83E

Examples

Sample success responses

JSONformat

{
  "SecurityGroupId": "sg-bp1fg655nh68xyz9****",
  "RequestId": "473469C7-AA6F-4DC5-B3DB-A3DC0DE3C83E"
}

Error codes

HTTP status codeError codeError messageDescription
400InvalidDescription.MalformedThe specified parameter "Description" is not valid.The source description can be 2 to 256 characters in length. It cannot start with http:// and https://.
400InvalidSecurityGroupName.MalformedSpecified security group name is not valid.The specified SecurityGroupName parameter is invalid. This parameter is empty by default. If you specify a security group name, the name must be 2 to 128 characters in length and start with a letter. It can contain letters, digits, periods (.), underscores (_), and hyphens (-) and cannot start with http:// or https. The security group name is displayed in the ECS console.
400InvalidSecurityGroupDiscription.MalformedSpecified security group description is not valid.The specified security group description is invalid.
400IncorrectVpcStatusCurrent VPC status does not support this operation.The VPC is in a state that does not support the current operation.
400InvalidTagKey.MalformedSpecified tag key is not valid.The specified tag key is invalid.
400InvalidTagValue.MalformedSpecified tag value is not valid.The specified tag value is invalid.
400Duplicate.TagKeyThe Tag.N.Key contain duplicate key.The specified tag key already exists. Tag keys must be unique.
400InvalidTagKey.MalformedThe specified Tag.n.Key is not valid.The specified Tag.N.Key parameter is invalid.
400InvalidTagValue.MalformedThe specified Tag.n.Value is not valid.The specified tag value is invalid.
400InvalidParams.GroupTypeThe specified security group type is not valid.The specified SecurityGroupType parameter is invalid.
400InvalidParams.VpcIdGroupTypeOnly VPC instance supports enterprise level security group.Only ECS instances that reside in VPCs support advanced security groups.
403QuotaExceed.SecurityGroupThe maximum number of security groups is reached.The maximum number of security groups has been reached.
403InvalidVpcId.NotFoundThe VpcId must not empty when only support vpc vm.A VPC ID must be specified.
403IdempotentProcessingThe previous idempotent request(s) is still processing.A previous idempotent request is being processed. Try again later.
403QuotaExceed.Tags%sThe number of specified tags exceeds the upper limit. %s is a variable. An error message is dynamically returned based on call conditions.
403InvalidOperation.ResourceManagedByCloudProduct%sYou cannot modify security groups managed by cloud services.
404InvalidRegionId.NotFoundThe specified region does not exist.The specified RegionId parameter does not exist. Check whether the service is available in the specified region.
404InvalidVpcId.NotFoundSpecified VPC does not exist.The specified VPC ID does not exist.
404InvalidResourceGroup.NotFoundThe ResourceGroup provided does not exist in our records.The specified resource group does not exist.
404InvalidRegionId.NotFoundThe specified parameter RegionId is not valid.The specified RegionId parameter does not exist. Check whether the service is available in the specified region.
500InternalErrorThe request processing has failed due to some unknown error.An internal error has occurred. Try again later.
500InternalErrorThe request processing has failed due to some unknown error, exception or failure.An internal error has occurred. Try again later.

For a list of error codes, visit the Service error codes.

Change history

Change timeSummary of changesOperation
2024-09-23The Error code has changedView Change Details
2023-04-07The Error code has changedView Change Details