All Products
Search
Document Center

Elastic Compute Service:JoinSecurityGroup

Last Updated:May 06, 2026

Adds an ECS instance or an elastic network interface to a security group.

Operation description

Note

This API is deprecated. We recommend calling the ModifyInstanceAttribute operation to add or remove an ECS instance from a security group, or calling the ModifyNetworkInterfaceAttribute operation to add or remove an elastic network interface (ENI) from a security group.

  • You cannot add an instance and an elastic network interface to a security group in the same call. The InstanceId and NetworkInterfaceId parameters are mutually exclusive.

  • The security group and the instance must be in the same Alibaba Cloud region.

  • The security group and the instance must have the same network type. If the network type is VPC, they must also belong to the same VPC.

  • You can add an instance to a security group only if the instance is in the Stopped or Running state.

  • An instance or an elastic network interface can belong to a maximum of five security groups. For more information, see Security group limitations.

Try it now

Try this API in OpenAPI Explorer, no manual signing needed. Successful calls auto-generate SDK code matching your parameters. Download it with built-in credential security for local usage.

Test

RAM authorization

The table below describes the authorization required to call this API. You can define it in a Resource Access Management (RAM) policy. The table's columns are detailed below:

  • Action: The actions can be used in the Action element of RAM permission policy statements to grant permissions to perform the operation.

  • API: The API that you can call to perform the action.

  • Access level: The predefined level of access granted for each API. Valid values: create, list, get, update, and delete.

  • Resource type: The type of the resource that supports authorization to perform the action. It indicates if the action supports resource-level permission. The specified resource must be compatible with the action. Otherwise, the policy will be ineffective.

    • For APIs with resource-level permissions, required resource types are marked with an asterisk (*). Specify the corresponding Alibaba Cloud Resource Name (ARN) in the Resource element of the policy.

    • For APIs without resource-level permissions, it is shown as All Resources. Use an asterisk (*) in the Resource element of the policy.

  • Condition key: The condition keys defined by the service. The key allows for granular control, applying to either actions alone or actions associated with specific resources. In addition to service-specific condition keys, Alibaba Cloud provides a set of common condition keys applicable across all RAM-supported services.

  • Dependent action: The dependent actions required to run the action. To complete the action, the RAM user or the RAM role must have the permissions to perform all dependent actions.

Action

Access level

Resource type

Condition key

Dependent action

ecs:JoinSecurityGroup

update

*Instance

acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}

*SecurityGroup

acs:ecs:{#regionId}:{#accountId}:securitygroup/{#securitygroupId}

None None

Request parameters

Parameter

Type

Required

Description

Example

SecurityGroupId

string

Yes

The ID of the security group. Call DescribeSecurityGroups to view your available security groups.

sg-bp67acfmxazb4p****

InstanceId

string

No

The ID of the instance.

Note

If you specify this parameter, you must leave NetworkInterfaceId empty.

i-bp67acfmxazb4p****

NetworkInterfaceId

string

No

The ID of the elastic network interface.

Note

If you specify this parameter, you must leave InstanceId empty.

eni-bp13kd656hxambfe****

RegionId

string

No

The ID of the region. Call DescribeRegions to view the latest list of Alibaba Cloud regions.

  • This parameter is optional when you add an instance to a security group.

  • This parameter is required when you add an elastic network interface to a security group. The value must be the ID of the region where the elastic network interface is located.

cn-hangzhou

Response elements

Element

Type

Description

Example

object

RequestId

string

The request ID.

473469C7-AA6F-4DC5-B3DB-A3DC0DE3C83E

Examples

Success response

JSON format

{
  "RequestId": "473469C7-AA6F-4DC5-B3DB-A3DC0DE3C83E"
}

Error codes

HTTP status code

Error code

Error message

Description

400 InstanceSecurityGroupLimitExceeded Exceeding the allowed amount of security groups that an instance can be in.
400 InvalidInstanceId.Mismatch Specified instance and security group are not in the same VPC. The specified instance and security group do not belong to the same VPC, or one of the following cases has occurred: 1. The security group is of the VPC network type but the instance is not. 2. The instance is of the VPC network type but the security group is not.
400 InvalidInstanceId.Malformed The specified parameter "InstanceId" is not valid.
400 InvalidOperation.NotSupportEnterpriseGroup The specified instance type doesn't support enterprise level security group.
400 InvalidOperation.MultiGroupType The specified instance can't join different types of security group.
400 InvalidOperation.InvalidEniState %s
400 InvalidOperation.EniAndGroupNotBelongSameUser %s
400 NotBelongUser %s You are not authorized to manage the specified resource.
400 MissingParameter.RegionId The specified RegionId should not be null. The RegionId parameter is required.
400 InvalidStatus.EniOrInstanceIsBeingCreated %s. The specified ECS instance or ENI is currently being created. Please wait for the creation process to complete and try again.
500 InternalError The request processing has failed due to some unknown error.
403 IncorrectInstanceStatus The current status of the resource does not support this operation.
403 InstanceLockedForSecurity The specified operation is denied as your instance is locked for security reasons.
403 SecurityGroupInstanceLimitExceeded The maximum number of instances in a security group is exceeded. The maximum number of instances in the specified security group has been reached.
403 InvalidInstanceId.AlreadyExists The specified instance already exists in the specified security group. The specified instance is already present in the specified security group.
403 AclLimitExceed %s The number of ACL rules for an ENI or instance exceeds the upper limit.
403 InstanceSecurityGroupLimitExceeded %s
403 InvalidOperation.NetworkInterfaceCountExceeded The maximum number of NetworkInterface in a enterprise level security group is exceeded. The number of NICs in the specified enterprise security group exceeds the limit.
403 InvalidOperation.ResourceManagedByCloudProduct %s You cannot modify security groups managed by cloud services.
403 InvalidOperation.InvalidEniType %s
403 InvalidOperation.VpcMismatch %s The operation is invalid. Check whether the VPC in the operation corresponds to other parameters.
403 InvalidOperation.EniServiceManaged %s The operation is invalid.
403 InvalidParam.Malformed %s Invalid parameter
403 InvalidParam.EniIdAndInstanceId.Conflict %s The InstanceId and NetworkInterfaceId parameters are mutually exclusive and cannot be both specified.
403 Forbidden.InstanceIsBeingCreated The specified instance is being created. The specified instance is being created.
404 InvalidSecurityGroupId.NotFound The specified SecurityGroupId does not exist. The specified security group does not exist in this account. Check whether the security group ID is correct.
404 InvalidInstanceId.NotFound The specified InstanceId does not exist. The specified instanceId is invalid.
404 InvalidEniId.NotFound %s
409 InvalidOperation.Conflict Request was denied due to conflict with a previous request, please try again later.

See Error Codes for a complete list.

Release notes

See Release Notes for a complete list.