Removes an Elastic Compute Service (ECS) instance or an elastic network interface (ENI) from a security group.
Operation description
This operation is not recommended. We recommend that you call the ModifyInstanceAttribute operation to add an instance to or remove an instance from a security group, and call the ModifyNetworkInterfaceAttribute operation to add an ENI to or remove an ENI from a security group.
Alibaba Cloud modified verification rules for the LeaveSecurityGroup operation on July 8, 2024. When you remove an ECS instance or ENI that does not belong to a security group from the security group, the "InvalidSecurityGroupAssociation.NotFound" error code is returned instead of a success response. Update the LeaveSecurityGroup operation to use the new verification rules with the new error code based on your business requirements.
You cannot remove an instance and an ENI from a security group at the same time. This indicates that you cannot specify
InstanceIdandNetworkInterfaceIdin one request.Before you remove an instance from a security group, the instance must be in the Stopped (Stopped) or Running (Running) state.
An instance or ENI must be added to at least one security group. If you remove an instance or ENI from the only security group, the removal request fails and an error is returned.
When you remove an instance or ENI that is not in a security group from the security group, the removal request fails and an error is returned.
Try it now
Test
RAM authorization
|
Action |
Access level |
Resource type |
Condition key |
Dependent action |
|
ecs:LeaveSecurityGroup |
update |
*Instance
*SecurityGroup
|
None | None |
Request parameters
|
Parameter |
Type |
Required |
Description |
Example |
| SecurityGroupId |
string |
Yes |
The security group ID. |
sg-bp67acfmxazb4p**** |
| InstanceId |
string |
No |
The instance ID. Note
If you configure this parameter, you cannot configure |
i-bp67acfmxazb4p**** |
| NetworkInterfaceId |
string |
No |
The ENI ID. Note
If you configure this parameter, you cannot configure |
eni-bp13kd656hxambfe**** |
| RegionId |
string |
No |
The region ID. You can call the DescribeRegions operation to query the most recent region list.
|
cn-hangzhou |
Response elements
|
Element |
Type |
Description |
Example |
|
object |
|||
| RequestId |
string |
The request ID. |
473469C7-AA6F-4DC5-B3DB-A3DC0DE3C83E |
Examples
Success response
JSON format
{
"RequestId": "473469C7-AA6F-4DC5-B3DB-A3DC0DE3C83E"
}
Error response
JSON format
{
"RequestId": "473469C7-AA6F-4DC5-B3DB-A3DC0DE3C83E"
}
Error codes
|
HTTP status code |
Error code |
Error message |
Description |
|---|---|---|---|
| 400 | InvalidInstanceId.Malformed | The specified parameter "InstanceId" is not valid. | |
| 400 | MissingParameter.RegionId | The specified RegionId should not be null. | The RegionId parameter is required. |
| 400 | InvalidOperation.InvalidEniState | %s | |
| 400 | InvalidSecurityGroupAssociation.NotFound | %s. | The specified ECS or ENI is not associated with the specified security group. |
| 403 | InstanceLastSecurityGroup | The specified security group is the last security group for the instance. | The specified security group is the only security group to which the instance belongs. |
| 403 | IncorrectInstanceStatus | The current status of the resource does not support this operation. | |
| 403 | InstanceLockedForSecurity | The specified operation is denied as your instance is locked for security reasons. | |
| 403 | InstanceNotInSecurityGroup | The instance not in the group. | |
| 403 | InvalidOperation.ResourceManagedByCloudProduct | %s | You cannot modify security groups managed by cloud services. |
| 403 | InvalidOperation.AtLeastInOneGroup | %s | |
| 403 | InvalidOperation.EniServiceManaged | %s | The operation is invalid. |
| 403 | InvalidOperation.InvalidEniType | %s | |
| 403 | InvalidParam.Malformed | %s | Invalid parameter |
| 403 | InvalidParam.EniIdAndInstanceId.Conflict | %s | The InstanceId and NetworkInterfaceId parameters are mutually exclusive and cannot be both specified. |
| 404 | InvalidInstanceId.NotFound | The specified InstanceId does not exist. | The specified instanceId is invalid. |
| 404 | InvalidSecurityGroupId.NotFound | The specified SecurityGroupId does not exist. | The specified security group does not exist in this account. Check whether the security group ID is correct. |
| 404 | InvalidEniId.NotFound | %s | |
| 404 | InvalidVSwitchId.NotFound | The specified virtual switch %s does not exist. | The specified switch does not exist. |
| 504 | RequestTimeout | The request encounters an upstream server timeout. | |
| 409 | InvalidOperation.Conflict | Request was denied due to conflict with a previous request, please try again later. |
See Error Codes for a complete list.
Release notes
See Release Notes for a complete list.