All Products
Search
Document Center

Elastic Compute Service:ModifySecurityGroupRule

Last Updated:Jun 29, 2026

Modifies an inbound security group rule of a specified security group.

Operation description

When you modify a security group rule by specifying the security group rule ID, take note of the following limits:

  • The authorization object of a security group rule can be an IPv4 Classless Inter-Domain Routing (CIDR) block (or IP address), an IPv6 CIDR block (or IP address), a security group, or a prefix list. You cannot use this operation to change the type of the authorization object of an existing security group rule. For example, if the original authorization object type is an IPv4 CIDR block, you can change it to another IPv4 CIDR block (or IP address), but you cannot change it to an IPv6 CIDR block (or IP address), a security group, or a prefix list.

  • You cannot change a field value from a non-empty value to an empty value. To modify security group rules in this case, increase a new rule and then delete the current rule.

Try it now

Try this API in OpenAPI Explorer, no manual signing needed. Successful calls auto-generate SDK code matching your parameters. Download it with built-in credential security for local usage.

Test

RAM authorization

The table below describes the authorization required to call this API. You can define it in a Resource Access Management (RAM) policy. The table's columns are detailed below:

  • Action: The actions can be used in the Action element of RAM permission policy statements to grant permissions to perform the operation.

  • API: The API that you can call to perform the action.

  • Access level: The predefined level of access granted for each API. Valid values: create, list, get, update, and delete.

  • Resource type: The type of the resource that supports authorization to perform the action. It indicates if the action supports resource-level permission. The specified resource must be compatible with the action. Otherwise, the policy will be ineffective.

    • For APIs with resource-level permissions, required resource types are marked with an asterisk (*). Specify the corresponding Alibaba Cloud Resource Name (ARN) in the Resource element of the policy.

    • For APIs without resource-level permissions, it is shown as All Resources. Use an asterisk (*) in the Resource element of the policy.

  • Condition key: The condition keys defined by the service. The key allows for granular control, applying to either actions alone or actions associated with specific resources. In addition to service-specific condition keys, Alibaba Cloud provides a set of common condition keys applicable across all RAM-supported services.

  • Dependent action: The dependent actions required to run the action. To complete the action, the RAM user or the RAM role must have the permissions to perform all dependent actions.

Action

Access level

Resource type

Condition key

Dependent action

ecs:ModifySecurityGroupRule

update

*All Resource

*

  • ecs:SecurityGroupIpProtocols
  • ecs:SecurityGroupSourceCidrIps
None

Request parameters

Parameter

Type

Required

Description

Example

RegionId

string

Yes

The region ID of the security group. You can call DescribeRegions to query the most recent region list.

cn-hangzhou

RegionId

string

Yes

The region ID of the security group. You can call DescribeRegions to query the most recent region list.

cn-hangzhou

ClientToken

string

No

A client token that is used to ensure the idempotence of the request. You can use the client to generate the token, but make sure that the token is unique among different requests. The ClientToken parameter supports only ASCII characters and cannot exceed 64 characters in length. For more information, see How to ensure idempotence.

123e4567-e89b-12d3-a456-426655440000

SecurityGroupId

string

Yes

The security group ID.

sg-bp67acfmxazb4p****

SecurityGroupRuleId

string

No

The security group rule ID. You can call DescribeSecurityGroupAttribute to query security group rule IDs.

sgr-bp67acfmxa123b***

Policy

string

No

The access permissions. Valid values:

  • accept: Accepts access.

  • drop: Denies access and does not return a deny response.

Default value: accept.

accept

Priority

string

No

The priority of the security group rule. Valid values: 1 to 100.

Default value: 1.

1

IpProtocol

string

No

The network-layer or transport-layer protocol. Two types of values are supported:

  1. Case-insensitive protocol names. Valid values:

  • ICMP

  • GRE

  • TCP

  • UDP

  • ALL: all protocols are supported.

  1. Protocol numbers that comply with IANA specifications, which are integers from 0 to 255. The following regions currently support this feature:

  • Philippines

  • UK (London)

  • Malaysia

  • China (Hohhot)

  • China (Qingdao)

  • US (Virginia)

  • Singapore

ALL

SourceCidrIp

string

No

Settings for the source IPv4 CIDR block for the access permissions. Classless Inter-Domain Routing (CIDR) format and IPv4 format IP address ranges are supported.

Default value: null.

10.0.0.0/8

Ipv6SourceCidrIp

string

No

Settings for the source IPv6 CIDR block for the access permissions. Classless Inter-Domain Routing (CIDR) format and IPv6 format IP address ranges are supported.

Note

Only VPC-type IP addresses are supported. This parameter and SourceCidrIp cannot be specified at the same time.

Default value: null.

2001:db8:1233:1a00::***

SourceGroupId

string

No

Settings for the ID of the source security group for the access permissions. Specify at least one of SourceGroupId and SourceCidrIp.

  • If SourceGroupId is specified but SourceCidrIp is not, the NicType parameter can only be set to intranet.

  • If both SourceGroupId and SourceCidrIp are specified, SourceCidrIp takes precedence by default.

sg-bp67acfmxa123b****

SourcePrefixListId

string

No

Settings for the ID of the source prefix list for the access permissions. You can invoke DescribePrefixLists to query available prefix list IDs.

This parameter is ignored if you specify one of SourceCidrIp, Ipv6SourceCidrIp, or SourceGroupId.

pl-x1j1k5ykzqlixdcy****

PortRange

string

No

The range of destination ports that correspond to the transport-layer protocol of the security group. Valid values:

  • TCP/UDP: valid values are 1 to 65535. Separate the start port and the end port with a forward slash (/). Example: 1/200.

  • ICMP: -1/-1.

  • GRE: -1/-1.

  • ALL: -1/-1.

80/80

DestCidrIp

string

No

The destination IPv4 Classless Inter-Domain Routing (CIDR) block. CIDR format and IPv4 format IP address ranges are supported.

Default value: null.

10.0.0.0/8

Ipv6DestCidrIp

string

No

Settings for the destination IPv6 CIDR block. Classless Inter-Domain Routing (CIDR) format and IPv6 format IP address ranges are supported.

Note

Only VPC-type IP addresses are supported. This parameter and DestCidrIp cannot be specified at the same time.

Default value: null.

2001:db8:1234:1a00::***

SourcePortRange

string

No

The range of source ports that correspond to the transport-layer protocol of the security group. Valid values:

  • TCP/UDP: valid values are 1 to 65535. Separate the start port and the end port with a forward slash (/). Example: 1/200.

  • ICMP: -1/-1.

  • GRE: -1/-1.

  • ALL: -1/-1.

80/80

SourceGroupOwnerAccount

string

No

Settings for the Alibaba Cloud account that owns the source security group when you configure a cross-account security group rule for access permissions.

  • If neither SourceGroupOwnerAccount nor SourceGroupOwnerId is configured, the rule is configured for the access permissions of your other security groups.

  • If the SourceCidrIp parameter is specified, the SourceGroupOwnerAccount parameter is invalid.

EcsforCloud@Alibaba.com

SourceGroupOwnerId

integer

No

Settings for the Alibaba Cloud account ID that owns the source security group when you configure a cross-account security group rule for access permissions.

  • If neither SourceGroupOwnerId nor SourceGroupOwnerAccount is configured, the rule is configured for the access permissions of your other security groups.

  • If the SourceCidrIp parameter is specified, the SourceGroupOwnerId parameter is invalid.

12345678910

NicType

string

No

The network interface controller (NIC) type.

Note

When you modify a rule by specifying the security group rule ID, this parameter cannot be modified. To make such a change, add a new rule and then delete the current rule.

intranet

Description

string

No

The description of the security group rule. The description must be 1 to 512 characters in length.

This is a new security group rule.

PortRangeListId

string

No

The port address book ID.

You can call DescribePortRangeLists to query available port address book IDs.

This parameter is ignored if you specify the PortRange parameter.

For more information, see Security group limits.

prl-2ze9743****

Response elements

Element

Type

Description

Example

object

RequestId

string

The request ID.

473469C7-AA6F-4DC5-B3DB-A3DC0DE3C83E

Examples

Success response

JSON format

{
  "RequestId": "473469C7-AA6F-4DC5-B3DB-A3DC0DE3C83E"
}

Error codes

HTTP status code

Error code

Error message

Description

400 OperationDenied The specified IpProtocol does not exist or IpProtocol and PortRange do not match. The specified IP protocol does not exist or does not match the specified port range.
400 InvalidIpProtocol.Malformed The specified parameter PortRange is not valid. The specified IpProtocol or PortRange parameter is invalid.
400 InvalidSourceCidrIp.Malformed The specified parameter SourceCidrIp is not valid. The specified source CIDR block is invalid.
400 InvalidPolicy.Malformed The specified parameter Policy is not valid. The specified Policy parameter is invalid.
400 InvalidNicType.ValueNotSupported The specified NicType does not exist. The specified NicType parameter does not exist.
400 InvalidNicType.Mismatch The specified NicType conflicts with the authorization record. The specified NIC type does not match the existing rule.
400 InvalidSourceGroupId.Mismatch Specified security group and source group are not in the same VPC. The specified source and destination security groups do not belong to the same VPC.
400 InvalidSourceGroup.NotFound Specified source security group does not exist. The specified inbound security group rule does not exist, or required parameters are not specified.
400 InvalidPriority.Malformed The parameter Priority is invalid. The specified Priority parameter is invalid.
400 InvalidPriority.ValueNotSupported The parameter Priority is invalid. The specified Priority parameter is invalid.
400 InvalidSecurityGroupDiscription.Malformed The specified security group rule description is not valid. The specified security group rule description is invalid.
400 MissingParameter.Source One of the parameters SourceCidrIp, SourceGroupId or SourcePrefixListId must be specified. The source of the security group rule must be specified. Specify any of the SourceCidrIp, SourceGroupId, or SourcePrefixListId parameters.
400 InvalidParam.PortRange The specified parameter %s is not valid. It should be two integers less than 65535 in ?/? format. The format of the port range is invalid. Specify the port range in the format of a slash separating two integers.
400 InvalidIpProtocol.ValueNotSupported The parameter IpProtocol must be specified with case insensitive TCP, UDP, ICMP, GRE or All. The specified IpProtocol parameter is invalid. The valid values of this parameter are tcp, udp, icmp, gre, and all.
400 InvalidParam.SourceIp The Parameters SourceCidrIp and Ipv6SourceCidrIp in %s cannot be set at the same time. The SourceCidrIp and Ipv6SourceCidrIp parameters cannot be specified at the same time.
400 InvalidParam.DestIp The Parameters DestCidrIp and Ipv6DestCidrIp in %s cannot be set at the same time. The DestCidrIp and Ipv6DestCidrIp parameters cannot be specified at the same time.
400 InvalidParam.Ipv6DestCidrIp The specified parameter %s is not valid. The specified Ipv6DestCidrIp parameter is invalid.
400 InvalidParam.Ipv6SourceCidrIp The specified parameter %s is not valid. The specified Ipv6SourceCidrIp parameter is invalid.
400 InvalidParam.Ipv4ProtocolConflictWithIpv6Address IPv6 address cannot be specified for IPv4-specific protocol. IPv6 addresses cannot be specified for instances that use the IPv4 protocol.
400 InvalidParam.Ipv6ProtocolConflictWithIpv4Address IPv4 address cannot be specified for IPv6-specific protocol. IPv4 addresses cannot be specified for instances that use the IPv6 protocol.
400 InvalidParameter.Ipv6CidrIp The specified Ipv6CidrIp is not valid. The specified Ipv6CidrIp parameter is invalid.
400 InvalidParam.DestCidrIp The specified parameter %s is not valid. The specified DestCidrIp parameter is invalid.
400 InvalidSourcePortRange.Malformed The specified parameter SourcePortRange is not valid. The specified SourcePortRange parameter is invalid.
400 InvalidSecurityGroupId.Malformed The specified parameter SecurityGroupId is not valid. The specified SecurityGroupId parameter is invalid.
400 InvalidParam.SourceCidrIp The specified param SourceCidrIp is not valid. The specified SourceCidrIp parameter is invalid.
400 InvalidParameter.Conflict IPv6 and IPv4 addresses cannot exist at the same time. IPv6 and IPv4 addresses cannot be both specified.
400 InvalidParam.SecurityGroupRuleId The specified parameter SecurityGroupRuleId is not valid. The specified SecurityGroupRuleId parameter is invalid.
400 InvalidOperation.ModifySgRuleEntityType The source or destination type of the rules cannot be modified. The type of the source or destination in the rule cannot be modified.
400 AuthorizationLimitExceed The limit of authorization records in the security group reaches. The security group has reached the maximum number of rules that can be added to it.
400 InvalidParam.ProtocolAndPortRangeMismatch The specified Protocol and PortRange do not match. The protocol and the port range do not match.
400 InvalidParam.ProtocolAndAddressFamilyMismatch The specified Protocol and address family do not match. The protocol and the address family do not match.
400 InvalidParam.PrefixListAddressFamilyMismatch The address family of the prefix list does not match the rule. The address family of the prefix list and the rule do not match.
400 InvalidParam.InvalidModifyRuleRequest The request parameters are illegal. The request parameter is invalid.
400 InvalidOperation.ModifyNicType NicType is not allowed to modify. The NicType parameter cannot be modified.
400 InvalidParamter.Conflict The specified SourceCidrIp should be different from the DestCidrIp. The value of SourceCidrIp must be different from that of DestCidrIp.
400 InvalidOperation.RuleDuplicate %s. The rule being modified will be duplicated with an existing rule.
400 InvalidParam.ProtocolNotSupportPortRangeList The specified protocol does not support the port range list. The specified protocol does not support the port list.
400 InvalidSourceOrDestGroupId.DirectionMissmatch The specified SourceGroupId or DestGroupId does not match the direction of the rule. The specified SourceGroupId or DestGroupId does not match the direction of the security group rule.
400 InvalidOperation.ModifyPortRangeType The PortRange type is not allowed to be modified. You cannot modify a rule from using the port list to not using it, and vice versa. The port range type of a security group rule cannot be modified. You cannot change a rule from using the port list to not using, and vice versa.
400 InvalidPortRangeListId.NotFound The specified port range list was not found. The specified port list was not found.
500 InternalError The request processing has failed due to some unknown error.
403 InvalidSourceGroupId.Mismatch NicType is required or NicType expects intrnet.
403 MissingParameter The input parameter SourceGroupId or SourceCidrIp cannot be both blank. At least one of the SourceGroupId and SourceCidrIp parameters must be specified.
403 AuthorizationLimitExceed The limit of authorization records in the security group reaches.
403 InvalidParamter.Conflict The specified SecurityGroupId should be different from the SourceGroupId. The destination security group is the same as the source security group.
403 InvalidNetworkType.Mismatch The specified SecurityGroup network type should be same with SourceGroup network type (vpc or classic). The network type of the destination security group is different from that of the source security group.
403 InvalidOperation.ResourceManagedByCloudProduct %s You cannot modify security groups managed by cloud services.
404 InvalidSecurityGroupId.NotFound The specified SecurityGroupId does not exist. The specified security group does not exist in this account. Check whether the security group ID is correct.
404 InvalidSourceGroupId.NotFound The SourceGroupId provided does not exist in our records. The specified SourceGroupId parameter does not exist.
404 SecurityGroupRule.NotFound The target security group rule not exist.
404 InvalidPrefixListId.NotFound The specified prefix list was not found. The prefix list does not exist.
404 InvalidSecurityGroupRuleId.NotFound The specified SecurityGroupRuleId is not exists. The specified SecurityGroupRuleId parameter does not exist.

See Error Codes for a complete list.

Release notes

See Release Notes for a complete list.