Modifies an inbound security group rule of a specified security group.
Operation description
When you modify a security group rule by specifying the security group rule ID, take note of the following limits:
-
The authorization object of a security group rule can be an IPv4 Classless Inter-Domain Routing (CIDR) block (or IP address), an IPv6 CIDR block (or IP address), a security group, or a prefix list. You cannot use this operation to change the type of the authorization object of an existing security group rule. For example, if the original authorization object type is an IPv4 CIDR block, you can change it to another IPv4 CIDR block (or IP address), but you cannot change it to an IPv6 CIDR block (or IP address), a security group, or a prefix list.
-
You cannot change a field value from a non-empty value to an empty value. To modify security group rules in this case, increase a new rule and then delete the current rule.
Try it now
Test
RAM authorization
|
Action |
Access level |
Resource type |
Condition key |
Dependent action |
|
ecs:ModifySecurityGroupRule |
update |
*All Resource
|
|
None |
Request parameters
|
Parameter |
Type |
Required |
Description |
Example |
| RegionId |
string |
Yes |
The region ID of the security group. You can call DescribeRegions to query the most recent region list. |
cn-hangzhou |
| RegionId |
string |
Yes |
The region ID of the security group. You can call DescribeRegions to query the most recent region list. |
cn-hangzhou |
| ClientToken |
string |
No |
A client token that is used to ensure the idempotence of the request. You can use the client to generate the token, but make sure that the token is unique among different requests. The ClientToken parameter supports only ASCII characters and cannot exceed 64 characters in length. For more information, see How to ensure idempotence. |
123e4567-e89b-12d3-a456-426655440000 |
| SecurityGroupId |
string |
Yes |
The security group ID. |
sg-bp67acfmxazb4p**** |
| SecurityGroupRuleId |
string |
No |
The security group rule ID. You can call DescribeSecurityGroupAttribute to query security group rule IDs. |
sgr-bp67acfmxa123b*** |
| Policy |
string |
No |
The access permissions. Valid values:
Default value: accept. |
accept |
| Priority |
string |
No |
The priority of the security group rule. Valid values: 1 to 100. Default value: 1. |
1 |
| IpProtocol |
string |
No |
The network-layer or transport-layer protocol. Two types of values are supported:
|
ALL |
| SourceCidrIp |
string |
No |
Settings for the source IPv4 CIDR block for the access permissions. Classless Inter-Domain Routing (CIDR) format and IPv4 format IP address ranges are supported. Default value: null. |
10.0.0.0/8 |
| Ipv6SourceCidrIp |
string |
No |
Settings for the source IPv6 CIDR block for the access permissions. Classless Inter-Domain Routing (CIDR) format and IPv6 format IP address ranges are supported. Note
Only VPC-type IP addresses are supported. This parameter and Default value: null. |
2001:db8:1233:1a00::*** |
| SourceGroupId |
string |
No |
Settings for the ID of the source security group for the access permissions. Specify at least one of
|
sg-bp67acfmxa123b**** |
| SourcePrefixListId |
string |
No |
Settings for the ID of the source prefix list for the access permissions. You can invoke DescribePrefixLists to query available prefix list IDs. This parameter is ignored if you specify one of |
pl-x1j1k5ykzqlixdcy**** |
| PortRange |
string |
No |
The range of destination ports that correspond to the transport-layer protocol of the security group. Valid values:
|
80/80 |
| DestCidrIp |
string |
No |
The destination IPv4 Classless Inter-Domain Routing (CIDR) block. CIDR format and IPv4 format IP address ranges are supported. Default value: null. |
10.0.0.0/8 |
| Ipv6DestCidrIp |
string |
No |
Settings for the destination IPv6 CIDR block. Classless Inter-Domain Routing (CIDR) format and IPv6 format IP address ranges are supported. Note
Only VPC-type IP addresses are supported. This parameter and Default value: null. |
2001:db8:1234:1a00::*** |
| SourcePortRange |
string |
No |
The range of source ports that correspond to the transport-layer protocol of the security group. Valid values:
|
80/80 |
| SourceGroupOwnerAccount |
string |
No |
Settings for the Alibaba Cloud account that owns the source security group when you configure a cross-account security group rule for access permissions.
|
EcsforCloud@Alibaba.com |
| SourceGroupOwnerId |
integer |
No |
Settings for the Alibaba Cloud account ID that owns the source security group when you configure a cross-account security group rule for access permissions.
|
12345678910 |
| NicType |
string |
No |
The network interface controller (NIC) type. Note
When you modify a rule by specifying the security group rule ID, this parameter cannot be modified. To make such a change, add a new rule and then delete the current rule. |
intranet |
| Description |
string |
No |
The description of the security group rule. The description must be 1 to 512 characters in length. |
This is a new security group rule. |
| PortRangeListId |
string |
No |
The port address book ID. You can call This parameter is ignored if you specify the PortRange parameter. For more information, see Security group limits. |
prl-2ze9743**** |
Response elements
|
Element |
Type |
Description |
Example |
|
object |
|||
| RequestId |
string |
The request ID. |
473469C7-AA6F-4DC5-B3DB-A3DC0DE3C83E |
Examples
Success response
JSON format
{
"RequestId": "473469C7-AA6F-4DC5-B3DB-A3DC0DE3C83E"
}
Error codes
|
HTTP status code |
Error code |
Error message |
Description |
|---|---|---|---|
| 400 | OperationDenied | The specified IpProtocol does not exist or IpProtocol and PortRange do not match. | The specified IP protocol does not exist or does not match the specified port range. |
| 400 | InvalidIpProtocol.Malformed | The specified parameter PortRange is not valid. | The specified IpProtocol or PortRange parameter is invalid. |
| 400 | InvalidSourceCidrIp.Malformed | The specified parameter SourceCidrIp is not valid. | The specified source CIDR block is invalid. |
| 400 | InvalidPolicy.Malformed | The specified parameter Policy is not valid. | The specified Policy parameter is invalid. |
| 400 | InvalidNicType.ValueNotSupported | The specified NicType does not exist. | The specified NicType parameter does not exist. |
| 400 | InvalidNicType.Mismatch | The specified NicType conflicts with the authorization record. | The specified NIC type does not match the existing rule. |
| 400 | InvalidSourceGroupId.Mismatch | Specified security group and source group are not in the same VPC. | The specified source and destination security groups do not belong to the same VPC. |
| 400 | InvalidSourceGroup.NotFound | Specified source security group does not exist. | The specified inbound security group rule does not exist, or required parameters are not specified. |
| 400 | InvalidPriority.Malformed | The parameter Priority is invalid. | The specified Priority parameter is invalid. |
| 400 | InvalidPriority.ValueNotSupported | The parameter Priority is invalid. | The specified Priority parameter is invalid. |
| 400 | InvalidSecurityGroupDiscription.Malformed | The specified security group rule description is not valid. | The specified security group rule description is invalid. |
| 400 | MissingParameter.Source | One of the parameters SourceCidrIp, SourceGroupId or SourcePrefixListId must be specified. | The source of the security group rule must be specified. Specify any of the SourceCidrIp, SourceGroupId, or SourcePrefixListId parameters. |
| 400 | InvalidParam.PortRange | The specified parameter %s is not valid. It should be two integers less than 65535 in ?/? format. | The format of the port range is invalid. Specify the port range in the format of a slash separating two integers. |
| 400 | InvalidIpProtocol.ValueNotSupported | The parameter IpProtocol must be specified with case insensitive TCP, UDP, ICMP, GRE or All. | The specified IpProtocol parameter is invalid. The valid values of this parameter are tcp, udp, icmp, gre, and all. |
| 400 | InvalidParam.SourceIp | The Parameters SourceCidrIp and Ipv6SourceCidrIp in %s cannot be set at the same time. | The SourceCidrIp and Ipv6SourceCidrIp parameters cannot be specified at the same time. |
| 400 | InvalidParam.DestIp | The Parameters DestCidrIp and Ipv6DestCidrIp in %s cannot be set at the same time. | The DestCidrIp and Ipv6DestCidrIp parameters cannot be specified at the same time. |
| 400 | InvalidParam.Ipv6DestCidrIp | The specified parameter %s is not valid. | The specified Ipv6DestCidrIp parameter is invalid. |
| 400 | InvalidParam.Ipv6SourceCidrIp | The specified parameter %s is not valid. | The specified Ipv6SourceCidrIp parameter is invalid. |
| 400 | InvalidParam.Ipv4ProtocolConflictWithIpv6Address | IPv6 address cannot be specified for IPv4-specific protocol. | IPv6 addresses cannot be specified for instances that use the IPv4 protocol. |
| 400 | InvalidParam.Ipv6ProtocolConflictWithIpv4Address | IPv4 address cannot be specified for IPv6-specific protocol. | IPv4 addresses cannot be specified for instances that use the IPv6 protocol. |
| 400 | InvalidParameter.Ipv6CidrIp | The specified Ipv6CidrIp is not valid. | The specified Ipv6CidrIp parameter is invalid. |
| 400 | InvalidParam.DestCidrIp | The specified parameter %s is not valid. | The specified DestCidrIp parameter is invalid. |
| 400 | InvalidSourcePortRange.Malformed | The specified parameter SourcePortRange is not valid. | The specified SourcePortRange parameter is invalid. |
| 400 | InvalidSecurityGroupId.Malformed | The specified parameter SecurityGroupId is not valid. | The specified SecurityGroupId parameter is invalid. |
| 400 | InvalidParam.SourceCidrIp | The specified param SourceCidrIp is not valid. | The specified SourceCidrIp parameter is invalid. |
| 400 | InvalidParameter.Conflict | IPv6 and IPv4 addresses cannot exist at the same time. | IPv6 and IPv4 addresses cannot be both specified. |
| 400 | InvalidParam.SecurityGroupRuleId | The specified parameter SecurityGroupRuleId is not valid. | The specified SecurityGroupRuleId parameter is invalid. |
| 400 | InvalidOperation.ModifySgRuleEntityType | The source or destination type of the rules cannot be modified. | The type of the source or destination in the rule cannot be modified. |
| 400 | AuthorizationLimitExceed | The limit of authorization records in the security group reaches. | The security group has reached the maximum number of rules that can be added to it. |
| 400 | InvalidParam.ProtocolAndPortRangeMismatch | The specified Protocol and PortRange do not match. | The protocol and the port range do not match. |
| 400 | InvalidParam.ProtocolAndAddressFamilyMismatch | The specified Protocol and address family do not match. | The protocol and the address family do not match. |
| 400 | InvalidParam.PrefixListAddressFamilyMismatch | The address family of the prefix list does not match the rule. | The address family of the prefix list and the rule do not match. |
| 400 | InvalidParam.InvalidModifyRuleRequest | The request parameters are illegal. | The request parameter is invalid. |
| 400 | InvalidOperation.ModifyNicType | NicType is not allowed to modify. | The NicType parameter cannot be modified. |
| 400 | InvalidParamter.Conflict | The specified SourceCidrIp should be different from the DestCidrIp. | The value of SourceCidrIp must be different from that of DestCidrIp. |
| 400 | InvalidOperation.RuleDuplicate | %s. | The rule being modified will be duplicated with an existing rule. |
| 400 | InvalidParam.ProtocolNotSupportPortRangeList | The specified protocol does not support the port range list. | The specified protocol does not support the port list. |
| 400 | InvalidSourceOrDestGroupId.DirectionMissmatch | The specified SourceGroupId or DestGroupId does not match the direction of the rule. | The specified SourceGroupId or DestGroupId does not match the direction of the security group rule. |
| 400 | InvalidOperation.ModifyPortRangeType | The PortRange type is not allowed to be modified. You cannot modify a rule from using the port list to not using it, and vice versa. | The port range type of a security group rule cannot be modified. You cannot change a rule from using the port list to not using, and vice versa. |
| 400 | InvalidPortRangeListId.NotFound | The specified port range list was not found. | The specified port list was not found. |
| 500 | InternalError | The request processing has failed due to some unknown error. | |
| 403 | InvalidSourceGroupId.Mismatch | NicType is required or NicType expects intrnet. | |
| 403 | MissingParameter | The input parameter SourceGroupId or SourceCidrIp cannot be both blank. | At least one of the SourceGroupId and SourceCidrIp parameters must be specified. |
| 403 | AuthorizationLimitExceed | The limit of authorization records in the security group reaches. | |
| 403 | InvalidParamter.Conflict | The specified SecurityGroupId should be different from the SourceGroupId. | The destination security group is the same as the source security group. |
| 403 | InvalidNetworkType.Mismatch | The specified SecurityGroup network type should be same with SourceGroup network type (vpc or classic). | The network type of the destination security group is different from that of the source security group. |
| 403 | InvalidOperation.ResourceManagedByCloudProduct | %s | You cannot modify security groups managed by cloud services. |
| 404 | InvalidSecurityGroupId.NotFound | The specified SecurityGroupId does not exist. | The specified security group does not exist in this account. Check whether the security group ID is correct. |
| 404 | InvalidSourceGroupId.NotFound | The SourceGroupId provided does not exist in our records. | The specified SourceGroupId parameter does not exist. |
| 404 | SecurityGroupRule.NotFound | The target security group rule not exist. | |
| 404 | InvalidPrefixListId.NotFound | The specified prefix list was not found. | The prefix list does not exist. |
| 404 | InvalidSecurityGroupRuleId.NotFound | The specified SecurityGroupRuleId is not exists. | The specified SecurityGroupRuleId parameter does not exist. |
See Error Codes for a complete list.
Release notes
See Release Notes for a complete list.