Creates an inbound security group rule. You can use the created rule to allow or deny inbound traffic from other devices to Elastic Compute Service (ECS) instances in the security group.
Description
In the security group-related API documents, inbound traffic refers to the traffic that is sent by the source device and received at the destination device.
When you call this operation, take note of the following items:
- The total number of outbound and inbound security group rules in each security group cannot exceed 200.
- The valid value of Priority ranges from 1 to 100. A smaller value indicates a higher priority.
- When multiple security group rules have the same priority, drop rules take precedence.
- The source devices can belong to a CIDR block specified by SourceCidrIp, Ipv6SourceCidrIp, or SourcePrefixListId or can be ECS instances in a security group specified by SourceGroupId.
- If the rule that you want to create matches an existing rule, after the AuthorizeSecurityGroup operation is called, no rule is created.
- You can determine a security group rule by specifying one of the following groups
of parameters. You cannot determine a security group rule by specifying only one parameter.
- Parameters used to specify an inbound security group rule that controls access from
a specific CIDR block: IpProtocol, PortRange, SourcePortRange (optional), NicType,
Policy, and SourceCidrIp. For a security group in the classic network, you can set
the NicType parameter to internet or intranet. For a security group in a virtual private
cloud (VPC), you must set the NicType parameter to intranet.
https://ecs.aliyuncs.com/?Action=AuthorizeSecurityGroup &SecurityGroupId=sg-F876FF7** &SourceCidrIp=10.0.0.0/8 &IpProtocol=tcp &PortRange=22/22 &NicType=intranet &Policy=accept &<Common request parameters>
- Parameters used to specify an inbound security group rule that controls access to
another security group: IpProtocol, PortRange, SourcePortRange (optional), NicType,
Policy, SourceGroupOwnerAccount, and SourceGroupId. In this case, you must set the
NicType parameter to intranet. For mutual access between security groups in the classic
network, you can allow or deny another security group in the same region access to
your security group. The security group that is allowed access to your security group
can belong to your own Alibaba Cloud account or another Alibaba Cloud account specified
by the SourceGroupOwnerAccount parameter. For mutual access between security groups
in VPCs, you can allow or deny another security group in the same VPC access to your
security group.
https://ecs.aliyuncs.com/?Action=AuthorizeSecurityGroup &SecurityGroupId=sg-F876FF7** &SourceGroupId=sg-1651FBB** &SourceGroupOwnerAccount=test@aliyun.com &IpProtocol=tcp &PortRange=22/22 &NicType=intranet &Policy=drop &<Common request parameters>
- Parameters used to specify an inbound security group rule in which a prefix list is
referenced: IpProtocol, PortRange, SourcePortRange (optional), NicType, Policy, and
SourcePrefixListId. In this case, prefix lists support only security groups in VPCs.
NicType must be set to intranet.
https://ecs.aliyuncs.com/?Action=AuthorizeSecurityGroup &SecurityGroupId=sg-F876FF7** &SourcePrefixListId=pl-x1j1k5ykzqlixdcy**** &SourceGroupOwnerAccount=test@aliyun.com &IpProtocol=tcp &PortRange=22/22 &NicType=intranet &Policy=drop &<Common request parameters>
- Parameters used to specify an inbound security group rule that controls access from
a specific CIDR block: IpProtocol, PortRange, SourcePortRange (optional), NicType,
Policy, and SourceCidrIp. For a security group in the classic network, you can set
the NicType parameter to internet or intranet. For a security group in a virtual private
cloud (VPC), you must set the NicType parameter to intranet.
- For information about examples on security group rule settings, see Security groups for different use cases and Security group quintuple rules.
Debugging
Request parameters
Parameter | Type | Required | Example | Description |
---|---|---|---|---|
Action | String | Yes | AuthorizeSecurityGroup |
The operation that you want to perform. Set the value to AuthorizeSecurityGroup. |
RegionId | String | Yes | cn-hangzhou |
The region ID of the security group. You can call the DescribeRegions operation to query the most recent region list. |
SecurityGroupId | String | Yes | sg-bp67acfmxazb4p**** |
The ID of the destination security group. |
IpProtocol | String | Yes | all |
The transport layer protocol. The values of this parameter are case-sensitive. Valid values:
Note IpProtocol can be set to icmp only for IPv4 addresses.
|
PortRange | String | Yes | 22/22 |
The range of destination ports that correspond to the transport layer protocol. Valid values:
For more information, see Common ports used by applications. |
SourceGroupId | String | No | sg-bp67acfmxazb4p**** |
The ID of the source security group. At least one of
Take note of the following items:
|
SourceGroupOwnerId | Long | No | 1234567890 |
The ID of the Alibaba Cloud account that manages the source security group when you set a security group rule across accounts.
|
SourceGroupOwnerAccount | String | No | test@aliyun.com |
The Alibaba Cloud account that manages the source security group when you set a security group rule across accounts.
|
SourceCidrIp | String | No | 10.0.0.0/8 |
The source IPv4 CIDR block to which you want to control access. CIDR blocks and IPv4 addresses are supported. This parameter is empty by default. |
Ipv6SourceCidrIp | String | No | 2001:250:6000::*** |
The source IPv6 CIDR block to which you want to control access. CIDR blocks and IPv6 addresses are supported. Note Only IPv6 addresses in VPCs are supported. You cannot specify both Ipv6SourceCidrIp
and
SourceCidrIp .
This parameter is empty by default. |
SourcePrefixListId | String | No | pl-x1j1k5ykzqlixdcy**** |
The ID of the source prefix list to which you want to control access. You can call the DescribePrefixLists operation to query the IDs of available prefix lists. Take note of the following items:
|
SourcePortRange | String | No | 22/22 |
The range of source ports that correspond to the transport layer protocol. Valid values:
|
DestCidrIp | String | No | 10.0.0.0/8 |
The destination IPv4 CIDR block. CIDR blocks and IPv4 addresses are supported. This parameter is empty by default. |
Ipv6DestCidrIp | String | No | 2001:250:6000::*** |
The destination IPv6 CIDR block. CIDR blocks and IPv6 addresses are supported. Note Only IPv6 addresses in VPCs are supported. You cannot specify both Ipv6DestCidrIp
and
DestCidrIp .
This parameter is empty by default. |
Policy | String | No | accept |
The authorization policy. Valid values:
|
Priority | String | No | 1 |
The priority of the security group rule. A smaller value indicates a higher priority. Valid values: 1 to 100. Default value: 1. |
NicType | String | No | intranet |
The network interface controller (NIC) type of the security group rule when the security group is in the classic network. Valid values:
Default value: internet. |
ClientToken | String | No | 123e4567-e89b-12d3-a456-426655440000 |
The client token that is used to ensure the idempotence of the request. You can use the client to generate the value, but you must make sure that it is unique among different requests. The ClientToken value can contain only ASCII characters and cannot exceed 64 characters in length. For more information, see How to ensure idempotence. |
Description | String | No | This is description. |
The description of the security group rule. The description must be 1 to 512 characters in length. |
Response parameters
Parameter | Type | Example | Description |
---|---|---|---|
RequestId | String | 473469C7-AA6F-4DC5-B3DB-A3DC0DE3C83E |
The ID of the request. |
Examples
Sample requests
https://ecs.aliyuncs.com/?Action=AuthorizeSecurityGroup
&SecurityGroupId=sg-bp67acfmxazb4p****
&SourceCidrIp=10.0.0.0/8
&IpProtocol=tcp
&PortRange=22/22
&NicType=intranet
&Policy=accept
&<Common request parameters>
Sample success responses
XML
format
HTTP/1.1 200 OK
Content-Type:application/xml
<AuthorizeSecurityGroupResponse>
<RequestId>CEF72CEB-54B6-4AE8-B225-F876FF7BA984</RequestId>
</AuthorizeSecurityGroupResponse>
JSON
format
HTTP/1.1 200 OK
Content-Type:application/json
{
"RequestId" : "CEF72CEB-54B6-4AE8-B225-F876FF7BA984"
}
Error codes
HTTP status code | Error code | Error message | Description |
---|---|---|---|
400 | OperationDenied | The specified IpProtocol does not exist or IpProtocol and PortRange do not match. | The error message returned because the specified IpProtocol parameter does not exist or does not match the specified port range. |
400 | InvalidIpProtocol.Malformed | The specified parameter "PortRange" is not valid. | The error message returned because the specified IpProtocol or PortRange parameter is invalid. |
400 | InvalidSourceCidrIp.Malformed | The specified parameter "SourceCidrIp" is not valid. | The error message returned because the specified SourceCidrIp parameter is invalid. |
400 | InvalidPolicy.Malformed | The specified parameter "Policy" is not valid. | The error message returned because the specified Policy parameter is invalid. |
400 | InvalidNicType.ValueNotSupported | The specified NicType does not exist. | The error message returned because the specified NicType parameter does not exist. |
400 | InvalidNicType.Mismatch | Specified nic type conflicts with the authorization record. | The error message returned because the specified NIC type does not match the authorization object of the security group rule. |
400 | InvalidSourceGroupId.Mismatch | Specified security group and source group are not in the same VPC. | The error message returned because the destination security group and the source security group do not belong to the same VPC. |
400 | InvalidSourceGroup.NotFound | Specified source security group does not exist. | The error message returned because the specified inbound security group rule does not exist or because relevant parameters are not specified. |
400 | VPCDisabled | Can't use the SecurityGroup in VPC. | The error message returned because the VPC does not support security groups. |
400 | InvalidPriority.Malformed | The parameter Priority is invalid. | The error message returned because the specified Priority parameter is invalid. |
400 | InvalidPriority.ValueNotSupported | The parameter Priority is invalid. | The error message returned because the specified Priority parameter is invalid. |
400 | InvalidNicType.ValueNotSupported | The specified NicType is not valid. | The error message returned because the specified NicType parameter does not exist. |
400 | InvalidSecurityGroupDiscription.Malformed | The specified security group rule description is not valid. | The error message returned because the specified Description parameter is invalid. |
400 | InvalidSecurityGroup.InvalidNetworkType | The specified security group network type is not support this operation, please check the security group network types. For VPC security groups, ClassicLink must be enabled. | The error message returned because the operation is not supported while the security group is of the current network type. If the network type is VPC, ClassicLink must be enabled. |
400 | MissingParameter.Source | One of the parameters SourceCidrIp, SourceGroupId or SourcePrefixListId must be specified. | The error message returned because the SourceCidrIp, SourceGroupId, and SourcePrefixListId parameters are all empty. At least one of these parameters must be specified. |
400 | InvalidIpProtocol.ValueNotSupported | The parameter IpProtocol must be specified with case insensitive TCP, UDP, ICMP, GRE or All. | The error message returned because the specified IpProtocol parameter is invalid. The valid values of this parameter are tcp, udp, icmp, gre, and all. |
400 | InvalidSecurityGroupId.Malformed | The specified parameter "SecurityGroupId" is not valid. | The error message returned because the specified SecurityGroupId parameter is invalid. |
400 | InvalidParamter.Conflict | The specified SourceCidrIp should be different from the DestCidrIp. | The error message returned because the value of SourceCidrIp is the same as that of DestCidrIp. |
400 | InvalidSourcePortRange.Malformed | The specified parameter "SourcePortRange" is not valid. | The error message returned because the specified SourcePortRange parameter is invalid. |
400 | InvalidParam.SourceIp | %s | The error message returned because the specified SourceCidrIp parameter is invalid. |
400 | InvalidParam.DestIp | %s | The error message returned because the specified DestCidrIp parameter is invalid. |
400 | InvalidParam.Ipv6DestCidrIp | %s | The error message returned because the specified Ipv6DestCidrIp parameter is invalid. |
400 | InvalidParam.Ipv6SourceCidrIp | %s | The error message returned because the specified Ipv6SourceCidrIp parameter is invalid. |
400 | InvalidParam.Ipv4ProtocolConflictWithIpv6Address | %s | The error message returned because the specified parameter is invalid. Check whether you have entered an IPv6 address under an IPv4 protocol by mistake. |
400 | InvalidParam.Ipv6ProtocolConflictWithIpv4Address | %s | The error message returned because the specified parameter is invalid. Check whether you have entered an IPv4 address under an IPv6 protocol by mistake. |
400 | ILLEGAL_IPV6_CIDR | %s | The error message returned because the specified IPv6 address is invalid. |
400 | InvalidDestCidrIp.Malformed | The specified parameter DestCidrIp is not valid. | The error message returned because the specified DestCidrIp parameter is invalid. |
400 | InvalidParam.PrefixListAddressFamilyMismatch | The address family of the specified prefix list does not match the specified CidrIp. | The error message returned because the address family of the specified prefix list does not match that of the specified CIDR block. |
400 | NotSupported.ClassicNetworkPrefixList | The prefix list is not supported when the network type of security group is classic. | The error message returned because security groups in the classic network do not support prefix lists. |
500 | InternalError | The request processing has failed due to some unknown error. | The error message returned because an internal error has occurred. Try again later. If the error persists, submit a ticket. |
500 | InvalidGressFlow.Malformed | The specified parameter GressFlow is not valid,it cause by internal,try calling again. | The error message returned because the specified GressFlow parameter is invalid. |
403 | InvalidSourceGroupId.Mismatch | NicType is required or NicType expects intranet. | The error message returned because the NicType parameter is not specified or is not set to intranet. |
403 | MissingParameter | The input parameter "SourceGroupId" or "SourceCidrIp" cannot be both blank. | The error message returned because both the SourceGroupId and SourceCidrIp parameters are empty. |
403 | AuthorizationLimitExceed | The limit of authorization records in the security group reaches. | The error message returned because the maximum number of rules in the security group has been reached. |
403 | InvalidParamter.Conflict | The specified SecurityGroupId should be different from the SourceGroupId. | The error message returned because the destination security group is the same as the source security group. |
403 | InvalidNetworkType.Mismatch | The specified SecurityGroup network type should be same with SourceGroup network type (vpc or classic). | The error message returned because the network type of the destination security group is different from that of the source security group. |
403 | InvalidNetworkType.Conflict | The specified SecurityGroup network type should be same with SourceGroup network type (vpc or classic). | The error message returned because the network type of the destination security group is different from that of the source security group. |
403 | InvalidOperation.ResourceManagedByCloudProduct | %s | The error message returned because you cannot modify security groups managed by cloud services. |
403 | LimitExceed.PrefixListAssociationResource | The number of resources associated with the prefix list exceeds the limit. | The error message returned because the maximum amount of resources that can be associated with the prefix list has been reached. |
404 | InvalidSecurityGroupId.NotFound | The specified SecurityGroupId does not exist. | The error message returned because the specified security group does not exist within this account. Check whether the security group ID is correct. |
404 | InvalidSourceGroupId.NotFound | The SourceGroupId provided does not exist in our records. | The error message returned because the specified SourceGroupId parameter does not exist. |
404 | InvalidPrefixListId.NotFound | The specified prefix list was not found. | The error message returned because the specified prefix list does not exist. |
404 | NotSupported.GrayFunction | The prefix list is a gray-scale function, not currently supported. | The error message returned because this operation is not supported while the prefix list feature is in invitational preview. |
For a list of error codes, visit the API Error Center.