Modifies the description of an outbound rule of a security group. This operation can be called to modify only the description of an outbound security group rule. If you want to modify other information such as the policy, port range, and authorization object of the rule, log on to the Elastic Compute Service (ECS) console.

Description

You can determine an outbound rule by specifying one of the following groups of parameters. You cannot determine a security group rule by specifying only one parameter.

  • Parameters used to specify an outbound security group rule that controls access to a specific CIDR block: IpProtocol, PortRange, SourcePortRange (optional), NicType, Policy, SourceCidrIp (optional), and DestCidrIp.
    
        https://ecs.aliyuncs.com/?Action=ModifySecurityGroupEgressRule
        &SecurityGroupId=sg-bp67acfmxazb4p****
        &DestCidrIp=10.0.0.0/8
        &IpProtocol=tcp
        &PortRange=80/80
        &Policy=allow
        &Description=This is a new security group rule.
        &<Common request parameters>
        
  • Parameters used to specify an outbound security group rule that controls access to other security groups: IpProtocol, PortRange, SourcePortRange (optional), NicType, Policy, SourceCidrIp (optional), and DestGroupId.
    
        https://ecs.aliyuncs.com/?Action=ModifySecurityGroupEgressRule
        &SecurityGroupId=sg-bp67acfmxazb4p****
        &DestGroupId=sg-bp67acfmxa123b****
        &IpProtocol=tcp
        &PortRange=80/80
        &Policy=allow
        &Description=This is a new security group rule.
        &<Common request parameters>
        
  • Parameters used to specify an outbound security group rule in which a prefix list is referenced: IpProtocol, PortRange, SourcePortRange (optional), NicType, Policy, SourceCidrIp (optional), and DestPrefixListId.
    
        https://ecs.aliyuncs.com/?Action=ModifySecurityGroupEgressRule
        &SecurityGroupId=sg-bp67acfmxazb4p****
        &DestPrefixListId=pl-x1j1k5ykzqlixdcy****
        &IpProtocol=tcp
        &PortRange=80/80
        &Policy=allow
        &Description=This is a new security group rule.
        &<Common request parameters>
        

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer. OpenAPI Explorer dynamically generates the sample code of the operation for different SDKs.

Request parameters

Parameter Type Required Example Description
Action String Yes ModifySecurityGroupEgressRule

The operation that you want to perform. Set the value to ModifySecurityGroupEgressRule.

RegionId String Yes cn-hangzhou

The region ID of the source security group. You can call the DescribeRegions operation to query the most recent region list.

SecurityGroupId String Yes sg-bp67acfmxazb4p****

The ID of the source security group.

IpProtocol String Yes tcp

The transport layer protocol. The values of this parameter are case-insensitive. Valid values:

  • icmp
  • gre
  • tcp
  • udp
  • all: All protocols are supported.
PortRange String Yes 80/80

The range of destination ports that correspond to the transport layer protocol. Valid values:

  • When the IpProtocol parameter is set to tcp or udp, the port number range is 1 to 65535. Separate the start port number and the end port number with a forward slash (/). Example: 1/200.
  • When the IpProtocol parameter is set to icmp, the port number range is -1/-1, which indicates all ports.
  • When the IpProtocol parameter is set to gre, the port number range is -1/-1, which indicates all ports.
  • When the IpProtocol parameter is set to all, the port number range is -1/-1, which indicates all ports.
DestGroupId String No sg-bp67acfmxa123b****

The ID of the destination security group. You must specify at least one of the DestGroupId and DestCidrIp parameters.

  • If DestGroupId is specified but DestCidrIp is not specified, the NicType parameter must be set to intranet.
  • If both DestGroupId and DestCidrIp are specified, DestCidrIp takes precedence.
DestGroupOwnerId Long No 1234567890

The ID of the Alibaba Cloud account (UID) that manages the destination security group.

DestGroupOwnerAccount String No EcsforCloud@Alibaba.com

The logon name of the Alibaba Cloud account that manages the destination security group.

DestCidrIp String No 10.0.0.0/8

The destination IPv4 CIDR block. CIDR blocks and IPv4 addresses are supported.

This parameter is empty by default.

Ipv6DestCidrIp String No 2001:db8:1233:1a00::***

The destination IPv6 CIDR block. CIDR blocks and IPv6 addresses are supported.

Note Only the IP addresses of instances in virtual private clouds (VPCs) are supported. You cannot specify both the Ipv6DestCidrIp parameter and the DestCidrIp parameter.

This parameter is empty by default.

SourceCidrIp String No 10.0.0.0/8

The source IPv4 CIDR block. CIDR blocks and IPv4 addresses are supported.

This parameter is empty by default.

Ipv6SourceCidrIp String No 2001:db8:1234:1a00::***

The source IPv6 CIDR block. CIDR blocks and IPv6 addresses are supported.

Note Only the IP addresses of instances in VPCs are supported. You cannot specify both the Ipv6SourceCidrIp parameter and the SourceCidrIp parameter.

This parameter is empty by default.

DestPrefixListId String No pl-x1j1k5ykzqlixdcy****

The ID of the destination prefix list. You can call the DescribePrefixLists operation to query the IDs of available prefix lists.

If you specify DestCidrIp, Ipv6DestCidrIp, or DestGroupId, this parameter is ignored.

SourcePortRange String No 80/80

The range of source ports that correspond to the transport layer protocol. Valid values:

  • When the IpProtocol parameter is set to tcp or udp, the port number range is 1 to 65535. Separate the start port number and the end port number with a forward slash (/). Example: 1/200.
  • When the IpProtocol parameter is set to icmp, the port number range is -1/-1, which indicates all ports.
  • When the IpProtocol parameter is set to gre, the port number range is -1/-1, which indicates all ports.
  • When the IpProtocol parameter is set to all, the port number range is -1/-1, which indicates all ports.
Policy String No accept

The authorization policy. Valid values:

  • accept: allows access.
  • drop: denies access and returns no responses.

Default value: accept.

Priority String No 1

The priority of the security group rule. Valid values: 1 to 100.

Default: 1.

NicType String No intranet

The network interface controller (NIC) type of the security group rule when the security group is in the classic network. Valid values:

  • internet: public NIC
  • intranet: private NIC

Default value: internet.

The NicType parameter must be set to intranet in the following cases:

  • If the security group is in a VPC, this parameter is required and must be set to intranet.
  • If you specify only DestGroupId when you configure access between security groups, this parameter must be set to intranet.
ClientToken String No 123e4567-e89b-12d3-a456-426655440000

The client token that is used to ensure the idempotence of the request. You can use the client to generate the value, but you must make sure that it is unique among different requests. The ClientToken value can contain only ASCII characters and cannot exceed 64 characters in length. For more information, see How to ensure idempotence.

Description String No This is a new securitygroup rule.

The description of the security group rule. The description must be 1 to 512 characters in length.

Response parameters

Parameter Type Example Description
RequestId String 473469C7-AA6F-4DC5-B3DB-A3DC0DE3C83E

The ID of the request.

Examples

Sample requests

https://ecs.aliyuncs.com/?Action=ModifySecurityGroupEgressRule
&SecurityGroupId=sg-bp67acfmxazb4p****
&DestGroupId=sg-bp67acfmxa123b****
&IpProtocol=tcp
&PortRange=80/80
&Policy=allow
&Description=This is a new securitygroup rule.
&<Common request parameters>

Sample success responses

XML format

HTTP/1.1 200 OK
Content-Type:application/xml

<ModifySecurityGroupEgressRuleResponse>
    <RequestId>CEF72CEB-54B6-4AE8-B225-F876FF7BA984</RequestId>
</ModifySecurityGroupEgressRuleResponse>

JSON format

HTTP/1.1 200 OK
Content-Type:application/json

{
  "RequestId" : "CEF72CEB-54B6-4AE8-B225-F876FF7BA984"
}

Error codes

HttpCode Error code Error message Description
400 OperationDenied The specified IpProtocol does not exist or IpProtocol and PortRange do not match. The error message returned because the specified IpProtocol parameter does not exist or does not match the specified port range.
400 InvalidIpProtocol.Malformed The specified parameter "PortRange" is not valid. The error message returned because the specified IpProtocol or PortRange parameter is invalid.
400 InvalidDestCidrIp.Malformed The specified parameter "DestCidrIp" is not valid. The error message returned because the specified DestCidrIp parameter is invalid.
400 InvalidPolicy.Malformed The specified parameter "Policy" is not valid. The error message returned because the specified Policy parameter is invalid.
400 InvalidNicType.ValueNotSupported The specified NicType does not exist. The error message returned because the specified NicType parameter does not exist.
400 InvalidNicType.Mismatch Specified nic type conflicts with the authorization record. The error message returned because the specified NIC type does not match the authorization object of the security group rule.
400 InvalidDestGroupId.Mismatch Specified security group and destination group are not in the same VPC. The error message returned because the specified source and destination security groups do not belong to the same VPC.
400 InvalidDestGroup.NotFound Specified destination security group does not exist. The error message returned because the specified DestGroupId parameter does not exist.
400 VPCDisabled Can't use the SecurityGroup in VPC. The error message returned because the VPC does not support security groups.
400 InvalidPriority.Malformed The specified parameter "Priority" is not valid. The error message returned because the specified Priority parameter is invalid.
400 InvalidPriority.ValueNotSupported The specified Priority is invalid. The error message returned because the specified Priority parameter is invalid.
400 InvalidDestCidrIp.Malformed The specified parameter DestCidrIp is not valid. The error message returned because the specified DestCidrIp parameter is invalid.
400 InvalidNicType.ValueNotSupported The specified NicType is not valid. The error message returned because the specified NicType parameter does not exist.
400 InvalidSecurityGroupDiscription.Malformed The specified security group rule description is not valid. The error message returned because the specified Description parameter is invalid.
400 InvalidSecurityGroup.InvalidNetworkType The specified security group network type is not support this operation, please check the security group network types. For VPC security groups, ClassicLink must be enabled. The error message returned because the operation is not supported while the security group is of the current network type. If the network type is VPC, ClassicLink must be enabled.
400 MissingParameter.Dest One of the parameters DestCidrIp, DestGroupId or DestPrefixListId must be specified. The error message returned because the DestCidrIp, DestGroupId, and DestPrefixListId parameters are all empty. At least one of these parameters must be specified.
400 InvalidParam.PortRange The specified param PortRange or SourcePortRange is not valid. should be integer and less than 65535, range separator is '/'. The error message returned because the specified PortRange or SourcePortRange parameter is invalid. The values of PortRange and SourcePortRange must be in the format of <Start port number>/<End port number>. The port numbers must be integers and range from 1 to 65535.
400 InvalidIpProtocol.ValueNotSupported The specified parameter IpProtocol should not be null and only tcp, udp, icmp, gre or all is supported. Ignore case. The error message returned because the specified IpProtocol parameter is invalid. The valid values of this parameter are tcp, udp, icmp, gre, and all.
400 InvalidPriority.ValueNotSupported The parameter Priority is invalid. The error message returned because the specified Priority parameter is invalid.
400 InvalidParam.SourceIp %s The error message returned because the specified SourceCidrIp parameter is invalid.
400 InvalidParam.DestIp %s The error message returned because the specified DestCidrIp parameter is invalid.
400 InvalidParam.Ipv6DestCidrIp %s The error message returned because the specified Ipv6DestCidrIp parameter is invalid.
400 InvalidParam.Ipv6SourceCidrIp %s The error message returned because the specified Ipv6SourceCidrIp parameter is invalid.
400 InvalidParam.Ipv4ProtocolConflictWithIpv6Address %s The error message returned because the specified parameter is invalid. Check whether you have entered an IPv6 address under an IPv4 protocol by mistake.
400 InvalidParam.Ipv6ProtocolConflictWithIpv4Address %s The error message returned because the specified parameter is invalid. Check whether you have entered an IPv4 address under an IPv6 protocol by mistake.
400 ILLEGAL_IPV6_CIDR %s The error message returned because the specified IPv6 address is invalid.
400 InvalidSourcePortRange.Malformed The specified parameter "SourcePortRange" is not valid. The error message returned because the specified SourcePortRange parameter is invalid.
500 InternalError The request processing has failed due to some unknown error. The error message returned because an internal error has occurred. Try again later. If the error persists, submit a ticket.
403 InvalidDestGroupId.Mismatch NicType is required or NicType expects intranet. The error message returned because the NicType parameter is not specified or is not set to intranet.
403 MissingParameter The input parameter "DestGroupId" or "DestCidrIp" cannot be both blank. The error message returned because both the DestGroupId and DestCidrIp parameters are empty.
403 AuthorizationLimitExceed The limit of authorization records in the security group reaches. The error message returned because the maximum number of rules in the security group has been reached.
403 InvalidParamter.Conflict The specified SecurityGroupId should be different from the SourceGroupId. The error message returned because the destination security group is the same as the source security group.
403 InvalidNetworkType.Conflict The specified SecurityGroup network type should be same with SourceGroup network type (vpc or classic). The error message returned because the network type of the destination security group is different from that of the source security group.
403 InvalidSecurityGroup.IsSame The authorized SecurityGroupId should be different from the DestGroupId. The error message returned because the ID of the source security group is the same as that of the destination security group.
403 InvalidOperation.ResourceManagedByCloudProduct %s The error message returned because you cannot modify security groups managed by cloud services.
404 InvalidSecurityGroupId.NotFound The specified SecurityGroupId does not exist. The error message returned because the specified security group does not exist within this account. Check whether the security group ID is correct.
404 InvalidDestGroupId.NotFound The DestGroupId provided does not exist in our records. The error message returned because the specified destination security group does not exist.
404 InvalidPrefixListId.NotFound The specified prefix list was not found. The error message returned because the specified prefix list does not exist.
404 NotSupported.GrayFunction The prefix list is a gray-scale function, not currently supported. The error message returned because this operation is not supported. The prefix list feature is in invitational preview.

For a list of error codes, visit the API Error Center.