If you have authorized internal network communication between ECS instances that belong to different accounts in the same region, you can revoke the security group authorization by calling the RevokeSecurityGroup API operation.


Prerequisites

  • An Alibaba Cloud account is created. To create an Alibaba Cloud account, go to the Alibaba Cloud official website.
  • Alibaba Cloud Command-Line Interface (CLI) is installed for the ECS instance. For information about how to install Alibaba Cloud CLI in different operating systems, see the following topics:

Background information

In this topic, the RevokeSecurityGroup operation is used to revoke authorized security group rules. Before you start, you must prepare the following information:
  • Account name: the name of the account that you use to log on to the ECS console.
  • Security group IDs of the ECS instances: the IDs of the security groups to which the instances involved belong.

    You can query the security group IDs in the ECS console or by calling the DescribeSecurityGroupReferences operation.

  • Region IDs of the ECS instances: See Regions and zones. cn-beijing is used in this example.

Assume that the information of the two accounts is as follows.

Account    Account name  Security group  Security group ID
Account A  a@aliyun.com  sg1             sg-bp1azkttqpldxgtedXXX
Account B  b@aliyun.com  sg2             sg-bp15ed6xe1yxeycg7XXX


Procedure

  1. Run the following command for Account A:
    aliyun ecs RevokeSecurityGroup --SecurityGroupId sg-bp1azkttqpldxgtedXXX --RegionId cn-beijing --IpProtocol all --PortRange -1/-1 --SourceGroupId sg-bp15ed6xe1yxeycg7XXX --SourceGroupOwnerAccount b@aliyun.com --NicType intranet
  2. Run the following command for Account B:
    aliyun ecs RevokeSecurityGroup --SecurityGroupId sg-bp15ed6xe1yxeycg7XXX --RegionId cn-beijing --IpProtocol all --PortRange -1/-1 --SourceGroupId sg-bp1azkttqpldxgtedXXX --SourceGroupOwnerAccount a@aliyun.com --NicType intranet
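
To confirm that the authorization is gone on both sides, the following added example (not part of the original topic or of Alibaba Cloud's own tooling) lists any ingress rule that still references the peer security group, whatever its protocol or port range. It assumes that you saved the JSON output of `aliyun ecs DescribeSecurityGroupAttribute` for each group and that the rules appear under `Permissions.Permission`; the sample responses and the function name `residual_peer_rules` are constructed for illustration.

```python
import json

# Constructed sample for Account A's group (sg1): the all/-1/-1 rule is gone,
# but a narrower tcp 22/22 grant to Account B's group (sg2) is still present.
SAMPLE_A = json.dumps({
    "SecurityGroupId": "sg-bp1azkttqpldxgtedXXX",
    "RegionId": "cn-beijing",
    "Permissions": {"Permission": [
        {"Direction": "ingress", "IpProtocol": "TCP", "PortRange": "22/22",
         "SourceGroupId": "sg-bp15ed6xe1yxeycg7XXX",
         "SourceGroupOwnerAccount": "b@aliyun.com", "NicType": "intranet"},
        {"Direction": "ingress", "IpProtocol": "TCP", "PortRange": "443/443",
         "SourceCidrIp": "10.0.0.0/8", "NicType": "intranet"},
    ]},
})

# Constructed sample for Account B's group (sg2): no rules remain.
SAMPLE_B = json.dumps({
    "SecurityGroupId": "sg-bp15ed6xe1yxeycg7XXX",
    "RegionId": "cn-beijing",
    "Permissions": {"Permission": []},
})


def residual_peer_rules(describe_output, peer_group_id):
    """Return the ingress rules that still name peer_group_id as their source."""
    doc = json.loads(describe_output)
    rules = (doc.get("Permissions") or {}).get("Permission") or []
    leftovers = []
    for rule in rules:
        if rule.get("SourceGroupId") != peer_group_id:
            continue  # CIDR-based rule or a rule for some other group
        if rule.get("Direction", "ingress").lower() != "ingress":
            continue
        leftovers.append({key: rule.get(key) for key in (
            "IpProtocol", "PortRange", "NicType", "SourceGroupOwnerAccount")})
    return leftovers


if __name__ == "__main__":
    checks = [("sg1", SAMPLE_A, "sg-bp15ed6xe1yxeycg7XXX"),
              ("sg2", SAMPLE_B, "sg-bp1azkttqpldxgtedXXX")]
    for name, output, peer in checks:
        found = residual_peer_rules(output, peer)
        print(name, "still authorizes peer:" if found else "clean", found or "")
```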