Deletes one or more outbound security group rules. After the rules are deleted, the access control implemented by them is revoked.

Description

In the security group-related API documents, outbound traffic refers to the traffic sent by the source and received by the destination.

When you call this operation, take note of the following items:

  • The Permissions.N prefix is added to some parameters to generate new parameters. Original parameters and corresponding parameters prefixed with Permissions.N cannot be specified together. We recommend that you use parameters prefixed with Permissions.N.
  • If the specified outbound security group rule does not exist, the call to RevokeSecurityGroupEgress is successful but no security group rule is deleted.
  • You can determine a security group rule by specifying one of the following groups of parameters. You cannot determine a security group rule by specifying only one parameter.
    • Parameters used to delete an outbound security group rule that controls access to a specified CIDR block: IpProtocol, PortRange, SourcePortRange (optional), NicType, Policy, DestCidrIp, and SourceCidrIp (optional).
      
              http(s)://ecs.aliyuncs.com/?Action=RevokeSecurityGroupEgress
              &SecurityGroupId=sg-bp67acfmxazb4ph***
              &Permissions.1.IpProtocol=TCP
              &Permissions.1.DestCidrIp=10.0.0.0/8
              &Permissions.1.PortRange=-22/22
              &Permissions.1.NicType=intranet
              &Permissions.1.Policy=accept
              &<Common request parameters>
              
    • Parameters used to delete an outbound security group rule that controls access to another security group: IpProtocol, PortRange, SourcePortRange (optional), NicType, Policy, SourceCidrIp (optional), and DestGroupId.
      
              http(s)://ecs.aliyuncs.com/?Action=RevokeSecurityGroupEgress
              &SecurityGroupId=sg-bp67acfmxazb4ph***
              &Permissions.1.DestGroupId=sg-bp67acfmxa123b****
              &Permissions.1.IpProtocol=TCP
              &Permissions.1.PortRange=22/22
              &Permissions.1.NicType=intranet
              &Permissions.1.Policy=accept
              &<Common request parameters>
              
    • Parameters used to delete an outbound security group rule that controls access to a prefix list: IpProtocol, PortRange, SourcePortRange (optional), NicType, Policy, SourceCidrIp (optional), and DestPrefixListId.
      
              http(s)://ecs.aliyuncs.com/?Action=RevokeSecurityGroupEgress
              &SecurityGroupId=sg-bp67acfmxazb4ph***
              &Permissions.1.IpProtocol=TCP
              &Permissions.1.DestPrefixListId=pl-x1j1k5ykzqlixdcy****
              &Permissions.1.PortRange=-22/22
              &Permissions.1.NicType=intranet
              &Permissions.1.Policy=accept
              &<Common request parameters>
              

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer. OpenAPI Explorer dynamically generates the sample code of the operation for different SDKs.

Request parameters

Parameter Type Required Example Description
Action String Yes RevokeSecurityGroupEgress

The operation that you want to perform. Set the value to RevokeSecurityGroupEgress.

RegionId String Yes cn-hangzhou

The region ID of the security group. You can call the DescribeRegions operation to query the most recent region list.

ClientToken String No 473469C7-AA6F-4DC5-B3DB-A3DC0DE3C83E

The client token that is used to ensure the idempotence of the request. You can use the client to generate the value, but you must make sure that it is unique among different requests. The ClientToken value can contain only ASCII characters and cannot exceed 64 characters in length. For more information, see How to ensure idempotence.

SecurityGroupId String Yes sg-bp67acfmxazb4p****

The ID of the security group.

Permissions.N.Policy String No accept

The action of security group rule N that determines whether to allow outbound access. Valid values:

  • accept: allows access.
  • drop: denies access and returns no responses. In this case, the request times out or the connection cannot be established.

Default value: accept.

Valid values of N: 1 to 100.

Permissions.N.Priority String No 1

The priority of security group rule N. A smaller value indicates a higher priority. Valid values: 1 to 100.

Default value: 1.

Valid values of N: 1 to 100.

Permissions.N.IpProtocol String No TCP

The transport layer protocol of security group rule N. The value of this parameter is case-insensitive. Valid values:

  • TCP
  • UDP
  • ICMP
  • ICMPv6
  • GRE
  • ALL: All protocols are supported.

Valid values of N: 1 to 100.

Permissions.N.DestCidrIp String No 10.0.0.0/8

The destination IPv4 CIDR block for security group rule N. CIDR blocks and IPv4 addresses are supported.

Valid values of N: 1 to 100.

Permissions.N.Ipv6DestCidrIp String No 2001:db8:1233:1a00::***

The destination IPv6 CIDR block for security group rule N. CIDR blocks and IPv6 addresses are supported.

Valid values of N: 1 to 100.

Note The Permissions.N.Ipv6DestCidrIp parameter is valid only when the destination is ECS instances that reside in virtual private clouds (VPCs) and that support IPv6 CIDR blocks. You cannot specify both this parameter and the DestCidrIp parameter.
Permissions.N.DestGroupId String No sg-bp67acfmxa123b****

The ID of the source security group that is referenced in security group rule N.

  • At least one of DestGroupId, DestCidrIp, Ipv6DestCidrIp, and DestPrefixListId must be specified.
  • If DestGroupId is specified but DestCidrIp is not specified, the NicType parameter must be set to intranet.
  • If both DestGroupId and DestCidrIp are specified, DestCidrIp takes precedence.

Take note of the following items:

  • For advanced security groups, security groups cannot be used as authorization objects.
  • For each basic security group, a maximum of 20 security groups can be used as authorization objects.

Valid values of N: 1 to 100.

Permissions.N.DestPrefixListId String No pl-x1j1k5ykzqlixdcy****

The ID of the destination prefix list that is referenced in security group rule N. You can call the DescribePrefixLists operation to query the IDs of available prefix lists.

Take note of the following items:

  • If a security group is in the classic network, you cannot reference prefix lists in the security group rules. For information about the limits on security groups and prefix lists, see the "Security group limits" section in Limits.
  • If you specify DestCidrIp, Ipv6DestCidrIp, or DestGroupId, Permissions.N.DestPrefixListId is ignored.

Valid values of N: 1 to 100.

Permissions.N.PortRange String No 22/22

The range of destination ports that correspond to the transport layer protocol for security group rule N. Valid values:

  • When the Permissions.N.IpProtocol parameter is set to TCP or UDP, the port number range is 1 to 65535. Specify a port range in the format of <Start port number>/<End port number>. Example: 1/200.
  • When the Permissions.N.IpProtocol parameter is set to ICMP, the port number range is -1/-1, which indicates all ports.
  • When the Permissions.N.IpProtocol parameter is set to GRE, the port number range is -1/-1, which indicates all ports.
  • When the Permissions.N.IpProtocol parameter is set to ALL, the port number range is -1/-1, which indicates all ports.

Valid values of N: 1 to 100.

Permissions.N.SourceCidrIp String No 10.0.0.0/8

The source IPv4 CIDR block for security group rule N. CIDR blocks and IPv4 addresses are supported.

This parameter is specified to meet quintuple rules. For more information, see Security group quintuple rules.

Valid values of N: 1 to 100.

Permissions.N.Ipv6SourceCidrIp String No 2001:db8:1234:1a00::***

The source IPv6 CIDR block for security group rule N. CIDR blocks and IPv6 addresses are supported.

This parameter is specified to meet quintuple rules. For more information, see Security group quintuple rules.

Valid values of N: 1 to 100.

Note The Permissions.N.Ipv6SourceCidrIp parameter is valid only when the source is ECS instances that reside in VPCs and that support IPv6 CIDR blocks. You cannot specify both this parameter and the DestCidrIp parameter.
Permissions.N.SourcePortRange String No 22/22

The range of source ports that correspond to the transport layer protocol for security group rule N. Valid values:

  • When the Permissions.N.IpProtocol parameter is set to TCP or UDP, the port number range is 1 to 65535. Specify a port range in the format of <Start port number>/<End port number>. Example: 1/200.
  • When the Permissions.N.IpProtocol parameter is set to ICMP, the port number range is -1/-1, which indicates all ports.
  • When the Permissions.N.IpProtocol parameter is set to GRE, the port number range is -1/-1, which indicates all ports.
  • When the Permissions.N.IpProtocol parameter is set to ALL, the port number range is -1/-1, which indicates all ports.

This parameter is specified to meet quintuple rules. For more information, see Security group quintuple rules.

Valid values of N: 1 to 100.

Permissions.N.DestGroupOwnerAccount String No Test@aliyun.com

The Alibaba Cloud account that manages the destination security group when you delete security group rules N across accounts.

  • If both DestGroupOwnerAccount and DestGroupOwnerId are not specified, the access control is revoked from another security group managed by your account.
  • If DestCidrIp is specified, DestGroupOwnerAccount is ignored.

Valid values of N: 1 to 100.

Permissions.N.DestGroupOwnerId String No 12345678910

The Alibaba Cloud account that manages the destination security group when you delete security group rule N across accounts.

  • If both DestGroupOwnerId and DestGroupOwnerAccount are not specified, the access control is revoked from another security group managed by your account.
  • If DestCidrIp is specified, DestGroupOwnerId is invalid.

Valid values of N: 1 to 100.

Permissions.N.NicType String No intranet

The network interface controller (NIC) type of security group rule N when the security group is in the classic network. Valid values:

  • internet: public NIC
  • intranet: internal NIC

If the security group is in a VPC, this parameter is set to intranet by default and cannot be modified.

If you specify only SourceGroupId when you configure access between security groups, this parameter must be set to intranet.

Default value: internet.

Valid values of N: 1 to 100.

Permissions.N.Description String No This is description.

The description of security group rule N. The description must be 1 to 512 characters in length.

Valid values of N: 1 to 100.

Policy String No accept

This parameter is discontinued. Use Permissions.N.Policy to specify whether to allow outbound access.

Priority String No 1

This parameter is discontinued. Use Permissions.N.Priority to specify the rule priority.

IpProtocol String No TCP

This parameter is discontinued. Use Permissions.N.IpProtocol to specify the transport layer protocol.

DestCidrIp String No 10.0.0.0/8

This parameter is discontinued. Use Permissions.N.DestCidrIp to specify the destination IPv4 CIDR block.

Ipv6DestCidrIp String No 2001:db8:1233:1a00::***

This parameter is discontinued. Use Permissions.N.Ipv6DestCidrIp to specify the destination IPv6 CIDR block.

DestGroupId String No sg-bp67acfmxa123b****

This parameter is discontinued. Use Permissions.N.DestGroupId to specify the ID of the destination security group.

DestPrefixListId String No pl-x1j1k5ykzqlixdcy****

This parameter is discontinued. Use Permissions.N.DestPrefixListId to specify the ID of the destination prefix list.

PortRange String No 22/22

This parameter is discontinued. Use Permissions.N.PortRange to specify the range of destination ports.

SourceCidrIp String No 10.0.0.0/8

This parameter is discontinued. Use Permissions.N.SourceCidrIp to specify the source IPv4 CIDR block.

Ipv6SourceCidrIp String No 2001:db8:1234:1a00::***

This parameter is discontinued. Use Permissions.N.Ipv6SourceCidrIp to specify the source IPv6 CIDR block.

SourcePortRange String No 22/22

This parameter is discontinued. Use Permissions.N.SourcePortRange to specify the range of source ports.

DestGroupOwnerAccount String No Test@aliyun.com

This parameter is discontinued. Use Permissions.N.DestGroupOwnerAccount to specify the Alibaba Cloud account that manages the destination security group.

DestGroupOwnerId Long No 12345678910

This parameter is discontinued. Use Permissions.N.DestGroupOwnerId to specify the ID of the Alibaba Cloud account that manages the destination security group.

NicType String No intranet

This parameter is discontinued. Use Permissions.N.NicType to specify the NIC type.

Description String No This is description.

This parameter is discontinued. Use Permissions.N.Description to specify the description of security group rule N.

Response parameters

Parameter Type Example Description
RequestId String 473469C7-AA6F-4DC5-B3DB-A3DC0DE3****

The ID of the request.

Examples

Sample requests

http(s)://ecs.aliyuncs.com/?Action=RevokeSecurityGroupEgress
&RegionId=cn-hangzhou
&ClientToken=473469C7-AA6F-4DC5-B3DB-A3DC0DE3C83E
&SecurityGroupId=sg-bp67acfmxazb4p****
&Permissions.1.IpProtocol=TCP
&Permissions.1.DestCidrIp=10.0.0.0/8
&Permissions.1.PortRange=22/22
&Permissions.1.NicType=intranet
&Permissions.1.Policy=Accept
&<Common request parameters>

Sample success responses

XML format

HTTP/1.1 200 OK
Content-Type:application/xml

<RevokeSecurityGroupEgressResponse>
    <RequestId>473469C7-AA6F-4DC5-B3DB-A3DC0DE3****</RequestId>
</RevokeSecurityGroupEgressResponse>

JSON format

HTTP/1.1 200 OK
Content-Type:application/json

{
  "RequestId" : "473469C7-AA6F-4DC5-B3DB-A3DC0DE3****"
}

Error codes

HTTP status code Error code Error message Description
400 InvalidDestGroupId.Mismatch Specified security group and destination group are not in the same VPC. The error message returned because the specified source and destination security groups do not belong to the same VPC.
400 VPCDisabled Can't use the SecurityGroup in VPC. The error message returned because the VPC does not support security groups.
400 InvalidDestCidrIp.Malformed The specified parameter "DestCidrIp" is not valid. The error message returned because the specified DestCidrIp parameter is invalid.
400 InvalidPriority.Malformed The parameter Priority is invalid. The error message returned because the specified Priority parameter is invalid.
400 InvalidDestCidrIp.Malformed The specified parameter DestCidrIp is not valid. The error message returned because the specified DestCidrIp parameter is invalid.
400 InvalidParam.SourceIp %s The error message returned because the specified SourceCidrIp parameter is invalid.
400 InvalidParam.DestIp %s The error message returned because the specified DestCidrIp parameter is invalid.
400 InvalidParam.Ipv6DestCidrIp %s The error message returned because the specified Ipv6DestCidrIp parameter is invalid.
400 InvalidParam.Ipv6SourceCidrIp %s The error message returned because the specified Ipv6SourceCidrIp parameter is invalid.
400 InvalidParam.Ipv4ProtocolConflictWithIpv6Address %s The error message returned because the specified parameter is invalid. Check whether you have entered an IPv6 address under an IPv4 protocol by mistake.
400 InvalidParam.Ipv6ProtocolConflictWithIpv4Address %s The error message returned because the specified parameter is invalid. Check whether you have entered an IPv4 address under an IPv6 protocol by mistake.
400 ILLEGAL_IPV6_CIDR %s The error message returned because the specified IPv6 address is invalid.
400 InvalidSecurityGroupDiscription.Malformed The specified security group rule description is not valid. The error message returned because the specified Description parameter is invalid.
400 NotSupported.ClassicNetworkPrefixList The prefix list is not supported when the network type of security group is classic. The error message returned because security groups in the classic network do not support prefix lists.
400 InvalidParam.SourceCidrIp The specified param SourceCidrIp is not valid. The error message returned because the specified SourceCidrIp parameter is invalid.
400 InvalidParam.DestCidrIp The specified parameter DestCidrIp is invalid. The error message returned because the specified DestCidrIp parameter is invalid.
400 InvalidParam.Permissions The specified parameter Permissions cannot coexist with other parameters. The error message returned because a parameter with the Permissions prefix cannot be specified at the same time as the corresponding parameter without the Permissions prefix.
400 InvalidParam.DuplicatePermissions There are duplicate permissions in the specified parameter Permissions. The error message returned because the security group rules specified by the parameters with the Permissions prefix are duplicate.
403 InvalidNicType.Mismatch Specified nic type conflicts with the authorization record. The error message returned because the specified NIC type does not match the authorization object of the security group rule.
403 InvalidGroupAuthItem.NotFound Specified group authorized item does not exist in our records. The error message returned because the specified authorized security group does not exist.
403 InvalidSecurityGroup.IsSame The authorized SecurityGroupId should be different from the DestGroupId. The error message returned because the ID of the source security group is the same as that of the destination security group.
403 InvalidParamter.Conflict The specified SecurityGroupId should be different from the SourceGroupId. The error message returned because the destination security group is the same as the source security group.
403 InvalidOperation.ResourceManagedByCloudProduct %s The error message returned because security groups managed by cloud services cannot be modified.
404 InvalidSecurityGroupId.NotFound The specified SecurityGroupId does not exist. The error message returned because the specified security group does not exist in this account. Check whether the security group ID is correct.
404 InvalidDestGroupId.NotFound The DestGroupId provided does not exist in our records. The error message returned because the specified DestGroupId parameter does not exist.
404 InvalidPrefixListId.NotFound The specified prefix list was not found. The error message returned because the specified prefix list does not exist.
404 InvalidSecurityGroupId.NotFound %s The error message returned because the specified SecurityGroupId parameter does not exist.
500 InternalError The request processing has failed due to some unknown error. The error message returned because an internal error has occurred. Try again later. If the error persists, submit a ticket.

For a list of error codes, visit the API Error Center.