
Elastic Compute Service:Revoke the authorization for internal network communication between ECS instances in different accounts by using the API

Last Updated:Mar 29, 2024

If you have authorized internal network communication between Elastic Compute Service (ECS) instances across different accounts in a specific region, you can delete security group rules to revoke the authorization for internal network communication. This topic describes how to call the RevokeSecurityGroup operation to delete the security group rules that authorized internal network communication between two ECS instances in a region.

For information about the RevokeSecurityGroup operation, see RevokeSecurityGroup.

Prerequisites

  • An Alibaba Cloud account is created. To create an Alibaba Cloud account, go to the Sign up to Alibaba Cloud page.

  • An Elastic Compute Service (ECS) instance is created. Alibaba Cloud CLI is installed on the instance. For information about how to install Alibaba Cloud CLI on different operating systems, see the following topics:

Preparations

Before you start, you must prepare two ECS instances that have the following configurations in a region:

  • Account names: the names of the accounts to which the instances belong and that you use to log on to the ECS console.

  • Security group IDs of the instances: the IDs of the security groups to which the instances belong. For more information, see Search for security groups.

  • Region ID of the instances: the ID of the region where the two instances reside. Example: cn-beijing, which indicates the China (Beijing) region. For more information about regions, see Regions and Zones.

The following table provides information about the two instances.

  Account    Account name   Instance    Security group   Security group ID
  Account A  a@aliyun.com   Instance A  sg1              sg-bp1azkttqpldxgtedXXX
  Account B  b@aliyun.com   Instance B  sg2              sg-bp15ed6xe1yxeycg7XXX

Note

The preceding information is for reference only. Before you run the following commands, replace the values of the parameters with actual values.

Procedure

  1. Connect to the two ECS instances.

    For more information, see Connection method overview.

  2. Run the following command on Instance A to delete the security group rule in the sg1 security group that controls traffic from the sg2 source security group:

    aliyun ecs RevokeSecurityGroup --SecurityGroupId sg-bp1azkttqpldxgtedXXX --RegionId cn-beijing --IpProtocol all --PortRange -1/-1 --SourceGroupId sg-bp15ed6xe1yxeycg7XXX --SourceGroupOwnerAccount b@aliyun.com --NicType intranet
  3. Run the following command on Instance B to delete the security group rule in the sg2 security group that controls traffic from the sg1 source security group:

    aliyun ecs RevokeSecurityGroup --SecurityGroupId sg-bp15ed6xe1yxeycg7XXX --RegionId cn-beijing --IpProtocol all --PortRange -1/-1 --SourceGroupId sg-bp1azkttqpldxgtedXXX --SourceGroupOwnerAccount a@aliyun.com --NicType intranet
  4. Run the following command on the two instances to test the connectivity between the instances over the internal network:

    ping <Private IP address of the other ECS instance>

    If the ping tests fail, the authorization for internal network communication between the instances in different accounts is revoked.
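A ping test only shows that traffic is blocked at that moment; RevokeSecurityGroup deletes a rule only when every parameter (protocol, port range, source group, owner account, NIC type) matches the existing rule, so a near-miss leaves the cross-account authorization in place. The following added example, which is not part of the original topic, checks the output of a DescribeSecurityGroupAttribute call for rules that still authorize a security group owned by another account and whether the revoke parameters from step 2 would match them. The JSON is a constructed sample, and the response field names are an assumption based on the ECS API.

```python
import json

# Constructed sample: a DescribeSecurityGroupAttribute response for sg1
# (Account A) in which the cross-account rule from sg2 still exists.
# Field names (Permissions.Permission, SourceGroupId, ...) are assumed
# to follow the ECS API response format.
SAMPLE_SG1_ATTRIBUTE = json.dumps({
    "SecurityGroupId": "sg-bp1azkttqpldxgtedXXX",
    "Permissions": {"Permission": [
        {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "ALL",
         "PortRange": "-1/-1", "NicType": "intranet",
         "SourceGroupId": "sg-bp15ed6xe1yxeycg7XXX",
         "SourceGroupOwnerAccount": "b@aliyun.com", "SourceCidrIp": ""},
        {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP",
         "PortRange": "22/22", "NicType": "intranet",
         "SourceGroupId": "", "SourceGroupOwnerAccount": "",
         "SourceCidrIp": "10.0.0.0/8"},
    ]},
})


def cross_account_rules(attribute_json: str, own_account: str) -> list:
    """Return ingress rules whose source is a security group owned by another account."""
    data = json.loads(attribute_json)
    rules = data.get("Permissions", {}).get("Permission", [])
    return [r for r in rules
            if r.get("Direction") == "ingress"
            and r.get("SourceGroupId")
            and r.get("SourceGroupOwnerAccount")
            and r.get("SourceGroupOwnerAccount") != own_account]


def revoke_matches(rule: dict, ip_protocol: str, port_range: str,
                   source_group_id: str, source_group_owner: str,
                   nic_type: str) -> bool:
    """True if a RevokeSecurityGroup call with these parameters targets this rule.

    Every attribute must match; the protocol is compared case-insensitively
    because the CLI accepts 'all' while the response reports 'ALL'.
    """
    return (rule.get("IpProtocol", "").lower() == ip_protocol.lower()
            and rule.get("PortRange") == port_range
            and rule.get("SourceGroupId") == source_group_id
            and rule.get("SourceGroupOwnerAccount") == source_group_owner
            and rule.get("NicType") == nic_type)


def revoke_complete(attribute_json: str, own_account: str) -> bool:
    """True when no rule authorizing another account's security group remains."""
    return not cross_account_rules(attribute_json, own_account)
```

Run the same check against the sg2 attribute from Account B after step 3; both sides must report no remaining cross-account rule before the authorization is fully revoked.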