If you have authorized internal network communication between Elastic Compute Service (ECS) instances across different accounts in a specific region, you can delete security group rules to revoke the authorization for internal network communication. This topic describes how to call the RevokeSecurityGroup operation to delete the security group rules that authorized internal network communication between two ECS instances in a region.
For information about the RevokeSecurityGroup operation, see RevokeSecurityGroup.
Prerequisites
An Alibaba Cloud account is created. To create an Alibaba Cloud account, go to the Sign up to Alibaba Cloud page.
An Elastic Compute Service (ECS) instance is created. Alibaba Cloud CLI is installed on the instance. For information about how to install Alibaba Cloud CLI on different operating systems, see the following topics:
Preparations
Before you start, you must prepare two ECS instances that have the following configurations in a region:
Account names: the names of the accounts to which the instances belong and that you use to log on to the ECS console.
Security group IDs of the instances: the IDs of the security groups to which the instances belong. For more information, see Search for security groups.
Region ID of the instances: the ID of the region where the two instances reside. Example: cn-beijing, which indicates the China (Beijing) region. For more information about regions, see Regions and Zones.
The following table provides information about the two instances.
Account   | Account name | Instance   | Security group | Security group ID
Account A | a@aliyun.com | Instance A | sg1            | sg-bp1azkttqpldxgtedXXX
Account B | b@aliyun.com | Instance B | sg2            | sg-bp15ed6xe1yxeycg7XXX
The preceding information is for reference only. Before you run the following commands, replace the values of the parameters with actual values.
Procedure
Connect to the two ECS instances.
For more information, see Connection method overview.
Run the following command on Instance A to delete the security group rule in the sg1 security group that controls traffic from the sg2 source security group:
aliyun ecs RevokeSecurityGroup --SecurityGroupId sg-bp1azkttqpldxgtedXXX --RegionId cn-beijing --IpProtocol all --PortRange -1/-1 --SourceGroupId sg-bp15ed6xe1yxeycg7XXX --SourceGroupOwnerAccount b@aliyun.com --NicType intranet
Run the following command on Instance B to delete the security group rule in the sg2 security group that controls traffic from the sg1 source security group:
aliyun ecs RevokeSecurityGroup --SecurityGroupId sg-bp15ed6xe1yxeycg7XXX --RegionId cn-beijing --IpProtocol all --PortRange -1/-1 --SourceGroupId sg-bp1azkttqpldxgtedXXX --SourceGroupOwnerAccount a@aliyun.com --NicType intranet
Run the following command on the two instances to test the connectivity between the instances over the internal network:
ping <Private IP address of the other ECS instance>
If the ping tests fail, the authorization for internal network communication between the instances in different accounts is revoked.
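RevokeSecurityGroup only removes a rule whose attributes (protocol, port range, source group, owner account, NIC type) match the request exactly, so a hand-typed command that differs from the rule in any field removes nothing, and a ping that fails for an unrelated reason can hide that. The following Python script is an added example, not part of the Alibaba Cloud documentation or CLI: it reads the rule list of a security group, selects the ingress rules that trust the other account's security group, emits a RevokeSecurityGroup command for each one built from the rule's own fields, and checks afterwards that no such rule remains. It assumes the JSON layout returned by `aliyun ecs DescribeSecurityGroupAttribute` (rules under Permissions.Permission with IpProtocol, PortRange, SourceGroupId, SourceGroupOwnerAccount, NicType and Direction fields); the two samples embedded below are constructed for the sg1/sg2 values in the table above, not captured from a real account.

```python
"""Build exact-match RevokeSecurityGroup commands from a described rule list.

Added example (not Alibaba Cloud's own code). Assumes the response shape of
`aliyun ecs DescribeSecurityGroupAttribute`: rules live under
Permissions.Permission, each with IpProtocol, PortRange, SourceGroupId,
SourceGroupOwnerAccount, NicType and Direction.
"""
import json
import shlex

# Constructed sample: sg1 (account A) while the cross-account rule from sg2
# (account B) still exists, plus an unrelated CIDR rule that must be left alone.
SAMPLE_SG1_BEFORE = json.dumps({
    "SecurityGroupId": "sg-bp1azkttqpldxgtedXXX",
    "RegionId": "cn-beijing",
    "Permissions": {"Permission": [
        {"IpProtocol": "ALL", "PortRange": "-1/-1", "Direction": "ingress",
         "NicType": "intranet", "Policy": "Accept", "Priority": "1",
         "SourceGroupId": "sg-bp15ed6xe1yxeycg7XXX",
         "SourceGroupOwnerAccount": "b@aliyun.com"},
        {"IpProtocol": "TCP", "PortRange": "22/22", "Direction": "ingress",
         "NicType": "intranet", "Policy": "Accept", "Priority": "1",
         "SourceCidrIp": "10.0.0.0/8"},
    ]},
})

# Constructed sample: the same group re-described after the revoke succeeded.
SAMPLE_SG1_AFTER = json.dumps({
    "SecurityGroupId": "sg-bp1azkttqpldxgtedXXX",
    "RegionId": "cn-beijing",
    "Permissions": {"Permission": [
        {"IpProtocol": "TCP", "PortRange": "22/22", "Direction": "ingress",
         "NicType": "intranet", "Policy": "Accept", "Priority": "1",
         "SourceCidrIp": "10.0.0.0/8"},
    ]},
})


def cross_account_rules(attribute_json, peer_group_id, peer_account):
    """Ingress rules in the described group that trust the peer group owned
    by the other account. CIDR rules and rules from other groups are ignored."""
    data = json.loads(attribute_json)
    rules = data.get("Permissions", {}).get("Permission", [])
    return [
        r for r in rules
        if r.get("Direction", "ingress") == "ingress"
        and r.get("SourceGroupId") == peer_group_id
        and r.get("SourceGroupOwnerAccount") == peer_account
    ]


def revoke_command(region_id, group_id, rule):
    """One `aliyun ecs RevokeSecurityGroup` invocation whose parameters are
    copied from the existing rule, so the revoke matches it exactly. The API
    reports IpProtocol in upper case; the CLI accepts the lower-case form used
    in this topic, so it is normalised here."""
    args = [
        "aliyun", "ecs", "RevokeSecurityGroup",
        "--SecurityGroupId", group_id,
        "--RegionId", region_id,
        "--IpProtocol", rule["IpProtocol"].lower(),
        "--PortRange", rule["PortRange"],
        "--SourceGroupId", rule["SourceGroupId"],
        "--SourceGroupOwnerAccount", rule["SourceGroupOwnerAccount"],
        "--NicType", rule["NicType"],
    ]
    return " ".join(shlex.quote(a) for a in args)


def revoke_commands(attribute_json, region_id, group_id, peer_group_id, peer_account):
    """All revoke commands needed to drop every rule that trusts the peer group."""
    return [revoke_command(region_id, group_id, r)
            for r in cross_account_rules(attribute_json, peer_group_id, peer_account)]


def authorization_revoked(attribute_json, peer_group_id, peer_account):
    """True when the re-described group holds no rule trusting the peer group.
    This is a stronger check than the ping test, which other rules can affect."""
    return not cross_account_rules(attribute_json, peer_group_id, peer_account)


if __name__ == "__main__":
    # Account A's side: revoke the rule in sg1 that trusts sg2 of account B.
    for cmd in revoke_commands(SAMPLE_SG1_BEFORE, "cn-beijing",
                               "sg-bp1azkttqpldxgtedXXX",
                               "sg-bp15ed6xe1yxeycg7XXX", "b@aliyun.com"):
        print(cmd)
    print("revoked:", authorization_revoked(SAMPLE_SG1_AFTER,
                                            "sg-bp15ed6xe1yxeycg7XXX", "b@aliyun.com"))
```

Run the script on Instance A after exporting the JSON from `aliyun ecs DescribeSecurityGroupAttribute` for sg1; the emitted command is the same one shown in the procedure above. Repeat with the sg2/sg1 values on Instance B, and re-describe each group after revoking to confirm that no cross-account rule remains before relying on the ping test.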