DocsICP FilingConsole
官方文档
首页

AuthorizeSecurityGroup

更新时间:
复制 MD 格式
产品详情
我的收藏

Creates inbound security group rules in a security group. You can use the created rules to allow or deny inbound traffic from other objects to Elastic Compute Service (ECS) instances in the security group for fine-grained network access control.

Operation description

使用须知

  • 数量限制: 单张弹性网卡关联的所有安全组的规则(包括入方向规则与出方向规则)数量之和不能超过 1000。具体限制请参见安全组使用限制

  • 优先级设置: 安全组入方向规则优先级(Priority)可选范围为 1~100。数字越小,代表优先级越高,优先级相同的安全组规则,优先以拒绝访问(drop)的规则为准。

注意事项

如果指定的安全组规则已存在,此次调用成功,但不会增加规则。

规则确定方式

确定一条安全组入方向规则必要的一组相关参数:

  • 源端设置:选择 SourceCidrIp(IPv4 地址)、Ipv6SourceCidrIp(IPv6 地址)、SourcetPrefixListId(前缀列表 ID)、SourceGroupId(源端安全组)中的一项。

  • 目的端口范围:PortRange。

  • 协议类型:IpProtocol。

  • 权限策略:Policy。

Note

企业安全组不支持授权其他安全组访问,普通安全组支持授权的安全组数量最多为 20 个。

请求示例

假设要在杭州地域下指定安全组中增加几条不同源端的入方向规则:

  • 增加指定 IP 地址段的访问权限。

    "RegionId":"cn-hangzhou", //设置地域
"SecurityGroupId":"sg-bp67acfmxazb4p****", //设置安全组
"Permissions":[
     {
       "SourceCidrIp":"10.0.0.0/8", //设置源端 IPv4 地址
       "PortRange":"22/22", //设置端口范围
       "IpProtocol":"TCP", //设置协议类型
       "Policy":"Accept" //设置访问策略
     }
]

  • 增加一条其他安全组和一条前缀列表的访问权限。

    "RegionId":"cn-hangzhou",
"SecurityGroupId":"sg-bp67acfmxazb4p****",
"Permissions":[
     {
       "SourceGroupId":"sg-bp17vs63txqxbd****", //设置源端安全组
       "PortRange":"22/22",
       "IpProtocol":"TCP",
       "Policy":"Drop"
     },{
       "SourcePrefixListId":"pl-x1j1k5ykzqlixdcy****", //设置源端前缀列表
       "PortRange":"22/22",
       "IpProtocol":"TCP",
       "Policy":"Drop"
     }
]

Try it now

Try this API in OpenAPI Explorer, no manual signing needed. Successful calls auto-generate SDK code matching your parameters. Download it with built-in credential security for local usage.

Test

RAM authorization

The table below describes the authorization required to call this API. You can define it in a Resource Access Management (RAM) policy. The table's columns are detailed below:

  • Action: The actions can be used in the Action element of RAM permission policy statements to grant permissions to perform the operation.

  • API: The API that you can call to perform the action.

  • Access level: The predefined level of access granted for each API. Valid values: create, list, get, update, and delete.

  • Resource type: The type of the resource that supports authorization to perform the action. It indicates if the action supports resource-level permission. The specified resource must be compatible with the action. Otherwise, the policy will be ineffective.

    • For APIs with resource-level permissions, required resource types are marked with an asterisk (*). Specify the corresponding Alibaba Cloud Resource Name (ARN) in the Resource element of the policy.

    • For APIs without resource-level permissions, it is shown as All Resources. Use an asterisk (*) in the Resource element of the policy.

  • Condition key: The condition keys defined by the service. The key allows for granular control, applying to either actions alone or actions associated with specific resources. In addition to service-specific condition keys, Alibaba Cloud provides a set of common condition keys applicable across all RAM-supported services.

  • Dependent action: The dependent actions required to run the action. To complete the action, the RAM user or the RAM role must have the permissions to perform all dependent actions.

Action

Access level

Resource type

Condition key

Dependent action

ecs:AuthorizeSecurityGroup

create

*All Resource

*
  • ecs:SecurityGroupIpProtocols
  • ecs:SecurityGroupSourceCidrIps
 None

Request parameters

Parameter

Type

Required

Description

Example
RegionId

string

Yes

The region ID of the security group. You can call the DescribeRegions operation to query the most recent region list.

cn-hangzhou
RegionId

string

Yes

The region ID of the security group. You can call the DescribeRegions operation to query the most recent region list.

cn-hangzhou
RegionId

string

Yes

The region ID of the security group. You can call the DescribeRegions operation to query the most recent region list.

cn-hangzhou
ClientToken

string

No

The client token that is used to ensure the idempotence of the request. You can use the client to generate the token, but you must make sure that the token is unique among different requests The token can contain only ASCII characters and cannot exceed 64 characters in length. For more information, see How to ensure idempotence.

123e4567-e89b-12d3-a456-426655440000
ClientToken

string

No

The client token that is used to ensure the idempotence of the request. You can use the client to generate the token, but you must make sure that the token is unique among different requests The token can contain only ASCII characters and cannot exceed 64 characters in length. For more information, see How to ensure idempotence.

123e4567-e89b-12d3-a456-426655440000
SecurityGroupId

string

Yes

The ID of the security group.

sg-bp67acfmxazb4p****
SecurityGroupId

string

Yes

The ID of the security group.

sg-bp67acfmxazb4p****
Permissions

array<object>

No

An array of security group rules. You can specify 1 to 100 security group rules in a request.

object

No

Security group rule N.

Policy

string

No

The action of the security group rule. Valid values:

  • accept: allows inbound access.

  • drop: denies inbound access and returns no responses. In this case, the request times out or the connection cannot be established.

Default value: accept.

accept
Priority

string

No

The priority of the security group rule. A smaller value specifies a higher priority. Valid values: 1 to 100.

Default value: 1.

1
IpProtocol

string

No

Network Layer /transport layer protocol. Two types of assignments are supported:

  1. The case-insensitive protocol name. Valid value:

  • ICMP

  • GRE

  • TCP

  • UDP

  • ALL: supports all protocols.

  1. The value of the IANA-compliant protocol number, which is an integer from 0 to 255. List of regions currently available:

  • Philippines (Manila)

  • UK (London)

  • Malaysia (Kuala Lumpur)

  • China (Hohhot)

  • China (Qingdao)

  • US (Silicon Valley)

  • Singapore

ALL
SourceCidrIp

string

No

The source IPv4 CIDR block of the security group rule. IPv4 CIDR blocks and IPv4 addresses are supported.

10.0.0.0/8
Ipv6SourceCidrIp

string

No

The source IPv6 CIDR block of the security group rule. IPv6 CIDR blocks and IPv6 addresses are supported.

Note

This parameter is valid only for Elastic Compute Service (ECS) instances that reside in virtual private clouds (VPCs) and support IPv6 CIDR blocks. You cannot specify both this parameter and SourceCidrIp in the same request.

2001:250:6000::***
SourceGroupId

string

No

The ID of the source security group referenced in the security group rule.

  • At least one of SourceGroupId, SourceCidrIp, Ipv6SourceCidrIp, and SourcePrefixListId must be specified.

  • If you specify SourceGroupId but do not specify SourceCidrIp or Ipv6SourceCidrIp, you must set NicType to intranet.

  • If both SourceGroupId and SourceCidrIp are specified, SourceCidrIp takes precedence.

sg-bp67acfmxazb4p****
SourcePrefixListId

string

No

The ID of the source prefix list of the security group rule. You can call the DescribePrefixLists operation to query the IDs of available prefix lists.

Notes:

  • If a security group resides in the classic network, you cannot specify prefix lists in the rules of the security group. For more information about limits on security groups and prefix lists, see Limits on security groups.

  • If you specify SourceCidrIp, Ipv6SourceCidrIp, or SourceGroupId, this parameter is ignored.

pl-x1j1k5ykzqlixdcy****
PortRange

string

No

The range of destination port numbers for the protocols specified in the security group rule. Valid values:

  • TCP/UDP: Valid values: 1 to 65535. Use a forward slash (/) to separate the start and end ports. Example: 1/200.

  • ICMP:-1/-1.

  • GRE:-1/-1.

  • Set the IpProtocol parameter to ALL:-1/-1.

For more information about the application scenarios of ports, see Common ports of typical applications.

80/80
DestCidrIp

string

No

The destination IPv4 CIDR block. IPv4 CIDR blocks and IPv4 addresses are supported.

This parameter is used to support quintuple rules. For more information, see Security group quintuple rules.

10.0.0.0/8
Ipv6DestCidrIp

string

No

The destination IPv6 CIDR block. IP address ranges in the CIDR format and IPv6 format are supported.

This parameter is used to support quintuple rules. For more information, see Security group quintuple rules.

Note

This parameter is valid only for VPC-type ECS instances that support IPv6. This parameter and the DestCidrIp parameter cannot be set at the same time.

2001:250:6000::***
SourcePortRange

string

No

The range of source port numbers for the protocols specified in the security group rule. Default value: Month. Valid values:

  • TCP/UDP: Valid values: 1 to 65535. Use a forward slash (/) to separate the start and end ports. Example: 1/200.

  • ICMP protocol:-1/-1.

  • GRE protocol:-1/-1.

  • If you set IpProtocol to ALL, the port range is -1/-1.

This parameter is used to support quintuple rules. For more information, see Security group quintuple rules.

7000/8000
SourceGroupOwnerAccount

string

No

The Alibaba Cloud account that manages the source security group referenced in the security group rule.

  • If both SourceGroupOwnerAccount and SourceGroupOwnerId are empty, access permissions are configured for another security group in your Alibaba Cloud account.

  • If you specify SourceCidrIp, SourceGroupOwnerAccount becomes invalid.

test@aliyun.com
SourceGroupOwnerId

integer

No

The ID of the Alibaba Cloud account that manages the source security group referenced in the security group rule.

  • If both SourceGroupOwnerAccount and SourceGroupOwnerId are empty, access permissions are configured for another security group in your Alibaba Cloud account.

  • If you specify SourceCidrIp, SourceGroupOwnerAccount becomes invalid.

1234567890
NicType

string

No

The network interface controller (NIC) type of the security group rule if the security group resides in the classic network. Default value: Month. Valid values:

  • internet: public NIC.

  • intranet: internal NIC.

If the security group resides in a VPC, this parameter is set to intranet by default and cannot be modified.

If you specify only DestGroupId when you configure access permissions between security groups, you must set this parameter to intranet.

Default value: internet.

intranet
Description

string

No

The description of the security group rule. The name must be 1 to 512 characters in length.

This is description.
PortRangeListId

string

No

The ID of the port list. You can call the DescribePortRangeLists to query the ID of the port list that can be used.

  • If you specify a Permissions.N.PortRange parameter, this parameter is ignored.

  • If the network type of the security group is classic network, you cannot set the port list. For more information about limits on security groups and ports, see Limits on security groups.

prl-2ze9743****
Policy deprecated

string

No

This parameter is deprecated. Use Permissions.N.Policy to specify whether to allow access.

accept
Priority deprecated

string

No

This parameter is deprecated. Use Permissions.N.Priority to specify the rule priority.

1
IpProtocol deprecated

string

No

This parameter is deprecated. Use Permissions.N.IpProtocol to specify the protocol.

ALL
SourceCidrIp deprecated

string

No

This parameter is deprecated. Use Permissions.N.SourceCidrIp to specify the source IPv4 CIDR block.

10.0.0.0/8
Ipv6SourceCidrIp deprecated

string

No

This parameter is deprecated. Use Permissions.N.Ipv6SourceCidrIp to specify the source IPv6 CIDR block.

2001:250:6000::***
SourceGroupId deprecated

string

No

This parameter is deprecated. Use Permissions.N.SourceGroupId to specify the ID of the source security group.

sg-bp67acfmxazb4p****
SourcePrefixListId deprecated

string

No

This parameter is deprecated. Use Permissions.N.SourcePrefixListId to specify the ID of the source prefix list.

pl-x1j1k5ykzqlixdcy****
PortRange deprecated

string

No

This parameter is deprecated. Use Permissions.N.PortRange to specify the range of destination ports.

22/22
DestCidrIp deprecated

string

No

This parameter is deprecated. Use Permissions.N.DestCidrIp to specify the destination IPv4 CIDR block.

10.0.0.0/8
Ipv6DestCidrIp deprecated

string

No

This parameter is deprecated. Use Permissions.N.Ipv6DestCidrIp to specify the destination IPv6 CIDR block.

null
SourcePortRange deprecated

string

No

This parameter is deprecated. Use Permissions.N.SourcePortRange to specify the range of source ports.

22/22
SourceGroupOwnerAccount deprecated

string

No

This parameter is deprecated. Use Permissions.N.SourceGroupOwnerAccount to specify the Alibaba Cloud account that manages the source security group.

test@aliyun.com
SourceGroupOwnerId deprecated

integer

No

This parameter is deprecated. Use Permissions.N.SourceGroupOwnerId to specify the ID of the Alibaba Cloud account that manages the source security group.

1234567890
NicType deprecated

string

No

This parameter is deprecated. Use Permissions.N.NicType to specify the network interface type.

intranet
Description deprecated

string

No

This parameter is deprecated. Use Permissions.N.Description to specify the rule description.

This is description.

Response elements

Element

Type

Description

Example

object

RequestId

string

The ID of the request.

473469C7-AA6F-4DC5-B3DB-A3DC0DE3****

Examples

Success response

JSON format

{
  "RequestId": "473469C7-AA6F-4DC5-B3DB-A3DC0DE3****"
}

Error codes

HTTP status code

Error code

Error message

Description
400 OperationDenied The specified IpProtocol does not exist or IpProtocol and PortRange do not match. The specified IP protocol does not exist or does not match the specified port range.
400 InvalidIpProtocol.Malformed The specified parameter PortRange is not valid. The specified IpProtocol or PortRange parameter is invalid.
400 InvalidSourceCidrIp.Malformed The specified parameter SourceCidrIp is not valid. The specified source CIDR block is invalid.
400 InvalidPolicy.Malformed The specified parameter Policy is not valid. The specified Policy parameter is invalid.
400 InvalidNicType.ValueNotSupported The specified NicType does not exist. The specified NicType parameter does not exist.
400 InvalidNicType.Mismatch The specified NicType conflicts with the authorization record. The specified NIC type does not match the existing rule.
400 InvalidSourceGroupId.Mismatch Specified security group and source group are not in the same VPC. The specified source and destination security groups do not belong to the same VPC.
400 InvalidSourceGroup.NotFound Specified source security group does not exist. The specified inbound security group rule does not exist, or required parameters are not specified.
400 InvalidPriority.Malformed The parameter Priority is invalid. The specified Priority parameter is invalid.
400 InvalidPriority.ValueNotSupported The specified parameter %s is invalid. The specified Priority parameter is invalid.
400 InvalidSecurityGroupDiscription.Malformed The specified security group rule description parameter %s is not valid. The specified security group rule description is invalid.
400 InvalidSecurityGroup.InvalidNetworkType The specified security group network type is not support this operation, please check the security group network types. For VPC security groups, ClassicLink must be enabled. The operation is not supported while the security group is of the current network type. If the network type is VPC, ClassicLink must be enabled.
400 MissingParameter.Source One of the parameters SourceCidrIp, Ipv6SourceCidrIp, SourceGroupId or SourcePrefixListId in %s must be specified. At least one of the SourceCidrIp, SourceGroupId, and SourcePrefixListId parameters must be specified.
400 InvalidParam.PortRange The specified parameter %s is not valid. It should be two integers less than 65535 in ?/? format. The format of the port range is invalid. Specify the port range in the format of a slash separating two integers.
400 InvalidIpProtocol.ValueNotSupported The parameter %s must be specified with case insensitive TCP, UDP, ICMP, GRE or All. The specified Protocol parameter is invalid. You must set Protocol to a vaule that is case-insensitive, such as TCP, UDP, ICMP, GRE, and All.
400 InvalidSecurityGroupId.Malformed The specified parameter SecurityGroupId is not valid. The specified SecurityGroupId parameter is invalid.
400 InvalidParamter.Conflict The specified SourceCidrIp should be different from the DestCidrIp. The value of SourceCidrIp must be different from that of DestCidrIp.
400 InvalidSourcePortRange.Malformed The specified parameter SourcePortRange is not valid. The specified SourcePortRange parameter is invalid.
400 InvalidPortRange.Malformed The specified parameter PortRange must set. The PortRange parameter must be specified.
400 InvalidParam.SourceIp The Parameters SourceCidrIp and Ipv6SourceCidrIp in %s cannot be set at the same time. The SourceCidrIp and Ipv6SourceCidrIp parameters cannot be specified at the same time.
400 InvalidParam.DestIp The Parameters DestCidrIp and Ipv6DestCidrIp in %s cannot be set at the same time. The DestCidrIp and Ipv6DestCidrIp parameters cannot be specified at the same time.
400 InvalidParam.Ipv6DestCidrIp The specified parameter %s is not valid. The specified Ipv6DestCidrIp parameter is invalid.
400 InvalidParam.Ipv6SourceCidrIp The specified parameter %s is not valid. The specified Ipv6SourceCidrIp parameter is invalid.
400 InvalidParam.Ipv4ProtocolConflictWithIpv6Address IPv6 address cannot be specified for IPv4-specific protocol. IPv6 addresses cannot be specified for instances that use the IPv4 protocol.
400 InvalidParam.Ipv6ProtocolConflictWithIpv4Address IPv4 address cannot be specified for IPv6-specific protocol. IPv4 addresses cannot be specified for instances that use the IPv6 protocol.
400 InvalidParameter.Ipv6CidrIp The specified Ipv6CidrIp is not valid. The specified Ipv6CidrIp parameter is invalid.
400 InvalidGroupAuthParameter.OperationDenied The security group can not authorize to enterprise level security group. Security groups cannot be referenced as authorization objects (destinations or sources) in rules of advanced security groups.
400 InvalidDestCidrIp.Malformed The specified parameter DestCidrIp is not valid. The specified DestCidrIp parameter is invalid.
400 InvalidParameter.Conflict IPv6 and IPv4 addresses cannot exist at the same time. IPv6 and IPv4 addresses cannot be both specified.
400 InvalidParam.PrefixListAddressFamilyMismatch The address family of the specified prefix list does not match the specified CidrIp. The address family of the specified prefix list does not match that of the specified CIDR block.
400 NotSupported.ClassicNetworkPrefixList The prefix list is not supported when the network type of security group is classic. Security groups in the classic network do not support prefix lists.
400 AuthorizedGroupRule.LimitExceed You have reached the limit on the number of group authorization rules that you can add to a security group.When authorization object of rule is security group, the limit is 20. Up to 20 rules in which security groups are specified as authorization objects can be present in a basic security group.
400 InvalidParam.SourceCidrIp The specified parameter %s is not valid. The specified SourceCidrIp parameter is invalid.
400 InvalidParam.DestCidrIp The specified parameter %s is not valid. The specified DestCidrIp parameter is invalid.
400 MissingParameter %s A parameter is not specified.
400 InvalidParam.Permissions The specified parameter Permissions cannot coexist with other parameters. The specified Permissions parameter and other parameters are mutually exclusive.
400 InvalidParam.DuplicatePermissions There are duplicate permissions in the specified parameter Permissions. The specified Permissions parameter contains duplicate permissions.
400 InvalidGroupParameter.OperationDenied The attributes Policy, SourceGroupId, DestGroupId of enterprise level security groups are not allowed to be set or modified. The attributes Policy, SourceGroupId, DestGroupId of enterprise level security groups are not allowed to be set or modified.
400 InvalidParam.ProtocolNotSupportPortRangeList The specified protocol does not support the port range list. The specified protocol does not support the port list.
400 InvalidPortRangeListId.NotFound The specified port range list was not found. The specified port list was not found.
401 InvalidOperation.SecurityGroupNotAuthorized The specified security group is not authorized to operate. You do not have permission to operate the current security group.
500 InternalError The request processing has failed due to some unknown error.
403 InvalidSourceGroupId.Mismatch NicType is required or NicType expects intranet. The NicType parameter is not specified or is not set to intranet.
403 MissingParameter The input parameter SourceGroupId or SourceCidrIp cannot be both blank. At least one of the SourceGroupId and SourceCidrIp parameters must be specified.
403 AuthorizationLimitExceed The limit of authorization records in the security group reaches.
403 InvalidParamter.Conflict The specified SecurityGroupId should be different from the SourceGroupId. The destination security group is the same as the source security group.
403 InvalidNetworkType.Mismatch The specified SecurityGroup network type should be same with SourceGroup network type (vpc or classic). The network type of the destination security group is different from that of the source security group.
403 InvalidNetworkType.Conflict The specified SecurityGroup network type should be same with SourceGroup network type (vpc or classic). The network type of the destination security group is different from that of the source security group.
403 InvalidOperation.ResourceManagedByCloudProduct %s You cannot modify security groups managed by cloud services.
403 LimitExceed.PrefixListAssociationResource The number of resources associated with the prefix list exceeds the limit. The maximum number of resources that can be associated with the prefix list has been exceeded.
404 InvalidSecurityGroupId.NotFound The specified SecurityGroupId does not exist. The specified security group does not exist in this account. Check whether the security group ID is correct.
404 InvalidSourceGroupId.NotFound The SourceGroupId provided does not exist in our records. The specified SourceGroupId parameter does not exist.
404 InvalidPrefixListId.NotFound The specified prefix list was not found. The prefix list does not exist.

See Error Codes for a complete list.

Release notes

See Release Notes for a complete list.