
Elastic Compute Service: JoinSecurityGroup

Last Updated: Dec 16, 2024

Adds an Elastic Compute Service (ECS) instance or an elastic network interface (ENI) to a security group. When you call this operation, you can specify parameters, such as SecurityGroupId, InstanceId, and NetworkInterfaceId, in the request.

Operation description

Usage notes

Note: This operation is not recommended. We recommend that you call the ModifyInstanceAttribute operation to add an instance to or remove an instance from a security group, and call the ModifyNetworkInterfaceAttribute operation to add an ENI to or remove an ENI from a security group.

Take note of the following items:

  • Before you add an instance to a security group, the instance must be in the Stopped (Stopped) or Running (Running) state.
  • An instance can be added to up to five security groups by default.
  • You can submit a ticket to change the maximum number of security groups to which an instance can be added to 4 or 10.
  • A basic security group can contain up to 2,000 instances. An advanced security group can contain up to 65,536 instances.
  • The security group and the instance must reside in the same region.
  • The security group and the instance must be of the same network type. If the network type is Virtual Private Cloud (VPC), the security group and the instance must reside in the same VPC.
  • An instance and an ENI cannot be added to a security group at the same time. You cannot specify InstanceId and NetworkInterfaceId at the same time in a request.

For more information, see Limits.

Debugging

You can call this operation directly in OpenAPI Explorer, which saves you from calculating signatures. After the call succeeds, OpenAPI Explorer can automatically generate SDK code samples.

Authorization information

The following table shows the authorization information for this API operation. The authorization information can be used in the Action policy element to grant a RAM user or RAM role the permissions to call this API operation. The columns of the table are described as follows:

  • Operation: the value that you can use in the Action element to specify the operation on a resource.
  • Access level: the access level of each operation. The levels are read, write, and list.
  • Resource type: the type of the resource on which you can authorize the RAM user or the RAM role to perform the operation. Take note of the following items:
    • The required resource types are displayed in bold characters.
    • If the permissions cannot be granted at the resource level, All Resources is used in the Resource type column of the operation.
  • Condition Key: the condition key that is defined by the cloud service.
  • Associated operation: other operations that the RAM user or the RAM role must have permissions to perform to complete the operation. To complete the operation, the RAM user or the RAM role must have the permissions to perform the associated operations.

| Operation | Access level | Resource type | Condition key | Associated operation |
|---|---|---|---|---|
| ecs:JoinSecurityGroup | update | *Instance acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId}; *SecurityGroup acs:ecs:{#regionId}:{#accountId}:securitygroup/{#securitygroupId} | none | none |
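
The resource formats in the table allow the grant to be limited to one instance and one security group. The following Python sketch is an added example, not Alibaba Cloud sample code: it builds such a scoped RAM policy and audits an existing policy for Allow statements that cover ecs:JoinSecurityGroup with a wildcard resource ID. The function names, the account ID, and the resource IDs used with it are constructed for illustration, and matching Action patterns as case-insensitive globs is a simplifying assumption.

```python
import fnmatch

ACTION = "ecs:JoinSecurityGroup"
# Resource ARN formats taken from the authorization table above.
INSTANCE_ARN = "acs:ecs:{region}:{account}:instance/{rid}"
SG_ARN = "acs:ecs:{region}:{account}:securitygroup/{rid}"


def as_list(value):
    """Policy fields may hold one string (or statement) or a list of them."""
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple)) else [value]


def scoped_policy(region, account, instance_id, sg_id):
    """Allow JoinSecurityGroup on exactly one instance and one security group."""
    ids = {"region": region, "account": account}
    return {
        "Version": "1",
        "Statement": [{
            "Effect": "Allow",
            "Action": ACTION,
            "Resource": [
                INSTANCE_ARN.format(rid=instance_id, **ids),
                SG_ARN.format(rid=sg_id, **ids),
            ],
        }],
    }


def audit_join_grants(policy):
    """Return (statement index, resource) for every Allow statement that
    covers ecs:JoinSecurityGroup and leaves the resource ID as a wildcard."""
    findings = []
    for index, stmt in enumerate(as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        # Assumption: Action patterns are matched as case-insensitive globs.
        patterns = [a.lower() for a in as_list(stmt.get("Action"))]
        if not any(fnmatch.fnmatchcase(ACTION.lower(), p) for p in patterns):
            continue
        for resource in as_list(stmt.get("Resource")):
            # "*" and "acs:ecs:*:*:securitygroup/*" both match any group.
            if "*" in resource.rsplit("/", 1)[-1]:
                findings.append((index, resource))
    return findings
```

A finding on a securitygroup resource means the principal can attach the covered instances or ENIs to any security group in scope, including one with more permissive rules.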

Request parameters

| Parameter | Type | Required | Description | Example |
|---|---|---|---|---|
| SecurityGroupId | string | Yes | The ID of the security group. You can call the DescribeSecurityGroups operation to query the most recent security group list. | sg-bp67acfmxazb4p**** |
| InstanceId | string | No | The instance ID. Note: If you configure this parameter, you cannot configure NetworkInterfaceId. | i-bp67acfmxazb4p**** |
| NetworkInterfaceId | string | No | The ENI ID. Note: If you configure this parameter, you cannot configure InstanceId. | eni-bp13kd656hxambfe**** |
| RegionId | string | No | The region ID. You can call the DescribeRegions operation to query the most recent region list. If you want to add an instance to a security group, you do not need to specify a region ID. If you want to add an ENI to a security group, you must specify the region ID of the ENI. | cn-hangzhou |

Response parameters

| Parameter | Type | Description | Example |
|---|---|---|---|
|  | object |  |  |
| RequestId | string | The request ID. | 473469C7-AA6F-4DC5-B3DB-A3DC0DE3C83E |

Examples

Sample success responses

JSON format

{
  "RequestId": "473469C7-AA6F-4DC5-B3DB-A3DC0DE3C83E"
}

Error codes

| HTTP status code | Error code | Error message | Description |
|---|---|---|---|
| 400 | InstanceSecurityGroupLimitExceeded | Exceeding the allowed amount of security groups that an instance can be in. | - |
| 400 | InvalidInstanceId.Mismatch | Specified instance and security group are not in the same VPC. | The specified instance and security group do not belong to the same VPC, or one of the following cases has occurred: 1. The security group is of the VPC network type but the instance is not. 2. The instance is of the VPC network type but the security group is not. |
| 400 | InvalidInstanceId.Malformed | The specified parameter "InstanceId" is not valid. | - |
| 400 | InvalidOperation.NotSupportEnterpriseGroup | The specified instance type doesn't support enterprise level security group. | - |
| 400 | InvalidOperation.MultiGroupType | The specified instance can't join different types of security group. | - |
| 400 | InvalidOperation.InvalidEniState | %s | - |
| 400 | InvalidOperation.EniAndGroupNotBelongSameUser | %s | - |
| 400 | NotBelongUser | %s | You are not authorized to manage the specified resource. |
| 400 | MissingParameter.RegionId | The specified RegionId should not be null. | The RegionId parameter is required. |
| 400 | InvalidStatus.EniOrInstanceIsBeingCreated | %s. | The specified ECS instance or ENI is currently being created. Please wait for the creation process to complete and try again. |
| 403 | IncorrectInstanceStatus | The current status of the resource does not support this operation. | The resource is in a state that does not support the current operation. |
| 403 | InstanceLockedForSecurity | The specified operation is denied as your instance is locked for security reasons. | - |
| 403 | SecurityGroupInstanceLimitExceeded | The maximum number of instances in a security group is exceeded. | The maximum number of instances in the specified security group has been reached. |
| 403 | InvalidInstanceId.AlreadyExists | The specified instance already exists in the specified security group. | The specified instance is already present in the specified security group. |
| 403 | SecurityGroupInstanceLimitExceeded | %s | The maximum number of instances in the specified security group has been reached. |
| 403 | AclLimitExceed | %s | The number of ACL rules for an ENI or instance exceeds the upper limit. |
| 403 | InstanceSecurityGroupLimitExceeded | %s | - |
| 403 | InvalidOperation.NetworkInterfaceCountExceeded | The maximum number of NetworkInterface in a enterprise level security group is exceeded. | - |
| 403 | InvalidOperation.ResourceManagedByCloudProduct | %s | You cannot modify security groups managed by cloud services. |
| 403 | InvalidOperation.InvalidEniType | %s | - |
| 403 | InvalidOperation.VpcMismatch | %s | The operation is invalid. Check whether the VPC in the operation corresponds to other parameters. |
| 403 | InvalidOperation.EniServiceManaged | %s | The operation is invalid. |
| 403 | InvalidParam.Malformed | %s | - |
| 403 | InvalidParam.EniIdAndInstanceId.Conflict | %s | The InstanceId and NetworkInterfaceId parameters are mutually exclusive and cannot be both specified. |
| 403 | Forbidden.InstanceIsBeingCreated | The specified instance is being created. | The specified instance is being created. |
| 404 | InvalidSecurityGroupId.NotFound | The specified SecurityGroupId does not exist. | The specified security group does not exist in this account. Check whether the security group ID is correct. |
| 404 | InvalidInstanceId.NotFound | The specified InstanceId does not exist. | The specified instance does not exist. |
| 404 | InvalidEniId.NotFound | %s | The specified ENI ID does not exist. |
| 500 | InternalError | The request processing has failed due to some unknown error. | An internal error has occurred. Try again later. |

For a list of error codes, see Service error codes.

Change history

| Change time | Summary of changes | Operation |
|---|---|---|
| 2024-07-09 | The Error code has changed | View Change Details |