LeaveSecurityGroup - Elastic Compute Service - Alibaba Cloud Documentation Center

Removes an Elastic Compute Service (ECS) instance or an elastic network interface (ENI) from a security group. To remove an ECS instance from a security group, specify SecurityGroupId and InstanceId in the request. To remove an ENI from a security group, specify SecurityGroupId and NetworkInterfaceId in the request.

Operation description

Usage notes

Note

To improve user experience, Alibaba Cloud modified the verification rules for the LeaveSecurityGroup operation on July 8, 2024. When you remove an ECS instance or ENI that does not belong to a security group from the security group, the "InvalidSecurityGroupAssociation.NotFound" error code is returned instead of a success response. Update the LeaveSecurityGroup operation to use the new verification rules with the new error code based on your business requirements.
This operation is not recommended. We recommend that you call the ModifyInstanceAttribute operation to add an ECS instance to or remove an ECS instance from a security group, and call the ModifyNetworkInterfaceAttribute operation to add an ENI to or remove an ENI from a security group.

Take note of the following items:

Before you remove an instance from a security group, the instance must be in the Stopped (Stopped) or Running (Running) state.
An instance must belong to at least one security group. Therefore, if the instance to be removed belongs to only one security group, the LeaveSecurityGroup request fails.
You cannot remove an instance and an ENI from a security group at the same time. This indicates that you cannot specify InstanceId and NetworkInterfaceId in one request.

Debugging

You can run this interface directly in OpenAPI Explorer, saving you the trouble of calculating signatures. After running successfully, OpenAPI Explorer can automatically generate SDK code samples.

Debug

Authorization information

There is currently no authorization information disclosed in the API.

Request parameters

Parameter	Type	Required	Description	Example
SecurityGroupId	string	Yes	The security group ID.	sg-bp67acfmxazb4p****
InstanceId	string	No	The instance ID. Note If you configure this parameter, you cannot configure `NetworkInterfaceId`.	i-bp67acfmxazb4p****
NetworkInterfaceId	string	No	The ENI ID. Note If you configure this parameter, you cannot configure `InstanceId`.	eni-bp13kd656hxambfe****
RegionId	string	No	The region ID. You can call the DescribeRegions operation to query the most recent region list. If you want to remove an instance from a security group, you do not need to specify a region ID. If you want to remove an ENI from a security group, you must specify the ID of the region in which the ENI resides.	cn-hangzhou

Response parameters

Parameter	Type	Description	Example
	object
RequestId	string	The request ID.	473469C7-AA6F-4DC5-B3DB-A3DC0DE3C83E

Examples

Sample success responses

JSONformat

{
  "RequestId": "473469C7-AA6F-4DC5-B3DB-A3DC0DE3C83E"
}

Error codes

HTTP status code	Error code	Error message	Description
400	InvalidInstanceId.Malformed	The specified parameter "InstanceId" is not valid.	-
400	MissingParameter.RegionId	The specified RegionId should not be null.	The RegionId parameter is required.
400	InvalidOperation.InvalidEniState	%s	-
400	InvalidSecurityGroupAssociation.NotFound	%s.	The specified ECS or ENI is not associated with the specified security group.
403	InstanceLastSecurityGroup	The specified security group is the last security group for the instance.	The specified security group is the only security group to which the instance belongs.
403	IncorrectInstanceStatus	The current status of the resource does not support this operation.	The resource is in a state that does not support the current operation.
403	InstanceLockedForSecurity	The specified operation is denied as your instance is locked for security reasons.	-
403	InstanceNotInSecurityGroup	The instance not in the group.	The specified instance does not belong to the security group.
403	InvalidOperation.ResourceManagedByCloudProduct	%s	You cannot modify security groups managed by cloud services.
403	InvalidOperation.AtLeastInOneGroup	%s	-
403	InvalidOperation.EniServiceManaged	%s	The operation is invalid.
403	InvalidOperation.InvalidEniType	%s	-
403	InvalidParam.Malformed	%s	-
403	InvalidParam.EniIdAndInstanceId.Conflict	%s	The InstanceId and NetworkInterfaceId parameters are mutually exclusive and cannot be both specified.
404	InvalidInstanceId.NotFound	The specified InstanceId does not exist.	The specified instance does not exist.
404	InvalidSecurityGroupId.NotFound	The specified SecurityGroupId does not exist.	The specified security group does not exist in this account. Check whether the security group ID is correct.
404	InvalidEniId.NotFound	%s	The specified ENI ID does not exist.
404	InvalidInstanceId.NotFound	The specified parameter InstanceId does not exist.	The specified instance ID does not exist.
504	RequestTimeout	The request encounters an upstream server timeout.	The request is denied due to a timeout error of the upstream server.

For a list of error codes, visit the Service error codes.

Change history

Change time	Summary of changes	Operation
2024-06-03	The Error code has changed	View Change Details