Adds an Elastic Compute Service (ECS) instance or an elastic network interface (ENI) to a security group. When you call this operation, you can specify parameters, such as SecurityGroupId, InstanceId, and NetworkInterfaceId, in the request.
Operation description
Usage notes
Take note of the following items:
- Before you add an instance to a security group, the instance must be in the Stopped (Stopped) or Running (Running) state.
- An instance can be added to up to five security groups by default.
- You can submit a ticket to change the maximum number of security groups to which an instance can be added to 4 or 10.
- A basic security group can contain up to 2,000 instances. An advanced security group can contain up to 65,536 instances.
- The security group and the instance must reside in the same region.
- The security group and the instance must be of the same network type. If the network type is Virtual Private Cloud (VPC), the security group and the instance must reside in the same VPC.
- An instance and an ENI cannot be added to a security group at the same time. You cannot specify InstanceId and NetworkInterfaceId at the same time in a request.
For more information, see Limits.
Authorization information
The following table shows the authorization information corresponding to the API. The authorization information can be used in the Action policy element to grant a RAM user or RAM role the permissions to call this API operation. Description:
- Operation: the value that you can use in the Action element to specify the operation on a resource.
- Access level: the access level of each operation. The levels are read, write, and list.
- Resource type: the type of the resource on which you can authorize the RAM user or the RAM role to perform the operation. Take note of the following items:
- The required resource types are displayed in bold characters.
- If the permissions cannot be granted at the resource level, All Resources is used in the Resource type column of the operation.
- Condition Key: the condition key that is defined by the cloud service.
- Associated operation: other operations that the RAM user or the RAM role must have permissions to perform to complete the operation. To complete the operation, the RAM user or the RAM role must have the permissions to perform the associated operations.
Operation | Access level | Resource type | Condition key | Associated operation |
---|---|---|---|---|
ecs:JoinSecurityGroup | update | *Instance acs:ecs:{#regionId}:{#accountId}:instance/{#instanceId} *SecurityGroup acs:ecs:{#regionId}:{#accountId}:securitygroup/{#securitygroupId} | | none |
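A least-privilege grant built from the two ARN formats in the table, together with a check that flags policies granting ecs:JoinSecurityGroup on wildcard resources. This is an added example, not code from the original documentation: the function names, account ID and resource IDs are constructed, and the policy layout (Version "1", Statement, Effect, Action, Resource) is standard RAM policy syntax rather than something shown on this page.

```python
import fnmatch

ACTION = "ecs:JoinSecurityGroup"
# ARN formats copied from the Resource type column of the table above.
INSTANCE_ARN = "acs:ecs:{region}:{account}:instance/{rid}"
GROUP_ARN = "acs:ecs:{region}:{account}:securitygroup/{rid}"


def scoped_policy(region, account, instance_ids, group_ids):
    """Build a policy that allows the action only on the named resources.

    Both resource types are marked as required in the table, so the
    Resource list has to cover the instance and the security group.
    """
    if not instance_ids or not group_ids:
        raise ValueError("need at least one instance and one security group")
    for value in (region, account, *instance_ids, *group_ids):
        if not value or "*" in value or "?" in value:
            raise ValueError(f"wildcard or empty value rejected: {value!r}")
    resources = [INSTANCE_ARN.format(region=region, account=account, rid=i)
                 for i in instance_ids]
    resources += [GROUP_ARN.format(region=region, account=account, rid=g)
                  for g in group_ids]
    return {"Version": "1",
            "Statement": [{"Effect": "Allow", "Action": ACTION,
                           "Resource": resources}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def overbroad_statements(policy):
    """Return Allow statements that grant the action on a wildcard resource."""
    hits = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        # Assumption: action patterns are compared case-insensitively.
        grants = any(fnmatch.fnmatchcase(ACTION.lower(), a.lower())
                     for a in actions)
        if grants and any("*" in r for r in resources):
            hits.append(stmt)
    return hits
```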
Request parameters
Parameter | Type | Required | Description | Example |
---|---|---|---|---|
SecurityGroupId | string | Yes | The ID of the security group. You can call the DescribeSecurityGroups operation to query the most recent security group list. | sg-bp67acfmxazb4p**** |
InstanceId | string | No | The instance ID. Note: If you configure this parameter, you cannot configure NetworkInterfaceId. | i-bp67acfmxazb4p**** |
NetworkInterfaceId | string | No | The ENI ID. Note: If you configure this parameter, you cannot configure InstanceId. | eni-bp13kd656hxambfe**** |
RegionId | string | No | The region ID. You can call the DescribeRegions operation to query the most recent region list. | cn-hangzhou |
Response parameters
Examples
Sample success responses
JSON format
{
"RequestId": "473469C7-AA6F-4DC5-B3DB-A3DC0DE3C83E"
}
Error codes
HTTP status code | Error code | Error message | Description |
---|---|---|---|
400 | InstanceSecurityGroupLimitExceeded | Exceeding the allowed amount of security groups that an instance can be in. | - |
400 | InvalidInstanceId.Mismatch | Specified instance and security group are not in the same VPC. | The specified instance and security group do not belong to the same VPC, or one of the following cases has occurred: 1. The security group is of the VPC network type but the instance is not. 2. The instance is of the VPC network type but the security group is not. |
400 | InvalidInstanceId.Malformed | The specified parameter "InstanceId" is not valid. | - |
400 | InvalidOperation.NotSupportEnterpriseGroup | The specified instance type doesn't support enterprise level security group. | - |
400 | InvalidOperation.MultiGroupType | The specified instance can't join different types of security group. | - |
400 | InvalidOperation.InvalidEniState | %s | - |
400 | InvalidOperation.EniAndGroupNotBelongSameUser | %s | - |
400 | NotBelongUser | %s | You are not authorized to manage the specified resource. |
400 | MissingParameter.RegionId | The specified RegionId should not be null. | The RegionId parameter is required. |
400 | InvalidStatus.EniOrInstanceIsBeingCreated | %s. | The specified ECS instance or ENI is currently being created. Please wait for the creation process to complete and try again. |
403 | IncorrectInstanceStatus | The current status of the resource does not support this operation. | The resource is in a state that does not support the current operation. |
403 | InstanceLockedForSecurity | The specified operation is denied as your instance is locked for security reasons. | - |
403 | SecurityGroupInstanceLimitExceeded | The maximum number of instances in a security group is exceeded. | The maximum number of instances in the specified security group has been reached. |
403 | InvalidInstanceId.AlreadyExists | The specified instance already exists in the specified security group. | The specified instance is already present in the specified security group. |
403 | SecurityGroupInstanceLimitExceeded | %s | The maximum number of instances in the specified security group has been reached. |
403 | AclLimitExceed | %s | The number of ACL rules for an ENI or instance exceeds the upper limit. |
403 | InstanceSecurityGroupLimitExceeded | %s | - |
403 | InvalidOperation.NetworkInterfaceCountExceeded | The maximum number of NetworkInterface in a enterprise level security group is exceeded. | - |
403 | InvalidOperation.ResourceManagedByCloudProduct | %s | You cannot modify security groups managed by cloud services. |
403 | InvalidOperation.InvalidEniType | %s | - |
403 | InvalidOperation.VpcMismatch | %s | The operation is invalid. Check whether the VPC in the operation corresponds to other parameters. |
403 | InvalidOperation.EniServiceManaged | %s | The operation is invalid. |
403 | InvalidParam.Malformed | %s | - |
403 | InvalidParam.EniIdAndInstanceId.Conflict | %s | The InstanceId and NetworkInterfaceId parameters are mutually exclusive and cannot be both specified. |
403 | Forbidden.InstanceIsBeingCreated | The specified instance is being created. | The specified instance is being created. |
404 | InvalidSecurityGroupId.NotFound | The specified SecurityGroupId does not exist. | The specified security group does not exist in this account. Check whether the security group ID is correct. |
404 | InvalidInstanceId.NotFound | The specified InstanceId does not exist. | The specified instance does not exist. |
404 | InvalidEniId.NotFound | %s | The specified ENI ID does not exist. |
500 | InternalError | The request processing has failed due to some unknown error. | An internal error has occurred. Try again later. |
For a list of error codes, visit the Service error codes.
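One way automation can apply the parameter rules and the error table above: check the request locally, retry only the codes whose descriptions say to wait and try again, and surface every other code immediately. This is an added example, not code from the original documentation or an Alibaba Cloud SDK; `send`, `JoinError`, the function names and the sample IDs are hypothetical, and treating InvalidInstanceId.AlreadyExists as success is a design assumption of this example.

```python
import time

# Codes whose descriptions in the table say to wait and try again.
RETRYABLE = {"InvalidStatus.EniOrInstanceIsBeingCreated",
             "Forbidden.InstanceIsBeingCreated", "InternalError"}
# Assumption of this example: membership already in place counts as success.
ALREADY_DONE = {"InvalidInstanceId.AlreadyExists"}


class JoinError(Exception):
    """Hypothetical error type carrying the API error code."""
    def __init__(self, code, message=""):
        super().__init__(f"{code}: {message}")
        self.code = code


def build_request(security_group_id, region_id, instance_id=None, eni_id=None):
    """Reject locally what the API would reject, then return the parameters."""
    if not security_group_id:
        raise ValueError("SecurityGroupId is required")
    if not region_id:  # the table lists MissingParameter.RegionId
        raise ValueError("RegionId should not be null")
    if instance_id and eni_id:  # InvalidParam.EniIdAndInstanceId.Conflict
        raise ValueError("InstanceId and NetworkInterfaceId are mutually exclusive")
    if not (instance_id or eni_id):  # assumption: a target must be named
        raise ValueError("specify InstanceId or NetworkInterfaceId")
    params = {"SecurityGroupId": security_group_id, "RegionId": region_id}
    if instance_id:
        params["InstanceId"] = instance_id
    else:
        params["NetworkInterfaceId"] = eni_id
    return params


def join_security_group(send, params, attempts=4, base_delay=1.0, sleep=time.sleep):
    """Call send(params), a transport callable that raises JoinError on failure.

    Returns "joined" or "already-member". Authorization, lock and limit
    errors are re-raised at once so they are not hidden by a retry loop.
    """
    for attempt in range(attempts):
        try:
            send(params)
            return "joined"
        except JoinError as err:
            if err.code in ALREADY_DONE:
                return "already-member"
            if err.code not in RETRYABLE or attempt == attempts - 1:
                raise
            sleep(base_delay * 2 ** attempt)  # exponential backoff
```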
Change history
Change time | Summary of changes | Operation |
---|---|---|
2024-07-09 | The Error code has changed | View Change Details |