Removes an Elastic Compute Service (ECS) instance or an elastic network interface (ENI) from a security group. To remove an ECS instance from a security group, specify SecurityGroupId and InstanceId in the request. To remove an ENI from a security group, specify SecurityGroupId and NetworkInterfaceId in the request.
Operation description
Usage notes
- To improve user experience, Alibaba Cloud modified the verification rules for the LeaveSecurityGroup operation on July 8, 2024. When you remove an ECS instance or ENI that does not belong to a security group from the security group, the "InvalidSecurityGroupAssociation.NotFound" error code is returned instead of a success response. Update your calls to the LeaveSecurityGroup operation to handle the new verification rules and the new error code based on your business requirements.
- This operation is not recommended. We recommend that you call the ModifyInstanceAttribute operation to add an ECS instance to or remove an ECS instance from a security group, and call the ModifyNetworkInterfaceAttribute operation to add an ENI to or remove an ENI from a security group.
Take note of the following items:
- Before you remove an instance from a security group, the instance must be in the Stopped (Stopped) or Running (Running) state.
- An instance must belong to at least one security group. Therefore, if the instance to be removed belongs to only one security group, the LeaveSecurityGroup request fails.
- You cannot remove an instance and an ENI from a security group at the same time. This indicates that you cannot specify InstanceId and NetworkInterfaceId in one request.
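An added example (not from Alibaba Cloud's documentation or SDK) of a caller that follows the notes above: it rejects requests that set both or neither of InstanceId and NetworkInterfaceId, and reports InvalidSecurityGroupAssociation.NotFound as "not a member" instead of as a removal, so that automation and audit records do not claim a change that never happened. `ApiError`, `send` and `fake_send` are hypothetical stand-ins for an SDK exception and transport, and the resource IDs are constructed.

```python
class ApiError(Exception):
    """Hypothetical stand-in for an SDK server exception carrying the API error code."""
    def __init__(self, status, code):
        super().__init__(f"{status} {code}")
        self.status, self.code = status, code

# Error codes from this page that mean "the association was not there".
NOT_MEMBER = {"InvalidSecurityGroupAssociation.NotFound", "InstanceNotInSecurityGroup"}
# Error code from this page: the group is the instance's only security group.
LAST_GROUP = "InstanceLastSecurityGroup"

def leave_security_group(send, security_group_id, instance_id=None,
                         network_interface_id=None, region_id=None):
    """Call LeaveSecurityGroup through `send` (hypothetical transport callable).

    Returns "removed", "not_member" or "last_group"; re-raises any other ApiError.
    """
    # InstanceId and NetworkInterfaceId are mutually exclusive; one is needed.
    if (instance_id is None) == (network_interface_id is None):
        raise ValueError("specify exactly one of InstanceId or NetworkInterfaceId")
    params = {"SecurityGroupId": security_group_id}
    if instance_id is not None:
        params["InstanceId"] = instance_id
    else:
        params["NetworkInterfaceId"] = network_interface_id
    if region_id is not None:
        params["RegionId"] = region_id
    try:
        send("LeaveSecurityGroup", params)
    except ApiError as err:
        if err.code in NOT_MEMBER:
            return "not_member"   # nothing changed: record as drift, not as a removal
        if err.code == LAST_GROUP:
            return "last_group"   # the instance is still in the group
        raise
    return "removed"

def fake_send(action, params):
    """Constructed transport that mimics the responses documented on this page."""
    members = {("sg-aaaa", "i-0001"), ("sg-aaaa", "i-0002"), ("sg-bbbb", "i-0002")}
    target = params.get("InstanceId") or params.get("NetworkInterfaceId")
    if (params["SecurityGroupId"], target) not in members:
        raise ApiError(400, "InvalidSecurityGroupAssociation.NotFound")
    if sum(1 for _, m in members if m == target) == 1:
        raise ApiError(403, LAST_GROUP)
    return {"RequestId": "constructed-request-id"}

if __name__ == "__main__":
    for sg, inst in [("sg-aaaa", "i-0002"), ("sg-aaaa", "i-0001"), ("sg-bbbb", "i-0001")]:
        print(sg, inst, leave_security_group(fake_send, sg, instance_id=inst))
```
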
Authorization information
Request parameters
Parameter | Type | Required | Description | Example |
---|---|---|---|---|
SecurityGroupId | string | Yes | The security group ID. | sg-bp67acfmxazb4p**** |
InstanceId | string | No | The instance ID. Note: If you configure this parameter, you cannot configure NetworkInterfaceId. | i-bp67acfmxazb4p**** |
NetworkInterfaceId | string | No | The ENI ID. Note: If you configure this parameter, you cannot configure InstanceId. | eni-bp13kd656hxambfe**** |
RegionId | string | No | The region ID. You can call the DescribeRegions operation to query the most recent region list. | cn-hangzhou |
Response parameters
Examples
Sample success responses
JSON format

```json
{
  "RequestId": "473469C7-AA6F-4DC5-B3DB-A3DC0DE3C83E"
}
```
Error codes
HTTP status code | Error code | Error message | Description |
---|---|---|---|
400 | InvalidInstanceId.Malformed | The specified parameter "InstanceId" is not valid. | - |
400 | MissingParameter.RegionId | The specified RegionId should not be null. | The RegionId parameter is required. |
400 | InvalidOperation.InvalidEniState | %s | - |
400 | InvalidSecurityGroupAssociation.NotFound | %s. | The specified ECS or ENI is not associated with the specified security group. |
403 | InstanceLastSecurityGroup | The specified security group is the last security group for the instance. | The specified security group is the only security group to which the instance belongs. |
403 | IncorrectInstanceStatus | The current status of the resource does not support this operation. | The resource is in a state that does not support the current operation. |
403 | InstanceLockedForSecurity | The specified operation is denied as your instance is locked for security reasons. | - |
403 | InstanceNotInSecurityGroup | The instance not in the group. | The specified instance does not belong to the security group. |
403 | InvalidOperation.ResourceManagedByCloudProduct | %s | You cannot modify security groups managed by cloud services. |
403 | InvalidOperation.AtLeastInOneGroup | %s | - |
403 | InvalidOperation.EniServiceManaged | %s | The operation is invalid. |
403 | InvalidOperation.InvalidEniType | %s | - |
403 | InvalidParam.Malformed | %s | - |
403 | InvalidParam.EniIdAndInstanceId.Conflict | %s | The InstanceId and NetworkInterfaceId parameters are mutually exclusive and cannot be both specified. |
404 | InvalidInstanceId.NotFound | The specified InstanceId does not exist. | The specified instance does not exist. |
404 | InvalidSecurityGroupId.NotFound | The specified SecurityGroupId does not exist. | The specified security group does not exist in this account. Check whether the security group ID is correct. |
404 | InvalidEniId.NotFound | %s | The specified ENI ID does not exist. |
404 | InvalidInstanceId.NotFound | The specified parameter InstanceId does not exist. | The specified instance ID does not exist. |
504 | RequestTimeout | The request encounters an upstream server timeout. | The request is denied due to a timeout error of the upstream server. |
For a list of error codes, visit the Service error codes.
Change history
Change time | Summary of changes | Operation |
---|---|---|
2024-06-03 | The Error code has changed | View Change Details |