Removing Rules from a Security Group
You can remove an inbound or outbound rule from a security group at any time, even the initial rules contained in default or custom security groups. Once the rule is removed, your modifications are automatically applied and the corresponding flows are no longer allowed.
Removing Rules from a Security Group Using Cockpit v2
- In the Security Groups dashboard, click the details icon of the security group from which you want to remove rules.
  The security group details panel appears.
- Check the box of the rule you want to remove.
  The rule is selected.
- Click Delete.
  A confirmation dialog box appears.
- Click Delete.
  The selected rule is deleted.
Removing Rules from a Security Group Using OSC CLI
The DeleteSecurityGroupRule command deletes one or more inbound or outbound rules from a security group. For a rule to be deleted, the values specified in the deletion request must exactly match the values of the existing rule.
For the TCP and UDP protocols, you have to indicate the destination port or range of ports. For the ICMP protocol, you have to specify the ICMP type and code numbers.
Rules (IP permissions) consist of the protocol and an IP range or a source security group.
To remove outbound access to a destination security group, we recommend using a set of IP permissions. We also recommend specifying the protocol in the set of IP permissions.
$ osc-cli api DeleteSecurityGroupRule --profile "default" \
    --Flow "Inbound" \
    --SecurityGroupId "sg-12345678" \
    --FromPortRange 80 \
    --ToPortRange 80 \
    --IpProtocol "tcp" \
    --IpRange "10.0.0.0/16"

$ osc-cli api DeleteSecurityGroupRule --profile "default" \
    --Flow "Inbound" \
    --SecurityGroupId "sg-12345678" \
    --Rules '[
        {
            "FromPortRange": 22,
            "ToPortRange": 22,
            "IpProtocol": "tcp",
            "SecurityGroupsMembers": [{"AccountId": "123456789012", "SecurityGroupName": "another-security-group"}]
        }
    ]'
This command contains the following attributes that you need to specify:
- DryRun: (optional) If true, checks whether you have the required permissions to perform the action.
- Flow: The direction of the flow: Inbound or Outbound. You can specify Outbound for Nets only.
- FromPortRange: (optional) The beginning of the port range for the TCP and UDP protocols, or an ICMP type number.
- IpProtocol: (optional) The IP protocol name (tcp, udp, icmp, or -1 for all protocols). By default, -1. In a Net, this can also be an IP protocol number. For more information, see the IANA.org website.
- IpRange: (optional) The IP range for the security group rule, in CIDR notation (for example, 10.0.0.0/16).
- Rules: (optional) One or more rules you want to delete from the security group.
  - FromPortRange: (optional) The beginning of the port range for the TCP and UDP protocols, or an ICMP type number.
  - IpProtocol: (optional) The IP protocol name (tcp, udp, icmp, or -1 for all protocols). By default, -1. In a Net, this can also be an IP protocol number. For more information, see the IANA.org website.
  - IpRanges: (optional) One or more IP ranges for the security group rules, in CIDR notation (for example, 10.0.0.0/16).
  - SecurityGroupsMembers: (optional) Information about one or more source or destination security groups.
    - AccountId: (optional) The account ID that owns the source or destination security group.
    - SecurityGroupId: (optional) The ID of a source or destination security group that you want to link to the security group of the rule.
    - SecurityGroupName: (optional) (Public Cloud only) The name of a source or destination security group that you want to link to the security group of the rule.
  - ServiceIds: (optional) One or more service IDs to allow traffic from a Net to access the corresponding OUTSCALE services. For more information, see ReadNetAccessPointServices.
  - ToPortRange: (optional) The end of the port range for the TCP and UDP protocols, or an ICMP code number.
- SecurityGroupAccountIdToUnlink: (optional) The account ID of the owner of the security group you want to delete a rule from.
- SecurityGroupId: The ID of the security group you want to delete a rule from.
- SecurityGroupNameToUnlink: (optional) The ID of the source security group. If you are in the Public Cloud, you can also specify the name of the source security group.
- ToPortRange: (optional) The end of the port range for the TCP and UDP protocols, or an ICMP code number.
The DeleteSecurityGroupRule command returns the following elements:
- ResponseContext: Information about the context of the response.
  - RequestId: The ID of the request.
- SecurityGroup: Information about the security group.
  - AccountId: The account ID that has been granted permission.
  - Description: The description of the security group.
  - InboundRules: The inbound rules associated with the security group.
    - FromPortRange: The beginning of the port range for the TCP and UDP protocols, or an ICMP type number.
    - IpProtocol: The IP protocol name (tcp, udp, icmp, or -1 for all protocols). By default, -1. In a Net, this can also be an IP protocol number. For more information, see the IANA.org website.
    - IpRanges: One or more IP ranges for the security group rules, in CIDR notation (for example, 10.0.0.0/16).
    - SecurityGroupsMembers: Information about one or more source or destination security groups.
      - AccountId: The account ID that owns the source or destination security group.
      - SecurityGroupId: The ID of a source or destination security group that you want to link to the security group of the rule.
      - SecurityGroupName: (Public Cloud only) The name of a source or destination security group that you want to link to the security group of the rule.
    - ServiceIds: One or more service IDs to allow traffic from a Net to access the corresponding OUTSCALE services. For more information, see ReadNetAccessPointServices.
    - ToPortRange: The end of the port range for the TCP and UDP protocols, or an ICMP code number.
  - NetId: The ID of the Net for the security group.
  - OutboundRules: The outbound rules associated with the security group.
    - FromPortRange: The beginning of the port range for the TCP and UDP protocols, or an ICMP type number.
    - IpProtocol: The IP protocol name (tcp, udp, icmp, or -1 for all protocols). By default, -1. In a Net, this can also be an IP protocol number. For more information, see the IANA.org website.
    - IpRanges: One or more IP ranges for the security group rules, in CIDR notation (for example, 10.0.0.0/16).
    - SecurityGroupsMembers: Information about one or more source or destination security groups.
      - AccountId: The account ID that owns the source or destination security group.
      - SecurityGroupId: The ID of a source or destination security group that you want to link to the security group of the rule.
      - SecurityGroupName: (Public Cloud only) The name of a source or destination security group that you want to link to the security group of the rule.
    - ServiceIds: One or more service IDs to allow traffic from a Net to access the corresponding OUTSCALE services. For more information, see ReadNetAccessPointServices.
    - ToPortRange: The end of the port range for the TCP and UDP protocols, or an ICMP code number.
  - SecurityGroupId: The ID of the security group.
  - SecurityGroupName: The name of the security group.
  - Tags: One or more tags associated with the security group.
    - Key: The key of the tag, with a minimum of 1 character.
    - Value: The value of the tag, between 0 and 255 characters.
{
  "SecurityGroup": {
    "Tags": [],
    "SecurityGroupName": "security-group-example",
    "OutboundRules": [
      {
        "FromPortRange": -1,
        "IpProtocol": "-1",
        "ToPortRange": -1,
        "IpRanges": [
          "0.0.0.0/0"
        ]
      }
    ],
    "SecurityGroupId": "sg-12345678",
    "AccountId": "123456789012",
    "Description": "Example of security group",
    "InboundRules": [],
    "NetId": "vpc-12345678"
  },
  "ResponseContext": {
    "RequestId": "0475ca1e-d0c5-441d-712a-da55a4175157"
  }
}
Removing Rules from a Security Group Using oapi-cli
The DeleteSecurityGroupRule command deletes one or more inbound or outbound rules from a security group. For a rule to be deleted, the values specified in the deletion request must exactly match the values of the existing rule.
For the TCP and UDP protocols, you have to indicate the destination port or range of ports. For the ICMP protocol, you have to specify the ICMP type and code numbers.
Rules (IP permissions) consist of the protocol and an IP range or a source security group.
To remove outbound access to a destination security group, we recommend using a set of IP permissions. We also recommend specifying the protocol in the set of IP permissions.
$ oapi-cli --profile "default" DeleteSecurityGroupRule \
    --Flow "Inbound" \
    --SecurityGroupId "sg-12345678" \
    --FromPortRange 80 \
    --ToPortRange 80 \
    --IpProtocol "tcp" \
    --IpRange "10.0.0.0/16"

$ oapi-cli --profile "default" DeleteSecurityGroupRule \
    --Flow "Inbound" \
    --SecurityGroupId "sg-12345678" \
    --Rules '[
        {
            "FromPortRange": 22,
            "ToPortRange": 22,
            "IpProtocol": "tcp",
            "SecurityGroupsMembers": [{"AccountId": "123456789012", "SecurityGroupName": "another-security-group"}]
        }
    ]'
The attributes you need to specify, the elements returned, and the example response are the same as for DeleteSecurityGroupRule with OSC CLI, described in the previous section.
Removing Rules from a Security Group Using AWS CLI
Before you begin: Install and configure AWS CLI. For more information, see Installing and Configuring AWS CLI.
Removing Inbound Flow Rules from a Security Group
To remove one or more rules for inbound flows, use the revoke-security-group-ingress command following this syntax:
$ aws ec2 revoke-security-group-ingress \
    --profile YOUR_PROFILE \
    --group-name my-security-group \
    --group-id NOT_SPECIFIED \
    --protocol NOT_SPECIFIED \
    --port NOT_SPECIFIED \
    --cidr NOT_SPECIFIED \
    --source-group NOT_SPECIFIED \
    --group-owner NOT_SPECIFIED \
    --ip-permissions "[ \
        { \
            \"IpProtocol\": \"tcp\", \
            \"FromPort\": 22, \
            \"ToPort\": 22, \
            \"IpRanges\": [ \
                { \
                    \"CidrIp\": \"10.0.0.0/16\" \
                } \
            ], \
            \"UserIdGroupPairs\": [ \
                { \
                    \"UserId\": \"123456789000\", \
                    \"GroupName\": \"dev-sg\", \
                    \"GroupId\": \"sg-87654321\" \
                } \
            ] \
        } \
    ]" \
    --endpoint https://fcu.eu-west-2.outscale.com
This command contains the following attributes that you need to specify:
- (optional) profile: The named profile you want to use, created when configuring AWS CLI. For more information, see Installing and Configuring AWS CLI.
- (optional) group-name: The name of the security group, if you are in the public Cloud.
- (optional) group-id: The ID of the security group.
  Among the following attributes, you need to specify either:
  - the protocol, port, and cidr attributes
  - the protocol, port, source-group, and group-owner attributes
  - the ip-permissions attribute
- (optional) protocol: The IP protocol name (tcp, udp, icmp, or -1 for all protocols). By default, -1. In a VPC, this can also be an IP protocol number. For more information, see the IANA.org website.
- (optional) port: The port as a single integer or range of ports in the min-max format for TCP and UDP protocols, or an ICMP type number and code in the type-code format (-1 to indicate all ICMP types).
- (optional) cidr: The range of IPs you want to allow, in CIDR notation (/32 prefix for a single IP).
- (optional) source-group: The name or ID of the source security group from which flows are allowed by the rule you want to remove.
- (optional) group-owner: The account ID of the owner of the source security group, if it belongs to another account.
- (optional) ip-permissions: A set of permissions that can be used to remove several rules in the same request. This attribute contains the following elements that you need to specify:
  - (optional) IpProtocol: The IP protocol name (tcp, udp, icmp, or -1 for all protocols). By default, -1. In a VPC, this can also be an IP protocol number. For more information, see the IANA.org website.
  - (optional) FromPort: The beginning of the port range for the TCP and UDP protocols, or an ICMP type number (-1 to indicate all ICMP types).
  - (optional) ToPort: The end of the port range for the TCP and UDP protocols, or an ICMP code number (-1 to indicate all ICMP codes).
  - (optional) IpRanges: One or more IP ranges.
    - (optional) CidrIp: The range of IPs.
  - (optional) UserIdGroupPairs: Information about one or more accounts and security groups to remove permissions for flows from security groups of other accounts. This attribute contains the following elements that you need to specify:
    - (optional) UserId: The account ID of the owner of the referenced security group.
    - (optional) GroupName: The name of the referenced security group.
    - (optional) GroupId: The ID of the referenced security group.
- endpoint: The endpoint corresponding to the Region you want to send the request to. For more information, see Installing and Configuring AWS CLI.
The specified rules are removed from the security group.
(VPC only) Removing Outbound Flow Rules from a Security Group
To remove one or more rules for outbound flows, use the revoke-security-group-egress command following this syntax:
$ aws ec2 revoke-security-group-egress \
    --profile YOUR_PROFILE \
    --group-id my-security-group \
    --protocol NOT_SPECIFIED \
    --port NOT_SPECIFIED \
    --cidr NOT_SPECIFIED \
    --source-group NOT_SPECIFIED \
    --group-owner NOT_SPECIFIED \
    --ip-permissions "[ \
        { \
            \"IpProtocol\": \"tcp\", \
            \"FromPort\": 22, \
            \"ToPort\": 22, \
            \"IpRanges\": [ \
                { \
                    \"CidrIp\": \"10.0.0.0/16\" \
                } \
            ], \
            \"UserIdGroupPairs\": [ \
                { \
                    \"UserId\": \"123456789000\", \
                    \"GroupName\": \"dev-sg\", \
                    \"GroupId\": \"sg-87654321\" \
                } \
            ], \
            \"PrefixListIds\": [ \
                { \
                    \"PrefixListId\": \"pl-12345678\" \
                } \
            ] \
        } \
    ]" \
    --endpoint https://fcu.eu-west-2.outscale.com
This command contains the following attributes that you need to specify:
- (optional) profile: The named profile you want to use, created when configuring AWS CLI. For more information, see Installing and Configuring AWS CLI.
- group-id: The ID of the security group.
  Among the following attributes, you need to specify either:
  - the protocol, port, and cidr attributes
  - the protocol, port, source-group, and group-owner attributes
  - the ip-permissions attribute
- (optional) protocol: The IP protocol name (tcp, udp, icmp, or -1 for all protocols). By default, -1. In a VPC, this can also be an IP protocol number. For more information, see the IANA.org website.
- (optional) port: The port as a single integer or range of ports in the min-max format for TCP and UDP protocols, or an ICMP type number and code in the type-code format (-1 to indicate all ICMP types).
- (optional) cidr: The range of IPs you want to allow, in CIDR notation (/32 prefix for a single IP).
- (optional) source-group: The name or ID of the source security group from which flows are allowed by the rule you want to remove.
- (optional) group-owner: The account ID of the owner of the source security group, if it belongs to another account.
- (optional) ip-permissions: A set of permissions that can be used to remove several rules in the same request. This attribute contains the following elements that you need to specify:
  - (optional) IpProtocol: The IP protocol name (tcp, udp, icmp, or -1 for all protocols). By default, -1. In a VPC, this can also be an IP protocol number. For more information, see the IANA.org website.
  - (optional) FromPort: The beginning of the port range for the TCP and UDP protocols, or an ICMP type number (-1 to indicate all ICMP types).
  - (optional) ToPort: The end of the port range for the TCP and UDP protocols, or an ICMP code number (-1 to indicate all ICMP codes).
  - (optional) IpRanges: One or more IP ranges.
    - (optional) CidrIp: The range of IPs.
  - (optional) UserIdGroupPairs: Information about one or more accounts and security groups to remove permissions for flows from security groups of other accounts. This attribute contains the following elements that you need to specify:
    - (optional) UserId: The account ID of the owner of the referenced security group.
    - (optional) GroupName: The name of the referenced security group.
    - (optional) GroupId: The ID of the referenced security group.
  - (optional) PrefixListIds: One or more prefix list IDs. For more information, see Getting Information About Prefix Lists.
    - (optional) PrefixListId: The ID of a prefix list.
- endpoint: The endpoint corresponding to the Region you want to send the request to. For more information, see Installing and Configuring AWS CLI.
The specified rules are removed from the security group.
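The following Python helper is an added example, not OUTSCALE's own code. It ties together the exact-match requirement of DeleteSecurityGroupRule (OSC CLI and oapi-cli sections) and the ip-permissions format of the AWS CLI commands above: given a SecurityGroup object in the shape returned by the API, it finds the rules that allow a CIDR you consider too broad and builds the matching deletion payloads in both formats. The SAMPLE_SECURITY_GROUP is constructed from this page's example response with two inbound rules added; the code assumes that listing a single CIDR in the deletion request revokes only that range and leaves the rule's other ranges in place.

```python
import json
import shlex

# Constructed input: this page's sample response, with two inbound rules added.
SAMPLE_SECURITY_GROUP = {
    "SecurityGroupId": "sg-12345678",
    "AccountId": "123456789012",
    "NetId": "vpc-12345678",
    "InboundRules": [
        {"FromPortRange": 22, "ToPortRange": 22, "IpProtocol": "tcp",
         "IpRanges": ["0.0.0.0/0", "10.0.0.0/16"]},
        {"FromPortRange": 443, "ToPortRange": 443, "IpProtocol": "tcp",
         "SecurityGroupsMembers": [{"AccountId": "123456789012",
                                    "SecurityGroupName": "another-security-group"}]},
    ],
    "OutboundRules": [
        {"FromPortRange": -1, "ToPortRange": -1, "IpProtocol": "-1",
         "IpRanges": ["0.0.0.0/0"]},
    ],
}


def rules_allowing(security_group, flow, cidr):
    """Rules of the given flow ("Inbound"/"Outbound") whose IpRanges contain cidr."""
    if flow not in ("Inbound", "Outbound"):
        raise ValueError("Flow must be Inbound or Outbound")
    # Outbound rules can only be managed for security groups in a Net.
    if flow == "Outbound" and not security_group.get("NetId"):
        raise ValueError("Outbound flow is only available for Nets")
    rules = security_group.get(flow + "Rules", [])
    return [r for r in rules if cidr in r.get("IpRanges", [])]


def oapi_rules(rules, cidr):
    """Rule objects for --Rules. Ports and protocol are copied verbatim because
    the API deletes only on an exact match; only the CIDR being revoked is
    listed (assumption: the rule's other IP ranges are left in place)."""
    return [{"FromPortRange": r["FromPortRange"], "ToPortRange": r["ToPortRange"],
             "IpProtocol": r["IpProtocol"], "IpRanges": [cidr]} for r in rules]


def aws_ip_permissions(rules, cidr):
    """The same deletion in the --ip-permissions format of revoke-security-group-*."""
    return [{"IpProtocol": r["IpProtocol"], "FromPort": r["FromPortRange"],
             "ToPort": r["ToPortRange"], "IpRanges": [{"CidrIp": cidr}]} for r in rules]


def delete_request(security_group, flow, cidr, dry_run=True):
    """Complete DeleteSecurityGroupRule request. With DryRun=True the API only
    checks that you hold the required permissions, which is a safe first run."""
    matching = rules_allowing(security_group, flow, cidr)
    return {"DryRun": dry_run, "Flow": flow,
            "SecurityGroupId": security_group["SecurityGroupId"],
            "Rules": oapi_rules(matching, cidr)}


def rules_argument(request):
    """Shell-quoted value for the --Rules option, as on this page's command line."""
    return shlex.quote(json.dumps(request["Rules"]))


if __name__ == "__main__":
    req = delete_request(SAMPLE_SECURITY_GROUP, "Inbound", "0.0.0.0/0")
    print("osc-cli api DeleteSecurityGroupRule --profile \"default\" "
          f"--Flow \"{req['Flow']}\" --SecurityGroupId \"{req['SecurityGroupId']}\" "
          f"--Rules {rules_argument(req)}")
    print(json.dumps(aws_ip_permissions(
        rules_allowing(SAMPLE_SECURITY_GROUP, "Inbound", "0.0.0.0/0"), "0.0.0.0/0")))
```

Run it once with DryRun left at True to confirm the permissions and the payload, then with dry_run=False to perform the deletion.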
Related Pages
Corresponding API Methods
AWS™ and Amazon Web Services™ are trademarks of Amazon Technologies, Inc or its affiliates in the United States and/or other countries.