Help Center/ Virtual Private Cloud/ API Reference/ VPC APIs (V3)/ Port/ Adding a Security Group to the Security Group List of a Port
Updated on 2025-10-30 GMT+08:00
View PDF

Adding a Security Group to the Security Group List of a Port

Function

This API is used to insert a new security group into the security group list of an elastic network interface, that is, associate a new security group with the elastic network interface.

Calling Method

For details, see Calling APIs.

URI

PUT /v3/{project_id}/ports/{port_id}/insert-security-groups

Table 1 Path Parameters

Parameter

Mandatory

Type

Description

port_id

Yes

String

Definition:

Port ID, which can be the ID of an elastic network interface.

Range:

N/A

project_id

Yes

String

Definition:

Project ID. For details about how to obtain a project ID, see Obtaining a Project ID.

Range:

N/A

Request Parameters

Table 2 Request body parameters

Parameter

Mandatory

Type

Description

port

Yes

InsertSecurityGroupOption object

Definition:

Request body for adding a security group to a security group list of a port.

Constraints:

N/A

Range:

N/A

Default Value:

N/A

dry_run

No

Boolean

Definition:

Whether to only check the request.

Constraints:

N/A

Range:

  • true: A check request will be sent and no security group will be added to the security group list of a port. Check items include mandatory parameters, request format, and constraints. If the check fails, an error will be returned. If the check succeeds, response code 202 will be returned.

  • false: A request will be sent and a security group will be added to the security group list of a port.

Default Value:

false
Table 3 InsertSecurityGroupOption

Parameter

Mandatory

Type

Description

security_groups

Yes

Array of strings

Definition:

IDs of security groups to be inserted, for example, "security_groups": ["a0608cbf-d047-4f54-8b28-cd7b59853fff"]. You can call the API Querying Security Groups to obtain the ID of the target security group, and then use this API to associate the security group to the elastic network interface.

Constraints:

N/A

Range:

N/A

Default Value:

N/A

index

No

Integer

Definition:

Position that a security group is added to. The value starts from 0.

For example:

  1. To add a security group to the top of the associated security group list, set index to 0.

  2. To add a security group after the nth security group in the associated security group list, set index to n.

By default, a security group is added to the end of the security group list associated with the port.

Constraints:

N/A

Range:

N/A

Default Value:

N/A

Response Parameters

Status code: 200

Table 4 Response body parameters

Parameter

Type

Description

request_id

String

Definition:

Request ID.

Range:

N/A

port

Port object

Definition:

Response body for adding a security group to a security group list of a port.

Range:

N/A
Table 5 Port

Parameter

Type

Description

admin_state_up

Boolean

Definition:

Administrative state of this port.

Range:

The value can be true (default) or false

binding:host_id

String

Definition:

ID of the host where the port is located.

Range:

N/A

binding:profile

Object

Definition:

User-defined information of the port.

Range:

N/A

binding:vif_details

binding:vif_details object

Definition:

Detailed information about the VIF.

Range:

N/A

binding:vif_type

String

Definition:

Interface type of the port. The value can be ovs, hw_veb, or others. This is an extended attribute.

Range:

N/A

binding:vnic_type

String

Definition:

Type of the bound vNIC.

Range:

  • normal: softswitch.

  • direct: SR-IOV PCIe passthrough (not supported).

  • baremetal: used for bare metal servers.

created_at

String

Definition:

Time when the port was created.

Range:

The value is a UTC time in the format of yyyy-MM-ddTHH:mm:ss.

updated_at

String

Definition:

Time when the port was last updated.

Range:

The value is a UTC time in the format of yyyy-MM-ddTHH:mm:ss.

description

String

Definition:

Port description.

Range:

The value can contain 0 to 255 characters and cannot contain angle brackets (< or >).

device_id

String

Definition:

ID of the device that the port belongs to.

Range:

The value is in UUID format with hyphens (-).

device_owner

String

Definition:

Name of the device that the port belongs to.

Range:

  • network:dhcp: DHCP service

  • network:router_interface_distributed: Subnet gateway address

  • compute:xxx: Private IP address of a cloud server network interface. XXX specifies the AZ name. For example, compute:aa-bb-cc indicates that the private IP address is used by a cloud server in the AZ aa-bb-cc.

  • neutron:VIP_PORT: Virtual IP address

  • neutron:LOADBALANCERV2: Shared load balancer

  • neutron:LOADBALANCERV3: Dedicated load balancer

  • network:endpoint_interface: VPC endpoint

  • network:nat_gateway: NAT gateway

  • network:ucmp: UCMP port, which is used by Enterprise Router.

ecs_flavor

String

Definition:

Flavor of the ECS that the port belongs to.

Range:

N/A

id

String

Definition:

Port ID.

Range:

The value is in UUID format with hyphens (-).

instance_id

String

Definition:

ID of the instance that the port belongs to, for example, RDS instance ID.

Range:

N/A

instance_type

String

Definition:

The type of instance that the port belongs to, for example, RDS.

Range:

N/A

mac_address

String

Definition:

MAC address of the port.

Range:

N/A

name

String

Definition:

Port name.

Range:

The value can contain no more than 255 characters. This parameter is left blank by default.

port_security_enabled

Boolean

Definition:

Whether the security option is enabled for a port. If the option is not enabled, the security group and DHCP snooping do not take effect.

Range:

  • true: The security option is enabled for a port.

  • false: The security option is not enabled for a port.

private_ips

Array of PrivateIpInfo objects

Definition:

Private IP address of a port.

Range:

N/A

project_id

String

Definition:

ID of the project that the port belongs to.

Range:

N/A

security_groups

Array of strings

Definition:

Security groups bound to a port.

Range:

N/A

status

String

Definition:

Port status.

Range:

  • ACTIVE: The port is active and can be used for communications.

  • BUILD: The port is being created or configured.

  • DOWN: The port is inactive and cannot be used for communications. The status of a HANA SR-IOV VM port is always DOWN.

tenant_id

String

Definition:

ID of the tenant that the port belongs to.

Range:

N/A

virsubnet_id

String

Definition:

ID of the virtual subnet that the port belongs to.

Range:

The value is in UUID format with hyphens (-).

vpc_id

String

Definition:

ID of the VPC that the port belongs to.

Range:

The value is in UUID format with hyphens (-).

vpc_tenant_id

String

Definition:

Tenant ID of the VPC that the port belongs to.

Range:

N/A

vtep_ip

String

Definition:

VTEP IP address of the port, that is, the IP address of the virtual tunnel endpoint.

Range:

N/A

enable_efi

Boolean

Definition:

Whether to enable efi. If efi is enabled, the port supports vRoCE.

Range:

  • true: efi is enabled.

  • false: efi is disabled.

scope

String

Definition:

Scope of the subnet where the port is located (edge cloud scenario).

Range:

  • center: The subnet is in a central AZ.

  • {publicBorderGroup}: The subnet is in a public border group. The public border group limits the AZs of a subnet but it can have multiple edge AZs associated.

zone_id

String

Definition:

ID of the AZ that the port belongs to.

Range:

N/A

binding:migration_info

Object

Definition:

Information about the destination node where the port is migrated, including binding:vif_details and binding:vif_type of the destination node.

Range:

N/A

extra_dhcp_opts

Array of ExtraDhcpOpt objects

Definition:

Extended DHCP attributes.

Range:

N/A

position_type

String

Definition:

Location type of the port in the edge scenario.

Range:

Default Value: center

instance_info

Object

Definition:

Information about the instance with the port bound.

Range:

N/A

tags

Array of ResponseTag objects

Definition:

Tags of a port, including tag keys and tag values, which can be used to classify and identify resources. For details, see the tag objects.

Range:

N/A

allowed_address_pairs

Array of AllowedAddressPair objects

Definition:

IP address and MAC address pairs of the port.

Range:

  • The IP address cannot be 0.0.0.0/0.

  • Configure a dedicated security group if a large CIDR block (subnet mask less than 24) is configured for parameter allowed_address_pairs.

  • If the value of allowed_address_pairs is 1.1.1.1/0, the source/destination check is disabled.

  • Set allowed_address_pairs of the cloud server network interface to 1.1.1.1/0.
Table 6 binding:vif_details

Parameter

Type

Description

primary_interface

Boolean

Definition:

Whether this is the primary network interface of the cloud server.

Range:

  • true: This is the primary network interface of the cloud server.

  • false: This is not the primary network interface of the cloud server.

port_filter

Boolean

Definition:

Whether the network service provides port filtering features, such as security groups and anti-MAC/IP spoofing.

Range:

  • true: The network service provides port filtering features.

  • false: The network service does not provide port filtering features.

ovs_hybrid_plug

Boolean

Definition:

Whether the OVS/bridge hybrid mode is used.

Range:

  • true: The OVS/bridge hybrid mode is used.

  • false: The OVS/bridge hybrid mode is not used.
Table 7 PrivateIpInfo

Parameter

Type

Description

subnet_cidr_id

String

Definition:

ID of the subnet where a port works.

Range:

N/A

ip_address

String

Definition:

Private IP address of a port.

Range:

N/A
Table 8 ExtraDhcpOpt

Parameter

Type

Description

opt_name

String

Definition:

DHCP attribute name. Name of additional control information or network configuration parameter transmitted when the DHCP server allocates IP addresses to clients.

Range:

N/A

opt_value

String

Definition:

DHCP attribute value. Value of additional control information or network configuration parameter transmitted when the DHCP server allocates IP addresses to clients.

Range:

N/A
Table 9 ResponseTag

Parameter

Type

Description

key

String

Definition:

Tag key.

Range:

  • A tag key can contain a maximum of 128 Unicode characters and cannot be left blank.

  • Each tag key of a resource must be unique.

  • The value can contain:

    • Letters

    • Digits

    • Special characters: underscores (_), periods (.), colons (:), plus signs (+), hyphens (-), and equal signs (=)

    • Chinese characters

value

String

Definition:

Tag value.

Range:

  • Each value can contain a maximum of 255 Unicode characters and can be left blank.

  • The value can contain:

    • Letters

    • Digits

    • Special characters: underscores (_), periods (.), colons (:), plus signs (+), hyphens (-), and equal signs (=)

    • Chinese characters
Table 10 AllowedAddressPair

Parameter

Type

Description

ip_address

String

Definition:

IP address.

Constraints:

Configure a dedicated security group if a large CIDR block (subnet mask less than 24) is configured for parameter allowed_address_pairs.

Range:

Single IP address, for example, 192.168.21.25

A CIDR block, for example, 192.168.21.0/24

Default Value:

N/A

mac_address

String

Definition:

MAC address.

Constraints:

N/A

Range:

N/A

Default Value:

N/A

Example Requests

Add a security group above the first security group (567be4e3-d171-46ce-9e8a-c15e91cfe86a) to the security group list (["567be4e3-d171-46ce-9e8a-c15e91cfe86a", "4940b983-5992-4663-bed9-d1d1e15d1009"]) associated with the port (99fd0c77-56b4-4bf6-8365-df352e45d5fc). Set index to 1.

PUT https://{Endpoint}/v3/f5dab68cd75740e68c599e9af5fe0aed/ports/99fd0c77-56b4-4bf6-8365-df352e45d5fc/insert-security-groups

{
  "port" : {
    "security_groups" : [ "8edd3747-ccd4-49a1-82b9-a165eec314b4", "6c2d4540-3b7d-4207-a319-a7231b439995" ],
    "index" : 1
  }
}

Example Responses

Status code: 200

Normal response to the PUT operation. For more status codes, see Status Codes.

{
  "port" : {
    "name" : "",
    "id" : "99fd0c77-56b4-4bf6-8365-df352e45d5fc",
    "admin_state_up" : true,
    "status" : "DOWN",
    "project_id" : "f5dab68cd75740e68c599e9af5fe0aed",
    "device_id" : "",
    "mac_address" : "fa:16:3e:1f:17:df",
    "device_owner" : "",
    "description" : "",
    "zone_id" : "",
    "scope" : "center",
    "position_type" : "center",
    "created_at" : "2023-05-10T01:35:02.000+00:00",
    "updated_at" : "2023-05-10T01:35:02.000+00:00",
    "port_security_enabled" : true,
    "tags" : [ ],
    "security_groups" : [ "567be4e3-d171-46ce-9e8a-c15e91cfe86a", "8edd3747-ccd4-49a1-82b9-a165eec314b4", "6c2d4540-3b7d-4207-a319-a7231b439995", "4940b983-5992-4663-bed9-d1d1e15d1009" ],
    "allowed_address_pairs" : [ ],
    "extra_dhcp_opts" : [ ],
    "instance_id" : "",
    "instance_type" : "",
    "ecs_flavor" : "",
    "enable_efi" : false,
    "virsubnet_id" : "3847b263-2370-45c0-8236-38a1de568049",
    "private_ips" : [ {
      "subnet_cidr_id" : "ffe98087-6d4f-45cd-988b-1c87f75d2d53",
      "ip_address" : "192.168.158.228"
    } ],
    "binding:host_id" : "",
    "binding:vif_type" : "unbound",
    "binding:vnic_type" : "normal",
    "binding:vif_details" : { },
    "binding:profile" : { },
    "binding:migration_info" : { }
  },
  "request_id" : "458691c0-7db2-43d8-9400-053800c5ff53"
}

Status Codes

Status Code

Description

200

Normal response to the PUT operation. For more status codes, see Status Codes.

Error Codes

See Error Codes.

Parent Topic: Port