Help Center/ Virtual Private Cloud/ API Reference/ VPC APIs (V3)/ Port/ Adding a Security Group to the Security Group List of a Port

Updated on 2025-11-10 GMT+08:00

Online Debugging

CLI Examples

View PDF

Adding a Security Group to the Security Group List of a Port

Function

This API is used to insert a new security group into the security group list of an elastic network interface, that is, associate a new security group with the elastic network interface.

Calling Method

For details, see Calling APIs.

Authorization Information

Each account has all the permissions required to call all APIs, but IAM users must be assigned the required permissions.

If you are using role/policy-based authorization, see Permissions Policies and Supported Actions for details on the required permissions.

If you are using identity policy-based authorization, the following identity policy-based permissions are required.

Action	Access Level	Resource Type (*: required)	Condition Key	Alias	Dependencies
vpc:ports:update	Write	port *	vpc:SubnetId vpc:PortId vpc:VpcId g:EnterpriseProjectId g:ResourceTag/<tag-key>	vpc:vips:update vpc:vips:delete	-

URI

PUT /v3/{project_id}/ports/{port_id}/insert-security-groups

**Table 1** Path Parameters
Parameter	Mandatory	Type	Description
port_id	Yes	String	Definition: Port ID, which can be the ID of an elastic network interface. Range: N/A
project_id	Yes	String	Definition: Project ID. For details about how to obtain a project ID, see Obtaining a Project ID. Range: N/A

Request Parameters

**Table 2** Request body parameters
Parameter	Mandatory	Type	Description
port	Yes	InsertSecurityGroupOption object	Definition: Request body for adding a security group to a security group list of a port. Constraints: N/A Range: N/A Default Value: N/A
dry_run	No	Boolean	Definition: Whether to only check the request. Constraints: N/A Range: true: A check request will be sent and no security group will be added to the security group list of a port. Check items include mandatory parameters, request format, and constraints. If the check fails, an error will be returned. If the check succeeds, response code 202 will be returned. false: A request will be sent and a security group will be added to the security group list of a port. Default Value: false

**Table 3** InsertSecurityGroupOption
Parameter	Mandatory	Type	Description
security_groups	Yes	Array of strings	Definition: IDs of security groups to be inserted, for example, "security_groups": ["a0608cbf-d047-4f54-8b28-cd7b59853fff"]. You can call the API Querying Security Groups to obtain the ID of the target security group, and then use this API to associate the security group to the elastic network interface. Constraints: N/A Range: N/A Default Value: N/A
index	No	Integer	Definition: Position that a security group is added to. The value starts from 0. For example: To add a security group to the top of the associated security group list, set index to 0. To add a security group after the nth security group in the associated security group list, set index to n. By default, a security group is added to the end of the security group list associated with the port. Constraints: N/A Range: N/A Default Value: N/A

Response Parameters

Status code: 200

**Table 4** Response body parameters
Parameter	Type	Description
request_id	String	Definition: Request ID. Range: N/A
port	Port object	Definition: Response body for adding a security group to a security group list of a port. Range: N/A

**Table 5** Port
Parameter	Type	Description
admin_state_up	Boolean	Definition: Administrative state of this port. Range: The value can be true (default) or false
binding:host_id	String	Definition: ID of the host where the port is located. Range: N/A
binding:profile	Object	Definition: User-defined information of the port. Range: N/A
binding:vif_details	binding:vif_details object	Definition: Detailed information about the VIF. Range: N/A
binding:vif_type	String	Definition: Interface type of the port. The value can be ovs, hw_veb, or others. This is an extended attribute. Range: N/A
binding:vnic_type	String	Definition: Type of the bound vNIC. Range: normal: softswitch. direct: SR-IOV PCIe passthrough (not supported). baremetal: used for bare metal servers.
created_at	String	Definition: Time when the port was created. Range: The value is a UTC time in the format of yyyy-MM-ddTHH:mm:ss.
updated_at	String	Definition: Time when the port was last updated. Range: The value is a UTC time in the format of yyyy-MM-ddTHH:mm:ss.
description	String	Definition: Port description. Range: The value can contain 0 to 255 characters and cannot contain angle brackets (< or >).
device_id	String	Definition: ID of the device that the port belongs to. Range: The value is in UUID format with hyphens (-).
device_owner	String	Definition: Name of the device that the port belongs to. Range: network:dhcp: DHCP service network:router_interface_distributed: Subnet gateway address compute:xxx: Private IP address of a cloud server network interface. XXX specifies the AZ name. For example, compute:aa-bb-cc indicates that the private IP address is used by a cloud server in the AZ aa-bb-cc. neutron:VIP_PORT: Virtual IP address neutron:LOADBALANCERV2: Shared load balancer neutron:LOADBALANCERV3: Dedicated load balancer network:endpoint_interface: VPC endpoint network:nat_gateway: NAT gateway network:ucmp: UCMP port, which is used by Enterprise Router.
ecs_flavor	String	Definition: Flavor of the ECS that the port belongs to. Range: N/A
id	String	Definition: Port ID. Range: The value is in UUID format with hyphens (-).
instance_id	String	Definition: ID of the instance that the port belongs to, for example, RDS instance ID. Range: N/A
instance_type	String	Definition: The type of instance that the port belongs to, for example, RDS. Range: N/A
mac_address	String	Definition: MAC address of the port. Range: N/A
name	String	Definition: Port name. Range: The value can contain no more than 255 characters. This parameter is left blank by default.
port_security_enabled	Boolean	Definition: Whether the security option is enabled for a port. If the option is not enabled, the security group and DHCP snooping do not take effect. Range: true: The security option is enabled for a port. false: The security option is not enabled for a port.
private_ips	Array of PrivateIpInfo objects	Definition: Private IP address of a port. Range: N/A
project_id	String	Definition: ID of the project that the port belongs to. Range: N/A
security_groups	Array of strings	Definition: Security groups bound to a port. Range: N/A
status	String	Definition: Port status. Range: ACTIVE: The port is active and can be used for communications. BUILD: The port is being created or configured. DOWN: The port is inactive and cannot be used for communications. The status of a HANA SR-IOV VM port is always DOWN.
tenant_id	String	Definition: ID of the tenant that the port belongs to. Range: N/A
virsubnet_id	String	Definition: ID of the virtual subnet that the port belongs to. Range: The value is in UUID format with hyphens (-).
vpc_id	String	Definition: ID of the VPC that the port belongs to. Range: The value is in UUID format with hyphens (-).
vpc_tenant_id	String	Definition: Tenant ID of the VPC that the port belongs to. Range: N/A
vtep_ip	String	Definition: VTEP IP address of the port, that is, the IP address of the virtual tunnel endpoint. Range: N/A
enable_efi	Boolean	Definition: Whether to enable efi. If efi is enabled, the port supports vRoCE. Range: true: efi is enabled. false: efi is disabled.
scope	String	Definition: Scope of the subnet where the port is located (edge cloud scenario). Range: center: The subnet is in a central AZ. {publicBorderGroup}: The subnet is in a public border group. The public border group limits the AZs of a subnet but it can have multiple edge AZs associated.
zone_id	String	Definition: ID of the AZ that the port belongs to. Range: N/A
binding:migration_info	Object	Definition: Information about the destination node where the port is migrated, including binding:vif_details and binding:vif_type of the destination node. Range: N/A
extra_dhcp_opts	Array of ExtraDhcpOpt objects	Definition: Extended DHCP attributes. Range: N/A
position_type	String	Definition: Location type of the port in the edge scenario. Range: Default Value: center
instance_info	Object	Definition: Information about the instance with the port bound. Range: N/A
tags	Array of ResponseTag objects	Definition: Tags of a port, including tag keys and tag values, which can be used to classify and identify resources. For details, see the tag objects. Range: N/A
allowed_address_pairs	Array of AllowedAddressPair objects	Definition: IP address and MAC address pairs of the port. Range: The IP address cannot be 0.0.0.0/0. Configure a dedicated security group if a large CIDR block (subnet mask less than 24) is configured for parameter allowed_address_pairs. If the value of allowed_address_pairs is 1.1.1.1/0, the source/destination check is disabled. Set allowed_address_pairs of the cloud server network interface to 1.1.1.1/0.

**Table 6** binding:vif_details
Parameter	Type	Description
primary_interface	Boolean	Definition: Whether this is the primary network interface of the cloud server. Range: true: This is the primary network interface of the cloud server. false: This is not the primary network interface of the cloud server.
port_filter	Boolean	Definition: Whether the network service provides port filtering features, such as security groups and anti-MAC/IP spoofing. Range: true: The network service provides port filtering features. false: The network service does not provide port filtering features.
ovs_hybrid_plug	Boolean	Definition: Whether the OVS/bridge hybrid mode is used. Range: true: The OVS/bridge hybrid mode is used. false: The OVS/bridge hybrid mode is not used.

**Table 7** PrivateIpInfo
Parameter	Type	Description
subnet_cidr_id	String	Definition: ID of the subnet where a port works. Range: N/A
ip_address	String	Definition: Private IP address of a port. Range: N/A

**Table 8** ExtraDhcpOpt
Parameter	Type	Description
opt_name	String	Definition: DHCP attribute name. Name of additional control information or network configuration parameter transmitted when the DHCP server allocates IP addresses to clients. Range: N/A
opt_value	String	Definition: DHCP attribute value. Value of additional control information or network configuration parameter transmitted when the DHCP server allocates IP addresses to clients. Range: N/A

**Table 9** ResponseTag
Parameter	Type	Description
key	String	Definition: Tag key. Range: A tag key can contain a maximum of 128 Unicode characters and cannot be left blank. Each tag key of a resource must be unique. The value can contain: Letters Digits Special characters: underscores (_), periods (.), colons (:), plus signs (+), hyphens (-), and equal signs (=) Chinese characters
value	String	Definition: Tag value. Range: Each value can contain a maximum of 255 Unicode characters and can be left blank. The value can contain: Letters Digits Special characters: underscores (_), periods (.), colons (:), plus signs (+), hyphens (-), and equal signs (=) Chinese characters

**Table 10** AllowedAddressPair
Parameter	Type	Description
ip_address	String	Definition: IP address. Constraints: Configure a dedicated security group if a large CIDR block (subnet mask less than 24) is configured for parameter allowed_address_pairs. Range: Single IP address, for example, 192.168.21.25 A CIDR block, for example, 192.168.21.0/24 Default Value: N/A
mac_address	String	Definition: MAC address. Constraints: N/A Range: N/A Default Value: N/A

Example Requests

Add a security group above the first security group (567be4e3-d171-46ce-9e8a-c15e91cfe86a) to the security group list (["567be4e3-d171-46ce-9e8a-c15e91cfe86a", "4940b983-5992-4663-bed9-d1d1e15d1009"]) associated with the port (99fd0c77-56b4-4bf6-8365-df352e45d5fc). Set index to 1.

PUT https://{Endpoint}/v3/f5dab68cd75740e68c599e9af5fe0aed/ports/99fd0c77-56b4-4bf6-8365-df352e45d5fc/insert-security-groups

{
  "port" : {
    "security_groups" : [ "8edd3747-ccd4-49a1-82b9-a165eec314b4", "6c2d4540-3b7d-4207-a319-a7231b439995" ],
    "index" : 1
  }
}

Example Responses

Status code: 200

Normal response to the PUT operation. For more status codes, see Status Codes.

{
  "port" : {
    "name" : "",
    "id" : "99fd0c77-56b4-4bf6-8365-df352e45d5fc",
    "admin_state_up" : true,
    "status" : "DOWN",
    "project_id" : "f5dab68cd75740e68c599e9af5fe0aed",
    "device_id" : "",
    "mac_address" : "fa:16:3e:1f:17:df",
    "device_owner" : "",
    "description" : "",
    "zone_id" : "",
    "scope" : "center",
    "position_type" : "center",
    "created_at" : "2023-05-10T01:35:02.000+00:00",
    "updated_at" : "2023-05-10T01:35:02.000+00:00",
    "port_security_enabled" : true,
    "tags" : [ ],
    "security_groups" : [ "567be4e3-d171-46ce-9e8a-c15e91cfe86a", "8edd3747-ccd4-49a1-82b9-a165eec314b4", "6c2d4540-3b7d-4207-a319-a7231b439995", "4940b983-5992-4663-bed9-d1d1e15d1009" ],
    "allowed_address_pairs" : [ ],
    "extra_dhcp_opts" : [ ],
    "instance_id" : "",
    "instance_type" : "",
    "ecs_flavor" : "",
    "enable_efi" : false,
    "virsubnet_id" : "3847b263-2370-45c0-8236-38a1de568049",
    "private_ips" : [ {
      "subnet_cidr_id" : "ffe98087-6d4f-45cd-988b-1c87f75d2d53",
      "ip_address" : "192.168.158.228"
    } ],
    "binding:host_id" : "",
    "binding:vif_type" : "unbound",
    "binding:vnic_type" : "normal",
    "binding:vif_details" : { },
    "binding:profile" : { },
    "binding:migration_info" : { }
  },
  "request_id" : "458691c0-7db2-43d8-9400-053800c5ff53"
}

SDK Sample Code

The SDK sample code is as follows.

      
       
         
         
           package com.huaweicloud.sdk.test;

import com.huaweicloud.sdk.core.auth.ICredential;
import com.huaweicloud.sdk.core.auth.BasicCredentials;
import com.huaweicloud.sdk.core.exception.ConnectionException;
import com.huaweicloud.sdk.core.exception.RequestTimeoutException;
import com.huaweicloud.sdk.core.exception.ServiceResponseException;
import com.huaweicloud.sdk.vpc.v3.region.VpcRegion;
import com.huaweicloud.sdk.vpc.v3.*;
import com.huaweicloud.sdk.vpc.v3.model.*;

import java.util.List;
import java.util.ArrayList;

public class AddSecurityGroupsSolution {

    public static void main(String[] args) {
        // The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security.
        // In this example, AK and SK are stored in environment variables for authentication. Before running this example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment
        String ak = System.getenv("CLOUD_SDK_AK");
        String sk = System.getenv("CLOUD_SDK_SK");
        String projectId = "{project_id}";

        ICredential auth = new BasicCredentials()
                .withProjectId(projectId)
                .withAk(ak)
                .withSk(sk);

        VpcClient client = VpcClient.newBuilder()
                .withCredential(auth)
                .withRegion(VpcRegion.valueOf("<YOUR REGION>"))
                .build();
        AddSecurityGroupsRequest request = new AddSecurityGroupsRequest();
        request.withPortId("{port_id}");
        AddSecurityGroupsRequestBody body = new AddSecurityGroupsRequestBody();
        List<String> listPortSecurityGroups = new ArrayList<>();
        listPortSecurityGroups.add("8edd3747-ccd4-49a1-82b9-a165eec314b4");
        listPortSecurityGroups.add("6c2d4540-3b7d-4207-a319-a7231b439995");
        InsertSecurityGroupOption portbody = new InsertSecurityGroupOption();
        portbody.withSecurityGroups(listPortSecurityGroups)
            .withIndex(1);
        body.withPort(portbody);
        request.withBody(body);
        try {
            AddSecurityGroupsResponse response = client.addSecurityGroups(request);
            System.out.println(response.toString());
        } catch (ConnectionException e) {
            e.printStackTrace();
        } catch (RequestTimeoutException e) {
            e.printStackTrace();
        } catch (ServiceResponseException e) {
            e.printStackTrace();
            System.out.println(e.getHttpStatusCode());
            System.out.println(e.getRequestId());
            System.out.println(e.getErrorCode());
            System.out.println(e.getErrorMsg());
        }
    }
}

          

        

      
     

      
       
         
         
           # coding: utf-8

import os
from huaweicloudsdkcore.auth.credentials import BasicCredentials
from huaweicloudsdkvpc.v3.region.vpc_region import VpcRegion
from huaweicloudsdkcore.exceptions import exceptions
from huaweicloudsdkvpc.v3 import *

if __name__ == "__main__":
    # The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security.
    # In this example, AK and SK are stored in environment variables for authentication. Before running this example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment
    ak = os.environ["CLOUD_SDK_AK"]
    sk = os.environ["CLOUD_SDK_SK"]
    projectId = "{project_id}"

    credentials = BasicCredentials(ak, sk, projectId)

    client = VpcClient.new_builder() \
        .with_credentials(credentials) \
        .with_region(VpcRegion.value_of("<YOUR REGION>")) \
        .build()

    try:
        request = AddSecurityGroupsRequest()
        request.port_id = "{port_id}"
        listSecurityGroupsPort = [
            "8edd3747-ccd4-49a1-82b9-a165eec314b4",
            "6c2d4540-3b7d-4207-a319-a7231b439995"
        ]
        portbody = InsertSecurityGroupOption(
            security_groups=listSecurityGroupsPort,
            index=1
        )
        request.body = AddSecurityGroupsRequestBody(
            port=portbody
        )
        response = client.add_security_groups(request)
        print(response)
    except exceptions.ClientRequestException as e:
        print(e.status_code)
        print(e.request_id)
        print(e.error_code)
        print(e.error_msg)

          

        

      
     

      
       
         
         
           package main

import (
	"fmt"
	"github.com/huaweicloud/huaweicloud-sdk-go-v3/core/auth/basic"
    vpc "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/vpc/v3"
	"github.com/huaweicloud/huaweicloud-sdk-go-v3/services/vpc/v3/model"
    region "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/vpc/v3/region"
)

func main() {
    // The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security.
    // In this example, AK and SK are stored in environment variables for authentication. Before running this example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment
    ak := os.Getenv("CLOUD_SDK_AK")
    sk := os.Getenv("CLOUD_SDK_SK")
    projectId := "{project_id}"

    auth := basic.NewCredentialsBuilder().
        WithAk(ak).
        WithSk(sk).
        WithProjectId(projectId).
        Build()

    client := vpc.NewVpcClient(
        vpc.VpcClientBuilder().
            WithRegion(region.ValueOf("<YOUR REGION>")).
            WithCredential(auth).
            Build())

    request := &model.AddSecurityGroupsRequest{}
	request.PortId = "{port_id}"
	var listSecurityGroupsPort = []string{
        "8edd3747-ccd4-49a1-82b9-a165eec314b4",
	    "6c2d4540-3b7d-4207-a319-a7231b439995",
    }
	indexPort:= int32(1)
	portbody := &model.InsertSecurityGroupOption{
		SecurityGroups: listSecurityGroupsPort,
		Index: &indexPort,
	}
	request.Body = &model.AddSecurityGroupsRequestBody{
		Port: portbody,
	}
	response, err := client.AddSecurityGroups(request)
	if err == nil {
        fmt.Printf("%+v\n", response)
    } else {
        fmt.Println(err)
    }
}

          

        

      
     