> ## Documentation Index > Fetch the complete documentation index at: https://altostrat.io/docs/llms.txt > Use this file to discover all available pages before exploring further. # Update a security group > Updates an existing security group by fully replacing its attributes, including its name, description, rules, and site associations. This is a full replacement operation (PUT); any omitted fields in the `rules` or `sites` arrays will result in those items being removed. ## OpenAPI ````yaml /api/en/security-groups.yaml put /vpc/security-groups/{securityGroupId} openapi: 3.0.3 info: title: Altostrat Security Groups API version: 1.0.0 description: >- The Altostrat Security Groups API is the microservice responsible for the centralized management of stateful firewall rulesets and reusable IP address collections. It serves as the source of truth for all network security policies within the Altostrat SDX platform, translating abstract rules into concrete configurations that are asynchronously deployed to MikroTik routers. This API allows you to programmatically manage: - **Security Groups:** Containers for stateful firewall rules that define allowed inbound and outbound traffic for associated network sites. - **Prefix Lists:** Reusable, named collections of IP addresses and CIDR blocks that can be referenced within Security Group rules to simplify policy management. Developers use this API to programmatically define, manage, and automate network security policies at scale across their entire MikroTik infrastructure. servers: - url: https://v1.api.altostrat.io description: Production API Server security: [] tags: - name: Security Groups description: Manage firewall rule containers and their associations with network sites. - name: Prefix Lists description: Manage reusable collections of IP addresses and CIDR blocks. - name: Reference Data description: Retrieve static data like supported protocols and services. paths: /vpc/security-groups/{securityGroupId}: put: tags: - Security Groups summary: Update a security group description: >- Updates an existing security group by fully replacing its attributes, including its name, description, rules, and site associations. This is a full replacement operation (PUT); any omitted fields in the `rules` or `sites` arrays will result in those items being removed. operationId: updateSecurityGroup parameters: - name: securityGroupId in: path required: true description: The unique identifier for the security group to update. schema: type: string pattern: ^sec_grp_[0-9a-zA-Z]{27}$ example: sec_grp_0ujsswThIGTUYm2K8FjOOfxcYpw requestBody: description: The new state for the security group. required: true content: application/json: schema: $ref: '#/components/schemas/SecurityGroupWrite' responses: '200': description: The updated security group object. content: application/json: schema: $ref: '#/components/schemas/SecurityGroup' '400': $ref: '#/components/responses/BadRequest' '401': $ref: '#/components/responses/Unauthorized' '404': $ref: '#/components/responses/NotFound' '422': $ref: '#/components/responses/UnprocessableEntity' '500': $ref: '#/components/responses/InternalServerError' security: - bearerAuth: [] components: schemas: SecurityGroupWrite: type: object description: >- Defines the writable properties for creating or updating a security group. required: - name - rules - sites properties: name: type: string minLength: 3 maxLength: 255 description: A human-readable name for the security group. example: Web Application Firewall description: type: string maxLength: 1024 nullable: true description: An optional description for the security group. example: Allows inbound HTTP/S and blocks common attack vectors. rules: type: array maxItems: 250 description: >- A list of firewall rules. The order of rules is determined by the `order` property within each rule object. The entire list of rules is replaced on update. items: $ref: '#/components/schemas/FilterRuleWrite' sites: type: array description: >- A list of site IDs to which this security group should be applied. The entire list of sites is replaced on update. items: type: string example: site_0ujsswThIGTUYm2K8FjOOfxcYpw example: name: Web Application Servers description: Allows HTTP/S from the world and SSH from the office. rules: - direction: inbound order: 10 protocol: 6 port: '443' address: 0.0.0.0/0 description: Allow HTTPS - direction: inbound order: 20 protocol: 6 port: '80' address: 0.0.0.0/0 description: Allow HTTP - direction: inbound order: 30 protocol: 6 port: '22' address: prfx_lst_0ujsswThIGTUYm2K8FjOOfxcYpw description: Allow SSH from Office sites: - site_0ujsswThIGTUYm2K8FjOOfxcYpw - site_0ujsswThIGTUYm2K8FjOOfxcYpz SecurityGroup: type: object description: Represents a container for a stateful firewall ruleset. properties: id: type: string description: >- The unique identifier for the security group, prefixed with `sec_grp_`. readOnly: true example: sec_grp_0ujsswThIGTUYm2K8FjOOfxcYpw name: type: string description: A human-readable name for the security group. example: Default Web Servers description: type: string description: >- An optional description for the security group, providing more context. example: Allows inbound HTTP/HTTPS traffic from anywhere. status: type: string description: >- The current synchronization status of the security group. `syncing` means changes are being deployed and the resource is locked from modification. readOnly: true enum: - active - syncing - failed example: active sites: type: array description: >- A list of site IDs to which this security group is currently applied. items: type: string example: site_12345 rules: type: array description: An ordered list of firewall rules that define the security policy. items: $ref: '#/components/schemas/FilterRule' FilterRuleWrite: type: object description: Defines the writable properties for a filter rule. required: - direction - order - protocol - port - address - description properties: direction: type: string description: The direction of traffic. enum: - inbound - outbound example: inbound order: type: integer description: The rule's processing order (1-250), unique within the group. minimum: 1 maximum: 250 example: 100 protocol: type: integer description: >- The IP protocol number (e.g., 6 for TCP). Use the Reference Data endpoint to get a full list. example: 6 port: type: string description: >- The port or port range (e.g., "80", "1024-2048"). Must be an empty string for protocols that don't support ports. example: '443' address: type: string description: A valid IPv4 CIDR or a Prefix List ID (`prfx_lst_...`). example: prfx_lst_0ujsswThIGTUYm2K8FjOOfxcYpw description: type: string maxLength: 255 description: A brief, human-readable description of the rule's purpose. example: Allow SSH from management network FilterRule: type: object description: Represents a single firewall rule within a security group. properties: id: type: string description: The unique identifier for the filter rule, prefixed with `fltr_`. readOnly: true example: fltr_0ujsswThIGTUYm2K8FjOOfxcYpw direction: type: string description: The direction of traffic the rule applies to. enum: - inbound - outbound example: inbound order: type: integer description: >- The processing order of the rule, from lowest to highest. Must be unique within the security group. minimum: 1 maximum: 250 example: 10 protocol: type: integer description: >- The IP protocol number. Common values are `6` (TCP), `17` (UDP), `1` (ICMP). `0` represents all protocols. example: 6 port: type: string description: >- The destination port or port range. Required for protocols like TCP and UDP. Should be an empty string for protocols that do not use ports (e.g., ICMP). example: '443' address: type: string description: >- The source (for inbound) or destination (for outbound) address. Can be a CIDR block or a reference to a Prefix List ID (`prfx_lst_...`). example: 0.0.0.0/0 description: type: string description: A human-readable description for the rule. example: Allow inbound HTTPS traffic ErrorResponse: type: object properties: type: type: string description: A broad category for the error (e.g., 'invalid_request_error'). example: invalid_request_error code: type: string description: A short, unique string identifying the specific error. example: parameter_missing message: type: string description: A human-readable description of what went wrong. example: The 'name' parameter is required for this request. doc_url: type: string description: >- A direct link to the documentation page for this specific error code. example: https://docs.altostrat.io/errors/parameter_missing responses: BadRequest: description: >- Bad Request - The request was malformed, for example, due to invalid JSON. content: application/json: schema: $ref: '#/components/schemas/ErrorResponse' Unauthorized: description: >- Unauthorized - The request requires authentication, and a valid Bearer token was not provided. content: application/json: schema: $ref: '#/components/schemas/ErrorResponse' NotFound: description: Not Found - The requested resource does not exist. content: application/json: schema: $ref: '#/components/schemas/ErrorResponse' UnprocessableEntity: description: >- Unprocessable Entity - The request was well-formed but was unable to be followed due to semantic errors (e.g., validation failed). content: application/json: schema: $ref: '#/components/schemas/ErrorResponse' InternalServerError: description: Internal Server Error - An unexpected error occurred on the server. content: application/json: schema: $ref: '#/components/schemas/ErrorResponse' securitySchemes: bearerAuth: type: http scheme: bearer bearerFormat: JWT description: >- Authentication is performed via an Auth0-issued JSON Web Token (JWT). Provide the token in the `Authorization` header with the `Bearer` scheme. ````