Updated on 2024-07-12 GMT+08:00

Default Security Groups

If no security groups have been created yet, a default security group is automatically created for you, and the instance will be associated with it when you are creating the instance. Note the following when using the default security group:
  • The name of the default security group is default. It is recommended that you do not change the name of the default security group in order to distinguish it from any security groups that you may create.
  • You cannot delete the default security group, but you can modify its rules or add rules to it.
  • The default security group denies all external requests. To allow access to an instance associated with this security group, you can add rules to allow access over given ports by referring to Remotely Logging In to an ECS from a Local Server.
  • If your service has different security requirements on instances for different purposes, you can create security groups and associate these instances with different security groups based on their purposes.

    Security groups are free of charge.

Default Security Group Rules

Note the following when using default security group rules:
  • Inbound rules control incoming traffic to instances in the default security group. The instances can only communicate with each other but cannot be accessed from external networks.
  • Outbound rules allow all traffic from the instances in the default security group to external networks.
Figure 1 Default security group

Table 1 describes the default rules for the default security group.

Table 1 Default security group rules

Direction

Action

Type

Protocol & Port

Source/Destination

Description

Inbound

Allow

IPv4

All

Source: default security group (default)

Allows IPv4 instances in the security group to communicate with each other using any protocol over any port.

Inbound

Allow

IPv6

All

Source: default security group (default)

Allows IPv6 instances in the security group to communicate with each other using any protocol over any port.

Outbound

Allow

IPv4

All

Destination: 0.0.0.0/0

Allows all traffic from the instances in the security group to any IPv4 address over any port.

Outbound

Allow

IPv6

All

Destination: ::/0

Allows all traffic from the instances in the security group to any IPv6 address over any port.

A Default Security Group Example

As shown in Figure 2, VPC-X has three subnets: Subnet-A, Subnet-B, and Subnet-C. ECSs in Subnet-A and Subnet-B have been associated with the default security group. The default security group allows the instances in the security group to communicate with each other and denies all external requests. So, the four ECSs (ECS-A01, ECS-A02, ECS-B01, and ECS-B02) can communicate with each other, but they cannot receive traffic from the NAT gateway.

To allow traffic from the NAT gateway, you need to add rules to the default security group or create a security group and associate it with the instances.

Figure 2 Use cases