Default Security Groups
- The name of the default security group is default. It is recommended that you do not change the name of the default security group in order to distinguish it from any security groups that you may create.
- You cannot delete the default security group, but you can modify its rules or add rules to it.
- The default security group denies all external requests. To allow access to an instance associated with this security group, you can add rules to allow access over given ports by referring to Remotely Logging In to an ECS from a Local Server.
- If your service has different security requirements on instances for different purposes, you can create security groups and associate these instances with different security groups based on their purposes.
Security groups are free of charge.
Default Security Group Rules
- Inbound rules control incoming traffic to instances in the default security group. The instances can only communicate with each other but cannot be accessed from external networks.
- Outbound rules allow all traffic from the instances in the default security group to external networks.
Table 1 describes the default rules for the default security group.
Direction |
Action |
Type |
Protocol & Port |
Source/Destination |
Description |
---|---|---|---|---|---|
Inbound |
Allow |
IPv4 |
All |
Source: default security group (default) |
Allows IPv4 instances in the security group to communicate with each other using any protocol over any port. |
Inbound |
Allow |
IPv6 |
All |
Source: default security group (default) |
Allows IPv6 instances in the security group to communicate with each other using any protocol over any port. |
Outbound |
Allow |
IPv4 |
All |
Destination: 0.0.0.0/0 |
Allows all traffic from the instances in the security group to any IPv4 address over any port. |
Outbound |
Allow |
IPv6 |
All |
Destination: ::/0 |
Allows all traffic from the instances in the security group to any IPv6 address over any port. |
A Default Security Group Example
As shown in Figure 2, VPC-X has three subnets: Subnet-A, Subnet-B, and Subnet-C. ECSs in Subnet-A and Subnet-B have been associated with the default security group. The default security group allows the instances in the security group to communicate with each other and denies all external requests. So, the four ECSs (ECS-A01, ECS-A02, ECS-B01, and ECS-B02) can communicate with each other, but they cannot receive traffic from the NAT gateway.
To allow traffic from the NAT gateway, you need to add rules to the default security group or create a security group and associate it with the instances.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.