Default Security Group Overview
- The default security group is named default and its name cannot be changed for distinguishing it from custom security groups.
- The default security group cannot be deleted, but you can modify its rules or add rules to it.
- The default security group allows instances in the security group to communicate with each other and denies all external requests. To allow access to an instance associated with the default security group, you can add rules to allow access over specific ports by referring to Remotely Logging In to an ECS from a Local Server.
- If your service has different security requirements on instances for different purposes, you can create custom security groups and associate these instances with different security groups accordingly.
Security groups are free of charge.
Default Security Group Rules
- Inbound rules control incoming traffic to instances in the default security group. The instances can communicate with each other but cannot be accessed from external networks.
- Outbound rules allow all traffic from the instances in the default security group to external networks.
Table 1 describes the default rules in the default security group.
|
Direction |
Action |
Type |
Protocol & Port |
Source/Destination |
Description |
|---|---|---|---|---|---|
|
Inbound |
Allow |
IPv4 |
All |
Source: default security group (default) |
Allows IPv4 instances in the security group to communicate with each other using any protocol and port. |
|
Inbound |
Allow |
IPv6 |
All |
Source: default security group (default) |
Allows IPv6 instances in the security group to communicate with each other using any protocol and port. |
|
Outbound |
Allow |
IPv4 |
All |
Destination: 0.0.0.0/0 |
Allows all IPv4 traffic from the instances in the security group to any IP address over any port. |
|
Outbound |
Allow |
IPv6 |
All |
Destination: ::/0 |
Allows all IPv6 traffic from the instances in the security group to any IP address over any port. |
Default Security Group Application Example
As shown in Figure 2, VPC-X has three subnets: Subnet-A, Subnet-B, and Subnet-C. ECSs in Subnet-A and Subnet-B are associated with the default security group. The default security group allows instances in the security group to communicate with each other but denies all external requests by default. So, the four ECSs (ECS-A01, ECS-A02, ECS-B01, and ECS-B02) can communicate with each other, but they cannot receive traffic from the NAT gateway.
To allow traffic from the NAT gateway, you need to add rules to the default security group or create a security group and associate it with the instances.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
