Help Center/ Elastic Cloud Server/ User Guide/ Security/ Security Groups/ Default Security Groups and Rules
Updated on 2024-10-18 GMT+08:00

Default Security Groups and Rules

Note the following when using default security group rules:
  • Inbound rules control incoming traffic to instances in the default security group. The instances can only communicate with each other but cannot be accessed from external networks.
  • Outbound rules allow all traffic from the instances in the default security group to external networks.

Figure 1 shows the default security group.

Figure 1 Default security group
  • Both default and custom security groups are free of charge. The name of a default security group is default.
  • You cannot delete the default security group, but you can modify existing rules or add rules to the group.
  • The default security group is automatically created to simplify the process of creating an instance for the first time. The default security group denies all external requests. To log in to an instance, add a security group rule by referring to Remotely Logging In to an ECS from a Local Server.

Table 1 describes the rules in the default security group.

Table 1 Default security group rules

Direction

Action

Type

Protocol & Port

Source/Destination

Description

Inbound

Allow

IPv4

All

Source: default security group (default)

Allows IPv4 instances in the security group to communicate with each other using any protocol over any port.

Inbound

Allow

IPv6

All

Source: default security group (default)

Allows IPv6 instances in the security group to communicate with each other using any protocol over any port.

Outbound

Allow

IPv4

All

Destination: 0.0.0.0/0

Allows all traffic from the instances in the security group to any IPv4 address over any port.

Outbound

Allow

IPv6

All

Destination: ::/0

Allows all traffic from the instances in the security group to any IPv6 address over any port.

When you create an ECS for the first time, the system automatically creates a VPC vpc-default and:

  • Add the Sys-WebServer security group.
  • Add the Sys-FullAccess security group.
  • Add security group rules to the default security group default.
Table 2 Default security group rules

Direction

Action

Type

Protocol & Port

Source/Destination

Description

Inbound

Allow

IPv4

TCP: 3389

Source: 0.0.0.0/0

Allows all IPv4 addresses to access Windows ECSs through the default Windows remote desktop.

Inbound

Allow

IPv4

TCP: 22

Source: 0.0.0.0/0

Allows all IPv4 addresses to access Linux ECSs over SSH.

Inbound

Allow

IPv4

All

Source: Default security group (default)

Allows instances in the security group to communicate with each other over IPv4 protocols.

Inbound

Allow

IPv6

All

Source: Default security group (default)

Allows instances in the security group to communicate with each other over IPv6 protocols.

Outbound

Allow

IPv4

All

Destination: 0.0.0.0/0

Allows access from instances in the security group to any IPv4 address over any port.

Outbound

Allow

IPv6

All

Destination: ::/0

Allows access from instances in the security group to any IPv6 address over any port.

Table 3 Sys-WebServer security group rules

Direction

Action

Type

Protocol & Port

Source/Destination

Description

Inbound

Allow

IPv4

ICMP: All

Source: 0.0.0.0/0

Allows the use of the ping command to test the network connectivity over IPv4 protocols.

Inbound

Allow

IPv4

All

Source: current security group (Sys-WebServer)

Allows instances in the security group to communicate with each other over IPv4 protocols.

Inbound

Allow

IPv4

TCP: 443

Source: 0.0.0.0/0

Allows all IPv4 addresses to access websites deployed on ECSs over HTTPS.

Inbound

Allow

IPv4

TCP: 80

Source: 0.0.0.0/0

Allows all IPv4 addresses to access websites deployed on ECSs over HTTP.

Inbound

Allow

IPv4

TCP: 22

Source: 0.0.0.0/0

Allows all IPv4 addresses to access Linux ECSs over SSH.

Inbound

Allow

IPv4

TCP: 3389

Source: 0.0.0.0/0

Allows all IPv4 addresses to access Windows ECSs through the default Windows remote desktop.

Inbound

Allow

IPv6

All

Source: current security group (Sys-WebServer)

Allows instances in the security group to communicate with each other over IPv6 protocols.

Outbound

Allow

IPv4

All

Destination: 0.0.0.0/0

Allows access from instances in the security group to any IPv4 address over any port.

Outbound

Allow

IPv6

All

Destination: ::/0

Allows access from instances in the security group to any IPv6 address over any port.

Table 4 Sys-FullAccess security group rules

Direction

Action

Type

Protocol & Port

Source/Destination

Description

Inbound

Allow

IPv4

All

Source: current security group (Sys-FullAccess)

Allows instances in the security group to communicate with each other over IPv4 protocols.

Inbound

Allow

IPv6

All

Source: current security group (Sys-FullAccess)

Allows instances in the security group to communicate with each other over IPv6 protocols.

Inbound

Allow

IPv4

All

Source: 0.0.0.0/0

Allows all inbound data packets to pass through over IPv4 protocols.

Inbound

Allow

IPv6

All

Source address::/0

Allows all inbound data packets to pass through over IPv6 protocols.

Outbound

Allow

IPv4

All

Destination: 0.0.0.0/0

Allows access from instances in the security group to any IPv4 address over any port.

Outbound

Allow

IPv6

All

Destination: ::/0

Allows access from instances in the security group to any IPv6 address over any port.