Default security group rules

Last Updated: Sep 26, 2017

This document introduces the default rules of security groups that are created by the system and by yourself.

The security group created by the system

The security group created by the system has rules only for all ICMP ports, TCP Port 22, and TCP Port 3389, where:

  • All ICMP ports are used by network devices, including routers, to send error messages and operational information.
  • TCP Port 22 is used to connect to a Linux instance using SSH.
  • TCP Port 3389 is used to remotely connect to a Windows instance using Windows Remote Desktop.

Classic network

The default security group created by the system includes rules of:

  • Intranet: drop inbound traffic on all ports, and accept outbound traffic on all ports.
  • Internet: accept outbound traffic on all ports, but only accept inbound traffic on TCP Port 22, TCP Port 3389, and all ICMP ports.

VPC

A security group for VPC only has intranet rules for inbound and outbound traffic.

The default security group created by the system includes rules of:

  • Outbound: accept outbound traffic on all ports.
  • Inbound: only accept inbound traffic on TCP Port 22, TCP Port 3389, and all ICMP ports.

[Figure: ECS_VPC_DefaultSecurityGroup]

All the default security group rules have the priority of 110. Priority 110 means that these rules have the lowest priority in the group. When you manually create a security group, only a value from 1 to 100 is valid for Priority.

For user-defined security groups

For a security group that you create yourself, the default rules are as follows:

  • Allow all for outbound traffic.
  • Drop all for inbound traffic, for both intranet and Internet.
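As an added example that is not part of the original page, the system default rule set for the classic network and the priority rule above can be modelled in Python to check what a given flow would do, and to show how a user-defined rule (priority 1 to 100) takes precedence over the priority-110 defaults. The first-match-in-priority-order evaluation and the `Rule`, `evaluate` and `add_user_rule` names are assumptions for this illustration, not the ECS API.

```python
from dataclasses import dataclass

ANY = "*"  # wildcard for protocol or port

@dataclass(frozen=True)
class Rule:
    priority: int    # 1..100 for user-defined rules; 110 for system defaults (lowest)
    direction: str   # "inbound" or "outbound"
    network: str     # "intranet" or "internet"
    protocol: str    # "tcp", "icmp" or ANY
    port: object     # int port number, or ANY for all ports
    action: str      # "accept" or "drop"

    def matches(self, direction, network, protocol, port):
        return (self.direction == direction and self.network == network
                and self.protocol in (ANY, protocol)
                and self.port in (ANY, port))

# Default classic-network security group as described on this page (all priority 110).
CLASSIC_DEFAULT = [
    Rule(110, "inbound",  "intranet", ANY,    ANY,  "drop"),
    Rule(110, "outbound", "intranet", ANY,    ANY,  "accept"),
    Rule(110, "outbound", "internet", ANY,    ANY,  "accept"),
    Rule(110, "inbound",  "internet", "tcp",  22,   "accept"),  # SSH to Linux
    Rule(110, "inbound",  "internet", "tcp",  3389, "accept"),  # RDP to Windows
    Rule(110, "inbound",  "internet", "icmp", ANY,  "accept"),
]

def is_valid_user_priority(priority):
    """The page allows only 1 to 100 for manually created rules."""
    return 1 <= priority <= 100

def add_user_rule(rules, rule):
    """Return a new rule list with a user-defined rule added (priority checked)."""
    if not is_valid_user_priority(rule.priority):
        raise ValueError("user-defined rule priority must be between 1 and 100")
    return rules + [rule]

def evaluate(rules, direction, network, protocol, port):
    """Return 'accept' or 'drop' for one flow. Assumption (not stated on the page):
    rules are checked from the highest priority (lowest number) downwards and the
    first match wins; a flow that matches no rule is dropped."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(direction, network, protocol, port):
            return rule.action
    return "drop"

def internet_exposed_tcp_ports(rules, candidate_ports):
    """Audit helper: which of the candidate TCP ports accept inbound Internet traffic."""
    return [p for p in candidate_ports
            if evaluate(rules, "inbound", "internet", "tcp", p) == "accept"]
```

Adding `Rule(1, "inbound", "internet", "tcp", 22, "drop")` with `add_user_rule` closes SSH from the Internet while the priority-110 default rule stays in place, which is the effect of the priority range described above.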