This topic introduces the default rules in security groups created manually or by the system.

Note

Security groups are stateful. This means that if, for example, an outbound packet is allowed, then the inbound packets belonging to the same connection are also allowed. For more information about security groups, see security groups.

Security groups created by the system

When you create an ECS instance in a region where you have not created a security group, we recommend that you use the default security group provided by the system.

Such a security group generally has only default rules that allow access over ICMP, TCP port 22 (SSH), TCP port 3389 (RDP), TCP port 80 (HTTP), and TCP port 443 (HTTPS). Note that the default rules vary with the network type of the security group.

  • VPC: The rules apply to both Internet and intranet access. A VPC-type instance reaches the Internet through a mapping on its private NIC, so no Internet NIC is visible inside the instance and you can only set intranet rules in the security group; those rules take effect for both intranet and Internet access. The default rules of the default VPC-connected security group are described in the following table.
    NIC | Rule direction | Authorization policy | Protocol type              | Port range | Priority | Authorization type   | Authorization object
    N/A | Inbound        | Allow                | Custom TCP (SSH)           | 22/22      | 110      | Address field access | 0.0.0.0/0
    N/A | Inbound        | Allow                | Custom TCP (RDP)           | 3389/3389  | 110      | Address field access | 0.0.0.0/0
    N/A | Inbound        | Allow                | All ICMP                   | -1/-1      | 110      | Address field access | 0.0.0.0/0
    N/A | Inbound        | Allow                | Custom TCP (HTTP), optional  | 80/80      | 110      | Address field access | 0.0.0.0/0
    N/A | Inbound        | Allow                | Custom TCP (HTTPS), optional | 443/443    | 110      | Address field access | 0.0.0.0/0
  • Classic network: The default rules of a classic network-connected security group are described in the following table.
    NIC      | Rule direction | Authorization policy | Protocol type              | Port range | Priority | Authorization type   | Authorization object
    Internet | Inbound        | Allow                | Custom TCP (SSH)           | 22/22      | 110      | Address field access | 0.0.0.0/0
    Internet | Inbound        | Allow                | Custom TCP (RDP)           | 3389/3389  | 110      | Address field access | 0.0.0.0/0
    Internet | Inbound        | Allow                | All ICMP                   | -1/-1      | 110      | Address field access | 0.0.0.0/0
    Internet | Inbound        | Allow                | Custom TCP (HTTP), optional  | 80/80      | 110      | Address field access | 0.0.0.0/0
    Internet | Inbound        | Allow                | Custom TCP (HTTPS), optional | 443/443    | 110      | Address field access | 0.0.0.0/0
    Note: Rules with priority 110 have the lowest priority in the security group. When you manually create a security group, only values from 1 to 100 are valid for the priority setting. For more information about rule priority, see add security group rules.

You can also add security group rules in the default security group.

Manually created security group

After creating a security group, before you add rules, the following default rules apply to the communication of all the instances in the group over the Internet or intranet:

  • Outbound: Allow
  • Inbound: Refuse

If your instance has joined such a security group, you can connect to it only through the Management Terminal. Other remote connection methods (such as connecting to a Linux instance by using a password, or to a Windows instance by using remote connection software) will not work until you add inbound rules.

You can also add security group rules to manually created security groups.
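The following is an added example, not part of this documentation or of any Alibaba Cloud tooling: a small Python model of how the rules in the tables above are evaluated, covering the system default group (priority 110 rules), a manually created group with no rules (outbound allow, inbound refuse), and the effect of adding higher-priority rules in the 1 to 100 range. The rule set, sample addresses and the tie-break rule for equal priorities (deny wins) are assumptions made for this model.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    direction: str    # "inbound" or "outbound"
    policy: str       # "allow" or "deny"
    protocol: str     # "tcp", "udp", "icmp" or "all"
    port_range: str   # "start/end"; "-1/-1" means all ports (used for ICMP)
    priority: int     # 1 is highest; 1..100 for manual rules, 110 for system defaults
    cidr: str         # authorization object, e.g. "0.0.0.0/0"

# Constructed copy of the default system security group rules from the tables above.
DEFAULT_SYSTEM_RULES = [
    Rule("inbound", "allow", "tcp", "22/22", 110, "0.0.0.0/0"),
    Rule("inbound", "allow", "tcp", "3389/3389", 110, "0.0.0.0/0"),
    Rule("inbound", "allow", "icmp", "-1/-1", 110, "0.0.0.0/0"),
    Rule("inbound", "allow", "tcp", "80/80", 110, "0.0.0.0/0"),
    Rule("inbound", "allow", "tcp", "443/443", 110, "0.0.0.0/0"),
]

# A manually created group starts empty: outbound allow, inbound refuse (implicit defaults).
MANUAL_EMPTY_RULES = []

def rule_matches(rule, direction, protocol, port, addr):
    """True if the rule applies to a packet in this direction/protocol/port from addr."""
    if rule.direction != direction or rule.protocol not in ("all", protocol):
        return False
    lo, hi = (int(x) for x in rule.port_range.split("/"))
    if lo != -1 and not lo <= port <= hi:
        return False
    return ip_address(addr) in ip_network(rule.cidr)

def evaluate(rules, direction, protocol, port, addr):
    """Return 'allow' or 'deny'. The matching rule with the lowest priority number wins;
    among equal priorities this model assumes deny beats allow. With no matching rule the
    group falls back to its implicit default: outbound allow, inbound deny."""
    matches = [r for r in rules if rule_matches(r, direction, protocol, port, addr)]
    if not matches:
        return "allow" if direction == "outbound" else "deny"
    return min(matches, key=lambda r: (r.priority, r.policy != "deny")).policy

def exposed_admin_ports(rules, probe_addr="203.0.113.5"):
    """Audit helper: management ports reachable from an arbitrary Internet address
    (203.0.113.5 is a constructed TEST-NET-3 address standing in for 'anywhere')."""
    return sorted(p for p in (22, 3389)
                  if evaluate(rules, "inbound", "tcp", p, probe_addr) == "allow")
```

`exposed_admin_ports(DEFAULT_SYSTEM_RULES)` reports both 22 and 3389 open to the Internet, which is what the default group permits; adding priority 1 to 100 rules that allow SSH only from your management range and deny it from 0.0.0.0/0 closes that exposure in the model just as it does in the console.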