This topic describes the default rules in security groups created by you or the system.

Note: The content of this topic is no longer being updated. It is for reference only. For the latest content, see Overview.

Security groups created by the system

When you create an ECS instance within a region where you have not created a security group, you can use the default security group created by the system. For more information about how to create a security group, see Create a security group.

The default security group has the following default rules:
  • Inbound: All inbound traffic is denied by default, except that, to help you manage ECS instances, the default security group allows ICMP, SSH (port 22), and RDP (port 3389). You can also choose to allow HTTP (port 80) and HTTPS (port 443).
  • Outbound: Allow all outbound traffic.
The default security group rules vary depending on the network type.
  • VPC: Security group rules for VPCs do not distinguish between the internal network and the Internet. ECS instances in VPCs reach the Internet by mapping public IP addresses to their internal NICs, so no Internet NIC is visible inside the instance. You can only configure internal network rules in the security group, and those rules apply to both the internal network and the Internet. The following table describes the default rules of the default security group for VPCs.
    NIC type | Rule direction | Authorization policy | Protocol type                | Port range | Priority | Authorization type                        | Authorization object
    N/A      | Inbound        | Allow                | Custom TCP (SSH)             | 22/22      | 110      | Access from an IP address or a CIDR block | 0.0.0.0/0
    N/A      | Inbound        | Allow                | Custom TCP (RDP)             | 3389/3389  | 110      | Access from an IP address or a CIDR block | 0.0.0.0/0
    N/A      | Inbound        | Allow                | All ICMP                     | -1/-1      | 110      | Access from an IP address or a CIDR block | 0.0.0.0/0
    N/A      | Inbound        | Allow                | Custom TCP (HTTP), optional  | 80/80      | 110      | Access from an IP address or a CIDR block | 0.0.0.0/0
    N/A      | Inbound        | Allow                | Custom TCP (HTTPS), optional | 443/443    | 110      | Access from an IP address or a CIDR block | 0.0.0.0/0
  • Classic network: The following table describes the default rules of the default security group for the classic network.
    NIC type | Rule direction | Authorization policy | Protocol type                | Port range | Priority | Authorization type                        | Authorization object
    Internet | Inbound        | Allow                | Custom TCP (SSH)             | 22/22      | 110      | Access from an IP address or a CIDR block | 0.0.0.0/0
    Internet | Inbound        | Allow                | Custom TCP (RDP)             | 3389/3389  | 110      | Access from an IP address or a CIDR block | 0.0.0.0/0
    Internet | Inbound        | Allow                | All ICMP                     | -1/-1      | 110      | Access from an IP address or a CIDR block | 0.0.0.0/0
    Internet | Inbound        | Allow                | Custom TCP (HTTP), optional  | 80/80      | 110      | Access from an IP address or a CIDR block | 0.0.0.0/0
    Internet | Inbound        | Allow                | Custom TCP (HTTPS), optional | 443/443    | 110      | Access from an IP address or a CIDR block | 0.0.0.0/0
    Note: The default rules have a priority of 110, which means they always have a lower priority than the rules that you create: when you manually add security group rules, the priority range is 1 to 100, and a smaller number means a higher priority. For more information about the priority of security group rules, see Add security group rules.

You can also add security group rules in the default security group. For more information, see Add security group rules.
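As an added illustration (not code from the original page or from the ECS product itself), the following Python models how the rules in the tables above are evaluated: inbound traffic is denied unless a rule allows it, the system default rules sit at priority 110, and rules you add at priority 1 to 100 take precedence over them. The admin CIDR 203.0.113.0/24 and the deny-wins tie-break for equal priorities are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    direction: str   # "inbound" or "outbound"
    policy: str      # "allow" or "deny"
    protocol: str    # "tcp", "udp", "icmp" or "all"
    port_range: str  # "22/22", "80/80"; "-1/-1" means all ports (used for ICMP)
    priority: int    # 1-100 for rules you add, 110 for system defaults; lower wins
    cidr: str        # authorization object (CIDR block)

def parse_port_range(spec: str) -> tuple:
    """'22/22' -> (22, 22); '-1/-1' -> (0, 65535)."""
    lo, hi = (int(part) for part in spec.split("/"))
    if (lo, hi) == (-1, -1):
        return 0, 65535
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range: {spec}")
    return lo, hi

def rule_matches(rule: Rule, direction: str, protocol: str, port: int, addr: str) -> bool:
    if rule.direction != direction or rule.protocol not in ("all", protocol):
        return False
    lo, hi = parse_port_range(rule.port_range)
    return lo <= port <= hi and ip_address(addr) in ip_network(rule.cidr, strict=False)

def evaluate(rules: list, direction: str, protocol: str, port: int, addr: str) -> str:
    """Return 'allow' or 'deny' for one flow: the matching rule with the lowest
    priority number wins; a tie goes to deny (assumption, the page does not say);
    with no matching rule, inbound is denied and outbound is allowed."""
    hits = [r for r in rules if rule_matches(r, direction, protocol, port, addr)]
    if not hits:
        return "deny" if direction == "inbound" else "allow"
    return min(hits, key=lambda r: (r.priority, r.policy != "deny")).policy

# System default security group from the tables above: priority 110, open to 0.0.0.0/0.
DEFAULT_GROUP = [
    Rule("inbound", "allow", "tcp", "22/22", 110, "0.0.0.0/0"),
    Rule("inbound", "allow", "tcp", "3389/3389", 110, "0.0.0.0/0"),
    Rule("inbound", "allow", "icmp", "-1/-1", 110, "0.0.0.0/0"),
]

# Hardened variant: rules you add (priority 1-100) outrank the defaults, so SSH is
# limited to an admin range (203.0.113.0/24 is a constructed example CIDR).
HARDENED_GROUP = DEFAULT_GROUP + [
    Rule("inbound", "allow", "tcp", "22/22", 1, "203.0.113.0/24"),
    Rule("inbound", "deny", "tcp", "22/22", 2, "0.0.0.0/0"),
]
```

Passing an empty rule list models a security group you created yourself before adding any rules: every inbound flow is denied.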

Security groups created by yourself

After you create a security group, the following default rules apply to access from the Internet and the internal network before you add any rules. For more information about how to create a security group, see Create a security group.

  • Outbound: Allow all outbound traffic.
  • Inbound: All traffic is denied.

If you add an instance to a security group that you created, you can only connect to the ECS instance by using VNC until you add inbound rules, because all inbound traffic is denied. Other remote connection methods, such as connecting to a Linux instance by using a username and password or connecting to a Windows instance by using remote connection tools, do not work.

You can add security group rules to security groups that you created manually. For more information, see Add security group rules.