
Elastic Compute Service:default security groups

Last Updated:Mar 22, 2024

Default security groups are created by Alibaba Cloud and contain default security group rules. This topic describes the creation conditions and features of a default security group and how to use the default security group.

Background information

  • If you do not specify a security group when you create an Elastic Compute Service (ECS) instance, Alibaba Cloud adds the ECS instance to a default security group. If no default security group exists, or if every existing default security group has reached its instance limit and cannot contain additional instances, Alibaba Cloud creates another default security group and adds the instance to it.

  • A security group that resides in a virtual private cloud (VPC) can be used only in that VPC. No limits are imposed on the VPC in which default security groups can be created. If you specify a vSwitch but do not specify a security group when you create an ECS instance, Alibaba Cloud adds the instance to a default security group that resides in the same VPC as the vSwitch. If no default security group exists in the VPC, or if every existing default security group in the VPC has reached its instance limit and cannot contain additional instances, Alibaba Cloud creates another default security group in the VPC and adds the instance to it.

Important

Take note that default security groups are provided to simplify the process of creating ECS instances. By default, each default security group contains default inbound rules that allow TCP access from all IP addresses (0.0.0.0/0) to port 22 and port 3389, and Internet Control Message Protocol (ICMP) (IPv4) access from all IP addresses (0.0.0.0/0) to all ports. These rules do not comply with security best practices. To comply with security best practices, we recommend that you configure security group rules to allow access only from specific IP addresses. We also recommend that you create custom security groups instead of using default security groups.

Default security group that is used to create ECS instances by calling an API operation

If you do not specify security groups when you create an ECS instance by calling the CreateInstance operation, Alibaba Cloud adds the instance to a default security group. The default security group is a basic security group that contains default security group rules. The following table describes the default security group rules.

Protocol     Port range   Authorization object   Priority   Action
TCP          22/22        0.0.0.0/0              100        Allow
TCP          3389/3389    0.0.0.0/0              100        Allow
ICMP(IPv4)   -1/-1        0.0.0.0/0              100        Allow

  • Rules in the default security group allow TCP access from all IP addresses to SSH port 22 and Remote Desktop Protocol (RDP) port 3389.

  • A rule in the default security group allows ICMP (IPv4) access from all IP addresses to all ports.
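The audit below is an added example, not Alibaba Cloud code: it checks a set of security group rules, constructed here in the shape of the table above (the record keys mirror the table columns and are an assumption, not API output), for the world-open SSH, RDP and ICMP rules the default group contains, and shows the same rules producing no findings once the authorization object is narrowed to a specific range. The 203.0.113.0/24 administrative range is a placeholder.

```python
# Added example: audit security group rules, constructed here in the shape of the
# table above (not API output), for the world-open defaults the topic describes.
from ipaddress import ip_network

# Management ports the default group opens to every IPv4 address.
SENSITIVE_TCP_PORTS = {22: "SSH", 3389: "RDP"}
ANY_IPV4 = ip_network("0.0.0.0/0")

def parse_port_range(port_range: str) -> tuple:
    """Parse console notation "22/22", or "-1/-1" meaning all ports, into (low, high)."""
    low, high = (int(p) for p in port_range.split("/"))
    if (low, high) == (-1, -1):
        return 0, 65535
    if not 0 <= low <= high <= 65535:
        raise ValueError(f"invalid port range: {port_range}")
    return low, high

def is_world_open(source: str) -> bool:
    """True for a CIDR covering all IPv4; a non-CIDR object (e.g. a security group ID) is not world-open."""
    try:
        return ip_network(source, strict=False) == ANY_IPV4
    except ValueError:
        return False

def audit_rules(rules: list) -> list:
    """Return one finding per Allow rule that exposes SSH, RDP or ICMP to 0.0.0.0/0."""
    findings = []
    for rule in rules:
        if rule["action"] != "Allow" or not is_world_open(rule["source"]):
            continue
        where = f"from {rule['source']} at priority {rule['priority']}"
        low, high = parse_port_range(rule["port_range"])
        proto = rule["protocol"].upper()
        if proto == "TCP":
            findings += [f"{name} (TCP {port}) allowed {where}"
                         for port, name in SENSITIVE_TCP_PORTS.items() if low <= port <= high]
        elif proto.startswith("ICMP"):
            findings.append(f"ICMP allowed {where}")
    return findings

# Constructed sample: the three default rules from the table, then the same rules with
# the authorization object narrowed to a placeholder administrative range (TEST-NET-3).
DEFAULT_RULES = [
    {"protocol": "TCP", "port_range": "22/22", "source": "0.0.0.0/0", "priority": 100, "action": "Allow"},
    {"protocol": "TCP", "port_range": "3389/3389", "source": "0.0.0.0/0", "priority": 100, "action": "Allow"},
    {"protocol": "ICMP(IPv4)", "port_range": "-1/-1", "source": "0.0.0.0/0", "priority": 100, "action": "Allow"},
]
RESTRICTED_RULES = [dict(r, source="203.0.113.0/24") for r in DEFAULT_RULES]
```

Calling `audit_rules(DEFAULT_RULES)` returns three findings, one per default rule, while `audit_rules(RESTRICTED_RULES)` returns an empty list; a TCP rule whose range merely covers port 22 (for example 1/1024) is also reported.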

If you create ECS instances by calling the RunInstances operation, you must specify at least one existing security group.

Note

Default security group rules that were created before May 27, 2020 have a priority of 110.

Default security group that is used to create ECS instances in the ECS console

If you select a VPC in which no security groups exist when you create ECS instances in the ECS console, you can create a default security group by selecting the IPv4 protocols and ports to which you want to allow access. Alibaba Cloud creates the default security group and the ECS instances in the VPC and adds the instances to the default security group.

When you create ECS instances whose network type is classic network in the ECS console, you can use the default security group only if no security groups of the classic network type exist in your account.

For more information, see the "Use the default security group when you create an ECS instance in the ECS console" section of the "Manage ECS instances in security groups" topic.