A security group acts as a virtual firewall that can control inbound and outbound traffic for Elastic Compute Service (ECS) instances. You can add an ECS instance to one or more security groups based on your business requirements. You can also change the security groups to which an instance belongs.
Background information
You can specify one or more security groups for an ECS instance when you create the instance. Then, the instance is added to the security groups. For more information, see Create an instance by using the wizard.
An ECS instance and the security groups to which you want to add the instance must use the same network type. If the instance and the security groups all use the Virtual Private Cloud (VPC) network type, they must belong to the same VPC.
Security groups are classified into basic and advanced security groups. An ECS instance can be added to multiple security groups only if they are all of the same type.
Each ECS instance must belong to at least one security group. By default, each ECS instance can belong to up to five security groups. For more information, see the "Security group limits" section in Limits.
Procedure
You can perform the following operations to manage the security groups to which an ECS instance belongs:
Add an instance to security groups: You can add an ECS instance to specified security groups. The security groups to which the instance is already added remain unchanged.
Remove an instance from security groups: You can remove an ECS instance from specific security groups.
Replace all the security groups of an ECS instance: You can replace all the security groups to which an ECS instance belongs with one or more security groups. You can perform this operation to move an ECS instance between the two types of security groups.
You can perform the preceding operations on the Instances page, Instance Details page, and Security Groups page in the ECS console.
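The membership rules above (same network type and VPC, one security group type per instance, at least one and by default at most five groups) can be checked before an add, remove, or replace operation is submitted. The following Python is an added example, not Alibaba Cloud code; the Group and Instance records, the "classic" label for a non-VPC network, and all IDs are assumptions made for illustration.

```python
from dataclasses import dataclass

MAX_GROUPS = 5  # default per-instance limit stated on this page

@dataclass(frozen=True)
class Group:            # hypothetical record, not an ECS API type
    gid: str
    kind: str           # "basic" or "advanced"
    network: str        # "vpc" or "classic" (assumed label for non-VPC)
    vpc_id: str = ""

@dataclass(frozen=True)
class Instance:         # hypothetical record, not an ECS API type
    iid: str
    network: str
    vpc_id: str
    groups: tuple

def plan_change(inst, op, targets):
    """Return (resulting groups, rule violations) for add/remove/replace."""
    current = list(inst.groups)
    if op == "add":        # existing memberships stay unchanged
        result = current + [g for g in targets if g not in current]
    elif op == "remove":
        result = [g for g in current if g not in targets]
    elif op == "replace":  # can move the instance between basic and advanced
        result = list(targets)
    else:
        raise ValueError(f"unknown operation: {op}")
    errors = []
    for g in result:
        if g.network != inst.network:
            errors.append(f"{g.gid}: network type differs from instance")
        elif g.network == "vpc" and g.vpc_id != inst.vpc_id:
            errors.append(f"{g.gid}: belongs to a different VPC")
    if len({g.kind for g in result}) > 1:
        errors.append("basic and advanced security groups cannot be mixed")
    if not result:
        errors.append("instance must stay in at least one security group")
    if len(result) > MAX_GROUPS:
        errors.append(f"more than {MAX_GROUPS} security groups")
    return result, errors

# Constructed sample data; every ID is a placeholder.
BASIC_A = Group("sg-basic-a", "basic", "vpc", "vpc-1")
BASIC_B = Group("sg-basic-b", "basic", "vpc", "vpc-1")
ADV_A = Group("sg-adv-a", "advanced", "vpc", "vpc-1")
OTHER_VPC = Group("sg-other", "basic", "vpc", "vpc-2")
WEB = Instance("i-web", "vpc", "vpc-1", (BASIC_A,))
```

Calling plan_change(WEB, "add", [ADV_A]) reports the type conflict, while plan_change(WEB, "replace", [ADV_A]) returns no violations, which matches the page's statement that replacement is how an instance moves between the two types.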
Manage the security groups of one or more ECS instances on the Instances page
Log on to the ECS console.
In the left-side navigation pane, choose Instances & Images > Instances.
In the upper-left corner of the top navigation bar, select a region.
On the Instances page, find one or more ECS instances that you want to manage and manage their security groups.
Manage the security groups of a single ECS instance
On the Instances page, find the ECS instance that you want to manage. In the Actions column, choose > Network and Security Group > Add to Security Group, Remove from Security Group, or Replace Security Groups.
On the Instances page, find the ECS instance that you want to manage and click the instance ID. The instance details page appears. In the Basic Information section on the Instance Details tab, click Add to Security Group.
On the Instances page, find the ECS instance that you want to manage and click the instance ID. The instance details page appears. Click the Security Groups tab, and then click Add to Security Group or Replace Security Groups. You can also click Remove in the Actions column corresponding to the security group that you want to manage.
Manage the security groups of multiple ECS instances
On the Instances page, select the ECS instances that you want to manage and choose More > Network and Security Group > Add to Security Group, Remove from Security Group, or Replace Security Groups in the lower part of the page.
In the dialog box that appears, select the security groups that you want to add, remove, or replace.
Manage ECS instances in a security group on the security group details page
Log on to the ECS console.
In the left-side navigation pane, choose .
In the upper-left corner of the top navigation bar, select a region.
On the Security Groups page, find the security group that you want to manage. In the Actions column, click Manage Instances.
In the left-side navigation pane of the security group details page, click Instances in Security Group.
Add ECS instances to a security group
In the upper-right corner of the page, click Add Instance.
In the Add Instance dialog box, select an ECS instance ID and click OK.
To add multiple ECS instances to the security group, repeat the preceding steps.
After you add the instances to the security group, the rules of the security group automatically apply to the instances.
Remove ECS instances from a security group
Select one or more ECS instances and click Remove from Security Group below the instance list.
Click OK.
Use the default security group when you create an ECS instance in the ECS console
If you create an ECS instance in the ECS console and no security groups are available, the system creates a default security group. In this case, you can select the ports and protocols that you want to enable for IPv4 in the default security group based on your business requirements.

For more information about how to create an ECS instance, see Create an instance by using the wizard.
Attributes of default security groups
The following section describes the attributes of each default security group.
Security group type: basic security group.
Network type: same as that of the created ECS instance.
Default security group rules:
The security group rules have a priority of 100.
Note: Default security group rules created before May 27, 2020 have a priority of 110.
Rule description:
Outbound: By default, all outbound traffic from ECS instances in the default security group is allowed.
Inbound: By default, only inbound ICMP access and inbound access on port 22 and port 3389 are allowed. You can specify whether to allow inbound access on HTTP port 80 and HTTPS port 443. If you use ECS instances to build websites, you must allow access on HTTP port 80 and HTTPS port 443.
Default security groups displayed on the Security Groups page
If a security group displayed on the Security Groups page in the ECS console has a description similar to "System created security group.", it is a default security group.
You can add custom rules to the default security group, or modify its existing rules, to control inbound and outbound traffic in a fine-grained manner. You can also manage the ECS instances and elastic network interfaces (ENIs) in the default security group.
If the default security group rules do not meet your business requirements, you can create custom security groups, add rules to the custom security groups, and then add ECS instances or ENIs to the custom security groups. For more information, see Create a security group.
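Because the default rules open ports 22 and 3389 inbound, a periodic review of default security groups is a useful check. The following Python is an added example, not Alibaba Cloud code: it finds default groups by the description text above and lists inbound allow rules that reach a management port from outside an approved admin network. The record layout, field names, IDs, and CIDRs are constructed assumptions to map from your own export.

```python
import ipaddress

DEFAULT_MARKER = "system created security group"  # description text named on this page
MGMT_PORTS = (22, 3389)  # management ports the default rules open inbound

def covers_port(port_range, port):
    """True if a 'low/high' port range string (assumed format) includes port."""
    low, high = (int(p) for p in port_range.split("/"))
    return low <= port <= high

def audit_default_groups(groups, admin_cidrs):
    """List (group id, port, source) for default-group inbound allow rules that
    reach a management port from outside the approved admin networks."""
    admins = [ipaddress.ip_network(c) for c in admin_cidrs]
    findings = []
    for group in groups:
        if DEFAULT_MARKER not in group["description"].lower():
            continue  # only default groups are in scope here
        for r in group["rules"]:
            if r["direction"] != "inbound" or r["policy"] != "allow":
                continue
            source = ipaddress.ip_network(r["source"])
            if any(source.subnet_of(net) for net in admins):
                continue  # source lies inside an approved admin network
            for port in MGMT_PORTS:
                if r["protocol"] == "all" or (
                    r["protocol"] == "tcp" and covers_port(r["ports"], port)
                ):
                    findings.append((group["id"], port, r["source"]))
    return findings

def inbound_allow(protocol, ports, source):
    """Build one constructed inbound allow rule (field names are hypothetical)."""
    return {"direction": "inbound", "policy": "allow",
            "protocol": protocol, "ports": ports, "source": source}

# Constructed sample export; IDs and CIDRs are placeholders, not real resources.
SAMPLE = [
    {"id": "sg-default", "description": "System created security group.",
     "rules": [inbound_allow("icmp", "-1/-1", "0.0.0.0/0"),
               inbound_allow("tcp", "22/22", "0.0.0.0/0"),
               inbound_allow("tcp", "3389/3389", "203.0.113.0/24"),
               inbound_allow("tcp", "80/80", "0.0.0.0/0")]},
    {"id": "sg-web", "description": "custom web tier",
     "rules": [inbound_allow("tcp", "22/22", "0.0.0.0/0")]},
]
```

With 203.0.113.0/24 as the only approved admin network, the sample yields a single finding: port 22 in sg-default open to 0.0.0.0/0.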