The system creates a default security group for each account. By default, the default security group rules:
- Allow all outbound packets: Instances in the default security group can send requests to and receive responses from instances in other security groups.
- Deny all inbound packets: Requests from instances in other security groups will be denied by the default security group.
Figure 1 Default security group
- You cannot delete the default security group, but you can modify the rules for the default security group.
- If two ECSs are in the same security group but in different VPCs, the ECSs cannot communicate with each other. To enable communications between the ECSs, use a VPC peering connection to connect the two VPCs.
Table 1 describes the default rules for the default security group.
Direction |
Protocol |
Port/Range |
Source/Destination |
Description |
|---|---|---|---|---|
Outbound |
All |
All |
Destination: 0.0.0.0/0 |
Allows all outbound traffic. |
Inbound |
All |
All |
Source: the current security group (for example, sg-xxxxx) |
Allows communications among ECSs within the security group and denies all inbound traffic (incoming data packets). |