To simplify the creation of Elastic Compute Service (ECS) instances, Alibaba Cloud creates default security groups that contain default security group rules if you do not specify security groups when you create ECS instances. This topic describes the creation conditions and features of default security groups and how to use default security groups.
Features of default security groups
If you do not specify a security group when you create an ECS instance, Alibaba Cloud adds the instance to a default security group. If no default security groups exist or the existing default security groups cannot accommodate additional ECS instances, Alibaba Cloud creates a default security group and adds the instance to the created security group. A security group that resides in a virtual private cloud (VPC) can be used only in the VPC. If no default security group exists in a VPC and you create ECS instances in the VPC without specifying a security group, Alibaba Cloud creates a default security group in the VPC.
Default security groups are basic security groups. For information about basic security groups, see Basic security groups and advanced security groups. You can create and modify security group rules in default security groups. Default security groups contain default inbound security group rules. The following table describes the security group rules.
Protocol type | Port range | Authorization object | Priority | Action
------------- | ---------- | -------------------- | -------- | ------
SSH           | 22/22      | 0.0.0.0/0            | 100      | Allow
RDP           | 3389/3389  | 0.0.0.0/0            | 100      | Allow
ICMP(IPv4)    | -1/-1      | 0.0.0.0/0            | 100      | Allow
Default security groups contain default inbound security group rules that allow TCP access from all IP addresses on SSH port 22 and Remote Desktop Protocol (RDP) port 3389.
Default security groups contain a default inbound security group rule that allows ICMP (IPv4) access from all IP addresses on all ports.
Important: Default security groups are provided to simplify the first-time creation of ECS instances. The default security group rules in default security groups, which allow TCP access from all IP addresses (0.0.0.0/0) on SSH port 22 and RDP port 3389 and allow ICMP (IPv4) access from all IP addresses on all ports, allow any user to connect to the ECS instances contained in the default security groups. This poses security risks and exposes ECS instances to brute-force attacks. For security reasons, we recommend that you configure security group rules to allow access only from specific IP addresses. We also recommend that you create custom security groups or modify the default security group rules in default security groups based on your business requirements, instead of using the default security group rules as they are.
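The following is an added example, not Alibaba Cloud code, that audits a security group's inbound rules for the three default rules listed in the table and rewrites them to allow access only from specific administrative CIDR ranges, as the note above recommends. The rule records are constructed for this example; their field names (Direction, IpProtocol, PortRange, SourceCidrIp, Priority, Policy) are assumed to follow the Permission entries returned by the DescribeSecurityGroupAttribute operation, and the administrative ranges 203.0.113.0/24 and 198.51.100.7/32 are placeholders. It also accepts priority 110 as a default priority, because the page states that default rules created before May 27, 2020 carry that priority.

```python
import ipaddress
from typing import Dict, List, Tuple

Rule = Dict[str, object]

# Inbound default rules from the table above: (protocol, port range) -> label.
DEFAULT_RULE_SHAPES: Dict[Tuple[str, str], str] = {
    ("TCP", "22/22"): "SSH",
    ("TCP", "3389/3389"): "RDP",
    ("ICMP", "-1/-1"): "ICMP(IPv4)",
}
# Default rules carry priority 100, or 110 if created before May 27, 2020.
DEFAULT_PRIORITIES = {100, 110}

# CONSTRUCTED sample rule set. Field names are assumed to mirror the Permission
# entries returned by DescribeSecurityGroupAttribute; this is not API output.
SAMPLE_RULES: List[Rule] = [
    {"Direction": "ingress", "IpProtocol": "TCP", "PortRange": "22/22",
     "SourceCidrIp": "0.0.0.0/0", "Priority": 100, "Policy": "Accept"},
    {"Direction": "ingress", "IpProtocol": "TCP", "PortRange": "3389/3389",
     "SourceCidrIp": "0.0.0.0/0", "Priority": 110, "Policy": "Accept"},
    {"Direction": "ingress", "IpProtocol": "ICMP", "PortRange": "-1/-1",
     "SourceCidrIp": "0.0.0.0/0", "Priority": 100, "Policy": "Accept"},
    # A deliberately public web port: open to the world, but not a default rule.
    {"Direction": "ingress", "IpProtocol": "TCP", "PortRange": "443/443",
     "SourceCidrIp": "0.0.0.0/0", "Priority": 1, "Policy": "Accept"},
    # SSH already restricted to a placeholder admin range: nothing to change.
    {"Direction": "ingress", "IpProtocol": "TCP", "PortRange": "22/22",
     "SourceCidrIp": "203.0.113.0/24", "Priority": 1, "Policy": "Accept"},
    {"Direction": "egress", "IpProtocol": "ALL", "PortRange": "-1/-1",
     "DestCidrIp": "0.0.0.0/0", "Priority": 100, "Policy": "Accept"},
]


def allows_any_ipv4(cidr: str) -> bool:
    """True if the range covers every IPv4 address (0.0.0.0/0 or an equivalent)."""
    try:
        net = ipaddress.ip_network(cidr, strict=False)
    except ValueError:
        return False
    return net.version == 4 and net.prefixlen == 0


def rule_shape(rule: Rule) -> Tuple[str, str]:
    """Normalise a rule to the (protocol, port range) key used in the table."""
    return (str(rule.get("IpProtocol", "")).upper(), str(rule.get("PortRange", "")))


def is_default_exposure(rule: Rule) -> bool:
    """Inbound Accept rule of one of the default shapes, open to all of IPv4."""
    return (
        rule.get("Direction") == "ingress"
        and rule.get("Policy") == "Accept"
        and rule_shape(rule) in DEFAULT_RULE_SHAPES
        and allows_any_ipv4(str(rule.get("SourceCidrIp", "")))
    )


def find_default_exposures(rules: List[Rule]) -> List[Tuple[str, int, bool]]:
    """Return (label, priority, has_default_priority) for each exposed default-shaped rule.

    has_default_priority is True when the priority is 100 or 110, which helps tell
    the stock default rule apart from a hand-written copy of it."""
    findings = []
    for rule in rules:
        if is_default_exposure(rule):
            prio = int(rule.get("Priority", 0))
            findings.append((DEFAULT_RULE_SHAPES[rule_shape(rule)], prio, prio in DEFAULT_PRIORITIES))
    return findings


def harden(rules: List[Rule], admin_cidrs: List[str]) -> List[Rule]:
    """Replace each world-open default rule with one copy per administrative CIDR.

    Every other rule is passed through unchanged. A CIDR that itself covers all of
    IPv4 is rejected, because it would leave the rule as exposed as before."""
    for cidr in admin_cidrs:
        ipaddress.ip_network(cidr, strict=False)  # reject malformed input early
        if allows_any_ipv4(cidr):
            raise ValueError(f"{cidr} would keep the rule open to all IPv4 addresses")
    hardened: List[Rule] = []
    for rule in rules:
        if not is_default_exposure(rule):
            hardened.append(dict(rule))
            continue
        for cidr in admin_cidrs:
            replacement = dict(rule)
            replacement["SourceCidrIp"] = cidr
            hardened.append(replacement)
    return hardened


if __name__ == "__main__":
    for label, prio, stock in find_default_exposures(SAMPLE_RULES):
        kind = "default rule" if stock else "custom rule"
        print(f"{label:<11} priority {prio} open to 0.0.0.0/0 ({kind})")
    fixed = harden(SAMPLE_RULES, ["203.0.113.0/24", "198.51.100.7/32"])
    print(f"after hardening: {len(find_default_exposures(fixed))} exposures, {len(fixed)} rules")
```

The audit deliberately matches on protocol, port range and source range rather than on priority alone, so a copy of the default SSH rule that someone recreated with a different priority is still reported; the priority is only used to indicate whether the rule is likely the stock one. The 443 rule stays open because it is not one of the default shapes, which keeps the rewrite limited to the rules the note above describes.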
Create a default security group
Use a default security group when you create an ECS instance by calling an API operation
If you do not specify security groups when you call the CreateInstance operation to create an ECS instance, Alibaba Cloud adds the created instance to a default security group. If no default security groups exist or the existing default security groups cannot accommodate additional ECS instances, Alibaba Cloud creates a default security group and adds the instance to the created security group.
If you call the RunInstances operation to create ECS instances, you must specify existing security groups.
Default security group rules that were created before May 27, 2020 have a priority of 110.
Use a default security group when you create an ECS instance in the ECS console
When you create ECS instances on the Quick Launch tab of the instance buy page in the ECS console, Alibaba Cloud adds the instances to a default security group. If no default security groups exist or the existing default security groups cannot accommodate additional ECS instances, Alibaba Cloud creates a default security group and adds the instances to the created security group.