Process Flow - Default security group behavior

Create VPC

↓

Auto-create Default Security Group

↓

Inbound Rules: Allow all traffic from same SG

↓

Outbound Rules: Allow all traffic to anywhere

↓

Attach SG to EC2 Instances

↓

Instances communicate based on SG rules

When a VPC is created, AWS automatically creates a default security group with rules allowing all inbound traffic from instances in the same group and all outbound traffic to anywhere.

Execution Sample

AWS

1. Create VPC
2. Default SG created automatically
3. Default SG inbound: allow all from self
4. Default SG outbound: allow all
5. Launch EC2 with default SG
6. Instances communicate freely within SG

This sequence shows how the default security group is created and how its rules allow communication between instances using it.

Process Table

Step	Action	Security Group State	Inbound Rules	Outbound Rules	Effect on Instances
1	Create VPC	No SG yet	N/A	N/A	No network rules
2	Default SG auto-created	Default SG exists	Allow all from self	Allow all to anywhere	No restrictions yet
3	Launch EC2 instance with default SG	Default SG attached	Allow all from self	Allow all to anywhere	Instance can talk to others in SG
4	Launch second EC2 with default SG	Both instances in default SG	Allow all from self	Allow all to anywhere	Instances communicate freely
5	Try inbound from outside SG	Default SG unchanged	Allow all from self only	Allow all to anywhere	Inbound blocked from outside
6	Try outbound to anywhere	Default SG unchanged	Allow all from self	Allow all to anywhere	Outbound allowed to all
7	Terminate instances	Default SG remains	Allow all from self	Allow all to anywhere	No instances to communicate
8	Delete VPC	Default SG deleted	N/A	N/A	No network resources
9	End	No SG	N/A	N/A	No network communication

💡 VPC deletion removes default security group and all associated network resources

Status Tracker

Variable	Start	After Step 2	After Step 3	After Step 4	After Step 7	Final
VPC	Not created	Created	Created	Created	Created	Deleted
Default Security Group	None	Created	Attached to instance	Attached to two instances	Exists	Deleted
Inbound Rules	N/A	Allow all from self	Allow all from self	Allow all from self	Allow all from self	N/A
Outbound Rules	N/A	Allow all to anywhere	Allow all to anywhere	Allow all to anywhere	Allow all to anywhere	N/A
Instances	None	None	One instance	Two instances	None	None

Key Moments - 3 Insights

Why can instances in the default security group communicate with each other without explicit inbound rules?

Why is inbound traffic from outside the default security group blocked?

Does the default security group allow outbound traffic to anywhere?

Visual Quiz - 3 Questions

Test your understanding

Look at the execution_table at step 4. How many instances are attached to the default security group?

AOne instance

BNo instances

CTwo instances

DThree instances

Concept Snapshot

Default Security Group Behavior:
- Created automatically with each VPC
- Inbound: allows all traffic from instances in same SG
- Outbound: allows all traffic to anywhere
- Enables easy communication between instances in same SG
- Blocks inbound traffic from outside by default

Full Transcript

When you create a new VPC in AWS, a default security group is created automatically. This security group has rules that allow all inbound traffic from instances that are also in this group, and allow all outbound traffic to any destination. When you launch EC2 instances and assign them this default security group, they can communicate freely with each other. However, inbound traffic from outside the group is blocked. The default security group remains until the VPC is deleted, which removes all associated resources. This behavior helps instances in the same group to communicate easily while protecting from outside inbound traffic.