The security group is based on the allowlist mechanism. By default, if no rules are set for a newly created security group, all inbound traffics to access VM instances in the security group are not allowed, while outbound traffics from VM instances in the security group are not restricted.