Comment 5 for bug 681416

standalone ec2-api project has two ways to run instance - with VPC(only when neutron active) and without VPC(EC2 classic mode).

In VPC mode default security group is created for each VPC with no rules.
In EC2 classic mode system default security group is used if no one specified. And rules from default group is used. Operator can configure this default security group with any rules through OpenStack API or through EC2 API. Amazon has same situation - default security group has no rules by default but user can configure it.