diff --git a/library/cloud/ec2_group b/library/cloud/ec2_group
index 56581ecd778..ac0389accaa 100644
--- a/library/cloud/ec2_group
+++ b/library/cloud/ec2_group
@@ -313,6 +313,20 @@ def main():
 src_group_id=grantGroup,
 cidr_ip=ip)
 changed = True
+ elif vpc_id and not module.check_mode:
+ # when using a vpc, but no egress rules are specified,
+ # we add in a default allow all out rule, which was the
+ # default behavior before egress rules were added
+ if 'out--1-None-None-None-0.0.0.0/0' not in groupRules:
+ ec2.authorize_security_group_egress(
+ group_id=group.id,
+ ip_protocol=-1,
+ from_port=None,
+ to_port=None,
+ src_group_id=None,
+ cidr_ip='0.0.0.0/0'
+ )
+ changed = True
 
 # Finally, remove anything left in the groupRules -- these will be defunct rules
 for rule in groupRules.itervalues():
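Review bot: When the default egress rule already exists, the inner `if` skips the authorize call but leaves the key `'out--1-None-None-None-0.0.0.0/0'` in `groupRules`, so the cleanup loop directly after the new branch, which by its own comment removes whatever is left in `groupRules`, would presumably revoke the rule and the next run would add it back. An `else:` arm with `del groupRules['out--1-None-None-None-0.0.0.0/0']` (with the key bound to one name rather than repeated) would keep the existing rule out of the purge. Separately, because the branch is gated on `not module.check_mode`, a check-mode run reports no change even when the allow-all rule would be created; setting `changed = True` outside the API call would fix that. Since this path silently grants unrestricted outbound traffic to `0.0.0.0/0`, the module documentation should state that omitting egress rules on a VPC group results in allow-all egress. The loop body and the rest of main() lie outside the hunk, so the purge behaviour should be confirmed there.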