If you are familiar with the ports that are commonly used by ECS instances, you can specify them in access control list (ACL) rules to facilitate precise network traffic filtering. This topic describes the ports that are commonly used by ECS instances and the application scenarios of these ports.

Ports

The following table lists the ports and the services that use these ports.

Port | Service | Description
---- | ------- | -----------
21 | FTP | The FTP port. It is used to upload and download files.
22 | SSH | The SSH port. It is used to log on to Linux instances from the command line by using a username and password.
23 | Telnet | The Telnet port. It is used to remotely log on to ECS instances.
25 | SMTP | The SMTP port. It is used to send emails.
80 | HTTP | The HTTP port. It is used to access services such as IIS, Apache, and NGINX.
110 | POP3 | The POP3 port. It is used to send and receive emails.
143 | IMAP | The Internet Message Access Protocol (IMAP) port. It is used to receive emails.
443 | HTTPS | The HTTPS port. It is used to access services over HTTPS, which provides encrypted and secure data transmission.
1433 | SQL Server | The TCP port of SQL Server. It is used for SQL Server to provide external services.
1434 | SQL Server | The UDP port of SQL Server. It is used to return the TCP/IP port on which SQL Server listens.
1521 | Oracle | The Oracle communication port. ECS instances that run Oracle SQL must have this port open.
3306 | MySQL | The MySQL port. It is used for MySQL databases to provide external services.
3389 | Windows Server Remote Desktop Services | The Windows Server Remote Desktop Services port. It is used to log on to a Windows instance.
8080 | Proxy port | An alternative to port 80. It is commonly used for WWW proxy services.

Custom network ACLs

Table 1 and Table 2 describe a network ACL example for VPCs that support IPv4 addresses only.
  • The inbound rules in effective order 1, 2, 3, and 4 respectively allow HTTP, HTTPS, SSH, and RDP traffic to the VSwitch. The response traffic for these rules is allowed by the outbound rule in effective order 3.
  • The outbound rules in effective order 1 and 2 respectively allow HTTP and HTTPS traffic from the VSwitch. The response traffic for these rules is allowed by the inbound rule in effective order 5.
  • The inbound rule in effective order 6 denies all inbound IPv4 traffic. This rule ensures that packets that do not match any other rule are denied.
  • The outbound rule in effective order 4 denies all outbound IPv4 traffic. This rule ensures that packets that do not match any other rule are denied.
Note: Network ACL rules are stateless. Each inbound or outbound rule that allows a request must be paired with a rule in the opposite direction that allows the response traffic; otherwise the connection cannot be established.
Table 1. Inbound rules

Effective order | Protocol | Source IP addresses | Destination port range | Action | Description
--------------- | -------- | ------------------- | ---------------------- | ------ | -----------
1 | TCP | 0.0.0.0/0 | 80/80 | Accept | Allows inbound HTTP traffic from any IPv4 address.
2 | TCP | 0.0.0.0/0 | 443/443 | Accept | Allows inbound HTTPS traffic from any IPv4 address.
3 | TCP | 0.0.0.0/0 | 22/22 | Accept | Allows inbound SSH traffic from any IPv4 address.
4 | TCP | 0.0.0.0/0 | 3389/3389 | Accept | Allows inbound RDP traffic from any IPv4 address.
5 | TCP | 0.0.0.0/0 | 32768/65535 | Accept | Allows inbound IPv4 traffic from the Internet (responses to outbound requests). This port range is for reference only. For more information about how to select appropriate ephemeral ports, see Ephemeral ports.
6 | All | 0.0.0.0/0 | -1/-1 | Drop | Denies all inbound IPv4 traffic.
Table 2. Outbound rules

Effective order | Protocol | Destination IP addresses | Destination port range | Action | Description
--------------- | -------- | ------------------------ | ---------------------- | ------ | -----------
1 | TCP | 0.0.0.0/0 | 80/80 | Accept | Allows outbound IPv4 HTTP traffic from the VSwitch to the Internet.
2 | TCP | 0.0.0.0/0 | 443/443 | Accept | Allows outbound IPv4 HTTPS traffic from the VSwitch to the Internet.
3 | TCP | 0.0.0.0/0 | 32768/65535 | Accept | Allows outbound IPv4 traffic from the VSwitch to the Internet (responses to inbound requests). This port range is for reference only. For more information about how to select appropriate ephemeral ports, see Ephemeral ports.
4 | All | 0.0.0.0/0 | -1/-1 | Drop | Denies all outbound IPv4 traffic.

Network ACLs for SLB

If the ECS instance in the VSwitch acts as a backend server of an SLB instance, you must add the following network ACL rules.

  • Inbound rules

    Effective order | Protocol | Source IP addresses | Destination port range | Action | Description
    --------------- | -------- | ------------------- | ---------------------- | ------ | -----------
    1 | SLB listener protocol | Client IP addresses allowed to access the SLB instance | SLB listener port | Accept | Allows inbound traffic from the specified client IP addresses.
    2 | Health check protocol | 100.64.0.0/10 | Health check port | Accept | Allows inbound traffic from the health check IP addresses.

  • Outbound rules

    Effective order | Protocol | Destination IP addresses | Destination port range | Action | Description
    --------------- | -------- | ------------------------ | ---------------------- | ------ | -----------
    1 | All | Client IP addresses allowed to access the SLB instance | -1/-1 | Accept | Allows all outbound traffic to the specified client IP addresses.
    2 | All | 100.64.0.0/10 | -1/-1 | Accept | Allows outbound traffic to the health check IP addresses.

Ephemeral ports

Clients use different ephemeral (source) ports to initiate requests, so the port range you allow for response traffic in network ACL rules depends on the client type. The following table lists the ephemeral port ranges of common clients.

Client | Port range
------ | ----------
Linux | 32768/61000
Windows Server 2003 | 1025/5000
Windows Server 2008 and later | 49152/65535
NAT gateway | 1024/65535
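As an added example (not code from the original page or from Alibaba Cloud), the following Python script evaluates Table 1 and Table 2 the way a stateless network ACL does, first match in effective order, and checks both legs of a connection. It shows why inbound rule 5 and outbound rule 3 are needed, and why a client whose ephemeral ports fall outside 32768/65535 (for example Windows Server 2003 in the Ephemeral ports table) never receives its replies. The rule encoding, the "no match means Drop" fallback and the sample IP addresses are constructed assumptions.

```python
import ipaddress

# Constructed encoding of Table 1 and Table 2:
# (effective order, protocol, CIDR, port_lo, port_hi, action); -1/-1 = any port.
INBOUND = [
    (1, "TCP", "0.0.0.0/0", 80, 80, "Accept"),
    (2, "TCP", "0.0.0.0/0", 443, 443, "Accept"),
    (3, "TCP", "0.0.0.0/0", 22, 22, "Accept"),
    (4, "TCP", "0.0.0.0/0", 3389, 3389, "Accept"),
    (5, "TCP", "0.0.0.0/0", 32768, 65535, "Accept"),  # replies to outbound requests
    (6, "All", "0.0.0.0/0", -1, -1, "Drop"),
]
OUTBOUND = [
    (1, "TCP", "0.0.0.0/0", 80, 80, "Accept"),
    (2, "TCP", "0.0.0.0/0", 443, 443, "Accept"),
    (3, "TCP", "0.0.0.0/0", 32768, 65535, "Accept"),  # replies to inbound requests
    (4, "All", "0.0.0.0/0", -1, -1, "Drop"),
]


def evaluate(rules, proto, addr, dst_port):
    """Return (effective order, action) of the first matching rule, stateless."""
    ip = ipaddress.ip_address(addr)
    for order, rproto, cidr, lo, hi, action in sorted(rules, key=lambda r: r[0]):
        if rproto != "All" and rproto != proto:
            continue
        if ip not in ipaddress.ip_network(cidr):
            continue
        if lo != -1 and not (lo <= dst_port <= hi):
            continue
        return order, action
    return None, "Drop"  # assumption: no matching rule means the packet is dropped


def check_flow(remote_ip, ephemeral_port, service_port, ecs_is_server=True):
    """A TCP connection works only if the request AND the reply are both accepted.

    ecs_is_server=True: a client at remote_ip (using ephemeral_port) connects to
    service_port on the ECS instance. ecs_is_server=False: the ECS instance
    (using ephemeral_port) connects to service_port at remote_ip.
    """
    if ecs_is_server:
        request = evaluate(INBOUND, "TCP", remote_ip, service_port)
        reply = evaluate(OUTBOUND, "TCP", remote_ip, ephemeral_port)
    else:
        request = evaluate(OUTBOUND, "TCP", remote_ip, service_port)
        reply = evaluate(INBOUND, "TCP", remote_ip, ephemeral_port)
    return request[1] == "Accept" and reply[1] == "Accept"
```

A Linux client (ephemeral port 40000) reaching HTTPS on the instance succeeds, while a Windows Server 2003 client (ephemeral port 1025) reaching SSH has its reply dropped by outbound rule 4, which is exactly what the note under rule 5 and rule 3 warns about.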