After you become familiar with the default ports that typical applications use, you can add or modify security group rules more precisely. This way, applications hosted on Elastic Compute Service (ECS) instances can provide external services only over the ports they require, which covers business scenarios such as connecting to an ECS instance over SSH or sending emails through the Simple Mail Transfer Protocol (SMTP) service. This topic describes the common ports of ECS instances and the corresponding usage scenarios.
Background information
When you add security group rules to a security group, you must specify communication ports or port ranges. The security group allows or denies traffic to or from ECS instances based on the security group rules.
For example, when you connect to a Linux instance in a security group by using an Xshell client, the security group detects an SSH request from the Internet or internal network. Then, the security group matches the request against each inbound rule to check whether the rule contains the IP address of the request sender and whether port 22 is open. A connection is not established to the instance until an inbound rule that allows the request is matched.
Some carriers mark ports 25, 135, 139, 444, 445, 5800, and 5900 as high-risk ports and block traffic over these ports by default. Even if security group rules open the ports, ECS instances in specific regions remain inaccessible over them. We recommend that you do not use these ports.
For information about the ports that are used by applications on Windows Server operating systems, see Service overview and network port requirements for Windows in Microsoft documentation.
Common ports
The following table describes the default ports that are used by typical applications.
| Port | Service | Description |
| --- | --- | --- |
| 21 | FTP | The FTP port. The port is used to upload and download files. |
| 22 | SSH | The SSH port. The port is used to log on to Linux ECS instances by using a CLI tool or remote connection software such as PuTTY, Xshell, and SecureCRT. For more information, see Connect to a Linux instance by using a username and password. |
| 23 | Telnet | The Telnet port. The port is used to log on to ECS instances. |
| 25 | SMTP | The SMTP port. The port is used to send emails. Note: By default, port 25 is disabled on ECS instances to ensure security. We recommend that you use the SSL port to send emails. In most cases, the SSL port is port 465. |
| 53 | DNS | The Domain Name Server (DNS) port. Note: If a security group denies all outbound access by default and allows specific outbound access based on security group rules, you must add security group rules that open the default UDP port 53 for outbound traffic to resolve domain names. |
| 80 | HTTP | The HTTP port. The port is used to access services such as IIS, Apache, and NGINX. For information about how to troubleshoot issues related to port 80, see Check whether TCP port 80 is available. |
| 110 | POP3 | The POP3 port. The port is used to send and receive emails. |
| 143 | IMAP | The Internet Message Access Protocol (IMAP) port. The port is used to receive emails. |
| 443 | HTTPS | The HTTPS port. The port is used for access over HTTPS. The HTTPS protocol provides encrypted and secure data transmission. |
| 1433 | SQL Server | The TCP port of SQL Server. The port is used for SQL Server to provide external services. |
| 1434 | SQL Server | The UDP port of SQL Server. The port is used to obtain the TCP/IP port and IP address that are used by SQL Server. Important: Open UDP port 1434 only if you need to use the SQL Server Browser service. If you do not need to use the SQL Server Browser service, we recommend that you close UDP port 1434 or restrict traffic over the port to ensure security. |
| 1521 | Oracle | The Oracle communication port. ECS instances that run Oracle SQL must have this port open. |
| 3306 | MySQL | The MySQL port. The port is used for MySQL to provide external services. |
| 3389 | Windows Server Remote Desktop Services | The Windows Server Remote Desktop Services port. The port is used to log on to Windows ECS instances. For more information, see Connect to a Windows instance by using a username and password. |
| 8080 | Proxy service | An alternative to port 80. In most cases, port 8080 is used for |
| 137, 138, and 139 | NetBIOS | In most cases, the NetBIOS protocol is used to share Windows files and printers. The protocol is also used in Samba. |
Sample usage scenarios
The following table describes sample usage scenarios of specific common ports that are used by ECS instances and the security group rules that are used for the scenarios. For information about more usage scenarios, see Security groups for different use cases.
| Usage scenario | Network type | Direction | Action | Protocol | Port range | Object type | Authorization object | Priority |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Connect to Linux ECS instances over SSH | Virtual Private Cloud (VPC) | Inbound | Allow | Custom TCP | SSH (22) | CIDR block | 0.0.0.0/0 | 1 |
| Connect to Linux ECS instances over SSH | Classic network | Internet ingress | Allow | Custom TCP | SSH (22) | CIDR block | 0.0.0.0/0 | 1 |
| Connect to Windows ECS instances over Remote Desktop Protocol (RDP) | VPC | Inbound | Allow | Custom TCP | RDP (3389) | CIDR block | 0.0.0.0/0 | 1 |
| Connect to Windows ECS instances over Remote Desktop Protocol (RDP) | Classic network | Internet ingress | Allow | Custom TCP | RDP (3389) | CIDR block | 0.0.0.0/0 | 1 |
| Ping ECS instances over the Internet | VPC | Inbound | Allow | All ICMP | -1/-1 | CIDR block or security group | Subject to the authorization type | 1 |
| Ping ECS instances over the Internet | Classic network | Internet ingress | Allow | All ICMP | -1/-1 | CIDR block or security group | Subject to the authorization type | 1 |
| Use ECS instances as web servers | VPC | Inbound | Allow | Custom TCP | HTTP (80) | CIDR block | 0.0.0.0/0 | 1 |
| Use ECS instances as web servers | Classic network | Internet ingress | Allow | Custom TCP | HTTP (80) | CIDR block | 0.0.0.0/0 | 1 |
| Upload and download files over FTP | VPC | Inbound | Allow | Custom TCP | 20/21 | CIDR block | Specified CIDR blocks | 1 |
| Upload and download files over FTP | Classic network | Internet ingress | Allow | Custom TCP | 20/21 | CIDR block | Specified CIDR blocks | 1 |
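The following added example (not part of the original topic, and not Alibaba Cloud code) models the rule matching described in the Background information section and encodes the VPC rows of the sample usage scenarios table as data. It evaluates constructed inbound requests against those rules (protocol, port range, and whether the sender's IP address falls inside the authorized CIDR block) and adds an audit that flags rules opening the carrier-blocked ports listed above or exposing UDP port 1434 to 0.0.0.0/0. Assumptions made here rather than stated on the page: rules are evaluated in ascending priority value, a request that matches no rule is denied, and the "Specified CIDR blocks" object for FTP is a constructed 203.0.113.0/24.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    direction: str   # "inbound" or "outbound"
    action: str      # "allow" or "deny"
    protocol: str    # "tcp", "udp", "icmp", or "all"
    port_from: int   # -1/-1 means all ports (the table's "All ICMP" row)
    port_to: int
    source: str      # authorized CIDR block
    priority: int    # lower value is evaluated first (assumption, see lead-in)


@dataclass(frozen=True)
class Request:
    direction: str
    protocol: str
    port: int        # ignored for ICMP
    source_ip: str


# Constructed data: the VPC rows of the sample usage scenarios table.
SAMPLE_RULES = [
    Rule("inbound", "allow", "tcp", 22, 22, "0.0.0.0/0", 1),       # SSH
    Rule("inbound", "allow", "tcp", 3389, 3389, "0.0.0.0/0", 1),   # RDP
    Rule("inbound", "allow", "icmp", -1, -1, "0.0.0.0/0", 1),      # ping
    Rule("inbound", "allow", "tcp", 80, 80, "0.0.0.0/0", 1),       # web server
    # "Specified CIDR blocks" stands in for a constructed block here.
    Rule("inbound", "allow", "tcp", 20, 21, "203.0.113.0/24", 1),  # FTP
]

# Ports the topic says carriers block by default.
HIGH_RISK_PORTS = {25, 135, 139, 444, 445, 5800, 5900}


def rule_matches(rule: Rule, req: Request) -> bool:
    """True if the rule's direction, protocol, port range, and CIDR all cover the request."""
    if rule.direction != req.direction:
        return False
    if rule.protocol != "all" and rule.protocol != req.protocol:
        return False
    all_ports = rule.port_from == -1 and rule.port_to == -1
    if not all_ports and not (rule.port_from <= req.port <= rule.port_to):
        return False
    try:
        ip = ipaddress.ip_address(req.source_ip)
    except ValueError:
        return False  # malformed sender address never matches
    return ip in ipaddress.ip_network(rule.source, strict=False)


def evaluate(rules: list[Rule], req: Request) -> str:
    """Return the action of the first matching rule by priority; deny if none matches."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule_matches(rule, req):
            return rule.action
    return "deny"


def audit(rules: list[Rule]) -> list[str]:
    """Flag inbound allow rules that open carrier-blocked ports or UDP 1434 to the world."""
    findings = []
    for r in rules:
        if r.action != "allow" or r.direction != "inbound":
            continue
        if r.port_from == -1 and r.port_to == -1:
            continue  # port-less rule (ICMP); nothing to check against the port list
        risky = sorted(p for p in HIGH_RISK_PORTS if r.port_from <= p <= r.port_to)
        if risky:
            findings.append(f"{r.protocol} {r.port_from}/{r.port_to} opens carrier-blocked port(s) {risky}")
        if r.protocol == "udp" and r.port_from <= 1434 <= r.port_to and r.source == "0.0.0.0/0":
            findings.append("UDP 1434 (SQL Server Browser) is open to 0.0.0.0/0; restrict or close it")
    return findings


if __name__ == "__main__":
    ssh = Request("inbound", "tcp", 22, "198.51.100.7")
    ftp_outside = Request("inbound", "tcp", 21, "198.51.100.7")
    print("SSH from 198.51.100.7:", evaluate(SAMPLE_RULES, ssh))            # allow
    print("FTP from 198.51.100.7:", evaluate(SAMPLE_RULES, ftp_outside))    # deny
    print("audit of sample rules:", audit(SAMPLE_RULES))                    # []
```

Running the script shows the two outcomes the Background information section describes: the SSH request from an arbitrary Internet address is allowed because the rule authorizes 0.0.0.0/0 on port 22, while the same sender is denied on port 21 because the FTP rule only authorizes the specified CIDR block. The audit returns nothing for the sample rules and reports a finding as soon as a rule opens, for example, TCP 445 or UDP 1434 to the world.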