
Elastic Compute Service:Windows System Firewall Policy Configuration Guide

Last Updated: Jan 10, 2025

This topic describes how to configure Windows Defender Firewall policies on Windows ECS instances so that you can control which programs, local ports, and remote IP addresses are allowed to reach the instance.

Overview of operations

Refer to the table below to understand what each feature does; the sections that follow describe how to configure each one. This guide uses Windows Server 2022 as an example.

Feature 1: Allow a program or feature through Windows Firewall

  Description: Permits specific applications or services to accept inbound connections from the Internet or other networks, so that the firewall does not hinder their functionality. For instance, you can allow file sharing software and instant messaging applications through Windows Firewall.

Feature 2: Allow or block access to specific local ports

  Description: Allows or blocks connections from the Internet or other networks to specific local ports, reducing the risk of malware or attackers exploiting these ports. For instance, if the FTP service (default port 21) is not required, you can block access to port 21 to enhance security.

Feature 3: Allow or block access from specific IP addresses

  Description: Allows or blocks specific IP addresses from accessing your programs, services, ports, etc., to mitigate the risk of malware or attackers exploiting vulnerabilities. For instance, you can permit access to the instance only from your local computer's IP address.

Feature 1: Allow a program or feature through Windows Firewall

  1. Connect to the instance using VNC. For detailed instructions, see Connect to the Instance Using VNC.

  2. Click Start > Control Panel > System and Security > Windows Defender Firewall.

  3. Click Allow an App or Feature Through Windows Defender Firewall.

  4. Click Allow Another App.

  5. On the Add an App page, under the Apps (P) tab, double-click the specified application. If the application is not listed, click Browse to locate the application file in the file system and double-click to select it.

Feature 2: Allow or block access to specific local ports

  1. Connect to the instance using VNC. For detailed instructions, see Connect to the Instance Using VNC.

  2. Click Start > Control Panel > System and Security > Windows Defender Firewall.

  3. Click Advanced Settings.

  4. Click Inbound Rules > New Rule.

  5. Configure the rules.

    1. In the Rule Type step, select Port, and click Next.

    2. In the Protocol and Ports step, select the protocol TCP or UDP, choose Specific Local Ports (S), and enter the local port number, such as 8080. Click Next.

    3. In the Action step, choose Block the Connection or Allow the Connection. Click Next.

    4. In the Profile step, select the appropriate scope and click Next.

      Note

      The profiles to select depend on the network environment the instance is connected to. By default, all profiles are selected, so the rule applies regardless of the network type.

    5. In the Name step, enter the rule name and description, and click Finish.
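The Feature 1 (allow a program) and Feature 2 (allow or block a local port) rules created from PowerShell instead of the dialogs, as an added example that is not part of this guide; it uses the built-in NetSecurity cmdlets, and the program path, port values and rule names are placeholders chosen for the example.

```powershell
#Requires -RunAsAdministrator
# Added example, not the guide's own code. Run in an elevated PowerShell
# session on the instance. Placeholder values: the program path and rule names.

$appPath = 'C:\Program Files\ExampleApp\exampleapp.exe'   # placeholder path

# Feature 1: let one executable accept inbound connections. Scoping it to the
# Private profile is narrower than the dialog's default of all profiles.
New-NetFirewallRule -DisplayName 'Allow ExampleApp (inbound)' `
    -Description 'Allow inbound connections to ExampleApp' `
    -Direction Inbound -Program $appPath -Action Allow -Profile Private

# Feature 2: block inbound TCP 21 (the guide's FTP example) and allow TCP 8080
# (the guide's port example).
New-NetFirewallRule -DisplayName 'Block FTP control port' `
    -Direction Inbound -Protocol TCP -LocalPort 21 -Action Block -Profile Any

New-NetFirewallRule -DisplayName 'Allow TCP 8080 (inbound)' `
    -Direction Inbound -Protocol TCP -LocalPort 8080 -Action Allow -Profile Any

# Verify: list every enabled inbound rule that matches those ports together
# with its action. Block rules take precedence over Allow rules when both
# match, so a stray Allow next to a Block is harmless, but a stray Allow for a
# port you believed to be closed is not.
Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -in @('21', '8080') } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' } |
    Select-Object DisplayName, Action, Profile, Enabled
```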

Feature 3: Allow or block access from specific IP addresses

Set the scope to restrict which IP addresses the inbound rules apply to, allowing or blocking these IP addresses from accessing your programs, services, ports, etc. You can adjust the scope for existing inbound rules or when creating new custom rules.

Note
  • If the Action of the inbound rule is Allow the Connection, these IP addresses are permitted to access the specified programs, services, or ports.

  • If the Action of the inbound rule is Block the Connection, these IP addresses are prohibited from accessing the specified programs, services, or ports.

Set the scope for existing rules

  1. Connect to the instance using VNC. For detailed instructions, see Connect to the Instance Using VNC.

  2. Click Start > Control Panel > System and Security > Windows Defender Firewall.

  3. Click Advanced Settings.

  4. Click Inbound Rules, find the desired rule, right-click it, and select Properties.

  5. Under the Scope tab, choose These IP Addresses for Remote IP Address, and click Add.

  6. Enter the IP address or CIDR block to match, such as your local computer's public IP address, and click OK.

    Note

    You can add multiple IP addresses or CIDR blocks by clicking Add again.

  7. After adding the IP addresses, click OK to apply the inbound rule to these IP addresses.

Create a new rule and set the scope

  1. Connect to the instance using VNC. For detailed instructions, see Connect to the Instance Using VNC.

  2. Click Start > Control Panel > System and Security > Windows Defender Firewall.

  3. Click Advanced Settings.

  4. Click Inbound Rules > New Rule.

  5. Configure the rules.

    1. In the Rule Type step, select Custom, and click Next.

    2. In the Program step, choose either All Programs or This Program Path, then click Next.

      Note

      All Programs applies the rule to every program on the local machine, while This Program Path applies it only to the single executable at the path you specify.

    3. In the Protocol and Ports step, configure the ports and protocols according to your requirements.

    4. In the Scope step, under Which Remote IP Addresses Does This Rule Apply To?, select These IP Addresses, and click Add.

    5. Enter the IP address or CIDR block to match, such as your local computer's public IP address, and click OK. After adding, click Next.

      Note

      You can add multiple IP addresses or CIDR blocks by clicking Add again.

    6. In the Action step, select Block the Connection or Allow the Connection, and click Next.

    7. In the Profile step, select the appropriate scope and click Next.

      Note

      The profiles to select depend on the network environment the instance is connected to. By default, all profiles are selected, so the rule applies regardless of the network type.

    8. In the Name step, enter the rule name and description, and click Finish.
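Both Feature 3 procedures (creating a scoped custom rule, then changing the scope of an existing rule) done from PowerShell, as an added example that is not part of this guide; the remote addresses are placeholders from the RFC 5737 documentation ranges, and the rule name and port are chosen for the example.

```powershell
#Requires -RunAsAdministrator
# Added example, not the guide's own code. Run in an elevated PowerShell
# session on the instance. Placeholder values: the trusted addresses below.

# Addresses allowed to reach the port, e.g. your office's public IP and an
# admin CIDR block (placeholders from the documentation ranges).
$trustedAddresses = @('198.51.100.7', '203.0.113.0/24')

# "Create a new rule and set the scope": allow inbound TCP 8080 only from the
# trusted addresses. Connections from any other source fall through to the
# remaining rules and the default inbound policy.
New-NetFirewallRule -DisplayName 'Allow TCP 8080 from trusted IPs' `
    -Direction Inbound -Protocol TCP -LocalPort 8080 `
    -RemoteAddress $trustedAddresses -Action Allow -Profile Any

# "Set the scope for existing rules": later, narrow the same rule to a single
# address. -RemoteAddress replaces the whole list; it does not append to it.
Set-NetFirewallRule -DisplayName 'Allow TCP 8080 from trusted IPs' `
    -RemoteAddress '198.51.100.7'

# Verify the effective scope of the rule rather than trusting the dialog.
Get-NetFirewallRule -DisplayName 'Allow TCP 8080 from trusted IPs' |
    Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress

# Caveat: a scoped Allow rule does not block anyone. If another enabled
# Allow rule for the same port has RemoteAddress 'Any', the port stays open
# to everyone. List every enabled inbound Allow rule for TCP 8080 with its
# remote-address scope so such a rule is visible.
Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq '8080' } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' -and $_.Action -eq 'Allow' } |
    ForEach-Object {
        [pscustomobject]@{
            Rule          = $_.DisplayName
            RemoteAddress = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ', '
        }
    }
```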
