This topic describes how to configure firewall policies on Windows ECS instances so that the services you need stay reachable while unwanted access is blocked.
Overview of operations
Refer to the table below to understand what each feature does, and follow the links to the corresponding configuration steps. This guide uses Windows Server 2022 as an example.
Feature | Description
Feature 1: Allow a program or feature through Windows Firewall | Permits specific applications or services to accept inbound connections from the Internet or other networks, so that the firewall does not break their functionality. For example, you can allow file sharing software and instant messaging applications through Windows Firewall.
Feature 2: Allow or block access to specific local ports | Allows or blocks connections from the Internet or other networks to specific local ports, reducing the risk of malware or attackers exploiting those ports. For example, if the FTP service (default port 21) is not required, you can block access to port 21.
Feature 3: Allow or block access from specific IP addresses | Allows or blocks specific IP addresses from accessing your programs, services, ports, and so on, to mitigate the risk of malware or attackers exploiting vulnerabilities. For example, you can permit access to the instance only from your local computer's IP address.
Feature 1: Allow a program or feature through Windows Firewall
Connect to the instance using VNC. For detailed instructions, see Connect to the Instance Using VNC.
Open Windows Defender Firewall, and then click Allow an App or Feature Through Windows Defender Firewall.
Click Allow Another App.
On the Add an App page, in the Apps list, double-click the desired application. If the application is not listed, click Browse, locate the application's executable file in the file system, and double-click it to select it.
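The same Feature 1 setting can be applied from an elevated PowerShell prompt with the built-in NetSecurity cmdlets. This is an added example, not part of the original page; the program path and rule name are hypothetical and must be replaced with your own.

```powershell
# Added example (not from the original page): Feature 1 without the GUI.
# $ProgramPath is a hypothetical path; replace it with the executable to allow.
$ProgramPath = 'C:\Program Files\ExampleApp\app.exe'   # hypothetical
$RuleName    = 'Allow ExampleApp (inbound)'

# Fail early on a typo: a rule that points at a missing file allows nothing.
if (-not (Test-Path -Path $ProgramPath -PathType Leaf)) {
    throw "Program not found: $ProgramPath"
}

# The rule is scoped to the executable, not to a port, so only that program may
# accept inbound connections. Profile limits it to the network profiles in use.
New-NetFirewallRule -DisplayName $RuleName `
    -Direction Inbound `
    -Program   $ProgramPath `
    -Action    Allow `
    -Profile   Domain,Private,Public `
    -Enabled   True | Out-Null

# Verify what was created: the rule and the application filter attached to it.
Get-NetFirewallRule -DisplayName $RuleName |
    Get-NetFirewallApplicationFilter |
    Select-Object -Property Program
```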
Feature 2: Allow or block access to specific local ports
Connect to the instance using VNC. For detailed instructions, see Connect to the Instance Using VNC.
Open Windows Defender Firewall, and then click Advanced Settings.
Click Inbound Rules > New Rule.
Configure the rule:
In the Rule Type step, select Port, and click Next.
In the Protocol and Ports step, select the protocol (TCP or UDP), choose Specific Local Ports, enter the local port number, such as 8080, and click Next.
In the Action step, choose Block the Connection or Allow the Connection, and click Next.
In the Profile step, select the appropriate scope and click Next.
Note: The profiles to select typically depend on the network environment of the instance. By default, all profiles are selected.
In the Name step, enter the rule name and description, and click Finish.
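The port rules from Feature 2 as PowerShell commands, run from an elevated prompt. This is an added example, not part of the original page; the ports are the page's own examples (block TCP 21 because FTP is not used, allow TCP 8080), and the rule names are chosen here rather than Windows defaults.

```powershell
# Added example (not from the original page): Feature 2 without the GUI.
New-NetFirewallRule -DisplayName 'Block inbound FTP (TCP 21)' `
    -Direction Inbound -Protocol TCP -LocalPort 21 `
    -Action Block -Profile Any -Enabled True | Out-Null

New-NetFirewallRule -DisplayName 'Allow inbound TCP 8080' `
    -Direction Inbound -Protocol TCP -LocalPort 8080 `
    -Action Allow -Profile Any -Enabled True | Out-Null

# Review every enabled inbound rule that touches these ports. A Block rule wins
# over an Allow rule for the same traffic, so a stray Block rule listed here is
# the usual reason a service stays unreachable although an Allow rule exists.
# (The filter below assumes single-port rules; multi-port rules return an array.)
Get-NetFirewallRule -Direction Inbound -Enabled True |
    ForEach-Object {
        $rule = $_
        $rule | Get-NetFirewallPortFilter |
            Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -in @('21', '8080') } |
            ForEach-Object {
                [pscustomobject]@{
                    Rule      = $rule.DisplayName
                    Action    = $rule.Action
                    LocalPort = $_.LocalPort
                }
            }
    } | Format-Table -AutoSize
```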
Feature 3: Allow or block access from specific IP addresses
Set the scope to restrict which IP addresses the inbound rules apply to, allowing or blocking these IP addresses from accessing your programs, services, ports, etc. You can adjust the scope for existing inbound rules or when creating new custom rules.
If the Action of the inbound rule is Allow the Connection, these IP addresses are permitted to access the specified programs, services, or ports.
If the Action of the inbound rule is Block the Connection, these IP addresses are prohibited from accessing the specified programs, services, or ports.
Set the scope for existing rules
Connect to the instance using VNC. For detailed instructions, see Connect to the Instance Using VNC.
Open Windows Defender Firewall, and then click Advanced Settings.
Click Inbound Rules, find the desired rule, right-click it, and select Properties.
Under the Scope tab, choose These IP Addresses for Remote IP Address, and click Add.
Enter the IP address or CIDR block to match, such as your local computer's public IP address, and click OK.
Note: You can add multiple IP addresses or CIDR blocks by clicking Add again.
After adding the IP addresses, click OK to apply the inbound rule to these IP addresses.
Create a new rule and set the scope
Connect to the instance using VNC. For detailed instructions, see Connect to the Instance Using VNC.
Open Windows Defender Firewall, and then click Advanced Settings.
Click Inbound Rules > New Rule.
Configure the rule:
In the Rule Type step, select Custom, and click Next.
In the Program step, choose either All Programs or This Program Path (and enter the path), then click Next.
Note: All Programs covers every program on the local machine, while This Program Path specifies the path of a single program.
In the Protocol and Ports step, configure the ports and protocols according to your requirements.
In the Scope step, under Which Remote IP Addresses Does This Rule Apply To?, select These IP Addresses, and click Add.
Enter the IP address or CIDR block to match, such as your local computer's public IP address, and click OK. After adding, click Next.
Note: You can add multiple IP addresses or CIDR blocks by clicking Add again.
In the Action step, select Block the Connection or Allow the Connection, and click Next.
In the Profile step, select the appropriate scope and click Next.
Note: The profiles to select typically depend on the network environment of the instance. By default, all profiles are selected.
In the Name step, enter the rule name and description, and click Finish.
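Both Feature 3 procedures (setting the scope on an existing rule, and creating a custom rule with a scope) as PowerShell commands from an elevated prompt. This is an added example, not part of the original page; the addresses are constructed placeholders from the documentation range, and the rule display names are hypothetical.

```powershell
# Added example (not from the original page): Feature 3 without the GUI.
# Constructed placeholder addresses (RFC 5737 documentation range); replace them
# with your own public IP address or CIDR block before running this.
$TrustedSources = @('203.0.113.10', '198.51.100.0/24')

# (a) Restrict an existing inbound rule to these sources. $ExistingRule is a
# hypothetical display name; look up the real one with
# Get-NetFirewallRule -Direction Inbound first.
$ExistingRule = 'Allow inbound TCP 8080'
Set-NetFirewallRule -DisplayName $ExistingRule -RemoteAddress $TrustedSources

# (b) Create a custom rule with the scope set at creation time: TCP 3389 (RDP)
# is allowed only from the trusted sources. If the rule you narrow carries your
# own session, confirm your address is in $TrustedSources first, or the change
# locks you out of the instance.
New-NetFirewallRule -DisplayName 'Allow RDP from trusted sources' `
    -Direction Inbound `
    -Protocol TCP -LocalPort 3389 `
    -RemoteAddress $TrustedSources `
    -Action Allow -Profile Any -Enabled True | Out-Null

# Verify the scope was applied: the address filter shows the resolved RemoteAddress.
foreach ($name in $ExistingRule, 'Allow RDP from trusted sources') {
    $rule = Get-NetFirewallRule -DisplayName $name
    $addr = $rule | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule          = $rule.DisplayName
        Action        = $rule.Action
        RemoteAddress = ($addr.RemoteAddress -join ', ')
    }
}
```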
References
If you cannot connect to the instance, consider adding a rule that allows remote connections in the system firewall. Specific examples of this process are provided; for more information, see Configure Firewall Rules.
If the system firewall configuration is correct but you still cannot connect to the instance, explore other potential causes. For more information, see Troubleshooting Methods for Not Being Able to Connect to a Windows Instance Remotely and Remote Desktop Protocol (RDP) Connection Issues.