All Products
Search
Document Center

Elastic Compute Service:Manage Windows system firewall

Last Updated:Apr 27, 2026

Enable, disable, or configure Windows firewall rules to control remote access to your ECS instance.

Check firewall status

Check whether the firewall is enabled or disabled.

  1. Log on to the Windows instance with VNC.

  2. Select Start > Control Panel.

  3. Set View by to Small icons, then click Windows Defender Firewall.

    Note

    The option name varies by Windows version. If Windows Defender Firewall is unavailable, select Windows Firewall.

    image

  4. Click Advanced settings.

  5. In the Overview section, view the firewall status.

    Note

    Keep the firewall state consistent across the domain profile, private profile, and public profile. If they differ, apply the same setting to all profiles.

    image

Enable or disable firewall

If you enable the firewall, you must also configure firewall rules.

Enable firewall

After the firewall is enabled, it filters traffic based on configured rules.

  1. In the Windows Defender Firewall with Advanced Security window, click Windows Defender Firewall Properties.

    Note

    To open this window, see Check firewall status.

    image

  2. Set Firewall state to On (recommended), then click Apply.

    Note

    Enable the firewall on the Domain Profile, Private Profile, and Public Profile tabs.

    image

Disable firewall

After the firewall is disabled, all traffic passes through without filtering.

  1. In the Windows Defender Firewall with Advanced Security window, click Windows Defender Firewall Properties.

    Note

    To open this window, see Check firewall status.

    image

  2. Set Firewall state to Off, then click Apply.

    Note

    Disable the firewall on the Domain Profile, Private Profile, and Public Profile tabs.

    image

Configure firewall rules

Add inbound rules to allow remote connections after the firewall is enabled. For the full policy reference, see Windows Firewall Policy Configuration Guide.

Method 1: Add port rule

Open the Remote Desktop port (TCP 3389 by default) to allow remote connections.

Note

If you changed the Remote Desktop port, add the new port to the inbound rule.

  1. In the Windows Defender Firewall with Advanced Security window, click Inbound Rules > New Rule....

    Note

    To open this window, see Check firewall status.

    image

  2. On the Rule Type page, select Port and click Next.

    image

  3. On the Protocol and Ports page, select TCP, enter the port number in Specific local ports, then click Next.

    Note

    Enter your remote port number. Default: 3389.

    image

  4. On the Action page, select Allow the connection, then click Next.

    image

  5. On the Profile page, keep the defaults and click Next.

    image

  6. On the Name page, enter a rule name, such as RemoteDesktop, then click Finish.

  7. Configure the scope.

    Restrict remote access to specific source IP addresses.

    1. Right-click the RemoteDesktop inbound rule and select Properties.

      image

    2. On the Scope tab, under Remote IP address, select These IP addresses:, click Add..., add one or more IP addresses or CIDR blocks, then click OK.

      Important

      To connect to the instance by using Workbench, you must add 47.96.60.0/24 and 118.31.243.0/24 to the scope.

      image

  8. Connect with your RDP client. In the Computer field, enter the public IP address and port (for example, 192.168.1.2:3389). Expand Show Options and enter the User name (for example, Administrator).

    image

Method 2: Add predefined rule

Add a predefined Remote Desktop inbound rule.

Important

This method applies only to the default Remote Desktop port (TCP 3389).

  1. In the Windows Defender Firewall with Advanced Security window, click Inbound Rules > New Rule....

    Note

    To open the Windows Defender Firewall with Advanced Security window, see Check firewall status.

    image

  2. In the New Inbound Rule Wizard, on the Rule Type page, select Predefined > Remote Desktop, then click Next.

    image

  3. On the Predefined Rules page, select the Remote Desktop - User Mode (TCP-In) checkbox, then click Next.

    Note

    On earlier Windows versions, if Remote Desktop - User Mode (TCP-In) is unavailable, select Remote Desktop (TCP-In).

    image

  4. On the Actions page, select Allow the connection, then click Completed.

    image

  5. Configure the scope.

    Restrict remote access to specific source IP addresses.

    1. In the Windows Defender Firewall with Advanced Security window, click Inbound Rules, right-click the rule you created, and select Type.

      image

    2. On the Scope tab, under Remote IP address, select These IP addresses:, click Add..., add one or more IP addresses or CIDR blocks, then click OK.

      Important

      To connect to the instance by using Workbench, you must add 47.96.60.0/24 and 118.31.243.0/24 to the scope.

      image

  6. Connect with your RDP client. In the Computer field, enter the public IP address and port (for example, 192.168.1.2:3389). Expand Show Options and enter the User name (for example, Administrator).

    image

References