Applications that are hosted on a server provide service externally by using the ports of the server. If you understand the default ports used by typical applications, you can add or modify security group rules in a more accurate manner. This topic describes the common ports of Elastic Compute Service (ECS) instances and the usage scenarios of the ports.

Background information

You must specify communication ports or port ranges when you add security group rules to a security group. Then, the security group allows or denies traffic to or from ECS instances based on the security group rules. For example, when you connect to a Linux instance in a security group by using an Xshell client, the security group detects an SSH request from the Internet or internal network. The security group then matches the request against each inbound rule to check whether the rule contains the IP address of the request sender and whether port 22 is open. A connection is not established to the instance until an inbound rule that allows the request is matched.
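The matching step described above, as an added example that is not Alibaba Cloud code. The `Rule` fields, the sample rules and the addresses are constructed for illustration, and the tie-breaking (lowest priority number wins, deny beats allow on a tie) is an assumption that the page does not spell out.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    action: str       # "allow" or "deny"
    protocol: str     # "tcp", "udp", "icmp" or "all"
    port_range: str   # "first/last", e.g. "22/22"; "-1/-1" means all ports
    source_cidr: str  # authorization object, e.g. "203.0.113.0/24"
    priority: int     # assumption: 1 is the highest priority

def rule_matches(rule, src_ip, protocol, port):
    """True if the rule covers the sender address, protocol and port."""
    if rule.protocol not in ("all", protocol):
        return False
    if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(rule.source_cidr):
        return False
    first, last = (int(p) for p in rule.port_range.split("/"))
    return (first, last) == (-1, -1) or first <= port <= last

def evaluate_inbound(rules, src_ip, protocol, port):
    """Return "allow" or "deny" for one inbound request."""
    matching = [r for r in rules if rule_matches(r, src_ip, protocol, port)]
    if not matching:
        return "deny"  # no inbound rule allows the request
    # Assumption: lowest priority number wins; on a tie, deny beats allow.
    best = min(matching, key=lambda r: (r.priority, r.action != "deny"))
    return best.action

# Constructed rules: SSH for one office range, one blocked host, public HTTP.
SAMPLE_RULES = [
    Rule("allow", "tcp", "22/22", "203.0.113.0/24", 1),
    Rule("deny", "tcp", "22/22", "203.0.113.77/32", 1),
    Rule("allow", "tcp", "80/80", "0.0.0.0/0", 1),
]

if __name__ == "__main__":
    for ip, port in [("203.0.113.10", 22), ("203.0.113.77", 22), ("198.51.100.5", 22)]:
        print(ip, port, evaluate_inbound(SAMPLE_RULES, ip, "tcp", port))
```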

Note: Specific carriers consider port 25, port 135, port 139, port 444, port 445, port 5800, and port 5900 high-risk, and traffic over these ports is blocked by default. Even if these ports are opened by security group rules, ECS instances are still inaccessible over these ports in relevant regions. We recommend that you do not use these ports.

For more information about ports used by applications on Windows Server operating systems, see Service overview and network port requirements for Windows in Microsoft documentation.

Common ports

The following table describes the default ports used by typical applications.

| Port | Service | Description |
| --- | --- | --- |
| 21 | FTP | The FTP port. It is used to upload and download files. |
| 22 | SSH | The SSH port. It is used to log on to Linux ECS instances by using a CLI tool or remote connection software such as PuTTY, Xshell, and SecureCRT. For more information, see Connect to a Linux instance by using a password. |
| 23 | Telnet | The Telnet port. It is used to log on to ECS instances. |
| 25 | SMTP | The Simple Mail Transfer Protocol (SMTP) port. It is used to send emails. For security purposes, port 25 is disabled on ECS instances by default. We recommend that you use the SSL port instead to send emails. In most cases, the SSL port is port 465. |
| 53 | DNS | The Domain Name Server (DNS) port. If a security group denies all outbound access by default and allows specific outbound access based on security group rules, you must add security group rules that open the default UDP port 53 for outbound traffic to implement domain name resolution. |
| 80 | HTTP | The HTTP port. It is used to access services such as IIS, Apache, and NGINX. For more information about how to troubleshoot issues related to port 80, see Verify if TCP port 80 works properly. |
| 110 | POP3 | The POP3 port. It is used to send and receive emails. |
| 143 | IMAP | The Internet Message Access Protocol (IMAP) port. It is used to receive emails. |
| 443 | HTTPS | The HTTPS port. It is used to access services. The HTTPS protocol can implement encrypted and secure data transmission. |
| 1433 | SQL Server | The TCP port of SQL Server. It is used for SQL Server to provide external services. |
| 1434 | SQL Server | The UDP port of SQL Server. It is used to return the TCP/IP port that is occupied by SQL Server. |
| 1521 | Oracle | The Oracle communication port. ECS instances that run Oracle SQL must have this port open. |
| 3306 | MySQL | The MySQL port. It is used for MySQL to provide external services. |
| 3389 | Windows Server Remote Desktop Services | The Windows Server Remote Desktop Services port. It is used to log on to Windows ECS instances. For more information, see Connect to a Windows instance by using a username and password. |
| 8080 | Proxy service | An alternative to port 80. It is commonly used for WWW proxy services. If you use port 8080, you must add :8080 to the end of your IP address when you access websites or use proxy servers. If you install the Apache Tomcat service, port 8080 is used by default. |
| 137, 138, and 139 | NetBIOS | Port 137 and port 138 are UDP ports used for data transfer over NetBIOS. Port 139 is used to obtain services over NetBIOS or SMB. The NetBIOS protocol is typically used to share Windows files and printers. It is also used in Samba. |

Usage scenarios

The following table provides examples of usage scenarios for specific common ports used by ECS instances and the security group rules that are used for those scenarios. For information about more usage scenarios, see Security groups for different use cases.

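| Usage scenario | Network type | Direction | Action | Protocol | Port range | Authorization type | Authorization object | Priority |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Connect to Linux ECS instances over SSH | Virtual Private Cloud (VPC) | Inbound | Allow | Custom TCP | SSH (22) | IPv4 CIDR block | 0.0.0.0/0 | 1 |
| Connect to Linux ECS instances over SSH | Classic network | Internet ingress | Allow | Custom TCP | SSH (22) | IPv4 CIDR block | 0.0.0.0/0 | 1 |
| Connect to Windows ECS instances over Remote Desktop Protocol (RDP) | VPC | Inbound | Allow | Custom TCP | RDP (3389) | IPv4 CIDR block | 0.0.0.0/0 | 1 |
| Connect to Windows ECS instances over Remote Desktop Protocol (RDP) | Classic network | Internet ingress | Allow | Custom TCP | RDP (3389) | IPv4 CIDR block | 0.0.0.0/0 | 1 |
| Ping ECS instances over the Internet | VPC | Inbound | Allow | All ICMP | -1/-1 | CIDR block or security group | Subject to the authorization type | 1 |
| Ping ECS instances over the Internet | Classic network | Internet ingress | Allow | All ICMP | -1/-1 | CIDR block or security group | Subject to the authorization type | 1 |
| Use ECS instances as web servers | VPC | Inbound | Allow | Custom TCP | HTTP (80) | IPv4 CIDR block | 0.0.0.0/0 | 1 |
| Use ECS instances as web servers | Classic network | Internet ingress | Allow | Custom TCP | HTTP (80) | IPv4 CIDR block | 0.0.0.0/0 | 1 |
| Upload and download files over FTP | VPC | Inbound | Allow | Custom TCP | 20/21 | CIDR block | Specified CIDR block | 1 |
| Upload and download files over FTP | Classic network | Internet ingress | Allow | Custom TCP | 20/21 | CIDR block | Specified CIDR block | 1 |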
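A review pass over rules like the ones in the table, as an added example that is not Alibaba Cloud code: it lists inbound allow rules that expose a logon or database port from the common-ports table to every address, and rules that open a port the earlier note describes as carrier-blocked. The rule dictionaries, their field names and the CIDR blocks are constructed for illustration.

```python
import ipaddress

# Logon and database ports taken from the common-ports table.
SENSITIVE = {22: "SSH", 23: "Telnet", 1433: "SQL Server", 1521: "Oracle",
             3306: "MySQL", 3389: "RDP"}
# Ports the note on this page lists as blocked by specific carriers.
CARRIER_BLOCKED = {25, 135, 139, 444, 445, 5800, 5900}

def port_span(port_range):
    """Turn "first/last" into a tuple; "-1/-1" means every port."""
    first, last = (int(p) for p in port_range.split("/"))
    return (1, 65535) if (first, last) == (-1, -1) else (first, last)

def audit_inbound(rules):
    """Return (rule id, port, reason) for each inbound allow rule to review."""
    findings = []
    for r in rules:
        if r["direction"] != "inbound" or r["action"] != "allow":
            continue
        if r["protocol"] == "icmp":  # ICMP has no ports; -1/-1 is a placeholder
            continue
        first, last = port_span(r["port_range"])
        any_source = ipaddress.ip_network(r["cidr"]).prefixlen == 0
        for port in sorted(SENSITIVE):
            if any_source and r["protocol"] in ("tcp", "all") and first <= port <= last:
                findings.append((r["id"], port, SENSITIVE[port] + " reachable from any address"))
        for port in sorted(CARRIER_BLOCKED):
            if first <= port <= last:
                findings.append((r["id"], port, "carrier-blocked; rule may have no effect"))
    return findings

def rule(rule_id, protocol, port_range, cidr):
    """Build one constructed inbound allow rule."""
    return {"id": rule_id, "direction": "inbound", "action": "allow",
            "protocol": protocol, "port_range": port_range, "cidr": cidr}

# Constructed sample mirroring the usage-scenario table, plus one SMTP rule.
SAMPLE_RULES = [
    rule("ssh", "tcp", "22/22", "0.0.0.0/0"),
    rule("rdp", "tcp", "3389/3389", "0.0.0.0/0"),
    rule("ping", "icmp", "-1/-1", "0.0.0.0/0"),
    rule("http", "tcp", "80/80", "0.0.0.0/0"),
    rule("ftp", "tcp", "20/21", "203.0.113.0/24"),
    rule("smtp", "tcp", "25/25", "198.51.100.0/24"),
]

if __name__ == "__main__":
    for finding in audit_inbound(SAMPLE_RULES):
        print(finding)
```

Replacing 0.0.0.0/0 on the SSH and RDP rules with the CIDR block that administrators actually connect from clears the first two findings.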