Common ports

Applications that are hosted on a server provide service externally by using the ports of the server. If you understand the default ports used by typical applications, you can add or modify security group rules in a more accurate manner. This topic describes the common ports of Elastic Compute Service (ECS) instances and the usage scenarios of the ports.

Background information

You must specify communication ports or port ranges when you add security group rules to a security group. Then, the security group allows or denies traffic to or from ECS instances based on the security group rules. For example, when you connect to a Linux instance in a security group by using an Xshell client, the security group detects an SSH request from the Internet or internal network. The security group then matches the request against each inbound rule to check whether the rule contains the IP address of the request sender and whether port 22 is open. A connection is not established to the instance until an inbound rule that allows the request is matched.

Note Specific carriers consider port 25, port 135, port 139, port 444, port 445, port 5800, and port 5900 high-risk, and traffic over these ports is blocked by default. Even if these ports are opened by security group rules, ECS instances are still inaccessible over these ports in relevant regions. We recommend that you do not use these ports.

For more information about ports used by applications on Windows Server operating systems, see Service overview and network port requirements for Windows in Microsoft documentation.

The following table describes the default ports used by typical applications.


Port	Service	Description
21	FTP	The FTP port. It is used to upload and download files.
22	SSH	The SSH port. It is used to log on to Linux ECS instances by using a CLI tool or remote connection software such as PuTTY, Xshell, and SecureCRT. For more information, see Connect to a Linux instance by using a password
23	Telnet	The Telnet port. It is used to log on to ECS instances.
25	SMTP	The Simple Mail Transfer Protocol (SMTP) port. It is used to send emails. For security purposes, port 25 is disabled on ECS instances by default. We recommend that you use the SSL port instead to send emails. In most cases, the SSL port is port 465.
53	DNS	The Domain Name Server (DNS) port. If a security group denies all outbound access by default and allows specific outbound access based on security group rules, you must add security group rules that open the default UDP port 53 for outbound traffic to implement domain name resolution.
80	HTTP	The HTTP port. It is used to access services such as IIS, Apache, and NGINX. For more information about how to troubleshoot issues related to port 80, see Verify if TCP port 80 works properly.
110	POP3	The POP3 port. It is used to send and receive emails.
143	IMAP	The Internet Message Access Protocol (IMAP) port. It is used to receive emails.
443	HTTPS	The HTTPS port. It is used to access services. The HTTPS protocol can implement encrypted and secure data transmission.
1433	SQL Server	The TCP port of SQL Server. It is used for SQL Server to provide external services.
1434	SQL Server	The UDP port of SQL Server. It is used to return the TCP/IP port that is occupied by SQL Server.
1521	Oracle	The Oracle communication port. ECS instances that run Oracle SQL must have this port open.
3306	MySQL	The MySQL port. It is used for MySQL to provide external services.
3389	Windows Server Remote Desktop Services	The Windows Server Remote Desktop Services port. It is used to log on to Windows ECS instances. For more information, see Connect to a Windows instance by using a username and password
8080	Proxy service	An alternative to port 80. It is commonly used for WWW proxy services. If you use port 8080, you must add `:8080` to the end of your IP address when you access websites or use proxy servers. If you install the Apache Tomcat service, port 8080 is used by default.
137, 138, and 139	NetBIOS	Port 137 and port 138 are UDP ports used for data transfer over NetBIOS. Port 139 is used to obtain services over NetBIOS or SMB. The NetBIOS protocol is typically used to share Windows files and printers. It is also used in Samba.

Usage scenarios

The following table provides examples on usage scenarios of specific common ports used by ECS instances and the security group rules that are used for the scenarios. For information about more usage scenarios., see Security groups for different use cases .


Usage scenario	Network type	Direction	Action	Protocol	Port range	Authorization type	Authorization object	Priority
Connect to Linux ECS instances over SSH	Virtual Private Cloud (VPC)	Inbound	Allow	Custom TCP	SSH (22)	IPv4 CIDR block	0.0.0.0/0	1
Connect to Linux ECS instances over SSH	Classic network	Internet ingress	Allow	Custom TCP	SSH (22)	IPv4 CIDR block	0.0.0.0/0	1
Connect to Windows ECS instances over Remote Desktop Protocol (RDP)	VPC	Inbound	Allow	Custom TCP	RDP (3389)	IPv4 CIDR block	0.0.0.0/0	1
	Classic network	Internet ingress	Allow	Custom TCP	RDP (3389)	IPv4 CIDR block	0.0.0.0/0	1
Ping ECS instances over the Internet	VPC	Inbound	Allow	All ICMP	-1/-1	CIDR block or security group	Subject to the authorization type	1
Ping ECS instances over the Internet	Classic network	Internet ingress	Allow	All ICMP	-1/-1	CIDR block or security group	Subject to the authorization type	1
Use ECS instances as web servers	VPC	Inbound	Allow	Custom TCP	HTTP (80)	IPv4 CIDR block	0.0.0.0/0	1
Use ECS instances as web servers	Classic network	Internet ingress	Allow	Custom TCP	HTTP (80)	IPv4 CIDR block	0.0.0.0/0	1
Upload and download files over FTP	VPC	Inbound	Allow	Custom TCP	20/21	CIDR block	Specified CIDR block	1
Upload and download files over FTP	Classic network	Internet ingress	Allow	Custom TCP	20/21	CIDR block	Specified CIDR block	1