Configure security group rules with the correct ports for services such as SSH, SMTP, and HTTP on ECS instances.
Background
Each security group rule requires a port or port range. The security group forwards or blocks traffic to the ECS instance based on an allow or deny policy.
For example, when you use an SSH client such as Xshell to connect to an ECS instance, the security group checks whether an inbound rule allows the source IP address and whether port 22 is open. The connection succeeds only if a matching rule exists.
Some carriers block high-risk ports such as 25, 135, 139, 444, 445, 5800, and 5900 by default. Even if your security group rules allow traffic on these ports, users in affected regions may still be unable to access them. Use non-high-risk ports for your services instead.
For ports used by Windows Server applications, see the Microsoft documentation Service overview and network port requirements for Windows.
Common ports
The following table lists default ports for common applications.
| Port | Service | Description |
| --- | --- | --- |
| 21 | FTP | File Transfer Protocol (FTP) port for uploading and downloading files. |
| 22 | SSH | SSH port for connecting to Linux instances with tools such as PuTTY, Xshell, or SecureCRT. See Connect to a Linux instance using a password. |
| 23 | Telnet | Telnet port for remote logon to an ECS instance. |
| 25 | SMTP | Simple Mail Transfer Protocol (SMTP) port for sending email. Note: Port 25 on ECS instances is restricted by default for security reasons. Use SSL-encrypted port 465 to send emails instead. |
| 53 | DNS | Domain Name System (DNS) port. Note: If you use an allowlist for outbound security group rules, allow traffic on UDP port 53 for domain name resolution. |
| 80 | HTTP | HTTP services such as IIS, Apache, and Nginx. To troubleshoot port 80 issues, see Check whether TCP port 80 works as expected. |
| 110 | POP3 | Post Office Protocol 3 (POP3) port for receiving email. |
| 143 | IMAP | Internet Message Access Protocol (IMAP) port for receiving email. |
| 443 | HTTPS | HTTPS services providing encrypted communication. |
| 1433 | SQL Server | TCP port for SQL Server external services. |
| 1434 | SQL Server | UDP port for SQL Server, used to query information such as the TCP/IP port number and IP address of SQL Server. Important: Open UDP port 1434 only if you use the SQL Server Browser service. Otherwise, close or restrict this port to improve security. |
| 1521 | Oracle | Default service port for Oracle databases. |
| 3306 | MySQL | Default service port for MySQL databases. |
| 3389 | Remote Desktop Services | Remote Desktop Services port for connecting to Windows instances. See Connect to a Windows instance by using a remote desktop connection or app. |
| 8080 | Proxy port | Like port 80, port 8080 is often used for |
| 137, 138, 139 | NetBIOS protocol | NetBIOS protocol, used for Windows file and printer sharing and Samba. |
| 5432 | PostgreSQL | Default service port for PostgreSQL databases. |
| 6379 | Redis | Default service port for Redis databases. |
Use cases
The following table shows security group rule settings for common use cases. For more examples, see Security group application guide and cases.
| Use case | Network type | Direction | Policy | Protocol | Port range | Object type | Authorization object | Priority |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Connect to a Linux instance over SSH | VPC | Inbound | Allow | Custom TCP | SSH (22) | CIDR block | 0.0.0.0/0 | 1 |
| Connect to a Windows instance over RDP | VPC | Inbound | Allow | Custom TCP | RDP (3389) | CIDR block | 0.0.0.0/0 | 1 |
| Ping an ECS instance over the Internet | VPC | Inbound | Allow | All ICMP | -1/-1 | CIDR block or security group | Depends on the object type. | 1 |
| Use an ECS instance as a web server | VPC | Inbound | Allow | Custom TCP | HTTP (80) | CIDR block | 0.0.0.0/0 | 1 |
| Upload or download files over FTP | VPC | Inbound | Allow | Custom TCP | 20/21 | CIDR block | Specified IP address range | 1 |
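As an added example (not part of this page and not Alibaba Cloud's own tooling), the following Python models how a rule set with the columns shown above is matched against a connection, as described under Background, and audits it for the port guidance in the Common ports table. The Rule field names, the sample rules, and the priority tie-break (a lower number wins; a deny rule beats an allow rule at equal priority) are assumptions made for this example.

```python
import ipaddress
from dataclasses import dataclass
# Ports the page says some carriers block even when a rule allows them.
HIGH_RISK_PORTS = {25, 135, 139, 444, 445, 5800, 5900}

@dataclass(frozen=True)
class Rule:                 # fields mirror the columns of the use case table
    direction: str          # "inbound" or "outbound"
    policy: str             # "allow" or "deny"
    protocol: str           # "tcp", "udp" or "icmp"
    port_from: int
    port_to: int
    cidr: str               # authorization object, given as a CIDR block
    priority: int = 1       # assumption: a lower number means higher priority

def covers(rule, protocol, port):
    return rule.protocol == protocol and rule.port_from <= port <= rule.port_to

def is_allowed(rules, direction, protocol, port, peer_ip):
    """No matching rule drops the flow; among matches at the best priority a
    deny rule wins over an allow rule (assumption about tie-breaking)."""
    ip = ipaddress.ip_address(peer_ip)
    hits = [r for r in rules if r.direction == direction and covers(r, protocol, port)
            and ip in ipaddress.ip_network(r.cidr, strict=False)]
    if not hits:
        return False
    best = min(r.priority for r in hits)
    return all(r.policy == "allow" for r in hits if r.priority == best)

def audit(rules):
    """Flag settings this page advises against; returns a list of findings."""
    findings = []
    for r in (r for r in rules if r.direction == "inbound" and r.policy == "allow"):
        risky = sorted(p for p in HIGH_RISK_PORTS if r.port_from <= p <= r.port_to)
        if risky:
            findings.append(f"{r.protocol}/{r.port_from}-{r.port_to} opens carrier-blocked ports {risky}")
        if covers(r, "udp", 1434):
            findings.append("udp/1434 is open; needed only for the SQL Server Browser service")
    outbound = [r for r in rules if r.direction == "outbound" and r.policy == "allow"]
    if outbound and not any(covers(r, "udp", 53) for r in outbound):
        findings.append("outbound allowlist lacks UDP 53; DNS resolution will fail")
    return findings
# Constructed sample rule set (not a real configuration).
SAMPLE_RULES = [
    Rule("inbound", "allow", "tcp", 22, 22, "0.0.0.0/0"),
    Rule("inbound", "deny", "tcp", 22, 22, "203.0.113.0/24"),  # block one range
    Rule("inbound", "allow", "tcp", 25, 25, "0.0.0.0/0"),
    Rule("inbound", "allow", "udp", 1434, 1434, "10.0.0.0/8"),
    Rule("outbound", "allow", "tcp", 443, 443, "0.0.0.0/0"),
]
```

Running `audit(SAMPLE_RULES)` returns three findings (port 25, UDP 1434, missing UDP 53), and `is_allowed` shows SSH accepted from 198.51.100.7 but refused from the denied 203.0.113.0/24 range.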