If you know the ports commonly used by Elastic Compute Service (ECS) instances, you can add network access control list (ACL) rules in a more accurate manner. This topic describes the ports commonly used by ECS instances and the scenarios of these ports.
Ports
The following table lists the ports and the services that use these ports.
| Port | Service | Description |
|---|---|---|
| 21 | FTP | The FTP port. It is used to upload and download files. |
| 22 | SSH | The SSH port. It is used to log on to Linux instances with the command line method by using username and password pairs. |
| 23 | Telnet | The Telnet port. It is used to log on to ECS instances. |
| 25 | SMTP | The SMTP port. It is used to send emails. |
| 80 | HTTP | The HTTP port. It is used to access services such as IIS, Apache, and NGINX. |
| 110 | POP3 | The POP3 port. It is used to receive emails. |
| 143 | IMAP | The Internet Message Access Protocol (IMAP) port. It is used to receive emails. |
| 443 | HTTPS | The HTTPS port. It is used to access services. The HTTPS protocol can implement encrypted and secure data transmission. |
| 1433 | SQL Server | The TCP port of SQL Server. It is used for SQL Server to provide external services. |
| 1434 | SQL Server | The UDP port of SQL Server. It is used to return the TCP/IP port occupied by SQL Server. |
| 1521 | Oracle | The Oracle communication port. ECS instances that run Oracle SQL must have this port enabled. |
| 3306 | MySQL | The MySQL port. It is used for MySQL databases to provide external services. |
| 3389 | Windows Server Remote Desktop Services | The Windows Server Remote Desktop Services port. It is used to log on to Windows instances. |
| 8080 | Proxy port | An alternative to port 80. It is commonly used for WWW proxy services. |
Custom network ACL rules
Inbound rules and Outbound rules describe a network ACL example for VPCs that support only IPv4 addresses.
- The inbound rules in effective order 1, 2, 3, and 4 respectively allow HTTP, HTTPS, SSH, and RDP traffic to the vSwitch. Outbound response rules are those in effective order 3.
- The outbound rules in effective order 1 and 2 respectively allow HTTP and HTTPS traffic from the vSwitch. Outbound response rules are those in effective order 5.
- The inbound rule in effective order 6 denies all inbound IPv4 traffic. This rule ensures that packets that do not match other rules are denied.
- The outbound rule in effective order 4 denies all outbound IPv4 traffic. This rule ensures that packets that do not match other rules are denied.
Note An inbound or outbound rule must correspond to an inbound or outbound rule that allows response traffic.
| Effective order | Protocol | Source IP address | Destination port range | Action | Description |
|---|---|---|---|---|---|
| 1 | tcp | 0.0.0.0/0 | 80/80 | Allow | Allows HTTP traffic from IPv4 addresses. |
| 2 | tcp | 0.0.0.0/0 | 443/443 | Allow | Allows HTTPS traffic from IPv4 addresses. |
| 3 | tcp | 0.0.0.0/0 | 22/22 | Allow | Allows SSH traffic from IPv4 addresses. |
| 4 | tcp | 0.0.0.0/0 | 3389/3389 | Allow | Allows RDP traffic from IPv4 addresses. |
| 5 | tcp | 0.0.0.0/0 | 32768/65535 | Allow | Allows TCP traffic from IPv4 addresses to ports 32768 to 65535. This port range is for reference only. For more information on how to select appropriate ephemeral ports, see Ephemeral ports. |
| 6 | all | 0.0.0.0/0 | -1/-1 | Deny | Denies all inbound IPv4 traffic. |
| Effective order | Protocol | Destination IP address | Destination port range | Action | Description |
|---|---|---|---|---|---|
| 1 | tcp | 0.0.0.0/0 | 80/80 | Allow | Allows outbound IPv4 HTTP traffic from the vSwitch to the Internet. |
| 2 | tcp | 0.0.0.0/0 | 443/443 | Allow | Allows outbound IPv4 HTTPS traffic from the vSwitch to the Internet. |
| 3 | tcp | 0.0.0.0/0 | 32768/65535 | Allow | Allows outbound IPv4 traffic from the vSwitch to the Internet. This port range is for reference only. For more information on how to select appropriate ephemeral ports, see Ephemeral ports. |
| 4 | all | 0.0.0.0/0 | -1/-1 | Deny | Denies all outbound IPv4 traffic. |
Network ACL rules for SLB
If the ECS instance in the vSwitch serves as the backend server of an SLB instance, you must add the following network ACL rules.
- Inbound rules
Effective order Protocol Source IP address Destination port range Action Description 1 SLB listening protocol Client IP addresses allowed to access the SLB instance SLB listening port Allow Allows inbound traffic from specified client IP addresses. 2 Health check protocol 100.64.0.0/10 Health check port Allow Allows inbound traffic from health check IP addresses. - Outbound rules
Effective order Protocol Destination IP address Destination port range Action Description 1 all Client IP addresses allowed to access the SLB instance -1/-1 Allow Allows all outbound traffic to specified client IP addresses. 2 all 100.64.0.0/10 -1/-1 Allow Allows outbound traffic to health check IP addresses.
Ephemeral ports
Clients use different ports to initiate requests. You can select different port ranges for network ACL rules based on the client type. The following table lists ephemeral port ranges for common clients.
| Client | Port range |
|---|---|
| Linux | 32768/61000 |
| Windows Server 2003 | 1025/5000 |
| Windows Server 2008 or later | 49152/65535 |
| NAT gateways | 1024/65535 |