If you are familiar with the ports that are commonly used by ECS instances, you can specify them in access control list (ACL) rules to facilitate precise network traffic filtering. This topic describes the ports that are commonly used by ECS instances and the application scenarios of these ports.
Ports
The following table lists the ports and the services that use these ports.
| Port | Service | Description |
|---|---|---|
| 21 | FTP | The FTP port. It is used to upload and download files. |
| 22 | SSH | The SSH port. It is used to log on to Linux instances in the command line method by using username and password pairs. |
| 23 | Telnet | The Telnet port. It is used to remotely log on to ECS instances. |
| 25 | SMTP | The SMTP port. It is used to send emails. |
| 80 | HTTP | The HTTP port. It is used to access services such as IIS, Apache, and NGINX. |
| 110 | POP3 | The POP3 port. It is used to send and receive emails. |
| 143 | IMAP | The Internet Message Access Protocol (IMAP) port. It is used to receive emails. |
| 443 | HTTPS | The HTTPS port. It is used to access services. The HTTPS protocol can implement encrypted and secure data transmission. |
| 1433 | SQL Server | The TCP port of SQL Server. It is used for SQL Server to provide external services. |
| 1434 | SQL Server | The UDP port of SQL Server. It is used to return the TCP/IP port occupied by SQL Server. |
| 1521 | Oracle | The Oracle communication port. ECS instances that run Oracle SQL must have this port open. |
| 3306 | MySQL | The MySQL port. It is used for MySQL databases to provide external services. |
| 3389 | Windows Server Remote Desktop Services | The Windows Server Remote Desktop Services port. It is used to log on to a Windows instance. |
| 8080 | Proxy port | An alternative to port 80. It is commonly used for WWW proxy services. |
Custom network ACLs
Table 1 and Table 2 describe a network ACL example for VPCs that support IPv4 addresses only.
- The inbound rules in effective order 1, 2, 3, and 4 respectively allow HTTP, HTTPS, SSH, and RDP traffic to the vSwitch. Outbound response rules are those in effective order 3.
- The outbound rules in effective order 1 and 2 respectively allow HTTP and HTTPS traffic from the vSwitch. Outbound response rules are those in effective order 5.
- The inbound rule in effective order 6 denies all inbound IPv4 traffic. This rule ensures that packets that do not match any other rules are denied.
- The outbound rule in effective order 4 denies all outbound IPv4 traffic. This rule ensures that packets that do not match any other rules are denied.
Note An inbound or outbound rule must correspond to an inbound or outbound rule that allows
response traffic.
| Effective order | Protocol | Source IP addresses | Destination port range | Action | Description |
|---|---|---|---|---|---|
| 1 | TCP | 0.0.0.0/0 | 80/80 | Accept | Allows inbound HTTP traffic from any IPv4 addresses. |
| 2 | TCP | 0.0.0.0/0 | 443/443 | Accept | Allows inbound HTTPS traffic from any IPv4 addresses. |
| 3 | TCP | 0.0.0.0/0 | 22/22 | Accept | Allows inbound SSH traffic from any IPv4 addresses. |
| 4 | TCP | 0.0.0.0/0 | 3389/3389 | Accept | Allows inbound RDP traffic from any IPv4 addresses. |
| 5 | TCP | 0.0.0.0/0 | 32768/65535 | Accept | Allows inbound IPv4 traffic from the Internet.
This port range is for reference only. For more information on how to select appropriate ephemeral ports, see Ephemeral ports. |
| 6 | All | 0.0.0.0/0 | -1/-1 | Drop | Denies all inbound IPv4 traffic. |
| Effective order | Protocol | Destination IP addresses | Destination port range | Action | Description |
|---|---|---|---|---|---|
| 1 | TCP | 0.0.0.0/0 | 80/80 | Accept | Allows outbound IPv4 HTTP traffic from the vSwitch to the Internet. |
| 2 | TCP | 0.0.0.0/0 | 443/443 | Accept | Allows outbound IPv4 HTTPS traffic from the vSwitch to the Internet. |
| 3 | TCP | 0.0.0.0/0 | 32768/65535 | Accept | Allows outbound IPv4 traffic from the vSwitch to the Internet.
This port range is for reference only. For more information on how to select appropriate ephemeral ports, see Ephemeral ports. |
| 4 | All | 0.0.0.0/0 | -1/-1 | Drop | Denies all outbound IPv4 traffic. |
Network ACLs for SLB
If the ECS instance in the vSwitch acts as the backend server of an SLB instance,
you must add the following network ACL rules.
- Inbound rules
Effective order Protocol Source IP addresses Destination port range Action Description 1 SLB listener protocol Client IP addresses allowed to access the SLB instance SLB listener port Accept Allows inbound traffic from specified client IP addresses. 2 Health check protocol 100.64.0.0/10 Health check port Accept Allows inbound traffic from health check IP addresses. - Outbound rules
Effective order Protocol Destination IP addresses Destination port range Action Description 1 All Client IP addresses allowed to access the SLB instance -1/-1 Accept Allows all outbound traffic to specified client IP addresses. 2 All 100.64.0.0/10 -1/-1 Accept Allows outbound traffic to health check IP addresses.
Ephemeral ports
Clients use different ports to initiate requests. You can select different port ranges
for network ACL rules based on the client type. The following table lists ephemeral
port ranges for common clients.
| Client | Port range |
|---|---|
| Linux | 32768/61000 |
| Windows Server 2003 | 1025/5000 |
| Windows Server 2008 and later | 49152/65535 |
| NAT gateway | 1024/65535 |