Configure firewall rules for a Windows ECS instance

Updated at:
Copy as MD

Configure Windows Defender Firewall to allow or block applications, ports, and IP addresses on a Windows ECS instance.

Prerequisites

Ensure that you have:

  • An ECS instance running Windows Server.

  • Access to connect to the instance using VNC.

Which configuration to use

Configuration What it does When to use
Allow an application through the firewall Opens ports only while the application is running Your application is blocked by the firewall
Allow or block access to specific local ports Opens or closes a port permanently Block unused services (for example, deny port 21 if FTP is not needed)
Allow or block access from specific IP addresses Restricts which IP addresses can reach your applications, services, or ports Limit access to trusted IP addresses only

Allow an application through Windows Defender Firewall

Allow a specific application to accept inbound connections without permanently opening a port.

  1. Connect to your Windows ECS instance using VNC.

  2. Go to Start > Control Panel > System and Security > Windows Defender Firewall.

  3. In the left-side navigation pane, click Allow an app or feature through Windows Defender Firewall.

  4. Click Allow another app.

  5. In the Add an app dialog box, double-click the application in the Apps section. If the application is not listed, click Browse and locate the application file.

    image

Allow or block access to specific local ports

Create an inbound rule that permanently allows or denies traffic on a specific port — for example, deny port 21 to disable FTP.

Note

This rule keeps a port open or closed permanently. Use it only for ports tied to services you intentionally want to expose or block. For application-specific control, use "Allow an application through Windows Defender Firewall" instead.

  1. Connect to your Windows ECS instance using VNC.

  2. Go to Start > Control Panel > System and Security > Windows Defender Firewall.

  3. Click Advanced Settings.

    image

  4. In the left-side navigation pane, click Inbound Rule. In the right-side Actions pane, click New Rule.

    image

  5. Complete the rule wizard:

    1. For Rule Type, select Port and click Next.

      image

    2. In the Protocol and Ports step, select TCP or UDP, select Specific local ports, enter the port number (for example, 8080), and click Next.

      image

    3. In the Actions step, select Allow the connection or Block the connection, and click Next.

      image

    4. In the Configuration File step, select the applicable profiles and click Next.

      Note

      All profiles are selected by default. Adjust based on your network environment.

    5. In the Name step, enter a rule name and description, then click Completed.

Allow or block access from specific IP addresses

Restrict inbound traffic to or from specific IP addresses or CIDR blocks. The rule's action determines the effect:

  • Allow the connection — listed IP addresses can access the covered applications, services, or ports.

  • Block the connection — listed IP addresses cannot access the covered applications, services, or ports.

Apply an IP scope to an existing rule, or configure it when creating a new rule.

Apply an IP scope to an existing inbound rule

Add IP-based filtering to a rule you have already created.

  1. Connect to your Windows ECS instance using VNC.

  2. Go to Start > Control Panel > System and Security > Windows Defender Firewall.

  3. Click Advanced Settings.

    image

  4. Click Inbound Rules, right-click the rule to update, and select Type.

    image

  5. On the Scope tab, under Remote IP address, select These IP addresses and click Add.

    image

  6. Enter an IP address or CIDR block (for example, the public IP of your on-premises computer) and click OK.

    Note

    Click Add again to add more IP addresses or CIDR blocks.

    image

  7. Click OK. The rule now applies only to the specified IP addresses or CIDR blocks.

Create a rule with an IP scope

Build a new rule that targets both specific ports and specific IP addresses.

  1. Connect to your Windows ECS instance using VNC.

  2. Go to Start > Control Panel > System and Security > Windows Defender Firewall.

  3. Click Advanced Settings.

    image

  4. In the left-side navigation pane, click Inbound Rule. In the right-side Actions pane, click New Rule.

    image

  5. Complete the rule wizard:

    1. For Rule Type, select Customize and click Next.

      image

    2. In the Program step, select All programs or This program path, and click Next.

      Note

      All programs applies the rule to all programs. This program path applies it to a single program.

      image

    3. In the Protocol and Ports step, specify the ports and protocols, and click Next.

      image

    4. In the Scope step, under Which remote IP addresses does this rule apply to?, select These IP addresses and click Add.

      image

    5. Enter an IP address or CIDR block (for example, the public IP of your on-premises computer) and click OK. Click Next.

      Note

      Click Add again to add more IP addresses or CIDR blocks.

      image

    6. In the Actions step, select Allow the connection or Block the connection, and click Next.

      image

    7. In the Configuration File step, select the applicable profiles and click Next.

      Note

      All profiles are selected by default. Adjust based on your network environment.

    8. In the Name step, enter a rule name and description, then click Completed.

Next steps