Applications that are hosted on a server provide service externally by using the ports of the server. If you understand the default ports used by typical applications, you can add or modify security group rules in a more accurate manner. This topic describes the common ports of Elastic Compute Service (ECS) instances and the usage scenarios of the ports.
Background information
You must specify communication ports or port ranges when you add security group rules to a security group. Then, the security group allows or denies traffic to or from ECS instances based on the security group rules. For example, when you connect to a Linux instance in a security group by using an Xshell client, the security group detects an SSH request from the Internet or internal network. The security group then matches the request against each inbound rule to check whether the rule contains the IP address of the request sender and whether port 22 is open. A connection is not established to the instance until an inbound rule that allows the request is matched.
For more information about ports used by applications on Windows Server operating systems, see Service overview and network port requirements for Windows in Microsoft documentation.
Common ports
The following table describes the default ports used by typical applications.
Port | Service | Description |
---|---|---|
21 | FTP | The FTP port. It is used to upload and download files. |
22 | SSH | The SSH port. It is used to log on to Linux ECS instances by using a CLI tool or remote connection software such as PuTTY, Xshell, and SecureCRT. For more information, see Connect to a Linux instance by using a password. |
23 | Telnet | The Telnet port. It is used to log on to ECS instances. |
25 | SMTP | The Simple Mail Transfer Protocol (SMTP) port. It is used to send emails. For security purposes, port 25 is disabled on ECS instances by default. We recommend that you use the SSL port instead to send emails. In most cases, the SSL port is port 465. |
53 | DNS | The Domain Name Server (DNS) port. If a security group denies all outbound access by default and allows specific outbound access based on security group rules, you must add security group rules that open the default UDP port 53 for outbound traffic to implement domain name resolution. |
80 | HTTP | The HTTP port. It is used to access services such as IIS, Apache, and NGINX. For more information about how to troubleshoot issues related to port 80, see Verify if TCP port 80 works properly. |
110 | POP3 | The POP3 port. It is used to send and receive emails. |
143 | IMAP | The Internet Message Access Protocol (IMAP) port. It is used to receive emails. |
443 | HTTPS | The HTTPS port. It is used to access services. The HTTPS protocol can implement encrypted and secure data transmission. |
1433 | SQL Server | The TCP port of SQL Server. It is used for SQL Server to provide external services. |
1434 | SQL Server | The UDP port of SQL Server. It is used to return the TCP/IP port that is occupied by SQL Server. |
1521 | Oracle | The Oracle communication port. ECS instances that run Oracle SQL must have this port open. |
3306 | MySQL | The MySQL port. It is used for MySQL to provide external services. |
3389 | Windows Server Remote Desktop Services | The Windows Server Remote Desktop Services port. It is used to log on to Windows ECS instances. For more information, see Connect to a Windows instance by using a username and password. |
8080 | Proxy service | An alternative to port 80. It is commonly used for WWW proxy services. If you use port 8080, you must add :8080 to the end of your IP address when you access websites or use proxy servers. If you install the Apache Tomcat service, port 8080 is used by default. |
137, 138, and 139 | NetBIOS | |
Usage scenarios
The following table provides examples of usage scenarios for specific common ports used by ECS instances and the security group rules that are used in those scenarios. For information about more usage scenarios, see Security groups for different use cases.
Usage scenario | Network type | Direction | Action | Protocol | Port range | Authorization type | Authorization object | Priority |
---|---|---|---|---|---|---|---|---|
Connect to Linux ECS instances over SSH | Virtual Private Cloud (VPC) | Inbound | Allow | Custom TCP | SSH (22) | IPv4 CIDR block | 0.0.0.0/0 | 1 |
 | Classic network | Internet ingress | | | | | | |
Connect to Windows ECS instances over Remote Desktop Protocol (RDP) | VPC | Inbound | Allow | Custom TCP | RDP (3389) | IPv4 CIDR block | 0.0.0.0/0 | 1 |
 | Classic network | Internet ingress | | | | | | |
Ping ECS instances over the Internet | VPC | Inbound | Allow | All ICMP | -1/-1 | CIDR block or security group | Subject to the authorization type | 1 |
 | Classic network | Internet ingress | | | | | | |
Use ECS instances as web servers | VPC | Inbound | Allow | Custom TCP | HTTP (80) | IPv4 CIDR block | 0.0.0.0/0 | 1 |
 | Classic network | Internet ingress | | | | | | |
Upload and download files over FTP | VPC | Inbound | Allow | Custom TCP | 20/21 | CIDR block | Specified CIDR block | 1 |
 | Classic network | Internet ingress | | | | | | |
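
The inbound rule matching described under Background information, applied to rules in the format of the table above, together with a check for login and database ports that are open to 0.0.0.0/0. This is an added example, not Alibaba Cloud code: the `Rule` class, the function names and the sample rules are hypothetical, and the evaluation order (lower priority number first, deny before allow at equal priority) is an assumption that this page does not state.

```python
import ipaddress
from dataclasses import dataclass

# Login and database ports taken from the page's "Common ports" table.
SENSITIVE_PORTS = {21: "FTP", 22: "SSH", 23: "Telnet", 1433: "SQL Server",
                   1521: "Oracle", 3306: "MySQL", 3389: "RDP"}

@dataclass
class Rule:  # hypothetical model of one inbound security group rule
    action: str        # "allow" or "deny"
    protocol: str      # "tcp", "udp", "icmp" or "all"
    port_range: str    # "first/last"; "-1/-1" means no port restriction
    source: str        # authorization object as an IPv4 CIDR block
    priority: int = 1

    def ports(self):
        first, last = (int(p) for p in self.port_range.split("/"))
        return (1, 65535) if first == -1 else (first, last)

    def matches(self, src_ip, protocol, port):
        first, last = self.ports()
        return (self.protocol in ("all", protocol)
                and ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.source)
                and (protocol == "icmp" or first <= port <= last))

def inbound_allowed(rules, src_ip, protocol, port=-1):
    """Default deny: the connection is made only if an allow rule matches."""
    # Assumption: lower priority number is checked first; deny wins a tie.
    for rule in sorted(rules, key=lambda r: (r.priority, r.action != "deny")):
        if rule.matches(src_ip, protocol, port):
            return rule.action == "allow"
    return False

def exposed_to_internet(rules):
    """Sensitive (port, service) pairs that an allow rule opens to 0.0.0.0/0."""
    found = set()
    for rule in rules:
        if (rule.action, rule.source) == ("allow", "0.0.0.0/0") and rule.protocol in ("tcp", "all"):
            first, last = rule.ports()
            found.update(kv for kv in SENSITIVE_PORTS.items() if first <= kv[0] <= last)
    return sorted(found)

# Constructed sample rules modelled on the "Usage scenarios" table.
SAMPLE_RULES = [
    Rule("allow", "tcp", "22/22", "0.0.0.0/0"),
    Rule("allow", "tcp", "80/80", "0.0.0.0/0"),
    Rule("allow", "tcp", "20/21", "203.0.113.0/24"),
    Rule("allow", "icmp", "-1/-1", "0.0.0.0/0"),
]
```

With the sample rules, `exposed_to_internet(SAMPLE_RULES)` reports SSH because its authorization object is 0.0.0.0/0, while FTP is not reported because it is limited to a specified CIDR block.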