
Configure security group rules to allow connections to a Windows instance

Last Updated: Mar 01, 2023

This topic describes how to configure security group rules to allow connections to a Windows Elastic Compute Service (ECS) instance in different scenarios.

Background information

You can configure security group rules to allow connections to Windows instances in the following scenarios:

Scenario 1: Configure security group rules to allow connections to a Windows instance that resides in a VPC

For more information, see Add security group rules. Add the following security group rule:

  • Action: Allow.

  • Priority: 1, which indicates the highest priority. A smaller number indicates a higher priority.

  • Protocol Type: Custom TCP.

  • Port Range: RDP (3389).

  • Authorization Object: 0.0.0.0/0, which indicates all IP addresses. For security purposes, we recommend that you follow the principle of least privilege and specify IP addresses in the Authorization Object value.

Scenario 2: Configure security group rules to allow connections to a Windows instance that resides in the classic network

Allow access to the Windows instance over the Internet

  1. Log on to the ECS console. In the left-side navigation pane, choose Instances & Images > Instances. On the Instances page, click the ID of the Windows instance.

  2. On the Instance Details page, click the Security Groups tab, find the security group to which you want to add a security group rule, and then click Add Rules in the Actions column.

  3. Add a public inbound security group rule on the Internet Ingress tab based on your business requirements.

    • Use the default Remote Desktop Protocol (RDP) port for Windows.

      • Action: Allow.

      • Priority: 1, which indicates the highest priority. A smaller number indicates a higher priority.

      • Protocol Type: Custom TCP.

      • Port Range: RDP (3389).

      • Authorization Object: 0.0.0.0/0, which indicates all IP addresses. For security purposes, we recommend that you follow the principle of least privilege and specify IP addresses in the Authorization Object value.

    • Specify a connection port, which must be consistent with system settings.

      • Action: Allow.

      • Priority: 1, which indicates the highest priority. A smaller number indicates a higher priority.

      • Protocol Type: Custom TCP.

      • Port Range: a single port or a port range in the <Start port>/<End port> format. Example: 33899/33899, which indicates port 33899.

      • Authorization Object: 0.0.0.0/0, which indicates all IP addresses. For security purposes, we recommend that you follow the principle of least privilege and specify IP addresses in the Authorization Object value.

Allow access to the Windows instance over the internal network

Note

By default, ECS instances in the same security group can communicate with each other over the internal network.

Allow an instance in another account to access the Windows instance

  1. Add an internal inbound security group rule on the Inbound tab.

  2. Configure parameters based on the port range.

    • Use the default RDP port for Windows.

      • Action: Allow.

      • Priority: 1, which indicates the highest priority. A smaller number indicates a higher priority.

      • Protocol Type: Custom TCP.

      • Port Range: RDP (3389).

      • Authorization Object: 10.10.XX.XX. Example: 10.10.10.1, which is the internal IP address of an instance in another account.

    • Specify a connection port, which must be consistent with system settings.

      • Action: Allow.

      • Priority: 1, which indicates the highest priority. A smaller number indicates a higher priority.

      • Protocol Type: Custom TCP.

      • Port Range: a single port or a port range in the <Start port>/<End port> format. Example: 33899/33899, which indicates port 33899.

      • Authorization Object: 10.10.XX.XX. Example: 10.10.10.1, which is the internal IP address of an instance in another account.

Allow all instances in another account to access the Windows instance

  1. Add an internal inbound security group rule on the Inbound tab.

  2. Configure parameters based on the port range.

    • Use the default RDP port for Windows.

      • Action: Allow.

      • Priority: 1, which indicates the highest priority. A smaller number indicates a higher priority.

      • Protocol Type: Custom TCP.

      • Port Range: RDP (3389).

      • Authorization Type: Choose Security Group > Authorize Another Account.

      • Authorization Object: the ID of a security group in another account.

      • Account ID: the UID of another account.

    • Specify a connection port, which must be consistent with system settings.

      • Action: Allow.

      • Priority: 1, which indicates the highest priority. A smaller number indicates a higher priority.

      • Protocol Type: Custom TCP.

      • Port Range: a single port or a port range in the <Start port>/<End port> format. Example: 33899/33899, which indicates port 33899.

      • Authorization Type: Choose Security Group > Authorize Another Account.

      • Authorization Object: the ID of a security group in another account.

      • Account ID: the UID of another account.
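The scenarios above all produce the same shape of rule: Allow, priority 1, Custom TCP, a port range in the <Start port>/<End port> format, and an authorization object that is either a CIDR or a security group in another account. The following helper is an added example, not Alibaba Cloud's own code: it builds that rule as a parameter set modelled on the ECS AuthorizeSecurityGroup API (the parameter names are assumed here, not taken from this page), validates the port range, and flags the 0.0.0.0/0 authorization object that the page recommends against.

```python
import ipaddress
from typing import Optional

ANY_IPV4 = ipaddress.ip_network("0.0.0.0/0")

def parse_port_range(spec: str) -> tuple:
    """Parse a console port spec: '<Start port>/<End port>' (e.g. '33899/33899')
    or a bare single port (e.g. '3389', the default RDP port)."""
    start_s, sep, end_s = spec.partition("/")
    start = int(start_s)
    end = int(end_s) if sep else start
    if not 1 <= start <= end <= 65535:
        raise ValueError(f"invalid port range: {spec!r}")
    return start, end

def build_rdp_rule(security_group_id: str, port_range: str = "3389",
                   source_cidr: Optional[str] = None, source_group_id: Optional[str] = None,
                   source_group_owner: Optional[str] = None, nic_type: str = "intranet") -> dict:
    """One inbound Allow rule (priority 1, Custom TCP) as a parameter set modelled on
    the ECS AuthorizeSecurityGroup API; the parameter names are assumed, not taken from the page."""
    start, end = parse_port_range(port_range)
    params = {
        "SecurityGroupId": security_group_id,
        "Policy": "accept",       # Action: Allow
        "Priority": "1",          # 1 is the highest priority
        "IpProtocol": "tcp",      # Protocol Type: Custom TCP
        "PortRange": f"{start}/{end}",
        "NicType": nic_type,      # "internet" (Internet Ingress tab) or "intranet" (Inbound tab)
    }
    if source_group_id:           # Authorize Another Account: a security group, not an address
        params["SourceGroupId"] = source_group_id
        if source_group_owner:    # Account ID (UID) of the other account
            params["SourceGroupOwnerAccount"] = source_group_owner
    elif source_cidr:
        # A bare address such as 10.10.10.1 is normalised to the /32 host network.
        params["SourceCidrIp"] = str(ipaddress.ip_network(source_cidr, strict=False))
    else:
        raise ValueError("rule needs either a source CIDR or a source security group")
    return params

def least_privilege_warnings(params: dict) -> list:
    """Flag the Authorization Object the page warns about: 0.0.0.0/0 admits every IP."""
    warnings = []
    cidr = params.get("SourceCidrIp")
    if cidr and ipaddress.ip_network(cidr) == ANY_IPV4:
        warnings.append(f"tcp {params['PortRange']} is open to all IPv4 addresses; "
                        "restrict SourceCidrIp to known client addresses")
    return warnings
```

Run `least_privilege_warnings` over every rule before submitting it; a rule for the RDP port or a custom connection port that comes back with a warning should have its authorization object narrowed to the client addresses that actually need to connect.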

References

You can modify the default port used by an instance to accept connections. For more information, see Modify the default port used by an instance to accept connections.