
Configure firewall rules for an ECS instance that runs Windows Server

Last Updated: Aug 01, 2024

This topic describes how to configure firewall rules for an Elastic Compute Service (ECS) instance that runs Windows Server.

Procedure

Perform the steps described in the following sections to configure different firewall rules for an ECS instance that runs Windows Server. In the following examples, an ECS instance that runs Windows Server 2008 is used.

Feature 1: Allow a program or feature to pass the Windows Firewall

  1. Connect to the ECS instance that runs Windows Server.

    For more information, see Connect to a Windows instance by using a password or a key.

  2. Choose Start > Control Panel > System and Security > Windows Firewall.

  3. In the left-side navigation pane of the Windows Firewall window, click Allow a program or feature through Windows Firewall.

  4. In the Allowed Programs window, click Allow another program.

  5. In the Add a Program window, double-click a specific application in the Programs section. If you cannot find the application that you want to add in the Programs section, click Browse to find the application file in a specific directory and double-click the application file.

Feature 2: Allow or deny access to a specific local port

  1. Connect to the ECS instance that runs Windows Server.

    For more information, see Connect to a Windows instance by using a password or a key.

  2. Choose Start > Control Panel > System and Security > Windows Firewall.

  3. Click Advanced settings.

  4. In the left-side navigation pane of the Windows Firewall with Advanced Security window, click Inbound Rules. In the right-side Actions column, click New Rule.

  5. On the Rule Type page, select Port.

  6. Click Next. Select TCP or UDP, select Specific local port, and then enter a local port to which you want to allow or deny access. Example: 8080.

  7. Click Next. On the Action page, select Allow the connection or Block the connection.

    Note
    • If the default inbound rule for the specified port is Allow, select Block the connection to close the port.

    • If the default inbound rule for the specified port is Block, select Allow the connection to open the port.

  8. Click Next. On the Profile page, select the profiles to which you want to apply the rule and click Next. On the Name page, enter a name and a description for the rule and click Finish.

    Note

    By default, all profiles are selected. Select profiles based on the local network environment.

Feature 3: Allow or block access from specific IP addresses or CIDR blocks

  1. Connect to the ECS instance that runs Windows Server.

    For more information, see Connect to a Windows instance by using a password or a key.

  2. Choose Start > Control Panel > System and Security > Windows Firewall.

  3. Click Advanced settings.

  4. In the left-side navigation pane of the Windows Firewall with Advanced Security window, click Inbound Rules. In the right-side Actions column, click New Rule.

  5. On the Rule Type page, select Custom and click Next.

  6. Select All programs or This program path and click Next.

    Note

    All programs: The rule applies to all programs on the ECS instance. This program path: The rule applies to a specific program. Select All programs or This program path based on your business requirements.

  7. On the Protocol and Ports page, accept the default settings and click Next.

  8. For Which local IP addresses does this rule apply to?, select These IP addresses and click Add.

  9. Enter an IP address or a CIDR block, click OK, and then click Next.

  10. On the Action page, select Allow the connection or Block the connection.

  11. Click Next. On the Profile page, select the profiles to which you want to apply the rule and click Next. On the Name page, enter a name and a description for the rule and click Finish.

Feature 4: Allow specific IP addresses to access local ports

  1. Connect to the ECS instance that runs Windows Server.

    For more information, see Connect to a Windows instance by using a password or a key.

  2. Choose Start > Control Panel > System and Security > Windows Firewall.

  3. Click Advanced settings.

  4. In the left-side navigation pane of the Windows Firewall with Advanced Security window, click Inbound Rules. Find a local port that is in the Enabled state, right-click the port, select Properties, and then click the Scope tab. In the Remote IP address section, select These IP addresses.

  5. Click Add, select This IP address or subnet, enter an IP address or a CIDR block, and then click OK.
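The port rule from Feature 2, combined with the remote-address scope from Feature 4, can also be created from an elevated PowerShell prompt. This is an added example, not part of the original topic; it calls netsh advfirewall because Windows Server 2008 has no built-in firewall cmdlets, and the rule name and the 203.0.113.0/24 block are constructed sample values.

```powershell
# Added example: inbound allow rule for TCP 8080, limited to one source range.
# Run from an elevated prompt. Rule name and CIDR block are sample values.
$RuleName = 'ECS-Allow-TCP8080-AdminSubnet'
$Port     = 8080
$RemoteIp = '203.0.113.0/24'   # documentation range; replace with your source
$Profiles = 'any'              # wizard default; narrow to match your network

function Test-Cidr([string]$Value) {
    # Accept a dotted-quad IPv4 address, optionally followed by a /0-/32 prefix.
    $parts = $Value.Split('/')
    if ($parts.Length -gt 2) { return $false }
    if ($parts[0] -notmatch '^\d{1,3}(\.\d{1,3}){3}$') { return $false }
    $addr = $null
    if (-not [System.Net.IPAddress]::TryParse($parts[0], [ref]$addr)) { return $false }
    if ($parts.Length -eq 2) {
        $prefix = 0
        if (-not [int]::TryParse($parts[1], [ref]$prefix)) { return $false }
        return ($prefix -ge 0 -and $prefix -le 32)
    }
    return $true
}

if (-not (Test-Cidr $RemoteIp)) {
    throw "Invalid IPv4 address or CIDR block: $RemoteIp"
}

# Remove an earlier rule with the same name so reruns do not stack duplicates.
netsh advfirewall firewall delete rule name=$RuleName | Out-Null

# Feature 2 (port, protocol, action, profile) plus Feature 4 (remote scope).
netsh advfirewall firewall add rule name=$RuleName dir=in action=allow `
    protocol=TCP localport=$Port remoteip=$RemoteIp profile=$Profiles
if ($LASTEXITCODE -ne 0) {
    throw "netsh could not add the rule (exit code $LASTEXITCODE)"
}

# Verify what was stored: RemoteIP corresponds to the Scope tab in Feature 4.
netsh advfirewall firewall show rule name=$RuleName verbose

# Show which profile the instance's network is using, so the profile choice
# above can be checked against it.
netsh advfirewall show currentprofile
```

In Windows Firewall, Block rules take precedence over Allow rules, so a broader Block rule on the same port overrides this rule.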

Feature 5: Block specific IP addresses or CIDR blocks from accessing the server

  1. Connect to the ECS instance that runs Windows Server.

    For more information, see Connect to a Windows instance by using a password or a key.

  2. Click Start, enter gpedit.msc, and then press the Enter key to open the Local Group Policy Editor window.

  3. In the left-side navigation pane, choose Computer Configuration > Windows Settings > Security Settings. Right-click IP Security Policy on Local Computer and select Create IP Security Policy. In the IP Security Policy Wizard window, click Next. On the IP Security Policy Name page, enter a name and a description for the IP security policy as prompted. Click Next, click Next, and then click Finish.

  4. Double-click the new IP security policy. Click Add. In the Security Rule Wizard window, click Next.

  5. In the Specify the tunnel endpoint for the IP security rule section, select This rule does not specify a tunnel.

  6. Click Next. In the Select the network type section, select All network connections.

  7. Click Next. In the IP filter lists section, click Add.

  8. In the IP Filter List window, specify information as prompted and click Add to create a new IP filter.

  9. Select A specific IP Address or Subnet from the Source address drop-down list, enter an IP address or subnet in the IP Address or Subnet field, and then click Next.

  10. Select Any IP Address from the Destination address drop-down list and click Next.

  11. Select Any from the Select a protocol type drop-down list, click Next, and then click Finish.

  12. In the IP Filters section, select the new IP filter and click OK.

  13. In the Filter Actions section, click Add. In the Filter Action Wizard window, click Next to create a filter action.

  14. Click Next and enter a name and a description for the filter action. Click Next and select Block. Click Next and then click Finish.

  15. After the filter action is created, select the new IP filter, click Next, and then click Finish. Click OK. A firewall rule that blocks access from the specified IP address or CIDR block is added.
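The same IP security policy can be built with netsh ipsec static from an elevated PowerShell prompt. This is an added example, not part of the original topic; the object names and the 203.0.113.0/24 source range are constructed sample values, and the final assignment step is included because an IP security policy filters traffic only while it is assigned.

```powershell
# Added example: Feature 5 expressed as netsh ipsec static commands.
# Run from an elevated prompt. All names and addresses are sample values.
$Policy     = 'ECS-Block-Sources'
$FilterList = 'ECS-Block-Sources-List'
$Action     = 'ECS-Block-Action'
$Rule       = 'ECS-Block-Rule'
$Source     = '203.0.113.0'      # documentation range; replace with the source
$Mask       = '255.255.255.0'    # /24

# Before blocking a range, confirm that the address you manage the instance
# from is not inside it; otherwise the remote session is cut off.

# Step 3: create the IP security policy.
netsh ipsec static add policy name=$Policy description="Block listed sources"

# Steps 7-11: filter list with one filter (specific source, any destination,
# any protocol).
netsh ipsec static add filterlist name=$FilterList
netsh ipsec static add filter filterlist=$FilterList `
    srcaddr=$Source srcmask=$Mask dstaddr=any protocol=ANY

# Steps 13-14: filter action that blocks matching traffic.
netsh ipsec static add filteraction name=$Action action=block

# Steps 4, 12 and 15: rule that ties the filter list and action to the policy.
netsh ipsec static add rule name=$Rule policy=$Policy `
    filterlist=$FilterList filteraction=$Action

# Assign the policy so that it takes effect.
netsh ipsec static set policy name=$Policy assign=y

# Review the stored policy, its rule, filter and action.
netsh ipsec static show policy name=$Policy level=verbose

# To roll back:
#   netsh ipsec static set policy name=$Policy assign=n
#   netsh ipsec static delete policy name=$Policy
```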