This topic describes how to configure firewall rules on a Windows ECS instance for specific tasks.
Overview
The following table describes each feature and links to its procedure. The procedures in this topic use Windows Server 2022 as an example. They connect through VNC rather than Remote Desktop because a rule that blocks RDP (TCP port 3389) or excludes your own address ends an RDP session immediately. Windows Defender Firewall filters traffic on the instance itself; the security group of the ECS instance filters traffic before it reaches the instance, so a port must be permitted at both levels before a connection can succeed.
Feature | Description
--- | ---
Feature 1: Allow an app or feature through Windows Defender Firewall | This setting allows a specific application or service to accept inbound connections from the internet or other networks so the program can function without being blocked by the firewall. For example, you can allow file-sharing or instant messaging software to pass through the Windows Defender Firewall.
Feature 2: Allow or block a local port | You can allow or block access to specific local ports to reduce the risk of malware or attackers exploiting the services behind them. For example, if you do not require the FTP service, which uses port 21 by default, you can block inbound access to port 21.
Feature 3: Allow or block an IP address | This setting lets you control which remote IP addresses can reach your programs, services, or ports, which limits the sources that can attempt to exploit a vulnerability in them. For example, you can allow only the public IP address of your local computer to access the instance.
Feature 1: Allow an app or feature
Connect to the Windows instance by using VNC. For more information, see Connect to an instance by using VNC.
Go to .
Click Allow an app or feature through Windows Defender Firewall.

Click Allow another app.
In the Add an app dialog box, on the Apps tab, double-click the desired application. If the application is not listed, click Browse, locate the application file, and then double-click the file. Back in the Allowed apps list, select the Private and Public check boxes only for the network profiles on which the application must be reachable, and then click OK. Leave Public cleared unless the application must accept connections from untrusted networks.
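The same Feature 1 rule created from an elevated PowerShell session on the instance, as an added example that is not part of the original page. It uses the NetSecurity module cmdlets (New-NetFirewallRule, Get-NetFirewallRule, Get-NetFirewallApplicationFilter); the application path C:\Program Files\ExampleChat\examplechat.exe and the rule name are assumptions for illustration, not a real product.

```powershell
# Added example, not from the original page. Requires an elevated session.
# The application path and rule name below are assumptions for illustration.
$AppPath  = 'C:\Program Files\ExampleChat\examplechat.exe'
$RuleName = 'Allow ExampleChat (inbound)'

if (-not (Test-Path -LiteralPath $AppPath)) {
    throw "Application not found: $AppPath"
}

# Binding the rule to the executable opens only the ports that this program
# listens on, and only while it is running. Public is left out so the app is
# not reachable from networks classed as untrusted; add it only if the
# instance must accept these connections from the internet.
$rule = @{
    DisplayName = $RuleName
    Description = 'Lets the ExampleChat client accept inbound connections'
    Direction   = 'Inbound'
    Program     = $AppPath
    Action      = 'Allow'
    Profile     = 'Domain', 'Private'
    Enabled     = 'True'
}

# Make the script safe to re-run: replace any rule of the same name.
Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule
New-NetFirewallRule @rule | Out-Null

# Read the rule back: its action, the profiles it applies to, and the
# program it is bound to, so a typo in the path is caught now.
Get-NetFirewallRule -DisplayName $RuleName | ForEach-Object {
    [pscustomobject]@{
        Rule    = $_.DisplayName
        Action  = $_.Action
        Profile = $_.Profile
        Program = ($_ | Get-NetFirewallApplicationFilter).Program
    }
}
```

The Program filter is the reason to prefer this rule type over opening a port: if the application is later replaced by one listening on a different port, nothing else on the host inherits the opening.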

Feature 2: Allow or block a local port
Connect to the Windows instance by using VNC. For more information, see Connect to an instance by using VNC.
Go to .
Click Advanced Settings.

Click Inbound Rules > New Rule.

Configure the rule.
In the Rule Type step, select Port, and then click Next.

In the Protocol and Ports step, select TCP or UDP, select Specific local ports, and enter the local port number to allow or block, such as 8080. Then, click Next.
In the Action step, select Block the connection or Allow the connection. Then, click Next.

In the Profile step, select the appropriate profiles, and then click Next.
Note: Select the profiles (Domain, Private, Public) based on the network environment of your computer. By default, all profiles are selected.
In the Name step, enter a name and description for the rule, and then click Finish.
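The two Feature 2 rules from the examples in this topic (block TCP 21 for the unused FTP service, allow TCP 8080 for an application) created from an elevated PowerShell session, as an added example that is not part of the original page. The rule names are assumptions. The helper at the end is also added here: it lists every enabled inbound rule whose port filter covers a port, which is the check you want before assuming an Allow rule took effect, because Windows Defender Firewall gives Block rules precedence over Allow rules regardless of their order.

```powershell
# Added example, not from the original page. Requires an elevated session.
# Rule names are assumptions; the ports come from the examples in this topic.
$rules = @(
    @{
        DisplayName = 'Block inbound FTP control (TCP 21)'
        Description = 'FTP is not used on this instance'
        Direction   = 'Inbound'
        Protocol    = 'TCP'
        LocalPort   = 21
        Action      = 'Block'
        Profile     = 'Any'
    }
    @{
        DisplayName = 'Allow inbound web app (TCP 8080)'
        Description = 'Application listener on 8080'
        Direction   = 'Inbound'
        Protocol    = 'TCP'
        LocalPort   = 8080
        Action      = 'Allow'
        Profile     = 'Domain', 'Private'
    }
)

foreach ($r in $rules) {
    # Replace an existing rule of the same name so re-running leaves no duplicates.
    Get-NetFirewallRule -DisplayName $r.DisplayName -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule
    New-NetFirewallRule @r | Out-Null
}

# Lists every enabled inbound rule whose port filter covers $Port. Block rules
# take precedence over Allow rules, so if a Block entry appears next to your
# Allow entry the port is closed no matter how the rules are ordered.
# Port ranges such as '8000-8100' are reported as-is, not expanded.
function Get-InboundRulesForPort {
    param(
        [Parameter(Mandatory)][int]$Port,
        [string]$Protocol = 'TCP'
    )
    Get-NetFirewallRule -Direction Inbound -Enabled True | ForEach-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        $portMatch  = ($pf.LocalPort -eq 'Any') -or ($pf.LocalPort -contains "$Port")
        $protoMatch = ($pf.Protocol -eq 'Any') -or ($pf.Protocol -eq $Protocol)
        if ($portMatch -and $protoMatch) {
            [pscustomobject]@{
                Rule      = $_.DisplayName
                Action    = $_.Action
                Profile   = $_.Profile
                Protocol  = $pf.Protocol
                LocalPort = ($pf.LocalPort -join ',')
            }
        }
    }
}

Get-InboundRulesForPort -Port 21
Get-InboundRulesForPort -Port 8080
```

From your local computer, Test-NetConnection -ComputerName <instance public IP> -Port 8080 confirms the end-to-end result; remember that the ECS security group must also permit the port, or the test fails even though the Windows rule is correct.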
Feature 3: Allow or block an IP address
You can set the scope of an inbound rule to define which remote IP addresses it applies to. The rule then allows or blocks access from only those addresses to the associated program, service, or port.
If the Action of the inbound rule is set to Allow the connection, the rule matches connections only from the specified IP addresses. Connections from other addresses are allowed only if another enabled rule allows them; otherwise the default inbound action of the profile, which is Block unless you changed it, applies.
If the Action of the inbound rule is set to Block the connection, the rule blocks the specified IP addresses from accessing the associated program, service, or port. Block rules take precedence over allow rules, so a scoped block rule overrides any allow rule that covers the same traffic.
Existing rule
Connect to the Windows instance by using VNC. For more information, see Connect to an instance by using VNC.
Go to .
Click Advanced Settings.

Click Inbound Rules. Find the rule you want to modify, right-click it, and then click Properties.

On the Scope tab, under Remote IP address, select These IP addresses and click Add.

Enter an IP address or CIDR block, for example, the public IP address of your local computer. Then, click OK.
Note: You can click Add again to add multiple IP addresses or CIDR blocks.

After adding the IP addresses, click OK. The inbound rule now applies only to the specified IP addresses.
New rule
Connect to the Windows instance by using VNC. For more information, see Connect to an instance by using VNC.
Go to .
Click Advanced Settings.

Click Inbound Rules > New Rule.

Configure the rule.
In the Rule Type step, select Custom, and then click Next.

In the Program step, select All programs or This program path, and then click Next.
Note: All programs applies the rule to all programs on the computer. This program path applies the rule to a specific program.

In the Protocol and Ports step, configure the required protocols and ports, and then click Next.

In the Scope step, under Which remote IP addresses does this rule apply to?, select These IP addresses and click Add.

Enter an IP address or CIDR block, for example, the public IP address of your local computer, and then click OK. After you finish adding addresses, click Next.
Note: You can click Add again to add multiple IP addresses or CIDR blocks.

In the Action step, select Block the connection or Allow the connection, and then click Next.

In the Profile step, select the appropriate profiles, and then click Next.
Note: Select the profiles (Domain, Private, Public) based on the network environment of your computer. By default, all profiles are selected.
In the Name step, enter a name and description for the rule, and then click Finish.
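Both Feature 3 procedures, restricting an existing rule and creating a new scoped rule, done from an elevated PowerShell session on the instance, as an added example that is not part of the original page. The addresses 203.0.113.0/24 and 198.51.100.7 are RFC 5737 documentation ranges standing in for your management addresses, and the program path C:\Program Files\ExampleSvc\svc.exe is an assumption. The existing rules chosen are the built-in Remote Desktop rule group, which is the realistic case and also the one that locks you out if the scope is wrong.

```powershell
# Added example, not from the original page. Requires an elevated session.
# The addresses are RFC 5737 documentation ranges and the program path is an
# assumption; replace them with your own management addresses and service.
$Trusted = @('203.0.113.0/24', '198.51.100.7')

# (a) Existing rules: narrow the built-in Remote Desktop rule group so only
# $Trusted can reach RDP (TCP/UDP 3389). Run this from VNC, not from an RDP
# session: if your own public address is missing from $Trusted, this change
# ends your RDP access. Get-NetFirewallRule selects; Set-NetFirewallRule
# changes only the remote address scope and leaves everything else intact.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True |
    Set-NetFirewallRule -RemoteAddress $Trusted

# (b) New rule, the Custom wizard path: a specific program, a specific port,
# and a remote address scope combined in one rule.
$custom = @{
    DisplayName   = 'Allow ExampleSvc (TCP 8443) from trusted addresses'
    Description   = 'Management interface, reachable only from trusted addresses'
    Direction     = 'Inbound'
    Program       = 'C:\Program Files\ExampleSvc\svc.exe'
    Protocol      = 'TCP'
    LocalPort     = 8443
    RemoteAddress = $Trusted
    Action        = 'Allow'
    Profile       = 'Any'
}
Get-NetFirewallRule -DisplayName $custom.DisplayName -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule
New-NetFirewallRule @custom | Out-Null

# Read back the remote scope of a rule or rule group to confirm the address
# list is what you intended before you close the VNC session.
function Get-RuleRemoteScope {
    param([string]$DisplayName, [string]$DisplayGroup)
    $q = @{}
    if ($DisplayName)  { $q.DisplayName  = $DisplayName }
    if ($DisplayGroup) { $q.DisplayGroup = $DisplayGroup }
    Get-NetFirewallRule @q -Direction Inbound | ForEach-Object {
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Action        = $_.Action
            RemoteAddress = (($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ',')
        }
    }
}

Get-RuleRemoteScope -DisplayGroup 'Remote Desktop'
Get-RuleRemoteScope -DisplayName $custom.DisplayName
```

If clients reach the instance over IPv6 as well, add their IPv6 addresses or prefixes to the same RemoteAddress list; a scope that names only IPv4 addresses silently drops the IPv6 connections.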
Related documents
If you cannot connect to your instance, try adding a rule to the Windows Defender Firewall to allow remote connections. For a detailed example, see Configure firewall rules.
If you still cannot connect to the instance after confirming that the Windows Defender Firewall is configured correctly, you can troubleshoot other potential issues. For more information, see Troubleshoot remote connection issues with a Windows instance and Remote Desktop (RDP) connection issues.