Amazon Elastic Compute Cloud
User Guide (API Version 2014-02-01)

Authorizing Inbound Traffic for Your Instances

To enable network access to your instance, you must allow inbound traffic to your instance. To open a port for inbound traffic, add a rule to a security group that you associated with your instance when you launched it.

The following table describes the rule you need to set up to authorize traffic. The documentation shows you how to authorize traffic from your computer's public IP address. To allow traffic from additional IP address ranges, add another rule for each range you need to authorize.

Your Instance    Protocol           Documentation
Linux            SSH (port 22)      Adding a Rule for Inbound SSH Traffic to a Linux Instance
Windows          RDP (port 3389)    Adding a Rule for Inbound RDP Traffic to a Windows Instance

Before You Start

Decide who requires access to your instance; for example, a single host or a specific network that you trust. In this case, we use your local system's public IP address. You can get the public IP address of your local computer using a service. For example, we provide the following service: http://checkip.amazonaws.com/. To locate another service that provides your IP address, use the search phrase "what is my IP address". If you are connecting through an ISP or from behind your firewall without a static IP address, you need to find out the range of IP addresses used by client computers.

Caution

If you use 0.0.0.0/0, you enable all IP addresses to access your instance using SSH or RDP. This is acceptable for a short time in a test environment, but it's unsafe for production environments. In production, you'll authorize only a specific IP address or range of addresses to access your instance.

For more information about security groups, see Amazon EC2 Security Groups.
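
The check below is an added example, not part of the original guide: it scans inbound rules for SSH or RDP access left open to 0.0.0.0/0, including rules that reach those ports through a wide port range or an all-traffic rule. The sample data is constructed in the shape of the EC2 DescribeSecurityGroups response, the group IDs are placeholders, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample in the shape of the EC2 DescribeSecurityGroups response
# (SecurityGroups -> IpPermissions -> IpRanges); group IDs are placeholders.
SAMPLE_GROUPS = [
    {"GroupId": "sg-example1", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.25/32"}]}]},
    {"GroupId": "sg-example2", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-example3", "IpPermissions": [
        # A port range that silently includes SSH.
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 1024,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}, {"CidrIp": "0.0.0.0/0"}]},
        # "-1" means all protocols and ports; FromPort/ToPort are absent.
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}


def covers(perm, port):
    """True if the permission admits TCP traffic to `port`."""
    if perm["IpProtocol"] == "-1":
        return True
    if perm["IpProtocol"] != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def open_admin_rules(groups):
    """Return sorted (group_id, service) pairs where SSH/RDP is open to all IPv4."""
    findings = set()
    for group in groups:
        for perm in group.get("IpPermissions", []):
            for rng in perm.get("IpRanges", []):
                # A prefix length of 0 is 0.0.0.0/0 however it is written.
                net = ipaddress.ip_network(rng["CidrIp"], strict=False)
                if net.prefixlen != 0:
                    continue
                for port, name in ADMIN_PORTS.items():
                    if covers(perm, port):
                        findings.add((group["GroupId"], name))
    return sorted(findings)
```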

Adding a Rule for Inbound SSH Traffic to a Linux Instance

Security groups act as a firewall for associated instances, controlling both inbound and outbound traffic at the instance level. You must add rules to a security group that enable you to connect to your instance from your IP address using SSH.

Important

The security groups page in the Amazon EC2 console has been redesigned, and you can switch between the new and old interfaces by clicking the link in the preview message at the top of the console page. You can switch back to the old interface during the trial period; however, this topic may refer to features that are only available in the new interface.

To add a rule to a security group for inbound SSH traffic using the console

  1. In the navigation pane of the Amazon EC2 console, click Instances. Select your instance and look at the Description tab; Security groups lists the security groups that are associated with the instance. Click view rules to display a list of the rules that are in effect for the instance.

  2. In the navigation pane, click Security Groups. Select one of the security groups associated with your instance.

  3. In the details pane, on the Inbound tab, click Edit. In the dialog, click Add Rule, and then select SSH from the Type list.

  4. In the Source field, specify the public IP address of your computer, in CIDR notation. For example, if your IP address is 203.0.113.25, specify 203.0.113.25/32 to list this single IP address in CIDR notation. If your company allocates addresses from a range, specify the entire range, such as 203.0.113.0/24.

    For information about finding your IP address, see Before You Start.

  5. Click Save.

    Note

    If you're using the old design of the security groups page, select SSH from the Create a new rule list, specify the IP address in the Source field, click Add Rule, and then click Apply Rule Changes.

To add a rule to a security group using the command line

You can use one of the following commands. Be sure to run this command on your local system, not on the instance itself. For more information about these command line interfaces, see Accessing Amazon EC2.

Adding a Rule for Inbound RDP Traffic to a Windows Instance

Security groups act as a firewall for associated instances, controlling both inbound and outbound traffic at the instance level. You must add rules to a security group that enable you to connect to your Windows instance from your IP address using RDP.

Important

The security groups page in the Amazon EC2 console has been redesigned, and you can switch between the new and old interfaces by clicking the link in the preview message at the top of the console page. You can switch back to the old interface during the trial period; however, this topic may refer to features that are only available in the new interface.

To add a rule to a security group for inbound RDP traffic using the console

  1. In the navigation pane of the Amazon EC2 console, click Instances. Select your instance and look at the Description tab; Security groups lists the security groups that are associated with the instance. Click view rules to display a list of the rules that are in effect for the instance.

  2. In the navigation pane, click Security Groups. Select one of the security groups associated with your instance.

  3. In the details pane, on the Inbound tab, click Edit. In the dialog, click Add Rule, and then select RDP from the Type list.

  4. In the Source field, specify the public IP address of your computer, in CIDR notation. For example, if your IP address is 203.0.113.25, specify 203.0.113.25/32 to list this single IP address in CIDR notation. If your company allocates addresses from a range, specify the entire range, such as 203.0.113.0/24.

    For information about finding your IP address, see Before You Start.

  5. Click Save.

    Note

    If you're using the old design of the security groups page, select RDP from the Create a new rule list, specify the IP address in the Source field, click Add Rule, and then click Apply Rule Changes.
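
The Source value from step 4 of both the SSH and RDP procedures can be validated before it is saved. This is an added example, not part of the original guide: it turns a bare address (such as the reply from the checkip service) into a /32, accepts a company range only when it is a true network address, refuses 0.0.0.0/0, and returns the rule in the IpPermissions shape used by the EC2 AuthorizeSecurityGroupIngress action. The function names are hypothetical.

```python
import ipaddress

PORTS = {"SSH": 22, "RDP": 3389}


def source_cidr(text):
    """Normalise a Source value: a bare address becomes /32, a range stays a range."""
    text = text.strip()  # a reply fetched from an IP-lookup service ends with a newline
    if "/" not in text:
        # Raises ValueError (AddressValueError) on anything that is not IPv4.
        addr = ipaddress.IPv4Address(text)
        net = ipaddress.ip_network(f"{addr}/32")
    else:
        # strict=True rejects host bits, e.g. 203.0.113.25/24, which usually
        # means a single address was meant, or 203.0.113.0/24.
        net = ipaddress.IPv4Network(text, strict=True)
    if net.prefixlen == 0:
        raise ValueError("0.0.0.0/0 would open the port to every IP address")
    return str(net)


def inbound_rule(service, source):
    """Build one inbound TCP rule for SSH or RDP from a validated source."""
    port = PORTS[service]
    return {
        "IpProtocol": "tcp",
        "FromPort": port,
        "ToPort": port,
        "IpRanges": [{"CidrIp": source_cidr(source)}],
    }
```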

To add a rule to a security group using the command line

You can use one of the following commands. Be sure to run this command on your local system, not on the instance itself. For more information about these command line interfaces, see Accessing Amazon EC2.

Assigning a Security Group to an Instance

You can assign a security group to an instance when you launch the instance. When you add or remove rules, those changes are automatically applied to all instances to which you've assigned the security group.

After you launch an instance in EC2-Classic, you can't change its security groups. After you launch an instance in a VPC, you can change its security groups. For more information, see Changing an Instance's Security Groups in the Amazon Virtual Private Cloud User Guide.