Authorizing Inbound Traffic for Your Windows Instances
Security groups enable you to control traffic to your instance, including the kind of traffic that can reach your instance. For example, you can allow computers from only your home network to access your instance using RDP. If your instance is a web server, you can allow all IP addresses to access your instance via HTTP, so that external users can browse the content on your web server.
To enable network access to your instance, you must allow inbound traffic to your instance. To open a port for inbound traffic, add a rule to a security group that you associated with your instance when you launched it.
To connect to your instance, you must set up a rule to authorize RDP traffic from your computer's public IPv4 address. To allow RDP traffic from additional IP address ranges, add another rule for each range you need to authorize.
If you've enabled your VPC for IPv6 and launched your instance with an IPv6 address, you can connect to your instance using its IPv6 address instead of a public IPv4 address. Your local computer must have an IPv6 address and must be configured to use IPv6.
If you need to enable network access to a Linux instance, see Authorizing Inbound Traffic for Your Linux Instances in the Amazon EC2 User Guide for Linux Instances.
Before You Start
Decide who requires access to your instance; for example, a single host or a specific network that you trust such as your local computer's public IPv4 address. The security group editor in the Amazon EC2 console can automatically detect the public IPv4 address of your local computer for you. Alternatively, you can use the search phrase "what is my IP address" in an Internet browser, or use the following service: http://checkip.amazonaws.com/. If you are connecting through an ISP or from behind your firewall without a static IP address, you need to find out the range of IP addresses used by client computers.
If you use 0.0.0.0/0, you enable all IPv4 addresses to access your instance using RDP. If you use ::/0, you enable all IPv6 addresses to access your instance. This is acceptable for a short time in a test environment, but it's unsafe for production environments. In production, you'll authorize only a specific IP address or range of addresses to access your
For more information about security groups, see Amazon EC2 Security Groups for Windows Instances.
Windows Firewall may also block incoming traffic. If you're having trouble setting up access to your instance, you may have to disable Windows Firewall. For more information, see Remote Desktop can't connect to the remote computer.
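The 0.0.0.0/0 and ::/0 warning above can be checked mechanically. The following is an added example, not part of the AWS documentation: it scans security group data in the shape returned by `aws ec2 describe-security-groups` and reports every rule that leaves RDP (TCP 3389) open to all addresses. The group IDs and rules in `SAMPLE_GROUPS` are constructed for illustration.

```python
import ipaddress

RDP_PORT = 3389
# Constructed sample in the shape returned by `aws ec2 describe-security-groups`.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0example1", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "203.0.113.25/32"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0example2", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
    {"GroupId": "sg-0example3", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
]

def covers_rdp(perm):
    """True if the rule's protocol and port range include TCP 3389."""
    proto = perm.get("IpProtocol")
    if proto == "-1":  # -1 means all protocols and all ports
        return True
    if proto not in ("tcp", "6"):
        return False
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    return lo is not None and hi is not None and lo <= RDP_PORT <= hi

def world_open_rdp(groups):
    """Return (group id, CIDR) pairs that expose RDP to every address."""
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            if not covers_rdp(perm):
                continue
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                # A prefix length of 0 is 0.0.0.0/0 or ::/0, however it is written.
                if ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
                    findings.append((group["GroupId"], cidr))
    return findings

if __name__ == "__main__":
    for group_id, cidr in world_open_rdp(SAMPLE_GROUPS):
        print(f"{group_id}: RDP (TCP 3389) open to {cidr}")
```

Note that the second sample group is flagged even though it never names port 3389: a port range or an all-traffic rule that includes 3389 exposes RDP just the same.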
Adding a Rule for Inbound RDP Traffic to a Windows Instance
Security groups act as a firewall for associated instances, controlling both inbound and outbound traffic at the instance level. You must add rules to a security group that enable you to connect to your Windows instance from your IP address using RDP.
To add a rule to a security group for inbound RDP traffic over IPv4 using the console
In the navigation pane of the Amazon EC2 console, choose Instances. Select your instance and look at the Description tab; Security groups lists the security groups that are associated with the instance. Choose view rules to display a list of the rules that are in effect for the instance.
In the navigation pane, choose Security Groups. Select one of the security groups associated with your instance.
In the details pane, on the Inbound tab, choose Edit. In the dialog, choose Add Rule, and then choose RDP from the Type list.
In the Source field, choose My IP to automatically populate the field with the public IPv4 address of your local computer. Alternatively, choose Custom and specify the public IPv4 address of your computer or network in CIDR notation. For example, if your IPv4 address is 203.0.113.25, specify 203.0.113.25/32 to list this single IPv4 address in CIDR notation. If your company allocates addresses from a range, specify the entire range, such as
For information about finding your IP address, see Before You Start.
(VPC only) If you launched an instance with an IPv6 address and want to connect to your instance using its IPv6 address, you must add rules that allow inbound IPv6 traffic over RDP.
To add a rule to a security group for inbound RDP traffic over IPv6 using the console
Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
In the navigation pane, choose Security Groups. Select the security group for your instance.
Choose Inbound, Edit, Add Rule.
For Type, choose RDP.
In the Source field, specify the IPv6 address of your computer in CIDR notation. For example, if your IPv6 address is 2001:db8:1234:1a00:9691:9503:25ad:1761, specify 2001:db8:1234:1a00:9691:9503:25ad:1761/128 to list the single IP address in CIDR notation. If your company allocates addresses from a range, specify the entire range, such as
To add a rule to a security group using the command line
You can use one of the following commands. Be sure to run this command on your local system, not on the instance itself. For more information about these command line interfaces, see Accessing Amazon EC2.
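As an added example (not from the AWS documentation), the following Python function builds the inbound RDP rule in the `IpPermissions` structure that the EC2 API accepts. It turns a single address into /32 or /128 as the console steps above describe, and refuses 0.0.0.0/0 and ::/0. The function name `rdp_ingress_rule`, the default description, and the `sg-PLACEHOLDER` group ID are assumptions made for this sketch.

```python
import ipaddress
import json

RDP_PORT = 3389


def rdp_ingress_rule(source, description="RDP from admin workstation"):
    """Build one IpPermissions entry that allows RDP from `source` only.

    `source` is a single address or a CIDR range. A bare address becomes
    /32 (IPv4) or /128 (IPv6), the single-address form used in the console.
    """
    # strict=True rejects ranges with host bits set, such as 203.0.113.25/24,
    # which usually means the prefix length was mistyped.
    net = ipaddress.ip_network(source, strict=True)
    if net.prefixlen == 0:
        raise ValueError(f"{net} opens RDP to every address; name a range")
    rule = {"IpProtocol": "tcp", "FromPort": RDP_PORT, "ToPort": RDP_PORT}
    entry = {"Description": description}
    if net.version == 4:
        entry["CidrIp"] = str(net)
        rule["IpRanges"] = [entry]
    else:
        entry["CidrIpv6"] = str(net)
        rule["Ipv6Ranges"] = [entry]
    return rule


if __name__ == "__main__":
    for src in ("203.0.113.25", "2001:db8:1234:1a00:9691:9503:25ad:1761"):
        print(json.dumps(rdp_ingress_rule(src)))
    # Assumption: boto3 is installed and credentials are configured on your
    # local system. The rule is then applied with:
    #   boto3.client("ec2").authorize_security_group_ingress(
    #       GroupId="sg-PLACEHOLDER", IpPermissions=[rdp_ingress_rule(src)])
```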
Assigning a Security Group to an Instance
You can assign a security group to an instance when you launch the instance. When you add or remove rules, those changes are automatically applied to all instances to which you've assigned the security group.
After you launch an instance in EC2-Classic, you can't change its security groups. After you launch an instance in a VPC, you can change its security groups. For more information, see Changing an Instance's Security Groups in the Amazon VPC User Guide.