Authorize inbound traffic for your Windows instances
Security groups enable you to control traffic to your instance, including the kind of traffic that can reach your instance. For example, you can allow computers from only your home network to access your instance using RDP. If your instance is a web server, you can allow all IP addresses to access your instance using HTTP or HTTPS, so that external users can browse the content on your web server.
Your default security groups and newly created security groups include default rules that do not enable you to access your instance from the internet. For more information, see Default security groups and Custom security groups. To enable network access to your instance, you must allow inbound traffic to your instance. To open a port for inbound traffic, add a rule to a security group that you associated with your instance when you launched it.
To connect to your instance, you must set up a rule to authorize RDP traffic from your computer's public IPv4 address. To allow RDP traffic from additional IP address ranges, add another rule for each range you need to authorize.
If you've enabled your VPC for IPv6 and launched your instance with an IPv6 address, you can connect to your instance using its IPv6 address instead of a public IPv4 address. Your local computer must have an IPv6 address and must be configured to use IPv6.
If you need to enable network access to a Linux instance, see Authorizing inbound traffic for your Linux instances in the Amazon EC2 User Guide for Linux Instances.
Before you start
Decide who requires access to your instance; for example, a single host or a specific network that you trust, such as your local computer's public IPv4 address. The security group editor in the Amazon EC2 console can automatically detect the public IPv4 address of your local computer for you. Alternatively, you can use the search phrase "what is my IP address" in an internet browser, or use the following service: Check IP
If you use 0.0.0.0/0, you enable all IPv4 addresses to access your instance using RDP. If you use ::/0, you enable all IPv6 addresses to access your instance. You should authorize only a specific IP address or range of addresses to access your instance.
Windows Firewall may also block incoming traffic. If you're having trouble setting up access to your instance, you may have to disable Windows Firewall. For more information, see Remote Desktop can't connect to the remote computer.
Add a rule for inbound RDP traffic to a Windows instance
Security groups act as a firewall for associated instances, controlling both inbound and outbound traffic at the instance level. You must add rules to a security group to enable you to connect to your Windows instance from your IP address using RDP.
If you launched an instance with an IPv6 address and want to connect to your instance using its IPv6 address, you must add rules that allow inbound IPv6 traffic over RDP.
Be sure to run the following commands on your local system, not on the instance itself. For more information about these command line interfaces, see Access Amazon EC2.
To add a rule to a security group using the command line
1. Find the security group that is associated with your instance using one of the following commands:
   describe-instance-attribute (AWS CLI)
       aws ec2 describe-instance-attribute --region region --instance-id instance_id --attribute groupSet
   Get-EC2InstanceAttribute (AWS Tools for Windows PowerShell)
       PS C:\> (Get-EC2InstanceAttribute -Region region -InstanceId instance_id -Attribute groupSet).Groups
   Both commands return a security group ID, which you use in the next step.
2. Add the rule to the security group using one of the following commands:
   authorize-security-group-ingress (AWS CLI)
       aws ec2 authorize-security-group-ingress --region region --group-id security_group_id --protocol tcp --port 3389 --cidr cidr_ip_range
   Grant-EC2SecurityGroupIngress (AWS Tools for Windows PowerShell)
   The Grant-EC2SecurityGroupIngress command needs an IpPermission parameter, which describes the protocol, port range, and IP address range to be used for the security group rule. The following commands create the IpPermission parameter and then add the rule:
       PS C:\> $ip1 = @{ IpProtocol="tcp"; FromPort="3389"; ToPort="3389"; IpRanges="cidr_ip_range" }
       PS C:\> Grant-EC2SecurityGroupIngress -Region region -GroupId security_group_id -IpPermission @($ip1)
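The "Before you start" guidance above warns against 0.0.0.0/0 and ::/0 for RDP, and the procedure shows the authorize-security-group-ingress call. The following Python is an added example, not AWS code: it takes the JSON that `aws ec2 describe-security-groups` returns (the sample embedded here is constructed, with made-up group IDs and CIDRs, in the shape of that output) and lists every rule that exposes TCP 3389 to the whole internet, and it builds the restrictive single-host form of the page's authorize command from a detected public address. The function names and the sample data are assumptions of this example.

```python
import ipaddress
import json

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
# Group IDs and addresses are made up for this example.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "SecurityGroups": [
        {
            "GroupId": "sg-0example1",
            "GroupName": "rdp-from-one-host",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
                 "IpRanges": [{"CidrIp": "203.0.113.10/32"}],
                 "Ipv6Ranges": []},
            ],
        },
        {
            "GroupId": "sg-0example2",
            "GroupName": "rdp-open-to-world",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                 "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
                # All protocols, but only from a private range: not world-open.
                {"IpProtocol": "-1",
                 "IpRanges": [{"CidrIp": "10.0.0.0/8"}],
                 "Ipv6Ranges": []},
            ],
        },
    ]
})

RDP_PORT = 3389
ANY_IPV4 = ipaddress.ip_network("0.0.0.0/0")
ANY_IPV6 = ipaddress.ip_network("::/0")


def host_cidr(ip_text):
    """Turn one address (e.g. the detected public IP) into the tightest
    CIDR usable in a rule: /32 for IPv4, /128 for IPv6."""
    addr = ipaddress.ip_address(ip_text.strip())
    return f"{addr}/{addr.max_prefixlen}"


def rule_covers_rdp(perm):
    """True if an IpPermissions entry reaches TCP 3389."""
    proto = perm.get("IpProtocol")
    if proto == "-1":          # "-1" means all protocols and all ports
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= RDP_PORT <= perm.get("ToPort", 65535)


def world_open_rdp_rules(describe_json):
    """Return (group_id, cidr) pairs where RDP is reachable from
    0.0.0.0/0 or ::/0, i.e. the rules the page tells you not to create."""
    findings = []
    for group in json.loads(describe_json)["SecurityGroups"]:
        for perm in group.get("IpPermissions", []):
            if not rule_covers_rdp(perm):
                continue
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                net = ipaddress.ip_network(cidr, strict=False)
                if net in (ANY_IPV4, ANY_IPV6):
                    findings.append((group["GroupId"], cidr))
    return findings


def authorize_rdp_command(region, group_id, source_ip):
    """Build the argv for the page's authorize-security-group-ingress call,
    restricted to the single source host rather than a whole range."""
    return ["aws", "ec2", "authorize-security-group-ingress",
            "--region", region, "--group-id", group_id,
            "--protocol", "tcp", "--port", str(RDP_PORT),
            "--cidr", host_cidr(source_ip)]


if __name__ == "__main__":
    for group_id, cidr in world_open_rdp_rules(SAMPLE_DESCRIBE_OUTPUT):
        print(f"{group_id}: RDP open to {cidr}")
    print(" ".join(authorize_rdp_command("us-east-1", "sg-0example1", "203.0.113.10")))
```

To run the audit against a real account, replace SAMPLE_DESCRIBE_OUTPUT with the text of `aws ec2 describe-security-groups --region region`; the IpProtocol "-1" case is handled because an all-traffic rule from 0.0.0.0/0 exposes RDP just as surely as an explicit port 3389 rule.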
Assign a security group to an instance
You can assign a security group to an instance when you launch the instance. When you add or remove rules, those changes are automatically applied to all instances to which you've assigned the security group.
After you launch an instance, you can change its security groups. For more information, see Changing an instance's security groups in the Amazon VPC User Guide.