The following tables list the Windows Firewall rules, grouped by workload, that ship on AWS Windows Amazon Machine Images (AMIs), with the port, protocol, and direction of each rule. Port keywords such as RPC, RPC-EPMap (TCP 135), IPHTTPS, Teredo, and Ply2Disc are Windows Firewall placeholders that resolve to the service's configured or dynamic port at run time. ICMP, IGMP, and IPv6-in-IPv4 (protocol 41) rules match on protocol rather than on a port, so their port column reads N/A. A host firewall rule only matters for traffic that the instance's security group already permits; the two are configured independently and both must allow a flow for it to reach the service.
AllJoyn Router
Applies to: Windows Server 2016, Windows Server 2019, Windows Server 2022
Rule | Description | Port | Protocol | Direction |
---|---|---|---|---|
AllJoyn Router (TCP-In) | Inbound rule for AllJoyn Router traffic [TCP] | Local: 9955 Remote: Any | TCP | In |
AllJoyn Router (TCP-Out) | Outbound rule for AllJoyn Router traffic [TCP] | Local: Any Remote: Any | TCP | Out |
AllJoyn Router (UDP-In) | Inbound rule for AllJoyn Router traffic [UDP] | Local: Any Remote: Any | UDP | In |
AllJoyn Router (UDP-Out) | Outbound rule for AllJoyn Router traffic [UDP] | Local: Any Remote: Any | UDP | Out |
Cast to Device
Applies to: Windows Server 2016, Windows Server 2019, Windows Server 2022
Rule | Description | Port | Protocol | Direction |
---|---|---|---|---|
Cast to Device functionality (qWave-TCP-In) | Inbound rule for the Cast to Device functionality to allow use of the Quality Windows Audio Video Experience Service. [TCP 2177] | Local: 2177 Remote: Any | TCP | In |
Cast to Device functionality (qWave-TCP-Out) | Outbound rule for the Cast to Device functionality to allow use of the Quality Windows Audio Video Experience Service. [TCP 2177] | Local: Any Remote: 2177 | TCP | Out |
Cast to Device functionality (qWave-UDP-In) | Inbound rule for the Cast to Device functionality to allow use of the Quality Windows Audio Video Experience Service. [UDP 2177] | Local: 2177 Remote: Any | UDP | In |
Cast to Device functionality (qWave-UDP-Out) | Outbound rule for the Cast to Device functionality to allow use of the Quality Windows Audio Video Experience Service. [UDP 2177] | Local: Any Remote: 2177 | UDP | Out |
Cast to Device SSDP Discovery (UDP-In) | Inbound rule to allow discovery of Cast to Device targets using SSDP | Local: Ply2Disc (keyword) Remote: Any | UDP | In |
Cast to Device Streaming Server (HTTP-Streaming-In) | Inbound rule for the Cast to Device server to allow streaming using HTTP. [TCP 10246] | Local: 10246 Remote: Any | TCP | In |
Cast to Device Streaming Server (RTCP-Streaming-In) | Inbound rule for the Cast to Device server to allow streaming using RTSP and RTP. [UDP] | Local: Any Remote: Any | UDP | In |
Cast to Device Streaming Server (RTP-Streaming-Out) | Outbound rule for the Cast to Device server to allow streaming using RTSP and RTP. [UDP] | Local: Any Remote: Any | UDP | Out |
Cast to Device Streaming Server (RTSP-Streaming-In) | Inbound rule for the Cast to Device server to allow streaming using RTSP and RTP. [TCP 23554, 23555, 23556] | Local: 23554, 23555, 23556 Remote: Any | TCP | In |
Cast to Device UPnP Events (TCP-In) | Inbound rule to allow receiving UPnP Events from Cast to Device targets | Local: 2869 Remote: Any | TCP | In |
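The AllJoyn, Cast to Device, and DIAL groups above are consumer media features with no role on a server, and several of their inbound rules listen on Any local port from Any remote address. The following is an added example, not code from the AWS page, that disables those rule groups on an instance and reports what was open beforehand. It assumes the DisplayGroup strings match the groups on the instance (they are the Windows Firewall group names; adjust if a lookup returns nothing) and must run in an elevated PowerShell session.

```powershell
# Added example (not from the AWS page): disable the consumer-media rule groups
# listed in the tables on a Windows Server EC2 instance. Run elevated.
# Assumption: these DisplayGroup values match the groups present on the instance.
$groups = @(
    'AllJoyn Router',
    'Cast to Device functionality',
    'DIAL protocol server'
)

foreach ($g in $groups) {
    $rules = Get-NetFirewallRule -DisplayGroup $g -ErrorAction SilentlyContinue
    if (-not $rules) {
        Write-Warning "No rules found for display group '$g'"
        continue
    }

    # Only enabled inbound rules expose a listener; record them before disabling
    $rules | Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' } |
        ForEach-Object {
            $pf = $_ | Get-NetFirewallPortFilter
            '{0,-60} {1,-6} local port {2}' -f $_.DisplayName, $pf.Protocol, ($pf.LocalPort -join ',')
        }

    # Disable the whole group (inbound and outbound). Add -WhatIf to preview.
    $rules | Disable-NetFirewallRule
}

# Verify: nothing in these groups should remain enabled
Get-NetFirewallRule -DisplayGroup $groups -Enabled True -ErrorAction SilentlyContinue |
    Select-Object DisplayName, Direction, Enabled
```

Disabling rather than deleting keeps the rules visible to auditors and lets a later feature update re-enable them only if it explicitly does so; bake the change into the image or a startup script so it survives instance replacement.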
Core Networking
Applies to: Windows Server 2016, Windows Server 2019, Windows Server 2022
Rule | Description | Port | Protocol | Direction |
---|---|---|---|---|
Core Networking - Destination Unreachable (ICMPv6-In) | Destination Unreachable error messages are sent from any node that a packet traverses which is unable to forward the packet for any reason except congestion. | N/A | ICMPv6 | In |
Core Networking - Destination Unreachable Fragmentation Needed (ICMPv4-In) | Destination Unreachable Fragmentation Needed error messages are sent from any node that a packet traverses which is unable to forward the packet because fragmentation was needed and the don't fragment bit was set. | N/A | ICMPv4 | In |
Core Networking - DNS (UDP-Out) | Outbound rule to allow DNS requests. DNS responses based on requests that match this rule are permitted regardless of source address. This behavior is classified as loose source mapping. | Local: Any Remote: 53 | UDP | Out |
Core Networking - Dynamic Host Configuration Protocol (DHCP-In) | Allows DHCP (Dynamic Host Configuration Protocol) messages for stateful auto-configuration. | Local: 68 Remote: 67 | UDP | In |
Core Networking - Dynamic Host Configuration Protocol (DHCP-Out) | Allows DHCP (Dynamic Host Configuration Protocol) messages for stateful auto-configuration. | Local: 68 Remote: 67 | UDP | Out |
Core Networking - Dynamic Host Configuration Protocol for IPv6 (DHCPV6-In) | Allows DHCPV6 (Dynamic Host Configuration Protocol for IPv6) messages for stateful and stateless configuration. | Local: 546 Remote: 547 | UDP | In |
Core Networking - Dynamic Host Configuration Protocol for IPv6 (DHCPV6-Out) | Allows DHCPV6 (Dynamic Host Configuration Protocol for IPv6) messages for stateful and stateless configuration. | Local: 546 Remote: 547 | UDP | Out |
Core Networking - Group Policy (LSASS-Out) | Outbound rule to allow remote LSASS traffic for Group Policy updates. | Local: Any Remote: Any | TCP | Out |
Core Networking - Group Policy (NP-Out) | Outbound rule to allow SMB (named pipe) traffic for Group Policy updates. | Local: Any Remote: 445 | TCP | Out |
Core Networking - Group Policy (TCP-Out) | Outbound rule to allow remote RPC traffic for Group Policy updates. | Local: Any Remote: Any | TCP | Out |
Core Networking - Internet Group Management Protocol (IGMP-In) | IGMP messages are sent and received by nodes to create, join, and depart multicast groups. | N/A | IGMP (IP protocol 2) | In |
Core Networking - Internet Group Management Protocol (IGMP-Out) | IGMP messages are sent and received by nodes to create, join, and depart multicast groups. | N/A | IGMP (IP protocol 2) | Out |
Core Networking - IPHTTPS (TCP-In) | Inbound TCP rule to allow IPHTTPS tunneling technology to provide connectivity across HTTP proxies and firewalls. | Local: IPHTTPS (keyword) Remote: Any | TCP | In |
Core Networking - IPHTTPS (TCP-Out) | Outbound TCP rule to allow IPHTTPS tunneling technology to provide connectivity across HTTP proxies and firewalls. | Local: Any Remote: IPHTTPS (keyword) | TCP | Out |
Core Networking - IPv6 (IPv6-In) | Inbound rule required to permit IPv6 traffic for ISATAP (Intra-Site Automatic Tunnel Addressing Protocol) and 6to4 tunneling services. | N/A | IPv6 (IP protocol 41) | In |
Core Networking - IPv6 (IPv6-Out) | Outbound rule required to permit IPv6 traffic for ISATAP (Intra-Site Automatic Tunnel Addressing Protocol) and 6to4 tunneling services. | N/A | IPv6 (IP protocol 41) | Out |
Core Networking - Multicast Listener Done (ICMPv6-In) | Multicast Listener Done messages inform local routers that there are no longer any members remaining for a specific multicast address on the subnet. | N/A | ICMPv6 | In |
Core Networking - Multicast Listener Done (ICMPv6-Out) | Multicast Listener Done messages inform local routers that there are no longer any members remaining for a specific multicast address on the subnet. | N/A | ICMPv6 | Out |
Core Networking - Multicast Listener Query (ICMPv6-In) | An IPv6 multicast-capable router uses the Multicast Listener Query message to query a link for multicast group membership. | N/A | ICMPv6 | In |
Core Networking - Multicast Listener Query (ICMPv6-Out) | An IPv6 multicast-capable router uses the Multicast Listener Query message to query a link for multicast group membership. | N/A | ICMPv6 | Out |
Core Networking - Multicast Listener Report (ICMPv6-In) | The Multicast Listener Report message is used by a listening node to either immediately report its interest in receiving multicast traffic at a specific multicast address or in response to a Multicast Listener Query. | N/A | ICMPv6 | In |
Core Networking - Multicast Listener Report (ICMPv6-Out) | The Multicast Listener Report message is used by a listening node to either immediately report its interest in receiving multicast traffic at a specific multicast address or in response to a Multicast Listener Query. | N/A | ICMPv6 | Out |
Core Networking - Multicast Listener Report v2 (ICMPv6-In) | The Multicast Listener Report v2 message is used by a listening node to either immediately report its interest in receiving multicast traffic at a specific multicast address or in response to a Multicast Listener Query. | N/A | ICMPv6 | In |
Core Networking - Multicast Listener Report v2 (ICMPv6-Out) | The Multicast Listener Report v2 message is used by a listening node to either immediately report its interest in receiving multicast traffic at a specific multicast address or in response to a Multicast Listener Query. | N/A | ICMPv6 | Out |
Core Networking - Neighbor Discovery Advertisement (ICMPv6-In) | Neighbor Discovery Advertisement messages are sent by nodes to notify other nodes of link-layer address changes or in response to a Neighbor Discovery Solicitation request. | N/A | ICMPv6 | In |
Core Networking - Neighbor Discovery Advertisement (ICMPv6-Out) | Neighbor Discovery Advertisement messages are sent by nodes to notify other nodes of link-layer address changes or in response to a Neighbor Discovery Solicitation request. | N/A | ICMPv6 | Out |
Core Networking - Neighbor Discovery Solicitation (ICMPv6-In) | Neighbor Discovery Solicitations are sent by nodes to discover the link-layer address of another on-link IPv6 node. | N/A | ICMPv6 | In |
Core Networking - Neighbor Discovery Solicitation (ICMPv6-Out) | Neighbor Discovery Solicitations are sent by nodes to discover the link-layer address of another on-link IPv6 node. | N/A | ICMPv6 | Out |
Core Networking - Packet Too Big (ICMPv6-In) | Packet Too Big error messages are sent from any node that a packet traverses which is unable to forward the packet because the packet is too large for the next link. | N/A | ICMPv6 | In |
Core Networking - Packet Too Big (ICMPv6-Out) | Packet Too Big error messages are sent from any node that a packet traverses which is unable to forward the packet because the packet is too large for the next link. | N/A | ICMPv6 | Out |
Core Networking - Parameter Problem (ICMPv6-In) | Parameter Problem error messages are sent by nodes when packets are incorrectly generated. | N/A | ICMPv6 | In |
Core Networking - Parameter Problem (ICMPv6-Out) | Parameter Problem error messages are sent by nodes when packets are incorrectly generated. | N/A | ICMPv6 | Out |
Core Networking - Router Advertisement (ICMPv6-In) | Router Advertisement messages are sent by routers to other nodes for stateless auto-configuration. | N/A | ICMPv6 | In |
Core Networking - Router Advertisement (ICMPv6-Out) | Router Advertisement messages are sent by routers to other nodes for stateless auto-configuration. | N/A | ICMPv6 | Out |
Core Networking - Router Solicitation (ICMPv6-In) | Router Solicitation messages are sent by nodes seeking routers to provide stateless auto-configuration. | N/A | ICMPv6 | In |
Core Networking - Router Solicitation (ICMPv6-Out) | Router Solicitation messages are sent by nodes seeking routers to provide stateless auto-configuration. | N/A | ICMPv6 | Out |
Core Networking - Teredo (UDP-In) | Inbound UDP rule to allow Teredo edge traversal. This technology provides address assignment and automatic tunneling for unicast IPv6 traffic when an IPv6/IPv4 host is located behind an IPv4 network address translator. | Local: Teredo (keyword) Remote: Any | UDP | In |
Core Networking - Teredo (UDP-Out) | Outbound UDP rule to allow Teredo edge traversal. This technology provides address assignment and automatic tunneling for unicast IPv6 traffic when an IPv6/IPv4 host is located behind an IPv4 network address translator. | Local: Any Remote: Any | UDP | Out |
Core Networking - Time Exceeded (ICMPv6-In) | Time Exceeded error messages are generated from any node that a packet traverses if the Hop Limit value is decremented to zero at any point on the path. | N/A | ICMPv6 | In |
Core Networking - Time Exceeded (ICMPv6-Out) | Time Exceeded error messages are generated from any node that a packet traverses if the Hop Limit value is decremented to zero at any point on the path. | N/A | ICMPv6 | Out |
Delivery Optimization
Applies to: Windows Server 2019, Windows Server 2022
Rule | Description | Port | Protocol | Direction |
---|---|---|---|---|
DeliveryOptimization-TCP-In | Inbound rule to allow Delivery Optimization to connect to remote endpoints. | Local: 7680 Remote: Any | TCP | In |
DeliveryOptimization-UDP-In | Inbound rule to allow Delivery Optimization to connect to remote endpoints. | Local: 7680 Remote: Any | UDP | In |
Diag Track
Applies to: Windows Server 2019, Windows Server 2022
Rule | Description | Port | Protocol | Direction |
---|---|---|---|---|
Connected User Experiences and Telemetry | Unified Telemetry Client Outbound Traffic. | Local: Any Remote: 443 | TCP | Out |
DIAL Protocol Server
Applies to: Windows Server 2016, Windows Server 2019, Windows Server 2022
Rule | Description | Port | Protocol | Direction |
---|---|---|---|---|
DIAL protocol server (HTTP-In) | Inbound rule for DIAL protocol server to allow remote control of Apps using HTTP. | Local: 10247 Remote: Any | TCP | In |
File and Printer Sharing
Applies to: Windows Server 2012, Windows Server 2012 R2
Rule | Description | Port | Protocol | Direction |
---|---|---|---|---|
File and Printer Sharing (Echo Request - ICMPv4-In) | Echo Request messages are sent as ping requests to other nodes. | N/A | ICMPv4 | In |
File and Printer Sharing (Echo Request - ICMPv4-Out) | Echo Request messages are sent as ping requests to other nodes. | N/A | ICMPv4 | Out |
File and Printer Sharing (Echo Request - ICMPv6-In) | Echo Request messages are sent as ping requests to other nodes. | N/A | ICMPv6 | In |
File and Printer Sharing (Echo Request - ICMPv6-Out) | Echo Request messages are sent as ping requests to other nodes. | N/A | ICMPv6 | Out |
File and Printer Sharing (LLMNR-UDP-In) | Inbound rule for File and Printer Sharing to allow Link Local Multicast Name Resolution. | Local: 5355 Remote: Any | UDP | In |
File and Printer Sharing (LLMNR-UDP-Out) | Outbound rule for File and Printer Sharing to allow Link Local Multicast Name Resolution. | Local: Any Remote: 5355 | UDP | Out |
File and Printer Sharing (NB-Datagram-In) | Inbound rule for File and Printer Sharing to allow NetBIOS Datagram transmission and reception. | Local: 138 Remote: Any | UDP | In |
File and Printer Sharing (NB-Datagram-Out) | Outbound rule for File and Printer Sharing to allow NetBIOS Datagram transmission and reception. | Local: Any Remote: 138 | UDP | Out |
File and Printer Sharing (NB-Name-In) | Inbound rule for File and Printer Sharing to allow NetBIOS Name Resolution. | Local: 137 Remote: Any | UDP | In |
File and Printer Sharing (NB-Name-Out) | Outbound rule for File and Printer Sharing to allow NetBIOS Name Resolution. | Local: Any Remote: 137 | UDP | Out |
File and Printer Sharing (NB-Session-In) | Inbound rule for File and Printer Sharing to allow NetBIOS Session Service connections. | Local: 139 Remote: Any | TCP | In |
File and Printer Sharing (NB-Session-Out) | Outbound rule for File and Printer Sharing to allow NetBIOS Session Service connections. | Local: Any Remote: 139 | TCP | Out |
File and Printer Sharing (SMB-In) | Inbound rule for File and Printer Sharing to allow Server Message Block transmission and reception via Named Pipes. | Local: 445 Remote: Any | TCP | In |
File and Printer Sharing (SMB-Out) | Outbound rule for File and Printer Sharing to allow Server Message Block transmission and reception via Named Pipes. | Local: Any Remote: 445 | TCP | Out |
File and Printer Sharing (Spooler Service - RPC) | Inbound rule for File and Printer Sharing to allow the Print Spooler Service to communicate via TCP/RPC. | Local: RPC (dynamic, keyword) Remote: Any | TCP | In |
File and Printer Sharing (Spooler Service - RPC-EPMAP) | Inbound rule for the RPCSS service to allow RPC/TCP traffic for the Spooler Service. | Local: RPC-EPMap (135, keyword) Remote: Any | TCP | In |
File Server Remote Management
Applies to: Windows Server 2012, Windows Server 2012 R2
Rule | Description | Port | Protocol | Direction |
---|---|---|---|---|
File Server Remote Management (DCOM-In) | Inbound rule to allow DCOM traffic to manage the File Services role. | Local: 135 Remote: Any | TCP | In |
File Server Remote Management (SMB-In) | Inbound rule to allow SMB traffic to manage the File Services role. | Local: 445 Remote: Any | TCP | In |
File Server Remote Management (WMI-In) | Inbound rule to allow WMI traffic to manage the File Services role. | Local: RPC (dynamic, keyword) Remote: Any | TCP | In |
ICMP v4 All
Applies to: Windows Server 2012, Windows Server 2012 R2
Rule | Port | Protocol | Direction |
---|---|---|---|
All ICMP v4 | N/A | ICMPv4 (all types) | In |
Microsoft Edge
Applies to: Windows Server 2022
Rule | Port | Protocol | Direction |
---|---|---|---|
Microsoft Edge (mDNS-In) | Local: 5353 Remote: Any | UDP | In |
Microsoft Media Foundation Network Source
Applies to: Windows Server 2022
Rule | Port | Protocol | Direction |
---|---|---|---|
Microsoft Media Foundation Network Source IN [TCP 554] | Local: 554, 8554-8558 Remote: Any | TCP | In |
Microsoft Media Foundation Network Source IN [UDP 5004-5009] | Local: 5000-5020 Remote: Any | UDP | In |
Microsoft Media Foundation Network Source OUT [TCP ALL] | Local: Any Remote: 554, 8554-8558 | TCP | Out |
Multicast
Applies to: Windows Server 2019, Windows Server 2022
Rule | Description | Port | Protocol | Direction |
---|---|---|---|---|
mDNS (UDP-In) | Inbound rule for mDNS traffic. | Local: 5353 Remote: Any | UDP | In |
mDNS (UDP-Out) | Outbound rule for mDNS traffic. | Local: Any Remote: 5353 | UDP | Out |
Remote Desktop
Applies to: Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022
Rule | Description | Port | Protocol | Direction |
---|---|---|---|---|
Remote Desktop - Shadow (TCP-In) | Inbound rule for the Remote Desktop service to allow shadowing of an existing Remote Desktop session. | Local: Any Remote: Any | TCP | In |
Remote Desktop - User Mode (TCP-In) | Inbound rule for the Remote Desktop service to allow RDP traffic. | Local: 3389 Remote: Any | TCP | In |
Remote Desktop - User Mode (UDP-In) | Inbound rule for the Remote Desktop service to allow RDP traffic. | Local: 3389 Remote: Any | UDP | In |
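All three Remote Desktop rules, and the Windows Remote Management rule later on this page, accept connections from Any remote address; the Shadow rule additionally has no local port restriction. The following is an added example, not code from the AWS page, that rescopes those inbound rules to a management network on the host firewall. It assumes 10.0.0.0/16 is a placeholder for your bastion or management CIDR and that the display names match the rules on the instance. Run it from a session that will still be allowed afterwards (for example through AWS Systems Manager Session Manager or from inside the CIDR), otherwise the change cuts off your own RDP session.

```powershell
# Added example (not from the AWS page): restrict the inbound RDP and WinRM rules
# to a management network. Run elevated, and not over an RDP session that the new
# scope would exclude.
# Assumption: 10.0.0.0/16 is a placeholder management CIDR.
$mgmtCidr = '10.0.0.0/16'

$names = @(
    'Remote Desktop - User Mode (TCP-In)',
    'Remote Desktop - User Mode (UDP-In)',
    'Remote Desktop - Shadow (TCP-In)',
    'Windows Remote Management (HTTP-In)'
)

foreach ($n in $names) {
    # More than one rule can share a display name (one per firewall profile);
    # the pipeline updates every match.
    $rules = Get-NetFirewallRule -DisplayName $n -ErrorAction SilentlyContinue
    if (-not $rules) {
        Write-Warning "Rule '$n' not found"
        continue
    }
    # -RemoteAddress replaces the current scope (default Any). A CIDR, an address
    # range, a comma-separated list, or the LocalSubnet keyword are all accepted.
    $rules | Set-NetFirewallRule -RemoteAddress $mgmtCidr
}

# Verify the effective remote scope of each rule
foreach ($n in $names) {
    Get-NetFirewallRule -DisplayName $n -ErrorAction SilentlyContinue | ForEach-Object {
        $af = $_ | Get-NetFirewallAddressFilter
        '{0,-42} profile {1,-15} remote {2}' -f $_.DisplayName, $_.Profile, ($af.RemoteAddress -join ',')
    }
}
```

The host-firewall scope is a second line of defence, not a replacement for the security group: keep the instance's security group ingress for TCP/UDP 3389 and TCP 5985 limited to the same CIDR, so that a misconfigured security group alone does not expose RDP or WinRM to the internet.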
Windows Device Management
Applies to: Windows Server 2022
Rule | Description | Port | Protocol | Direction |
---|---|---|---|---|
Windows Device Management Certificate Installer (TCP out) | Allow outbound TCP traffic from Windows Device Management Certificate Installer. | Local: Any Remote: Any | TCP | Out |
Windows Device Management Device Enroller (TCP out) | Allow outbound TCP traffic from Windows Device Management Device Enroller. | Local: Any Remote: 80, 443 | TCP | Out |
Windows Device Management Enrollment Service (TCP out) | Allow outbound TCP traffic from Windows Device Management Enrollment Service. | Local: Any Remote: Any | TCP | Out |
Windows Device Management Sync Client (TCP out) | Allow outbound TCP traffic from Windows Device Management Sync Client. | Local: Any Remote: Any | TCP | Out |
Windows Feature Experience Pack
Applies to: Windows Server 2022
Rule | Description | Port | Protocol | Direction |
---|---|---|---|---|
Windows Feature Experience Pack | Outbound rule for the Windows Feature Experience Pack. | Local: Any Remote: Any | Any | Out |
Windows Firewall Remote Management
Applies to: Windows Server 2012 R2
Rule | Description | Port | Protocol | Direction |
---|---|---|---|---|
Windows Firewall Remote Management (RPC) | Inbound rule for the Windows Firewall to be remotely managed via RPC/TCP. | Local: RPC (dynamic, keyword) Remote: Any | TCP | In |
Windows Firewall Remote Management (RPC-EPMAP) | Inbound rule for the RPCSS service to allow RPC/TCP traffic for the Windows Firewall. | Local: RPC-EPMap (135, keyword) Remote: Any | TCP | In |
Windows Remote Management
Applies to: Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022
Rule | Description | Port | Protocol | Direction |
---|---|---|---|---|
Windows Remote Management (HTTP-In) | Inbound rule for Windows Remote Management via WS-Management. | Local: 5985 Remote: Any | TCP | In |
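The tables above describe the rules as shipped; a running instance may differ after Windows updates, role installation, or Group Policy. The following is an added example, not code from the AWS page, that inventories every enabled inbound allow rule in the active policy store with its resolved ports and remote scope, writes the result to CSV for comparison against these tables, and flags rules that accept any remote address with no local port restriction (the ones a security group has to compensate for). The CSV path is a placeholder.

```powershell
# Added example (not from the AWS page): inventory the effective inbound allow rules
# on a Windows instance and flag the wide-open ones. Run elevated.
# Assumption: C:\Temp\fw-inbound.csv is a placeholder output path.
$out = 'C:\Temp\fw-inbound.csv'

# ActiveStore is the merged, effective policy (local rules plus any applied by GPO);
# the default PersistentStore shows only the locally configured rules.
$inventory = Get-NetFirewallRule -PolicyStore ActiveStore -Direction Inbound -Enabled True -Action Allow |
    ForEach-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        $af = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Group         = $_.DisplayGroup
            Rule          = $_.DisplayName
            Profile       = $_.Profile
            Protocol      = $pf.Protocol
            LocalPort     = ($pf.LocalPort -join ',')
            RemotePort    = ($pf.RemotePort -join ',')
            RemoteAddress = ($af.RemoteAddress -join ',')
            # Any remote host, and either no port restriction or the dynamic RPC range
            WideOpen      = ($af.RemoteAddress -contains 'Any') -and
                            ($pf.LocalPort -contains 'Any' -or $pf.LocalPort -contains 'RPC')
        }
    }

$inventory | Sort-Object Group, Rule | Export-Csv -Path $out -NoTypeInformation

# Rules that listen on every port from every address; review each against the
# workload tables and disable or rescope what the server does not need
$inventory | Where-Object WideOpen |
    Format-Table Group, Rule, Profile, Protocol, LocalPort, RemoteAddress -AutoSize
```

Run the inventory on a freshly launched instance from the AMI to capture a baseline, then on a schedule; a diff of the two CSVs shows which rules a later update or role installation added or re-enabled.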
For more information about Amazon EC2 security groups, see Amazon EC2 Security Groups for Windows Instances.