Ports and Protocols for Windows Amazon Machine Images (AMIs) - Amazon Elastic Compute Cloud
AllJoyn RouterCast to DeviceCore NetworkingDelivery OptimizationDiag TrackDIAL Protocol ServerFile and Printer SharingFile Server Remote ManagementICMP v4 AllMicrosoft EdgeMicrosoft Media Foundation Network SourceMulticastRemote DesktopWindows Device ManagementWindows Feature Experience PackWindows Firewall Remote ManagementWindows Remote Management

Ports and Protocols for Windows Amazon Machine Images (AMIs)

The following tables list the ports, protocols, and directions by workload for Windows Amazon Machine Images.

AllJoyn Router

OS Rule Description Port Protocol Direction

Windows Server 2016

Windows Server 2019

Windows Server 2022

 AllJoyn Router (TCP-In) Inbound rule for AllJoyn Router traffic [TCP]

Local: 9955

Remote: Any

 TCP In
AllJoyn Router (TCP-Out) Outbound rule for AllJoyn Router traffic [TCP]

Local: Any

Remote: Any

 TCP Out
AllJoyn Router (UDP-In) Inbound rule for AllJoyn Router traffic [UDP]

Local: Any

Remote: Any

 UDP In
AllJoyn Router (UDP-Out) Outbound rule for AllJoyn Router traffic [UDP]

Local: Any

Remote: Any

 UDP Out

Cast to Device

OS Rule Description Port Protocol Direction

Windows Server 2016

Windows Server 2019

Windows Server 2022

 Cast to Device functionality (qWave-TCP-In) Inbound rule for the Cast to Device functionality to allow use of the Quality Windows Audio Video Experience Service. [TCP 2177]

Local: 2177

Remote: Any

 TCP In
Cast to Device functionality (qWave-TCP-Out) Outbound rule for the Cast to Device functionality to allow use of the Quality Windows Audio Video Experience Service. [TCP 2177] Local: Any

Remote: 2177

 TCP Out
Cast to Device functionality (qWave-UDP-In) Inbound rule for the Cast to Device functionality to allow use of the Quality Windows Audio Video Experience Service. [UDP 2177]

Local: 2177

Remote: Any

 UDP In
Cast to Device functionality (qWave-UDP-Out) Outbound rule for the Cast to Device functionality to allow use of the Quality Windows Audio Video Experience Service. [UDP 2177] Local: Any

Remote: 2177

 UDP Out
Cast to Device SSDP Discovery (UDP-In) Inbound rule to allow discovery of Cast to Device targets using SSDP Local: Ply2Disc

Remote: Any

 UDP In
Cast to Device Streaming Server (HTTP-Streaming-In) Inbound rule for the Cast to Device server to allow streaming using HTTP. [TCP 10246] Local: 10246

Remote: Any

 TCP In
Cast to Device Streaming Server (RTCP-Streaming-In) Inbound rule for the Cast to Device server to allow streaming using RTSP and RTP. [UDP] Local: Any

Remote: Any

 UDP In
Cast to Device Streaming Server (RTP-Streaming-Out) Outbound rule for the Cast to Device server to allow streaming using RTSP and RTP. [UDP] Local: Any

Remote: Any

 UDP Out
Cast to Device Streaming Server (RTSP-Streaming-In) Inbound rule for the Cast to Device server to allow streaming using RTSP and RTP. [TCP 23554, 23555, 23556] Local: 235, 542, 355, 523, 556

Remote: Any

 TCP In
Cast to Device UPnP Events (TCP-In) Inbound rule to allow receiving UPnP Events from Cast to Device targets Local: 2869

Remote: Any

 TCP In

Core Networking

Windows Server 2016, 2019, and 2022
OS Rule Definition Port Protocol Direction

Windows Server 2016

Windows Server 2019

Windows Server 2022

 Destination Unreachable (ICMPv6-In) Destination Unreachable error messages are sent from any node that a packet traverses which is unable to forward the packet for any reason except congestion.

ICMPv6

 In
Destination Unreachable Fragmentation Needed (ICMPv4-In) Destination Unreachable Fragmentation Needed error messages are sent from any node that a packet traverses which is unable to forward the packet because fragmentation was needed and the don't fragment bit was set.

ICMPv4

 In
Core Networking - DNS (UDP-Out) Outbound rule to allow DNS requests. DNS responses based on requests that match this rule are permitted regardless of source address. This behavior is classified as loose source mapping.

Local: Any

Remote: 53

 UDP Out
Dynamic Host Configuration Protocol (DHCP-In) Allows DHCP (Dynamic Host Configuration Protocol) messages for stateful auto-configuration.

Local: 68

Remote: 67

 UDP In
Dynamic Host Configuration Protocol (DHCP-Out) Allows DHCP (Dynamic Host Configuration Protocol) messages for stateful auto-configuration.

Local: 68

Remote: 67

 UDP Out
Dynamic Host Configuration Protocol for IPv6(DHCPV6-In) Allows DHCPV6 (Dynamic Host Configuration Protocol for IPv6) messages for stateful and stateless configuration.

Local: 546

Remote: 547

 UDP In
Dynamic Host Configuration Protocol for IPv6(DHCPV6-Out) Allows DHCPV6 (Dynamic Host Configuration Protocol for IPv6) messages for stateful and stateless configuration.

Local: 546

Remote: 547

 UDP Out
Core Networking - Group Policy (LSASS-Out) Outbound rule to allow remote LSASS traffic for Group Policy updates.

Local: Any

Remote: Any

 TCP Out
Core Networking - Group Policy (NP-Out) Core Networking - Group Policy (NP-Out)

Local: Any

Remote: 445

 TCP Out
Core Networking - Group Policy (TCP-Out) Outbound rule to allow remote RPC traffic for Group Policy updates.

Local: Any

Remote: Any

 TCP Out
Internet Group Management Protocol (IGMP-In) IGMP messages are sent and received by nodes to create, join, and depart multicast groups. 2 In
Core Networking - Internet Group Management Protocol (IGMP-Out) IGMP messages are sent and received by nodes to create, join, and depart multicast groups. 2 Out
Core Networking - IPHTTPS (TCP-In) Inbound TCP rule to allow IPHTTPS tunneling technology to provide connectivity across HTTP proxies and firewalls.

Local: IPHTPS

Remote: Any

 TCP In
Core Networking - IPHTTPS (TCP-Out) Outbound TCP rule to allow IPHTTPS tunneling technology to provide connectivity across HTTP proxies and firewalls.

Local: Any

Remote: IPHTPS

 TCP Out
IPv6 (IPv6-In) Inbound rule required to permit IPv6 traffic for ISATAP (Intra-Site Automatic Tunnel Addressing Protocol) and 6to4 tunneling services. 41 In
IPv6 (IPv6-Out) Outbound rule required to permit IPv6 traffic for ISATAP (Intra-Site Automatic Tunnel Addressing Protocol) and 6to4 tunneling services. 41 Out
Multicast Listener Done (ICMPv6-In) Multicast Listener Done messages inform local routers that there are no longer any members remaining for a specific multicast address on the subnet.

ICMPv6

 In
Multicast Listener Done (ICMPv6-Out) Multicast Listener Done messages inform local routers that there are no longer any members remaining for a specific multicast address on the subnet.

ICMPv6

 Out
Multicast Listener Query (ICMPv6-In) An IPv6 multicast-capable router uses the Multicast Listener Query message to query a link for multicast group membership.

ICMPv6

 In
Multicast Listener Query (ICMPv6-Out) An IPv6 multicast-capable router uses the Multicast Listener Query message to query a link for multicast group membership.

ICMPv6

 Out
Multicast Listener Report (ICMPv6-In) The Multicast Listener Report message is used by a listening node to either immediately report its interest in receiving multicast traffic at a specific multicast address or in response to a Multicast Listener Query.

ICMPv6

 In
Multicast Listener Report (ICMPv6-Out) The Multicast Listener Report message is used by a listening node to either immediately report its interest in receiving multicast traffic at a specific multicast address or in response to a Multicast Listener Query.

ICMPv6

 Out
Multicast Listener Report v2 (ICMPv6-In) Multicast Listener Report v2 message is used by a listening node to either immediately report its interest in receiving multicast traffic at a specific multicast address or in response to a Multicast Listener Query.

ICMPv6

 In
Multicast Listener Report v2 (ICMPv6-Out) Multicast Listener Report v2 message is used by a listening node to either immediately report its interest in receiving multicast traffic at a specific multicast address or in response to a Multicast Listener Query.

ICMPv6

 Out
Neighbor Discovery Advertisement (ICMPv6-In) Neighbor Discovery Advertisement messages are sent by nodes to notify other nodes of link-layer address changes or in response to a Neighbor Discovery Solicitation request.

ICMPv6

 In
Neighbor Discovery Advertisement (ICMPv6-Out) Neighbor Discovery Advertisement messages are sent by nodes to notify other nodes of link-layer address changes or in response to a Neighbor Discovery Solicitation request.

ICMPv6

 Out
Neighbor Discovery Solicitation (ICMPv6-In) Neighbor Discovery Solicitations are sent by nodes to discover the link-layer address of another on-link IPv6 node.

ICMPv6

 In
Neighbor Discovery Solicitation (ICMPv6-Out) Neighbor Discovery Solicitations are sent by nodes to discover the link-layer address of another on-link IPv6 node.

ICMPv6

 Out
Packet Too Big (ICMPv6-In) Packet Too Big error messages are sent from any node that a packet traverses which is unable to forward the packet because the packet is too large for the next link.

ICMPv6

 In
Packet Too Big (ICMPv6-Out) Packet Too Big error messages are sent from any node that a packet traverses which is unable to forward the packet because the packet is too large for the next link.

ICMPv6

 Out
Parameter Problem (ICMPv6-In) Parameter Problem error messages are sent by nodes when packets are incorrectly generated.

ICMPv6

 In
Parameter Problem (ICMPv6-Out) Parameter Problem error messages are sent by nodes when packets are incorrectly generated.

ICMPv6

 Out
Router Advertisement (ICMPv6-In) Router Advertisement messages are sent by routers to other nodes for stateless auto-configuration.

ICMPv6

 In
Router Advertisement (ICMPv6-Out) Router Advertisement messages are sent by routers to other nodes for stateless auto-configuration.

ICMPv6

 Out
Router Solicitation (ICMPv6-In) Router Solicitation messages are sent by nodes seeking routers to provide stateless auto-configuration.

ICMPv6

 In
Router Solicitation (ICMPv6-Out) Router Solicitation messages are sent by nodes seeking routers to provide stateless auto-configuration.

ICMPv6

 Out
Core Networking - Teredo (UDP-In) Inbound UDP rule to allow Teredo edge traversal. This technology provides address assignment and automatic tunneling for unicast IPv6 traffic when an IPv6/IPv4 host is located behind an IPv4 network address translator.

Local: Teredo

Remote: Any

 UDP In
Core Networking - Teredo (UDP-Out) Outbound UDP rule to allow Teredo edge traversal. This technology provides address assignment and automatic tunneling for unicast IPv6 traffic when an IPv6/IPv4 host is located behind an IPv4 network address translator.

Local: Any

Remote: Any

 UDP Out
Time Exceeded (ICMPv6-In) Time Exceeded error messages are generated from any node that a packet traverses if the Hop Limit value is decremented to zero at any point on the path.

ICMPv6

 In
Time Exceeded (ICMPv6-Out) Time Exceeded error messages are generated from any node that a packet traverses if the Hop Limit value is decremented to zero at any point on the path.

ICMPv6

 Out
Windows Server 2012 and 2012 R2
OS Rule Definition Port Protocol Direction

Windows Server 2012

Windows Server 2012 R2

 Destination Unreachable (ICMPv6-In) Destination Unreachable error messages are sent from any node that a packet traverses which is unable to forward the packet for any reason except congestion.

Local: 68

Remote: 67

ICMPv6

 In
Destination Unreachable Fragmentation Needed (ICMPv4-In) Destination Unreachable Fragmentation Needed error messages are sent from any node that a packet traverses which is unable to forward the packet because fragmentation was needed and the don't fragment bit was set.

Local: 68

Remote: 67

ICMPv4

 In
Core Networking - DNS (UDP-Out) Outbound rule to allow DNS requests. DNS responses based on requests that match this rule are permitted regardless of source address. This behavior is classified as loose source mapping.

Local: Any

Remote: 53

 UDP Out
Dynamic Host Configuration Protocol (DHCP-In) Allows DHCP (Dynamic Host Configuration Protocol) messages for stateful auto-configuration.

Local: 68

Remote: 67

 UDP In
Dynamic Host Configuration Protocol (DHCP-Out) Allows DHCP (Dynamic Host Configuration Protocol) messages for stateful auto-configuration.

Local: 68

Remote: 67

 UDP Out
Dynamic Host Configuration Protocol for IPv6(DHCPV6-In) Allows DHCPV6 (Dynamic Host Configuration Protocol for IPv6) messages for stateful and stateless configuration.

Local: 546

Remote: 547

 UDP In
Dynamic Host Configuration Protocol for IPv6(DHCPV6-Out) Allows DHCPV6 (Dynamic Host Configuration Protocol for IPv6) messages for stateful and stateless configuration.

Local: 546

Remote: 547

 UDP Out
Core Networking - Group Policy (LSASS-Out) Outbound rule to allow remote LSASS traffic for Group Policy updates.

Local: Any

Remote: Any

 TCP Out
Core Networking - Group Policy (NP-Out) Core Networking - Group Policy (NP-Out)

Local: Any

Remote: 445

 TCP Out
Core Networking - Group Policy (TCP-Out) Outbound rule to allow remote RPC traffic for Group Policy updates.

Local: Any

Remote: Any

 TCP Out
Internet Group Management Protocol (IGMP-In) IGMP messages are sent and received by nodes to create, join, and depart multicast groups.

Local: 68

Remote: 67

 2 In
Core Networking - Internet Group Management Protocol (IGMP-Out) IGMP messages are sent and received by nodes to create, join, and depart multicast groups.

Local: 68

Remote: 67

 2 Out
Core Networking - IPHTTPS (TCP-In) Inbound TCP rule to allow IPHTTPS tunneling technology to provide connectivity across HTTP proxies and firewalls.

Local: IPHTPS

Remote: Any

 TCP In
Core Networking - IPHTTPS (TCP-Out) Outbound TCP rule to allow IPHTTPS tunneling technology to provide connectivity across HTTP proxies and firewalls.

Local: Any

Remote: IPHTPS

 TCP Out
IPv6 (IPv6-In) Inbound rule required to permit IPv6 traffic for ISATAP (Intra-Site Automatic Tunnel Addressing Protocol) and 6to4 tunneling services.

Local: Any

Remote: 445

 41 In
IPv6 (IPv6-Out) Outbound rule required to permit IPv6 traffic for ISATAP (Intra-Site Automatic Tunnel Addressing Protocol) and 6to4 tunneling services.

Local: Any

Remote: 445

 41 Out
Multicast Listener Done (ICMPv6-In) Multicast Listener Done messages inform local routers that there are no longer any members remaining for a specific multicast address on the subnet.

Local: 68

Remote: 67

ICMPv6

 In
Multicast Listener Done (ICMPv6-Out) Multicast Listener Done messages inform local routers that there are no longer any members remaining for a specific multicast address on the subnet.

Local: 68

Remote: 67

ICMPv6

 Out
Multicast Listener Query (ICMPv6-In) An IPv6 multicast-capable router uses the Multicast Listener Query message to query a link for multicast group membership.

Local: 68

Remote: 67

ICMPv6

 In
Multicast Listener Query (ICMPv6-Out) An IPv6 multicast-capable router uses the Multicast Listener Query message to query a link for multicast group membership.

Local: 68

Remote: 67

ICMPv6

 Out
Multicast Listener Report (ICMPv6-In) The Multicast Listener Report message is used by a listening node to either immediately report its interest in receiving multicast traffic at a specific multicast address or in response to a Multicast Listener Query.

Local: 68

Remote: 67

ICMPv6

 In
Multicast Listener Report (ICMPv6-Out) The Multicast Listener Report message is used by a listening node to either immediately report its interest in receiving multicast traffic at a specific multicast address or in response to a Multicast Listener Query.

Local: 68

Remote: 67

ICMPv6

 Out
Multicast Listener Report v2 (ICMPv6-In) Multicast Listener Report v2 message is used by a listening node to either immediately report its interest in receiving multicast traffic at a specific multicast address or in response to a Multicast Listener Query.

Local: 68

Remote: 67

ICMPv6

 In
Multicast Listener Report v2 (ICMPv6-Out) Multicast Listener Report v2 message is used by a listening node to either immediately report its interest in receiving multicast traffic at a specific multicast address or in response to a Multicast Listener Query.

Local: 68

Remote: 67

ICMPv6

 Out
Neighbor Discovery Advertisement (ICMPv6-In) Neighbor Discovery Advertisement messages are sent by nodes to notify other nodes of link-layer address changes or in response to a Neighbor Discovery Solicitation request.

Local: 68

Remote: 67

ICMPv6

 In
Neighbor Discovery Advertisement (ICMPv6-Out) Neighbor Discovery Advertisement messages are sent by nodes to notify other nodes of link-layer address changes or in response to a Neighbor Discovery Solicitation request.

Local: 68

Remote: 67

ICMPv6

 Out
Neighbor Discovery Solicitation (ICMPv6-In) Neighbor Discovery Solicitations are sent by nodes to discover the link-layer address of another on-link IPv6 node.

Local: 68

Remote: 67

ICMPv6

 In
Neighbor Discovery Solicitation (ICMPv6-Out) Neighbor Discovery Solicitations are sent by nodes to discover the link-layer address of another on-link IPv6 node.

Local: 68

Remote: 67

ICMPv6

 Out
Packet Too Big (ICMPv6-In) Packet Too Big error messages are sent from any node that a packet traverses which is unable to forward the packet because the packet is too large for the next link.

Local: 68

Remote: 67

ICMPv6

 In
Packet Too Big (ICMPv6-Out) Packet Too Big error messages are sent from any node that a packet traverses which is unable to forward the packet because the packet is too large for the next link.

Local: 68

Remote: 67

ICMPv6

 Out
Parameter Problem (ICMPv6-In) Parameter Problem error messages are sent by nodes when packets are incorrectly generated.

Local: 68

Remote: 67

ICMPv6

 In
Parameter Problem (ICMPv6-Out) Parameter Problem error messages are sent by nodes when packets are incorrectly generated.

Local: 68

Remote: 67

ICMPv6

 Out
Router Advertisement (ICMPv6-In) Router Advertisement messages are sent by routers to other nodes for stateless auto-configuration.

Local: 68

Remote: 67

ICMPv6

 In
Router Advertisement (ICMPv6-Out) Router Advertisement messages are sent by routers to other nodes for stateless auto-configuration.

Local: 68

Remote: 67

ICMPv6

 Out
Router Solicitation (ICMPv6-In) Router Solicitation messages are sent by nodes seeking routers to provide stateless auto-configuration.

Local: 68

Remote: 67

ICMPv6

 In
Router Solicitation (ICMPv6-Out) Router Solicitation messages are sent by nodes seeking routers to provide stateless auto-configuration.

Local: 68

Remote: 67

ICMPv6

 Out
Core Networking - Teredo (UDP-In) Inbound UDP rule to allow Teredo edge traversal. This technology provides address assignment and automatic tunneling for unicast IPv6 traffic when an IPv6/IPv4 host is located behind an IPv4 network address translator.

Local: Teredo

Remote: Any

 UDP In
Core Networking - Teredo (UDP-Out) Outbound UDP rule to allow Teredo edge traversal. This technology provides address assignment and automatic tunneling for unicast IPv6 traffic when an IPv6/IPv4 host is located behind an IPv4 network address translator.

Local: Any

Remote: Any

 UDP Out
Time Exceeded (ICMPv6-In) Time Exceeded error messages are generated from any node that a packet traverses if the Hop Limit value is decremented to zero at any point on the path.

Local: 68

Remote: 67

ICMPv6

 In
Time Exceeded (ICMPv6-Out) Time Exceeded error messages are generated from any node that a packet traverses if the Hop Limit value is decremented to zero at any point on the path.

Local: 68

Remote: 67

ICMPv6

 Out

Delivery Optimization

OS Rule Definition Port Protocol Direction

Windows Server 2019

Windows Server 2022

 DeliveryOptimization-TCP-In Inbound rule to allow Delivery Optimization to connect to remote endpoints.

Local: 7680

Remote: Any

 TCP In
DeliveryOptimization-UDP-In Inbound rule to allow Delivery Optimization to connect to remote endpoints.

Local: 7680

Remote: Any

 UDP In

Diag Track

Windows Server 2019 and 2022
OS Rule Definition Port Protocol Direction

Windows Server 2019

Windows Server 2022

 Connected User Experiences and Telemetry Unified Telemetry Client Outbound Traffic.

Local: Any

Remote: 443

 TCP Out
Windows Server 2016
OS Rule Definition Port Protocol Direction
Windows Server 2016 Connected User Experiences and Telemetry Unified Telemetry Client Outbound Traffic.

Local: Any

Remote: Any

 TCP Out

DIAL Protocol Server

OS Rule Definition Port Protocol Direction

Windows Server 2016

Windows Server 2019

Windows Server 2022

 DIAL protocol server (HTTP-In) Inbound rule for DIAL protocol server to allow remote control of Apps using HTTP.

Local: 10247

Remote: Any

 TCP In

File and Printer Sharing

OS Rule Definition Port Protocol Direction

Windows Server 2012

Windows Server 2012 R2

 File and Printer Sharing (Echo Request - ICMPv4-In) Echo Request messages are sent as ping requests to other nodes.

Local: 5355

Remote: Any

ICMPv4

 In
File and Printer Sharing (Echo Request - ICMPv4-Out) Echo Request messages are sent as ping requests to other nodes.

Local: 5355

Remote: Any

ICMPv4

 Out
File and Printer Sharing (Echo Request - ICMPv6-In) Echo Request messages are sent as ping requests to other nodes.

Local: 5355

Remote: Any

ICMPv6

 In
File and Printer Sharing (Echo Request - ICMPv6-Out) Echo Request messages are sent as ping requests to other nodes.

Local: 5355

Remote: Any

ICMPv6

 Out
File and Printer Sharing (LLMNR-UDP-In) Inbound rule for File and Printer Sharing to allow Link Local Multicast Name Resolution.

Local: 5355

Remote: Any

 UDP In
File and Printer Sharing (LLMNR-UDP-Out) Outbound rule for File and Printer Sharing to allow Link Local Multicast Name Resolution.

Local: Any

Remote: 5355

 UDP Out
File and Printer Sharing (NB-Datagram-In) Inbound rule for File and Printer Sharing to allow NetBIOS Datagram transmission and reception.

Local: 138

Remote: Any

 UDP In
File and Printer Sharing (NB-Datagram-Out) Outbound rule for File and Printer Sharing to allow NetBIOS Datagram transmission and reception.

Local: Any

Remote: 138

 UDP Out
File and Printer Sharing (NB-Name-In) Inbound rule for File and Printer Sharing to allow NetBIOS Name Resolution.

Local: 137

Remote: Any

 UDP In
File and Printer Sharing (NB-Name-Out) Outbound rule for File and Printer Sharing to allow NetBIOS Name Resolution.

Local: Any

Remote: 137

 UDP Out
File and Printer Sharing (NB-Session-In) Inbound rule for File and Printer Sharing to allow NetBIOS Session Service connections.

Local: 139

Remote: Any

 TCP In
File and Printer Sharing (NB-Session-Out) Outbound rule for File and Printer Sharing to allow NetBIOS Session Service connections.

Local: Any

Remote: 139

 TCP Out
File and Printer Sharing (SMB-In) Inbound rule for File and Printer Sharing to allow Server Message Block transmission and reception via Named Pipes.

Local: 445

Remote: Any

 TCP In
File and Printer Sharing (SMB-Out) Outbound rule for File and Printer Sharing to allow Server Message Block transmission and reception via Named Pipes.

Local: Any

Remote: 445

 TCP Out
File and Printer Sharing (Spooler Service - RPC) Inbound rule for File and Printer Sharing to allow the Print Spooler Service to communicate via TCP/RPC.

Local: RPC

Remote: Any

 TCP In
File and Printer Sharing (Spooler Service - RPC-EPMAP) Inbound rule for the RPCSS service to allow RPC/TCP traffic for the Spooler Service.

Local: RPC-EPMap

Remote: Any

 TCP In

File Server Remote Management

OS Rule Definition Port Protocol Direction

Windows Server 2012

Windows Server 2012 R2

 File Server Remote Management (DCOM-In) Inbound rule to allow DCOM traffic to manage the File Services role.

Local: 135

Remote: Any

 TCP In
File Server Remote Management (SMB-In) Inbound rule to allow SMB traffic to manage the File Services role.

Local: 445

Remote: Any

 TCP In
WMI-In Inbound rule to allow WMI traffic to manage the File Services role.

Local: RPC

Remote: Any

 TCP In

ICMP v4 All

OS Rule Port Protocol Direction

Windows Server 2012

Windows Server 2012 R2

 All ICMP v4

Local: 139

Remote: Any

ICMPv4

 In

Microsoft Edge

OS Rule Port Protocol Direction

Windows Server 2022

 Microsoft Edge (mDNS-In)

Local: 5353

Remote: Any

UDP

 In

Microsoft Media Foundation Network Source

OS Rule Port Protocol Direction

Windows Server 2022

 Microsoft Media Foundation Network Source IN [TCP 554]

Local: 554, 8554-8558

Remote: Any

TCP

 In
Microsoft Media Foundation Network Source IN [UDP 5004-5009]

Local: 5000-5020

Remote: Any

UDP

 In
Microsoft Media Foundation Network Source OUT [TCP ALL]

Local: Any

Remote: 554, 8554-8558

TCP

 In

Multicast

Windows Server 2019 and 2022
OS Rule Definition Port Protocol Direction

Windows Server 2019

Windows Server 2022

 mDNS (UDP-In) Inbound rule for mDNS traffic. Local: 5353

Remote: Any

 UDP In
mDNS (UDP-Out) Outbound rule for mDNS traffic. Local: Any

Remote: 5353

 UDP Out
Windows Server 2016
OS Rule Definition Port Protocol Direction

Windows Server 2016

 mDNS (UDP-In) Inbound rule for mDNS traffic. Local: mDNS

Remote: Any

 UDP In
mDNS (UDP-Out) Outbound rule for mDNS traffic. Local: 5353

Remote: Any

 UDP Out

Remote Desktop

Windows Server 2012 R2, 2016, 2019, and 2022
OS Rule Definition Port Protocol Direction

Windows Server 2012 R2

Windows Server 2016

Windows Server 2019

Windows Server 2022

 Remote Desktop - Shadow (TCP-In) Inbound rule for the Remote Desktop service to allow shadowing of an existing Remote Desktop session.

Local: Any

Remote: Any

 TCP In
Remote Desktop - User Mode (TCP-In) Inbound rule for the Remote Desktop service to allow RDP traffic.

Local: 3389

Remote: Any

 TCP In
Remote Desktop - User Mode (UDP-In) Inbound rule for the Remote Desktop service to allow RDP traffic.

Local: 3389

Remote: Any

 UDP In
Windows Server 2012
OS Rule Definition Port Protocol Direction
Windows Server 2012 Remote Desktop - User Mode (TCP-In) Inbound rule for the Remote Desktop service to allow RDP traffic.

Local: 3389

Remote: Any

 TCP In
Remote Desktop - User Mode (UDP-In) Inbound rule for the Remote Desktop service to allow RDP traffic.

Local: 3389

Remote: Any

 UDP In

Windows Device Management

Windows Server 2022
OS Rule Definition Port Protocol Direction
Windows Server 2022 Windows Device Management Certificate Installer (TCP out) Allow outbound TCP traffic from Windows Device Management Certificate Installer.

Local: Any

Remote: Any

 TCP Out
Windows Device Management Device Enroller (TCP out) Allow outbound TCP traffic from Windows Device Management Device Enroller.

Local: Any

Remote: 80, 443

 TCP Out
Windows Device Management Enrollment Service (TCP out) Allow outbound TCP traffic from Windows Device Management Enrollment Service.

Local: Any

Remote: Any

 TCP Out
Windows Device Management Sync Client (TCP out) Allow outbound TCP traffic from Windows Device Management Sync Client.

Local: Any

Remote: Any

 TCP Out
Windows Server 2019
OS Rule Definition Port Protocol Direction
Windows Server 2019 Windows Device Management Certificate Installer (TCP out) Allow outbound TCP traffic from Windows Device Management Certificate Installer.

Local: Any

Remote: Any

 TCP Out
Windows Device Management Enrollment Service (TCP out) Allow outbound TCP traffic from Windows Device Management Enrollment Service.

Local: Any

Remote: Any

 TCP Out
Windows Device Management Sync Client (TCP out) Allow outbound TCP traffic from Windows Device Management Sync Client.

Local: Any

Remote: Any

 TCP Out
Windows Enrollment WinRT (TCP Out) Allow outbound TCP traffic from Windows Enrollment WinRT.

Local: Any

Remote: Any

 TCP Out

Windows Feature Experience Pack

OS Rule Definition Port Protocol Direction

Windows Server 2022

 Windows Feature Experience Pack Windows Feature Experience Pack. Any Out

Windows Firewall Remote Management

OS Rule Definition Port Protocol Direction

Windows Server 2012 R2

 Windows Firewall Remote Management (RPC) Inbound rule for the Windows Firewall to be remotely managed via RPC/TCP.

Local: RPC

Remote: Any

 TCP In
Windows Firewall Remote Management (RPC-EPMAP) Inbound rule for the RPCSS service to allow RPC/TCP traffic for the Windows Firewall.

Local: RPC-EPMap

Remote: Any

 TCP In

Windows Remote Management

OS Rule Definition Port Protocol Direction

Windows Server 2012

Windows Server 2012 R2

Windows Server 2016

Windows Server 2019

Windows Server 2022

 Windows Remote Management (HTTP-In) Inbound rule for Windows Remote Management via WS-Management.

Local: 5985

Remote: Any

 TCP In

For more information about Amazon EC2 security groups, see Amazon EC2 Security Groups for Windows Instances.