Lightsail firewall rules reference - Amazon Lightsail

Lightsail firewall rules reference

You can add rules to an Amazon Lightsail instance's firewall that reflects the role of the instance. For example, an instance that's configured as a web server needs firewall rules that allow inbound HTTP and HTTPS access. A database instance needs rules that allow access for the type of database, such as access over port 3306 for MySQL. For more information about firewalls, see Firewalls and ports

This guide provides examples of the kinds of firewall rules that you can add to an instance firewall for specific kinds of access. The rules are listed as application, protocol, port, and source IP address (for example, application - protocol - port - source IP address), unless otherwise stated.

Contents

Web server rules

The following inbound rules allow HTTP and HTTPS access.

Note

Some Lightsail instances have the following firewall rules configured by default. For more information, see Firewalls and ports.

HTTP

HTTP - TCP - 80 - all IP addresses

HTTPS

HTTPS - TCP - 443 - all IP addresses

Rules to connect to your instance from your computer

To connect to your instance, you add a rule that allows SSH access (for Linux instances) or RDP access (for Windows instances).

Note

All Lightsail instances have either of the following firewall rules configured by default. For more information, see Firewalls and ports.

SSH

SSH - TCP - 22 - The public IP address of your computer, or a range of IP addresses (in CIDR block notation) in your local network

RDP

RDP - TCP - 3389 - The public IP address of your computer, or a range of IP addresses (in CIDR block notation) in your local network

Database server rules

The following inbound rules are examples of rules that you might add for database access, depending on what type of database you're running on your instance.

SQL Server

Custom - TCP - 1433 - The public IP address of your computer, or a range of IP addresses (in CIDR block notation) in your local network

MySQL/Aurora

MySQL/Aurora - TCP - 3306 - The public IP address of your computer, or a range of IP addresses (in CIDR block notation) in your local network

PostgreSQL

PostgreSQL - TCP - 5432 - The public IP address of your computer, or a range of IP addresses (in CIDR block notation) in your local network

Oracle-RDS

Oracle-RDS - TCP - 1521 - The public IP address of your computer, or a range of IP addresses (in CIDR block notation) in your local network

Amazon Redshift

Custom - TCP - 5439 - The public IP address of your computer, or a range of IP addresses (in CIDR block notation) in your local network

DNS server rules

If you've set up your instance as a DNS server, you must ensure that TCP and UDP traffic can reach your DNS server over port 53.

DNS (TCP)

DNS (TCP) - TCP - 53 - The IP address of a computer, or a range of IP addresses (in CIDR block notation) in your local network

DNS (UDP)

DNS (UDP) - UDP - 53 - The IP address of a computer, or a range of IP addresses (in CIDR block notation) in your local network

SMTP email

To enable SMTP on your instance, you must configure the following firewall rule.

Important

After configuring the following rule, you must also configure reverse DNS for your instance. Otherwise, your email may be limited over TCP port 25. For more information, see Configure reverse DNS for an email server.

SMTP

Custom - TCP - 25 - The IP addresses of the hosts that communicate with your instance