Lightsail firewall rules reference - Amazon Lightsail

You can add rules to an Amazon Lightsail instance's firewall that reflect the role of the instance. For example, an instance that's configured as a web server needs firewall rules that allow inbound HTTP and HTTPS access. A database instance needs rules that allow access for the type of database, such as access over port 3306 for MySQL. For more information about firewalls, see Instance firewalls in Lightsail.

This guide provides examples of the kinds of firewall rules that you can add to an instance firewall for specific kinds of access. The rules are listed as application, protocol, port, and source IP address (for example, application - protocol - port - source IP address), unless otherwise stated.

Web server rules

The following inbound rules allow HTTP and HTTPS access.

Note

Some Lightsail instances have the following firewall rules configured by default. For more information, see Firewalls and ports.

HTTP

HTTP - TCP - 80 - all IP addresses

HTTPS

HTTPS - TCP - 443 - all IP addresses

Rules to connect to your instance from your computer

To connect to your instance, you add a rule that allows SSH access (for Linux instances) or RDP access (for Windows instances).

Note

All Lightsail instances have one of the following firewall rules configured by default (SSH or RDP, depending on the platform). For more information, see Firewalls and ports.

SSH

SSH - TCP - 22 - The public IP address of your computer, or a range of IP addresses (in CIDR block notation) in your local network

RDP

RDP - TCP - 3389 - The public IP address of your computer, or a range of IP addresses (in CIDR block notation) in your local network

Database server rules

The following inbound rules are examples of rules that you might add for database access, depending on what type of database you're running on your instance.

SQL Server

Custom - TCP - 1433 - The public IP address of your computer, or a range of IP addresses (in CIDR block notation) in your local network

MySQL/Aurora

MySQL/Aurora - TCP - 3306 - The public IP address of your computer, or a range of IP addresses (in CIDR block notation) in your local network

PostgreSQL

PostgreSQL - TCP - 5432 - The public IP address of your computer, or a range of IP addresses (in CIDR block notation) in your local network

Oracle-RDS

Oracle-RDS - TCP - 1521 - The public IP address of your computer, or a range of IP addresses (in CIDR block notation) in your local network

Amazon Redshift

Custom - TCP - 5439 - The public IP address of your computer, or a range of IP addresses (in CIDR block notation) in your local network

DNS server rules

If you've set up your instance as a DNS server, you must ensure that TCP and UDP traffic can reach your DNS server over port 53.

DNS (TCP)

DNS (TCP) - TCP - 53 - The IP address of a computer, or a range of IP addresses (in CIDR block notation) in your local network

DNS (UDP)

DNS (UDP) - UDP - 53 - The IP address of a computer, or a range of IP addresses (in CIDR block notation) in your local network

SMTP email

To enable SMTP on your instance, you must configure the following firewall rule.

Important

After configuring the following rule, you must also configure reverse DNS for your instance. Otherwise, your email may be limited over TCP port 25. For more information, see Configure reverse DNS for an email server.

SMTP

Custom - TCP - 25 - The IP addresses of the hosts that communicate with your instance
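The rules above share one pattern: HTTP and HTTPS may accept traffic from all IP addresses, while SSH, RDP, every database port, DNS and SMTP should be limited to your own public IP, a CIDR range in your local network, or the specific peer hosts. The following added example (not part of the Lightsail documentation or the Lightsail service) turns that guidance into a check you can run over a rule list. It models rules as dicts in the shape of the `portInfos` entries that the Lightsail API uses (`fromPort`, `toPort`, `protocol`, `cidrs`, `ipv6Cidrs`); that field naming is an assumption about the API, and the sample rule list is constructed for this example with documentation-range addresses rather than taken from a real instance.

```python
"""Lint a Lightsail-style firewall rule list against the role-based
guidance in this reference.

Added example, not Lightsail code. Rules are dicts shaped like the API's
portInfos entries (assumed field names: fromPort, toPort, protocol, cidrs,
ipv6Cidrs). SAMPLE_PORT_INFOS is constructed for this example.
"""
import ipaddress

# Services this reference says may accept traffic from all IP addresses.
PUBLIC_OK = {("tcp", 80): "HTTP", ("tcp", 443): "HTTPS"}

# Services this reference says should be limited to your own public IP,
# a CIDR range in your local network, or (for SMTP) specific peer hosts.
RESTRICTED = {
    ("tcp", 22): "SSH",
    ("tcp", 3389): "RDP",
    ("tcp", 1433): "SQL Server",
    ("tcp", 3306): "MySQL/Aurora",
    ("tcp", 5432): "PostgreSQL",
    ("tcp", 1521): "Oracle-RDS",
    ("tcp", 5439): "Amazon Redshift",
    ("tcp", 53): "DNS (TCP)",
    ("udp", 53): "DNS (UDP)",
    ("tcp", 25): "SMTP",
}

# Constructed sample: a web server whose MySQL port was mistakenly opened
# to everyone. 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_PORT_INFOS = [
    {"fromPort": 80, "toPort": 80, "protocol": "tcp", "cidrs": ["0.0.0.0/0"]},
    {"fromPort": 443, "toPort": 443, "protocol": "tcp", "cidrs": ["0.0.0.0/0"]},
    {"fromPort": 22, "toPort": 22, "protocol": "tcp", "cidrs": ["203.0.113.10/32"]},
    {"fromPort": 3306, "toPort": 3306, "protocol": "tcp", "cidrs": ["0.0.0.0/0"]},
    {"fromPort": 53, "toPort": 53, "protocol": "udp", "cidrs": ["198.51.100.0/24"]},
]


def is_world(cidr: str) -> bool:
    """True when the source is 'all IP addresses' (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def lint_rules(port_infos):
    """Return (service, port, cidr, problem) tuples for rules that contradict
    the guidance: a restricted service open to the world, or a port this
    reference does not list at all open to the world. Port ranges and the
    protocol value 'all' are expanded so a broad rule is checked per port."""
    findings = []
    for rule in port_infos:
        proto = rule["protocol"].lower()
        protos = ("tcp", "udp") if proto == "all" else (proto,)
        sources = list(rule.get("cidrs", [])) + list(rule.get("ipv6Cidrs", []))
        world_sources = [c for c in sources if is_world(c)]
        if not world_sources:
            continue  # source is already narrowed; nothing to report
        for p in protos:
            for port in range(rule["fromPort"], rule["toPort"] + 1):
                key = (p, port)
                for cidr in world_sources:
                    if key in RESTRICTED:
                        findings.append((RESTRICTED[key], port, cidr,
                                         "admin/database port open to all IP addresses"))
                    elif key not in PUBLIC_OK:
                        findings.append(("unlisted", port, cidr,
                                         "port not in this reference open to all IP addresses"))
    return findings


if __name__ == "__main__":
    for service, port, cidr, problem in lint_rules(SAMPLE_PORT_INFOS):
        print(f"{service}: port {port} from {cidr}: {problem}")
```

Running the block as a script reports the single sample problem, the MySQL/Aurora rule open to 0.0.0.0/0, and stays silent for the HTTP, HTTPS, SSH and DNS rules whose sources match the guidance. The same function can be pointed at the port list returned for a live instance once it is converted to the dict shape above.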