Ports and Protocols for Amazon Windows AMIs - Amazon Windows AMIs
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Ports and Protocols for Amazon Windows AMIs

The following tables list the ports, protocols, and directions by workload for Amazon Windows Amazon Machine Images (AMIs).

AllJoyn Router

OS Rule Description Port Protocol Direction

Windows Server 2016

Windows Server 2019

Windows Server 2022

AllJoyn Router (TCP-In) Inbound rule for AllJoyn Router traffic [TCP]

Local: 9955

Remote: Any

TCP In
AllJoyn Router (TCP-Out) Outbound rule for AllJoyn Router traffic [TCP]

Local: Any

Remote: Any

TCP Out
AllJoyn Router (UDP-In) Inbound rule for AllJoyn Router traffic [UDP]

Local: Any

Remote: Any

UDP In
AllJoyn Router (UDP-Out) Outbound rule for AllJoyn Router traffic [UDP]

Local: Any

Remote: Any

UDP Out

Cast to Device

OS Rule Description Port Protocol Direction

Windows Server 2016

Windows Server 2019

Windows Server 2022

Cast to Device functionality (qWave-TCP-In) Inbound rule for the Cast to Device functionality to allow use of the Quality Windows Audio Video Experience Service. [TCP 2177]

Local: 2177

Remote: Any

TCP In
Cast to Device functionality (qWave-TCP-Out) Outbound rule for the Cast to Device functionality to allow use of the Quality Windows Audio Video Experience Service. [TCP 2177] Local: Any

Remote: 2177

TCP Out
Cast to Device functionality (qWave-UDP-In) Inbound rule for the Cast to Device functionality to allow use of the Quality Windows Audio Video Experience Service. [UDP 2177]

Local: 2177

Remote: Any

UDP In
Cast to Device functionality (qWave-UDP-Out) Outbound rule for the Cast to Device functionality to allow use of the Quality Windows Audio Video Experience Service. [UDP 2177] Local: Any

Remote: 2177

UDP Out
Cast to Device SSDP Discovery (UDP-In) Inbound rule to allow discovery of Cast to Device targets using SSDP Local: Ply2Disc

Remote: Any

UDP In
Cast to Device Streaming Server (HTTP-Streaming-In) Inbound rule for the Cast to Device server to allow streaming using HTTP. [TCP 10246] Local: 10246

Remote: Any

TCP In
Cast to Device Streaming Server (RTCP-Streaming-In) Inbound rule for the Cast to Device server to allow streaming using RTSP and RTP. [UDP] Local: Any

Remote: Any

UDP In
Cast to Device Streaming Server (RTP-Streaming-Out) Outbound rule for the Cast to Device server to allow streaming using RTSP and RTP. [UDP] Local: Any

Remote: Any

UDP Out
Cast to Device Streaming Server (RTSP-Streaming-In) Inbound rule for the Cast to Device server to allow streaming using RTSP and RTP. [TCP 23554, 23555, 23556] Local: 235, 542, 355, 523, 556

Remote: Any

TCP In
Cast to Device UPnP Events (TCP-In) Inbound rule to allow receiving UPnP Events from Cast to Device targets Local: 2869

Remote: Any

TCP In

Core Networking

Windows Server 2016, 2019, and 2022
OS Rule Definition Port Protocol Direction

Windows Server 2016

Windows Server 2019

Windows Server 2022

Destination Unreachable (ICMPv6-In) Destination Unreachable error messages are sent from any node that a packet traverses which is unable to forward the packet for any reason except congestion.

ICMPv6

In
Destination Unreachable Fragmentation Needed (ICMPv4-In) Destination Unreachable Fragmentation Needed error messages are sent from any node that a packet traverses which is unable to forward the packet because fragmentation was needed and the don't fragment bit was set.

ICMPv4

In
Core Networking - DNS (UDP-Out) Outbound rule to allow DNS requests. DNS responses based on requests that match this rule are permitted regardless of source address. This behavior is classified as loose source mapping.

Local: Any

Remote: 53

UDP Out
Dynamic Host Configuration Protocol (DHCP-In) Allows DHCP (Dynamic Host Configuration Protocol) messages for stateful auto-configuration.

Local: 68

Remote: 67

UDP In
Dynamic Host Configuration Protocol (DHCP-Out) Allows DHCP (Dynamic Host Configuration Protocol) messages for stateful auto-configuration.

Local: 68

Remote: 67

UDP Out
Dynamic Host Configuration Protocol for IPv6(DHCPV6-In) Allows DHCPV6 (Dynamic Host Configuration Protocol for IPv6) messages for stateful and stateless configuration.

Local: 546

Remote: 547

UDP In
Dynamic Host Configuration Protocol for IPv6(DHCPV6-Out) Allows DHCPV6 (Dynamic Host Configuration Protocol for IPv6) messages for stateful and stateless configuration.

Local: 546

Remote: 547

UDP Out
Core Networking - Group Policy (LSASS-Out) Outbound rule to allow remote LSASS traffic for Group Policy updates.

Local: Any

Remote: Any

TCP Out
Core Networking - Group Policy (NP-Out) Core Networking - Group Policy (NP-Out)

Local: Any

Remote: 445

TCP Out
Core Networking - Group Policy (TCP-Out) Outbound rule to allow remote RPC traffic for Group Policy updates.

Local: Any

Remote: Any

TCP Out
Internet Group Management Protocol (IGMP-In) IGMP messages are sent and received by nodes to create, join, and depart multicast groups. 2 In
Core Networking - Internet Group Management Protocol (IGMP-Out) IGMP messages are sent and received by nodes to create, join, and depart multicast groups. 2 Out
Core Networking - IPHTTPS (TCP-In) Inbound TCP rule to allow IPHTTPS tunneling technology to provide connectivity across HTTP proxies and firewalls.

Local: IPHTPS

Remote: Any

TCP In
Core Networking - IPHTTPS (TCP-Out) Outbound TCP rule to allow IPHTTPS tunneling technology to provide connectivity across HTTP proxies and firewalls.

Local: Any

Remote: IPHTPS

TCP Out
IPv6 (IPv6-In) Inbound rule required to permit IPv6 traffic for ISATAP (Intra-Site Automatic Tunnel Addressing Protocol) and 6to4 tunneling services. 41 In
IPv6 (IPv6-Out) Outbound rule required to permit IPv6 traffic for ISATAP (Intra-Site Automatic Tunnel Addressing Protocol) and 6to4 tunneling services. 41 Out
Multicast Listener Done (ICMPv6-In) Multicast Listener Done messages inform local routers that there are no longer any members remaining for a specific multicast address on the subnet.

ICMPv6

In
Multicast Listener Done (ICMPv6-Out) Multicast Listener Done messages inform local routers that there are no longer any members remaining for a specific multicast address on the subnet.

ICMPv6

Out
Multicast Listener Query (ICMPv6-In) An IPv6 multicast-capable router uses the Multicast Listener Query message to query a link for multicast group membership.

ICMPv6

In
Multicast Listener Query (ICMPv6-Out) An IPv6 multicast-capable router uses the Multicast Listener Query message to query a link for multicast group membership.

ICMPv6

Out
Multicast Listener Report (ICMPv6-In) The Multicast Listener Report message is used by a listening node to either immediately report its interest in receiving multicast traffic at a specific multicast address or in response to a Multicast Listener Query.

ICMPv6

In
Multicast Listener Report (ICMPv6-Out) The Multicast Listener Report message is used by a listening node to either immediately report its interest in receiving multicast traffic at a specific multicast address or in response to a Multicast Listener Query.

ICMPv6

Out
Multicast Listener Report v2 (ICMPv6-In) Multicast Listener Report v2 message is used by a listening node to either immediately report its interest in receiving multicast traffic at a specific multicast address or in response to a Multicast Listener Query.

ICMPv6

In
Multicast Listener Report v2 (ICMPv6-Out) Multicast Listener Report v2 message is used by a listening node to either immediately report its interest in receiving multicast traffic at a specific multicast address or in response to a Multicast Listener Query.

ICMPv6

Out
Neighbor Discovery Advertisement (ICMPv6-In) Neighbor Discovery Advertisement messages are sent by nodes to notify other nodes of link-layer address changes or in response to a Neighbor Discovery Solicitation request.

ICMPv6

In
Neighbor Discovery Advertisement (ICMPv6-Out) Neighbor Discovery Advertisement messages are sent by nodes to notify other nodes of link-layer address changes or in response to a Neighbor Discovery Solicitation request.

ICMPv6

Out
Neighbor Discovery Solicitation (ICMPv6-In) Neighbor Discovery Solicitations are sent by nodes to discover the link-layer address of another on-link IPv6 node.

ICMPv6

In
Neighbor Discovery Solicitation (ICMPv6-Out) Neighbor Discovery Solicitations are sent by nodes to discover the link-layer address of another on-link IPv6 node.

ICMPv6

Out
Packet Too Big (ICMPv6-In) Packet Too Big error messages are sent from any node that a packet traverses which is unable to forward the packet because the packet is too large for the next link.

ICMPv6

In
Packet Too Big (ICMPv6-Out) Packet Too Big error messages are sent from any node that a packet traverses which is unable to forward the packet because the packet is too large for the next link.

ICMPv6

Out
Parameter Problem (ICMPv6-In) Parameter Problem error messages are sent by nodes when packets are incorrectly generated.

ICMPv6

In
Parameter Problem (ICMPv6-Out) Parameter Problem error messages are sent by nodes when packets are incorrectly generated.

ICMPv6

Out
Router Advertisement (ICMPv6-In) Router Advertisement messages are sent by routers to other nodes for stateless auto-configuration.

ICMPv6

In
Router Advertisement (ICMPv6-Out) Router Advertisement messages are sent by routers to other nodes for stateless auto-configuration.

ICMPv6

Out
Router Solicitation (ICMPv6-In) Router Solicitation messages are sent by nodes seeking routers to provide stateless auto-configuration.

ICMPv6

In
Router Solicitation (ICMPv6-Out) Router Solicitation messages are sent by nodes seeking routers to provide stateless auto-configuration.

ICMPv6

Out
Core Networking - Teredo (UDP-In) Inbound UDP rule to allow Teredo edge traversal. This technology provides address assignment and automatic tunneling for unicast IPv6 traffic when an IPv6/IPv4 host is located behind an IPv4 network address translator.

Local: Teredo

Remote: Any

UDP In
Core Networking - Teredo (UDP-Out) Outbound UDP rule to allow Teredo edge traversal. This technology provides address assignment and automatic tunneling for unicast IPv6 traffic when an IPv6/IPv4 host is located behind an IPv4 network address translator.

Local: Any

Remote: Any

UDP Out
Time Exceeded (ICMPv6-In) Time Exceeded error messages are generated from any node that a packet traverses if the Hop Limit value is decremented to zero at any point on the path.

ICMPv6

In
Time Exceeded (ICMPv6-Out) Time Exceeded error messages are generated from any node that a packet traverses if the Hop Limit value is decremented to zero at any point on the path.

ICMPv6

Out
Windows Server 2012 and 2012 R2
OS Rule Definition Port Protocol Direction

Windows Server 2012

Windows Server 2012 R2

Destination Unreachable (ICMPv6-In) Destination Unreachable error messages are sent from any node that a packet traverses which is unable to forward the packet for any reason except congestion.

Local: 68

Remote: 67

ICMPv6

In
Destination Unreachable Fragmentation Needed (ICMPv4-In) Destination Unreachable Fragmentation Needed error messages are sent from any node that a packet traverses which is unable to forward the packet because fragmentation was needed and the don't fragment bit was set.

Local: 68

Remote: 67

ICMPv4

In
Core Networking - DNS (UDP-Out) Outbound rule to allow DNS requests. DNS responses based on requests that match this rule are permitted regardless of source address. This behavior is classified as loose source mapping.

Local: Any

Remote: 53

UDP Out
Dynamic Host Configuration Protocol (DHCP-In) Allows DHCP (Dynamic Host Configuration Protocol) messages for stateful auto-configuration.

Local: 68

Remote: 67

UDP In
Dynamic Host Configuration Protocol (DHCP-Out) Allows DHCP (Dynamic Host Configuration Protocol) messages for stateful auto-configuration.

Local: 68

Remote: 67

UDP Out
Dynamic Host Configuration Protocol for IPv6(DHCPV6-In) Allows DHCPV6 (Dynamic Host Configuration Protocol for IPv6) messages for stateful and stateless configuration.

Local: 546

Remote: 547

UDP In
Dynamic Host Configuration Protocol for IPv6(DHCPV6-Out) Allows DHCPV6 (Dynamic Host Configuration Protocol for IPv6) messages for stateful and stateless configuration.

Local: 546

Remote: 547

UDP Out
Core Networking - Group Policy (LSASS-Out) Outbound rule to allow remote LSASS traffic for Group Policy updates.

Local: Any

Remote: Any

TCP Out
Core Networking - Group Policy (NP-Out) Core Networking - Group Policy (NP-Out)

Local: Any

Remote: 445

TCP Out
Core Networking - Group Policy (TCP-Out) Outbound rule to allow remote RPC traffic for Group Policy updates.

Local: Any

Remote: Any

TCP Out
Internet Group Management Protocol (IGMP-In) IGMP messages are sent and received by nodes to create, join, and depart multicast groups.

Local: 68

Remote: 67

2 In
Core Networking - Internet Group Management Protocol (IGMP-Out) IGMP messages are sent and received by nodes to create, join, and depart multicast groups.

Local: 68

Remote: 67

2 Out
Core Networking - IPHTTPS (TCP-In) Inbound TCP rule to allow IPHTTPS tunneling technology to provide connectivity across HTTP proxies and firewalls.

Local: IPHTPS

Remote: Any

TCP In
Core Networking - IPHTTPS (TCP-Out) Outbound TCP rule to allow IPHTTPS tunneling technology to provide connectivity across HTTP proxies and firewalls.

Local: Any

Remote: IPHTPS

TCP Out
IPv6 (IPv6-In) Inbound rule required to permit IPv6 traffic for ISATAP (Intra-Site Automatic Tunnel Addressing Protocol) and 6to4 tunneling services.

Local: Any

Remote: 445

41 In
IPv6 (IPv6-Out) Outbound rule required to permit IPv6 traffic for ISATAP (Intra-Site Automatic Tunnel Addressing Protocol) and 6to4 tunneling services.

Local: Any

Remote: 445

41 Out
Multicast Listener Done (ICMPv6-In) Multicast Listener Done messages inform local routers that there are no longer any members remaining for a specific multicast address on the subnet.

Local: 68

Remote: 67

ICMPv6

In
Multicast Listener Done (ICMPv6-Out) Multicast Listener Done messages inform local routers that there are no longer any members remaining for a specific multicast address on the subnet.

Local: 68

Remote: 67

ICMPv6

Out
Multicast Listener Query (ICMPv6-In) An IPv6 multicast-capable router uses the Multicast Listener Query message to query a link for multicast group membership.

Local: 68

Remote: 67

ICMPv6

In
Multicast Listener Query (ICMPv6-Out) An IPv6 multicast-capable router uses the Multicast Listener Query message to query a link for multicast group membership.

Local: 68

Remote: 67

ICMPv6

Out
Multicast Listener Report (ICMPv6-In) The Multicast Listener Report message is used by a listening node to either immediately report its interest in receiving multicast traffic at a specific multicast address or in response to a Multicast Listener Query.

Local: 68

Remote: 67

ICMPv6

In
Multicast Listener Report (ICMPv6-Out) The Multicast Listener Report message is used by a listening node to either immediately report its interest in receiving multicast traffic at a specific multicast address or in response to a Multicast Listener Query.

Local: 68

Remote: 67

ICMPv6

Out
Multicast Listener Report v2 (ICMPv6-In) Multicast Listener Report v2 message is used by a listening node to either immediately report its interest in receiving multicast traffic at a specific multicast address or in response to a Multicast Listener Query.

Local: 68

Remote: 67

ICMPv6

In
Multicast Listener Report v2 (ICMPv6-Out) Multicast Listener Report v2 message is used by a listening node to either immediately report its interest in receiving multicast traffic at a specific multicast address or in response to a Multicast Listener Query.

Local: 68

Remote: 67

ICMPv6

Out
Neighbor Discovery Advertisement (ICMPv6-In) Neighbor Discovery Advertisement messages are sent by nodes to notify other nodes of link-layer address changes or in response to a Neighbor Discovery Solicitation request.

Local: 68

Remote: 67

ICMPv6

In
Neighbor Discovery Advertisement (ICMPv6-Out) Neighbor Discovery Advertisement messages are sent by nodes to notify other nodes of link-layer address changes or in response to a Neighbor Discovery Solicitation request.

Local: 68

Remote: 67

ICMPv6

Out
Neighbor Discovery Solicitation (ICMPv6-In) Neighbor Discovery Solicitations are sent by nodes to discover the link-layer address of another on-link IPv6 node.

Local: 68

Remote: 67

ICMPv6

In
Neighbor Discovery Solicitation (ICMPv6-Out) Neighbor Discovery Solicitations are sent by nodes to discover the link-layer address of another on-link IPv6 node.

Local: 68

Remote: 67

ICMPv6

Out
Packet Too Big (ICMPv6-In) Packet Too Big error messages are sent from any node that a packet traverses which is unable to forward the packet because the packet is too large for the next link.

Local: 68

Remote: 67

ICMPv6

In
Packet Too Big (ICMPv6-Out) Packet Too Big error messages are sent from any node that a packet traverses which is unable to forward the packet because the packet is too large for the next link.

Local: 68

Remote: 67

ICMPv6

Out
Parameter Problem (ICMPv6-In) Parameter Problem error messages are sent by nodes when packets are incorrectly generated.

Local: 68

Remote: 67

ICMPv6

In
Parameter Problem (ICMPv6-Out) Parameter Problem error messages are sent by nodes when packets are incorrectly generated.

Local: 68

Remote: 67

ICMPv6

Out
Router Advertisement (ICMPv6-In) Router Advertisement messages are sent by routers to other nodes for stateless auto-configuration.

Local: 68

Remote: 67

ICMPv6

In
Router Advertisement (ICMPv6-Out) Router Advertisement messages are sent by routers to other nodes for stateless auto-configuration.

Local: 68

Remote: 67

ICMPv6

Out
Router Solicitation (ICMPv6-In) Router Solicitation messages are sent by nodes seeking routers to provide stateless auto-configuration.

Local: 68

Remote: 67

ICMPv6

In
Router Solicitation (ICMPv6-Out) Router Solicitation messages are sent by nodes seeking routers to provide stateless auto-configuration.

Local: 68

Remote: 67

ICMPv6

Out
Core Networking - Teredo (UDP-In) Inbound UDP rule to allow Teredo edge traversal. This technology provides address assignment and automatic tunneling for unicast IPv6 traffic when an IPv6/IPv4 host is located behind an IPv4 network address translator.

Local: Teredo

Remote: Any

UDP In
Core Networking - Teredo (UDP-Out) Outbound UDP rule to allow Teredo edge traversal. This technology provides address assignment and automatic tunneling for unicast IPv6 traffic when an IPv6/IPv4 host is located behind an IPv4 network address translator.

Local: Any

Remote: Any

UDP Out
Time Exceeded (ICMPv6-In) Time Exceeded error messages are generated from any node that a packet traverses if the Hop Limit value is decremented to zero at any point on the path.

Local: 68

Remote: 67

ICMPv6

In
Time Exceeded (ICMPv6-Out) Time Exceeded error messages are generated from any node that a packet traverses if the Hop Limit value is decremented to zero at any point on the path.

Local: 68

Remote: 67

ICMPv6

Out

Delivery Optimization

OS Rule Definition Port Protocol Direction

Windows Server 2019

Windows Server 2022

DeliveryOptimization-TCP-In Inbound rule to allow Delivery Optimization to connect to remote endpoints.

Local: 7680

Remote: Any

TCP In
DeliveryOptimization-UDP-In Inbound rule to allow Delivery Optimization to connect to remote endpoints.

Local: 7680

Remote: Any

UDP In

Diag Track

Windows Server 2019 and 2022
OS Rule Definition Port Protocol Direction

Windows Server 2019

Windows Server 2022

Connected User Experiences and Telemetry Unified Telemetry Client Outbound Traffic.

Local: Any

Remote: 443

TCP Out
Windows Server 2016
OS Rule Definition Port Protocol Direction
Windows Server 2016 Connected User Experiences and Telemetry Unified Telemetry Client Outbound Traffic.

Local: Any

Remote: Any

TCP Out

DIAL Protocol Server

OS Rule Definition Port Protocol Direction

Windows Server 2016

Windows Server 2019

Windows Server 2022

DIAL protocol server (HTTP-In) Inbound rule for DIAL protocol server to allow remote control of Apps using HTTP.

Local: 10247

Remote: Any

TCP In

File and Printer Sharing

OS Rule Definition Port Protocol Direction

Windows Server 2012

Windows Server 2012 R2

File and Printer Sharing (Echo Request - ICMPv4-In) Echo Request messages are sent as ping requests to other nodes.

Local: 5355

Remote: Any

ICMPv4

In
File and Printer Sharing (Echo Request - ICMPv4-Out) Echo Request messages are sent as ping requests to other nodes.

Local: 5355

Remote: Any

ICMPv4

Out
File and Printer Sharing (Echo Request - ICMPv6-In) Echo Request messages are sent as ping requests to other nodes.

Local: 5355

Remote: Any

ICMPv6

In
File and Printer Sharing (Echo Request - ICMPv6-Out) Echo Request messages are sent as ping requests to other nodes.

Local: 5355

Remote: Any

ICMPv6

Out
File and Printer Sharing (LLMNR-UDP-In) Inbound rule for File and Printer Sharing to allow Link Local Multicast Name Resolution.

Local: 5355

Remote: Any

UDP In
File and Printer Sharing (LLMNR-UDP-Out) Outbound rule for File and Printer Sharing to allow Link Local Multicast Name Resolution.

Local: Any

Remote: 5355

UDP Out
File and Printer Sharing (NB-Datagram-In) Inbound rule for File and Printer Sharing to allow NetBIOS Datagram transmission and reception.

Local: 138

Remote: Any

UDP In
File and Printer Sharing (NB-Datagram-Out) Outbound rule for File and Printer Sharing to allow NetBIOS Datagram transmission and reception.

Local: Any

Remote: 138

UDP Out
File and Printer Sharing (NB-Name-In) Inbound rule for File and Printer Sharing to allow NetBIOS Name Resolution.

Local: 137

Remote: Any

UDP In
File and Printer Sharing (NB-Name-Out) Outbound rule for File and Printer Sharing to allow NetBIOS Name Resolution.

Local: Any

Remote: 137

UDP Out
File and Printer Sharing (NB-Session-In) Inbound rule for File and Printer Sharing to allow NetBIOS Session Service connections.

Local: 139

Remote: Any

TCP In
File and Printer Sharing (NB-Session-Out) Outbound rule for File and Printer Sharing to allow NetBIOS Session Service connections.

Local: Any

Remote: 139

TCP Out
File and Printer Sharing (SMB-In) Inbound rule for File and Printer Sharing to allow Server Message Block transmission and reception via Named Pipes.

Local: 445

Remote: Any

TCP In
File and Printer Sharing (SMB-Out) Outbound rule for File and Printer Sharing to allow Server Message Block transmission and reception via Named Pipes.

Local: Any

Remote: 445

TCP Out
File and Printer Sharing (Spooler Service - RPC) Inbound rule for File and Printer Sharing to allow the Print Spooler Service to communicate via TCP/RPC.

Local: RPC

Remote: Any

TCP In
File and Printer Sharing (Spooler Service - RPC-EPMAP) Inbound rule for the RPCSS service to allow RPC/TCP traffic for the Spooler Service.

Local: RPC-EPMap

Remote: Any

TCP In

File Server Remote Management

OS Rule Definition Port Protocol Direction

Windows Server 2012

Windows Server 2012 R2

File Server Remote Management (DCOM-In) Inbound rule to allow DCOM traffic to manage the File Services role.

Local: 135

Remote: Any

TCP In
File Server Remote Management (SMB-In) Inbound rule to allow SMB traffic to manage the File Services role.

Local: 445

Remote: Any

TCP In
WMI-In Inbound rule to allow WMI traffic to manage the File Services role.

Local: RPC

Remote: Any

TCP In

ICMP v4 All

OS Rule Port Protocol Direction

Windows Server 2012

Windows Server 2012 R2

All ICMP v4

Local: 139

Remote: Any

ICMPv4

In

Microsoft Edge

OS Rule Port Protocol Direction

Windows Server 2022

Microsoft Edge (mDNS-In)

Local: 5353

Remote: Any

UDP

In

Microsoft Media Foundation Network Source

OS Rule Port Protocol Direction

Windows Server 2022

Microsoft Media Foundation Network Source IN [TCP 554]

Local: 554, 8554-8558

Remote: Any

TCP

In
Microsoft Media Foundation Network Source IN [UDP 5004-5009]

Local: 5000-5020

Remote: Any

UDP

In
Microsoft Media Foundation Network Source OUT [TCP ALL]

Local: Any

Remote: 554, 8554-8558

TCP

In

Multicast

Windows Server 2019 and 2022
OS Rule Definition Port Protocol Direction

Windows Server 2019

Windows Server 2022

mDNS (UDP-In) Inbound rule for mDNS traffic. Local: 5353

Remote: Any

UDP In
mDNS (UDP-Out) Outbound rule for mDNS traffic. Local: Any

Remote: 5353

UDP Out
Windows Server 2016
OS Rule Definition Port Protocol Direction

Windows Server 2016

mDNS (UDP-In) Inbound rule for mDNS traffic. Local: mDNS

Remote: Any

UDP In
mDNS (UDP-Out) Outbound rule for mDNS traffic. Local: 5353

Remote: Any

UDP Out

Remote Desktop

Windows Server 2012 R2, 2016, 2019, and 2022
OS Rule Definition Port Protocol Direction

Windows Server 2012 R2

Windows Server 2016

Windows Server 2019

Windows Server 2022

Remote Desktop - Shadow (TCP-In) Inbound rule for the Remote Desktop service to allow shadowing of an existing Remote Desktop session.

Local: Any

Remote: Any

TCP In
Remote Desktop - User Mode (TCP-In) Inbound rule for the Remote Desktop service to allow RDP traffic.

Local: 3389

Remote: Any

TCP In
Remote Desktop - User Mode (UDP-In) Inbound rule for the Remote Desktop service to allow RDP traffic.

Local: 3389

Remote: Any

UDP In
Windows Server 2012
OS Rule Definition Port Protocol Direction
Windows Server 2012 Remote Desktop - User Mode (TCP-In) Inbound rule for the Remote Desktop service to allow RDP traffic.

Local: 3389

Remote: Any

TCP In
Remote Desktop - User Mode (UDP-In) Inbound rule for the Remote Desktop service to allow RDP traffic.

Local: 3389

Remote: Any

UDP In

WindowsDevice Management

Windows Server 2022
OS Rule Definition Port Protocol Direction
Windows Server 2022 WindowsDevice Management Certificate Installer (TCP out) Allow outbound TCP traffic from WindowsDevice Management Certificate Installer.

Local: Any

Remote: Any

TCP Out
WindowsDevice Management Device Enroller (TCP out) Allow outbound TCP traffic from WindowsDevice Management Device Enroller.

Local: Any

Remote: 80, 443

TCP Out
WindowsDevice Management Enrollment Service (TCP out) Allow outbound TCP traffic from WindowsDevice Management Enrollment Service.

Local: Any

Remote: Any

TCP Out
WindowsDevice Management Sync Client (TCP out) Allow outbound TCP traffic from WindowsDevice Management Sync Client.

Local: Any

Remote: Any

TCP Out
Windows Server 2019
OS Rule Definition Port Protocol Direction
Windows Server 2019 WindowsDevice Management Certificate Installer (TCP out) Allow outbound TCP traffic from WindowsDevice Management Certificate Installer.

Local: Any

Remote: Any

TCP Out
WindowsDevice Management Enrollment Service (TCP out) Allow outbound TCP traffic from WindowsDevice Management Enrollment Service.

Local: Any

Remote: Any

TCP Out
WindowsDevice Management Sync Client (TCP out) Allow outbound TCP traffic from WindowsDevice Management Sync Client.

Local: Any

Remote: Any

TCP Out
WindowsEnrollment WinRT (TCP Out) Allow outbound TCP traffic from WindowsEnrollment WinRT.

Local: Any

Remote: Any

TCP Out

WindowsFeature Experience Pack

OS Rule Definition Port Protocol Direction

Windows Server 2022

WindowsFeature Experience Pack WindowsFeature Experience Pack. Any Out

WindowsFirewall Remote Management

OS Rule Definition Port Protocol Direction

Windows Server 2012 R2

WindowsFirewall Remote Management (RPC) Inbound rule for the WindowsFirewall to be remotely managed via RPC/TCP.

Local: RPC

Remote: Any

TCP In
WindowsFirewall Remote Management (RPC-EPMAP) Inbound rule for the RPCSS service to allow RPC/TCP traffic for the WindowsFirewall.

Local: RPC-EPMap

Remote: Any

TCP In

WindowsRemote Management

OS Rule Definition Port Protocol Direction

Windows Server 2012

Windows Server 2012 R2

Windows Server 2016

Windows Server 2019

Windows Server 2022

WindowsRemote Management (HTTP-In) Inbound rule for WindowsRemote Management via WS-Management.

Local: 5985

Remote: Any

TCP In

For more information about Amazon EC2 security groups, see Amazon EC2 Security Groups for WindowsInstances.