Microsoft Windows Firewall is enabled and configured when you build a deployment using the Windows Esri Amazon Machine Image (AMI). All ports that are necessary for ArcGIS Enterprise components to run are open to inbound connections.
See the ArcGIS Enterprise system requirements for links to component pages and a diagram of ports in an ArcGIS Enterprise deployment.
Outbound connections are allowed by default in the Windows Firewall on the Amazon Elastic Compute Cloud (EC2) instances you create from an Esri Windows AMI.
Windows Firewall and Amazon EC2 security groups
Amazon EC2 security groups provide protection against unsolicited incoming traffic. If you need additional security, you can configure the Windows Firewall on the Windows EC2 instances.
To completely open a port to inbound traffic, the port must be allowed by both the Amazon security group and Windows Firewall.