Amazon Elastic Compute Cloud (EC2) and Amazon Virtual Private Cloud (VPC) instances can only allow network traffic from sources and ports defined in their security groups. Therefore, you may need to configure rules for your security groups that correspond to the types of things you'll be doing with your Amazon instances. This topic describes some common security group settings you can configure for different ArcGIS deployments.
By default, security groups are completely locked down. You can add rules to a security group specifying the type of traffic allowed, the ports it will be allowed through, and the computers from which communication will be accepted. The ports you decide to open and the type of traffic you need to allow depend on what you are doing with the instance.
The following are suggestions of security group names and rules that you can configure for your instances in the Amazon Web Services (AWS) Management Console. Allowed ports and protocols may vary based on your organization's information technology (IT) policies. The suggestions below use the most common port numbers. If your organization has an IT specialist, consult with him or her to devise the best security strategy for your instances.
Consider creating a security group specifically for EC2 or VPC instances that you use for development and testing purposes. This type of group could allow the following access:
- Remote Desktop Protocol (RDP) access through port 3389 for your IP address or a range of approved IP addresses within your organization (Microsoft Windows only).
This allows you to administer your instance through Windows Remote Desktop. You must use Classless Inter-Domain Routing (CIDR) notation to specify a range of IP addresses (or one IP address) that can make connections. For example, 0.0.0.0/0 allows everyone to connect, whereas 22.214.171.124/32 allows one specific IP address to connect. Check with your system administrator if you need help obtaining the external-facing IP address of your local machine.
- TCP access through port 22 for your IP address or a range of approved IP addresses within your organization (Linux only).
Opening port 22 allows you to work with your Linux instances through SSH.
- TCP access through port 6080 or 6443 for everyone (if not using an Elastic Load Balancer) or the Elastic Load Balancer's security group (if using an Elastic Load Balancer).
Port 6080 is used for HTTP communication and 6443 is used for HTTPS communication with ArcGIS Server sites. If you're not putting an Elastic Load Balancer in front of your site, you need to open either port 6080 or 6443 to everyone who will use your development ArcGIS Server web services. If you're using an Elastic Load Balancer, open port 6080 or 6443 to the Elastic Load Balancer's security group (which is discoverable through the AWS Management Console and is most likely a value such as amazon-elb/amazon-elb-sg).
- Access from other machines in this group.
This is required for the ArcGIS Server machines in a site to communicate with each other and for the components of an ArcGIS Enterprise portal to communicate with one another. It also facilitates file sharing.
Once you've developed and tested your application and are ready to move it to a production tier, it's a good idea to disable remote desktop access. If a problem occurs and you need to log in to the machine, you can temporarily change the security group configuration to allow yourself access. An ArcGIS production group could allow the following access:
- TCP access through port 6443 for a range of IP addresses (if not using an Elastic Load Balancer) or the Elastic Load Balancer's security group (if using an Elastic Load Balancer).
- TCP access through port 7443 for a range of IP addresses.
- Access from other machines in this group.
Secured production instances
If you want to require encrypted communication with your machine, you should configure an Elastic Load Balancer on your site that receives traffic through port 443, the port typically used for encrypted communication through SSL. Then configure the load balancer to forward traffic to port 6443 for multimachine ArcGIS Server sites and port 7443 for ArcGIS Enterprise portals. On your security group, open the ports described above for ArcGIS production.
Commonly used ports
Following are some of the most common ports you may work with as you create security groups. Some of these ports you may not need to explicitly open; rather, you may just decide to give machines within your security group full access to each other. If you want to allow access from machines not participating in your security groups (for example, your desktop workstation in your office), you need to open specific port numbers.
Connections via SSH
HTTP access to IIS web server or load balancer
HTTPS access to IIS web server or load balancer
Windows file sharing
Connections via Windows Remote Desktop
HTTP access to ArcGIS Server
HTTPS access to ArcGIS Server
HTTPS access to Portal for ArcGIS
ArcGIS Data Store communication*
*External clients do not access ArcGIS Data Store directly; connections go through the ArcGIS Server site for which you created the data store.
Windows Firewall is enabled on any Windows instance that you launch using the Esri Amazon Machine Image. If you install a third-party application that requires ports other than those listed above, ensure that Windows Firewall is also configured to allow the port.
For information on additional ports used by ArcGIS Enterprise components, see the following pages: