According to AWS documentation, creating the right security group configuration should be sufficient to allow for desired communication between your AWS EC2 instance and public internet. However, that’s not quite the case when you provision a Microsoft Windows 2012 VM as an EC2 instance.
I provisioned a windows 2012 EC2 instance and opened the following ports on it (Security Group Configuration Image below).
- Port 80 for HTTP communication
- Port 3389 for RDP communication
- Port 443 for HTTPS communication
- Port 8080 for TCP communication over port 8080. This was primarily because my Java app was a Liferay web app which comes bundled together with Tomcat 8 server and deploys to port 8080 by default. You can modify server.xml to change this port.
After configuring the security group settings above and provisioning the EC2 instance, I needed to be able to access a very basic web app deployed on a Tomcat 8 server from the public internet. Navigating to http://localhost:8080 worked fine from within the Windows VM, however, if I accessed http://<vm-public- ip-address>:8080 from my web browser on the public internet I was not able to navigate to the app.
Turns out the only way to fix this is to modify the windows firewall rules on the VM in addition to the security group configurations above.
To modify the firewall rules on your windows server:
- Navigate to Control Panel -> System and Security -> Windows Firewall
- Click on Advanced Settings. This should open Windows Firewall with Advanced Security windows.
- Click on Inbound Rules. This should display all the inbound rules for the firewall on the server.
- Click on New Rule… This should open ‘New Inbound Rule Wizard’.
- Select ‘Port’ radio button -> Click Next -> Enter 8080, 80, 443 in ‘Specific local ports’ -> Click Next -> Select ‘allow the connection’ -> Click Next -> Click Next -> Enter “Custom Inbound rules” under Name -> Click Finish.
- If you try to access your app web app from the public network, you should be able to access it.