I host my website on an EC2 instance, and I want users to connect to my website on HTTP (port 80) or HTTPS (port 443). How can I do that?
To allow traffic on port 80 and 443, you must configure the associated security group and network access control list (network ACL).
Security group rules
For HTTP traffic, add an inbound rule on port 80 from the source address 0.0.0.0/0. For HTTPS traffic, add an inbound rule on port 443 from the source address 0.0.0.0/0. These inbound rules allow traffic from IPv4 addresses. To allow IPv6 traffic, add inbound rules on the same ports from the source address ::/0. For more information on creating or modifying security groups, see Working with Security Groups.
Because security groups are stateful, the return traffic from the instance to users is allowed automatically, so you don't need to modify the security group's outbound rules.
The following example shows the security group rules for allowing both IPv4 and IPv6 traffic on port 80 and 443:
Inbound rules
| Type |
Protocol | Port Range | Source |
| HTTP (80) | TCP (6) | 80 | 0.0.0.0/0 |
| HTTP (80) | TCP (6) |
80 | ::/0 |
| HTTPS (443) | TCP (6) |
443 | 0.0.0.0/0 |
| HTTPS (443) | TCP (6) |
443 | ::/0 |
Network ACL
The default network ACL allows all inbound and outbound traffic. If you use a custom network ACL with more restrictive rules, then explicitly allow traffic on port 80 and 443. Network ACLs are stateless, so add both inbound and outbound rules to enable the connection to your website. For more information on modifying network ACL rules, see Network ACLs.
Note: If your users connect over IPv6 and your Amazon Virtual Private Cloud (Amazon VPC) has an associated IPv6 CIDR block, then your default network ACL automatically adds rules allowing all inbound and outbound IPv6 traffic.
The following example shows a custom network ACL that allows traffic on port 80 and 443:
Inbound rules
| Rule # | Type | Protocol | Port Range | Source | Allow/Deny |
| 100 | HTTP (80) | TCP (6) | 80 | 0.0.0.0/0 | ALLOW |
| 101 | HTTPS (443) | TCP (6) |
443 | 0.0.0.0/0 | ALLOW |
| 102 | HTTP (80) |
TCP (6) |
80 | ::/0 | ALLOW |
| 103 | HTTPS (443) |
TCP (6) |
443 | ::/0 | ALLOW |
| * | ALL Traffic | ALL | ALL | ::/0 | DENY |
| * | ALL Traffic | ALL | ALL | 0.0.0.0/0 | DENY |
Outbound rules
| Rule # | Type | Protocol | Port Range | Destination | Allow/Deny |
| 100 | Custom TCP Rule | TCP (6) |
1024-65535 | 0.0.0.0/0 | ALLOW |
| 101 | Custom TCP Rule |
TCP (6) |
1024-65535 |
::/0 | ALLOW |
| * | ALL Traffic | ALL | ALL | ::/0 | DENY |
| * | ALL Traffic | ALL | ALL | 0.0.0.0/0 | DENY |
Note: When the previous security group and network ACL example configurations are used together, all internet users can connect to the website. If the website owner or administrator wants to access other websites from the EC2 instance, then the following configurations must be allowed:
- Network ACL outbound rules allowing traffic on port 80 or port 443 to the destination IP address
- Network ACL inbound rules allowing traffic on ephemeral ports (1024-65535)
- Security group rules allowing outbound traffic
Did this page help you? Yes | No
Back to the AWS Support Knowledge Center
Need help? Visit the AWS Support Center
Published: 2017-12-18
