I host my website on an EC2 instance, and I want users to connect to my website on HTTP (port 80) or HTTPS (port 443). How can I do that?

To allow traffic on ports 80 and 443, you must configure the associated security group and network access control list (network ACL).

Security group rules

For HTTP traffic, add an inbound rule on port 80 from the source address 0.0.0.0/0. For HTTPS traffic, add an inbound rule on port 443 from the source address 0.0.0.0/0. These inbound rules allow traffic from IPv4 addresses. To allow IPv6 traffic, add inbound rules on the same ports from the source address ::/0. For more information on creating or modifying security groups, see Working with Security Groups.

Because security groups are stateful, the return traffic from the instance to users is allowed automatically, so you don't need to modify the security group's outbound rules.

The following example shows the security group rules for allowing both IPv4 and IPv6 traffic on ports 80 and 443:

Inbound rules

Type          Protocol   Port Range   Source
HTTP (80)     TCP (6)    80           0.0.0.0/0
HTTP (80)     TCP (6)    80           ::/0
HTTPS (443)   TCP (6)    443          0.0.0.0/0
HTTPS (443)   TCP (6)    443          ::/0

Network ACL

The default network ACL allows all inbound and outbound traffic. If you use a custom network ACL with more restrictive rules, then explicitly allow traffic on ports 80 and 443. Network ACLs are stateless, so add both inbound and outbound rules to enable the connection to your website. For more information on modifying network ACL rules, see Network ACLs.

Note: If your users connect over IPv6 and your Amazon Virtual Private Cloud (Amazon VPC) has an associated IPv6 CIDR block, then your default network ACL automatically adds rules allowing all inbound and outbound IPv6 traffic.

The following example shows a custom network ACL that allows traffic on ports 80 and 443:

Inbound rules

Rule #   Type          Protocol   Port Range   Source      Allow/Deny
100      HTTP (80)     TCP (6)    80           0.0.0.0/0   ALLOW
101      HTTPS (443)   TCP (6)    443          0.0.0.0/0   ALLOW
102      HTTP (80)     TCP (6)    80           ::/0        ALLOW
103      HTTPS (443)   TCP (6)    443          ::/0        ALLOW
*        ALL Traffic   ALL        ALL          ::/0        DENY
*        ALL Traffic   ALL        ALL          0.0.0.0/0   DENY

Outbound rules

Rule #   Type              Protocol   Port Range   Destination   Allow/Deny
100      Custom TCP Rule   TCP (6)    1024-65535   0.0.0.0/0     ALLOW
101      Custom TCP Rule   TCP (6)    1024-65535   ::/0          ALLOW
*        ALL Traffic       ALL        ALL          ::/0          DENY
*        ALL Traffic       ALL        ALL          0.0.0.0/0     DENY

Note: When the previous security group and network ACL example configurations are used together, all internet users can connect to the website. If the website owner or administrator wants to access other websites from the EC2 instance, then the following configurations must be allowed:

  • Network ACL outbound rules allowing traffic on port 80 or port 443 to the destination IP address
  • Network ACL inbound rules allowing traffic on ephemeral ports (1024-65535)
  • Security group rules allowing outbound traffic
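
The following added example (not part of the original article and not AWS code) models the custom network ACL above as a stateless, first-match rule list and checks both directions of a connection, which shows why visitors can reach the site while the instance cannot reach other websites until the rules in the note are added. The function names and the sample addresses are assumptions made for illustration, and the security group is not modelled.

```python
import ipaddress

# The page's custom network ACL: (rule number, protocol, port range, CIDR, action).
# The trailing "*" DENY rows are modelled by the final return in nacl_decision().
NACL_INBOUND = [
    (100, "tcp", (80, 80), "0.0.0.0/0", "ALLOW"),
    (101, "tcp", (443, 443), "0.0.0.0/0", "ALLOW"),
    (102, "tcp", (80, 80), "::/0", "ALLOW"),
    (103, "tcp", (443, 443), "::/0", "ALLOW"),
]
NACL_OUTBOUND = [
    (100, "tcp", (1024, 65535), "0.0.0.0/0", "ALLOW"),
    (101, "tcp", (1024, 65535), "::/0", "ALLOW"),
]

def nacl_decision(rules, protocol, port, remote_ip):
    """Stateless check: the lowest-numbered matching rule wins, otherwise "*" DENY.

    Inbound: `port` is the destination port on the instance, `remote_ip` the source.
    Outbound: `port` is the destination port on the remote host, `remote_ip` the destination.
    """
    addr = ipaddress.ip_address(remote_ip)
    for _num, proto, (low, high), cidr, action in sorted(rules):
        net = ipaddress.ip_network(cidr)
        if (proto == protocol and low <= port <= high
                and addr.version == net.version and addr in net):
            return action
    return "DENY"

def visitor_can_browse(client_ip, client_port, server_port):
    """A visitor's request must pass inbound and the reply must pass outbound."""
    request = nacl_decision(NACL_INBOUND, "tcp", server_port, client_ip)
    # The reply is addressed to the client's ephemeral source port.
    reply = nacl_decision(NACL_OUTBOUND, "tcp", client_port, client_ip)
    return request == "ALLOW" and reply == "ALLOW"

def instance_can_fetch(remote_ip, remote_port, local_port):
    """A request started on the instance must pass outbound and its reply inbound."""
    request = nacl_decision(NACL_OUTBOUND, "tcp", remote_port, remote_ip)
    reply = nacl_decision(NACL_INBOUND, "tcp", local_port, remote_ip)
    return request == "ALLOW" and reply == "ALLOW"

if __name__ == "__main__":
    # Constructed sample addresses taken from documentation-only ranges.
    print(visitor_can_browse("203.0.113.10", 51514, 443))  # IPv4 visitor, HTTPS
    print(visitor_can_browse("2001:db8::10", 51514, 80))   # IPv6 visitor, HTTP
    print(visitor_can_browse("203.0.113.10", 51514, 22))   # port not in the ACL
    print(instance_can_fetch("198.51.100.7", 443, 40000))  # instance to another site
```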


Published: 2017-12-18