Why am I unable to connect to a port on an EC2 Windows instance?

Last updated: 2020-08-10

I can't connect to an Amazon Elastic Compute Cloud (Amazon EC2) Windows instance on a certain port. How do I determine if the port is open?

Short description

The following issues can prevent a connection to an EC2 Windows instance on a specific port:

  • The service that uses the port isn't running on the instance.
  • Windows Firewall is blocking traffic to the port.
  • A security group is blocking traffic.
  • Network access control lists (ACLs) are blocking traffic.
  • Incorrect routes are in the route table or local Windows routes.


To identify the source of the connectivity issue, follow these steps:

1.    Verify that the application is running properly and is listening on the correct network port. If the application is stopped, start it.

To accept traffic on a port, an EC2 Windows instance must host an application or service that listens on the specified port. From the EC2 Windows instance that is hosting the service, run the netstat command to display active connections and ports.

2.    Perform a port test using Telnet or Test-NetConnection locally on the instance to confirm that the port accepts connections locally.

Using a command prompt, enter the following:

telnet <Private IP> <port number>

Using Windows PowerShell, enter the following (tnc is the alias for Test-NetConnection):

tnc <Private IP> -port <port number>

If the port test fails, check the antivirus and security software that runs on the instance. Set up an allow list for the application or service that uses this port on the antivirus or security software, and then test again.

3.    Repeat step 2 using a different instance. If possible, choose an instance on the same subnet. If the port test on another instance also fails, the issue might be with the operating system (OS) or EC2 instance configuration.

Troubleshoot OS issues

Verify that Windows Firewall, and any other security software that runs on the instance, allows the required port.
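
The checks from steps 1 and 2 and the Windows Firewall check above, combined into one PowerShell script to run on the instance. This is an added example, not part of the original article; the values of $Port and $PrivateIp are placeholders, and Test-PortInFilter is a helper defined here.

```powershell
# Added example. Placeholder values: set these for your instance.
$Port = 8080
$PrivateIp = '10.0.0.10'

# Step 1: is anything listening on the port, and on which address?
$listeners = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
if (-not $listeners) {
    Write-Output "No process is listening on TCP $Port. Start the service first."
} else {
    foreach ($l in $listeners) {
        $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
        Write-Output ("Listening on {0}:{1} (PID {2}, {3})" -f `
            $l.LocalAddress, $l.LocalPort, $l.OwningProcess, $proc.ProcessName)
        # A listener bound only to loopback never accepts connections on the private IP.
        if ($l.LocalAddress -in '127.0.0.1', '::1') {
            Write-Output "  Bound to loopback only; other hosts cannot reach it."
        }
    }
}

# Step 2: local port test against the instance's private IP.
$test = Test-NetConnection -ComputerName $PrivateIp -Port $Port -WarningAction SilentlyContinue
Write-Output ("Local test to {0}:{1} succeeded: {2}" -f $PrivateIp, $Port, $test.TcpTestSucceeded)

# OS check: firewall profile state and default inbound action.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction

# Helper (defined for this example): does a rule's LocalPort value cover $Port?
# LocalPort can be 'Any', single ports, or ranges such as '5000-5010'.
function Test-PortInFilter([string[]]$Spec, [int]$Port) {
    foreach ($s in $Spec) {
        if ($s -eq 'Any' -or $s -eq "$Port") { return $true }
        if ($s -match '^(\d+)-(\d+)$' -and $Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) {
            return $true
        }
    }
    return $false
}

# List enabled inbound rules (Allow and Block) whose TCP port filter matches.
Get-NetFirewallRule -Direction Inbound -Enabled True | ForEach-Object {
    $filter = $_ | Get-NetFirewallPortFilter
    if ($filter.Protocol -in 'TCP', 'Any' -and (Test-PortInFilter $filter.LocalPort $Port)) {
        [pscustomobject]@{
            Rule = $_.DisplayName; Action = $_.Action
            Profile = $_.Profile; LocalPort = $filter.LocalPort -join ','
        }
    }
}
```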

Troubleshoot EC2 instance configuration issues

  • Verify that the security groups associated with the instance allow inbound or outbound traffic on the specified port.
  • Verify that network ACLs have rules to allow inbound or outbound traffic on the specified port.
  • Check the route table to determine if there is a route between the source and the destination EC2 Windows instance.