# ess-network

Part of **ESS**

# Auto Scaling Network Security Console Guide

## Operations Overview

| Operation | Console Entry Point | Prerequisites | Description |
|----------|---------------------|---------------|-------------|
| Configure Firewall Rules | Console > ECS > Instances > Connect to Instance > Configure Firewall Rules | A Windows ECS instance running Windows Server 2022; access to the instance via VNC | Set up inbound firewall rules to allow or block applications, ports, and IP-based access on Windows instances in scaling groups |

## Operation Steps

### Configure Firewall Rules

**Navigation**: Console > ECS > Instances > Connect to Instance > Configure Firewall Rules

**Prerequisites**:
- A Windows ECS instance running Windows Server 2022
- Access to the instance via VNC

1. Connect to the Windows ECS instance using Virtual Network Computing (VNC)
   - Element: **VNC** (link) — top-right corner
   - Notes: Refer to the linked guide for detailed VNC connection steps.

2. Open the Start menu and navigate to Control Panel > System and Security > Windows Defender Firewall
   - Element: **Start** (menu) — Start menu

3. In the left-side navigation pane, click the link to manage allowed apps
   - Element: **Allow an app or feature through Windows Defender Firewall** (link) — left-side navigation pane

4. Click the button to add a new application to the allowed list
   - Element: **Allow another app** (button) — main content area

5. In the "Add an app" dialog box, browse to select the executable file
   - Element: **Browse** (button) — Add an app dialog box
   - Notes: Double-click the application file in the file system to add it.

6. Navigate to Windows Defender Firewall with Advanced Security and open the inbound rules section
   - Element: **Inbound Rule** (link) — left-side navigation pane

7. In the right-side panel, initiate creation of a new rule
   - Element: **New Rule** (button) — right-side panel

8. On the Rule Type screen, select port-based rule configuration
   - Element: **Port** (radio) — Rule Type step

9. On the Protocol and Ports screen, specify the protocol and enter the local port number
   - Element: **Specific local ports** (radio) — Protocol and Ports step
   - Notes: Enter a specific port such as 8080.

10. On the Action screen, choose whether to allow or block the connection
    - Element: **Block the connection** (radio) — Action step
    - Notes: Select **Allow the connection** to permit access.

11. On the Profiles screen, select applicable network environments
    - Element: **Domain** (checkbox) — Profiles step
    - Notes: By default, all profiles (Domain, Private, Public) are selected. Choose based on your network environment.

12. On the Name screen, provide a rule name and optional description, then finalize
    - Element: **Finish** (button) — Name step

13. To restrict access by IP, right-click an existing inbound rule and open its properties
    - Element: **Properties** (context_menu) — right-click menu

14. On the Scope tab, configure remote IP restrictions and add entries
    - Element: **Add** (button) — Scope tab
    - Notes: You can add multiple IP addresses or CIDR blocks.

15. In the Add IP address dialog, enter the IP or CIDR block and confirm
    - Element: **OK** (button) — Add IP address dialog
    - Notes: Example: the public IP address of an on-premises computer.

16. After adding all required IPs, apply the scope changes
    - Element: **OK** (button) — Scope tab

| Parameter | Type | Required | Options/Values | Description |
|-----------|------|----------|----------------|-------------|
| Apps | dropdown | No | — | List of installed applications that can be allowed through the firewall |
| Protocol | dropdown | Yes | TCP, UDP | The network protocol used by the application or service |
| Local Port | text_input | Yes | — | The specific port number to allow or block access to |
| Action | radio | Yes | Allow the connection, Block the connection | Determines whether incoming connections are permitted or denied |
| Profiles | checkbox | No | Domain, Private, Public | Specifies which network profile(s) the rule applies to |
| Rule Name | text_input | Yes | — | A descriptive name for the firewall rule |
| Description | text_input | No | — | Optional additional information about the rule |
| Remote IP Address | text_input | Yes | — | The IP address or CIDR block from which access is allowed or blocked |
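
The inbound port rule and Scope restriction from steps 6 to 16 can also be applied and checked from an elevated PowerShell session on the instance. The script below is an added example, not part of the original guide; the rule name, port, profiles, and remote addresses are constructed placeholders (the addresses are documentation ranges) to be replaced with your own values.

```powershell
#Requires -RunAsAdministrator
# Added example; every value below is constructed for illustration.
$Port           = 8080
$Protocols      = @('TCP')                              # add 'UDP' to get a second rule
$Profiles       = @('Domain', 'Private')                # step 11: leave Public out if unused
$AllowedRemotes = @('203.0.113.10', '198.51.100.0/24')  # documentation ranges

foreach ($proto in $Protocols) {
    # One rule per protocol, matching the FAQ answer on TCP and UDP.
    $name     = "Example - allow inbound $proto $Port"
    $existing = Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue

    if ($existing) {
        # Steps 13-16: re-apply the intended scope to a rule that already exists.
        Set-NetFirewallRule -DisplayName $name -Action Allow `
            -Profile $Profiles -RemoteAddress $AllowedRemotes
    } else {
        # Steps 7-12 plus the Scope tab, in one call.
        New-NetFirewallRule -DisplayName $name `
            -Description 'Created by example script' `
            -Direction Inbound -Protocol $proto -LocalPort $Port `
            -Action Allow -Profile $Profiles `
            -RemoteAddress $AllowedRemotes | Out-Null
    }
}

# Review every enabled inbound allow rule that lists this port exactly (port
# ranges are not expanded), including rules created earlier by hand, and flag
# any whose Scope tab still accepts any remote address.
$report = foreach ($rule in Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow) {
    $portFilter = $rule | Get-NetFirewallPortFilter
    if ($portFilter.LocalPort -notcontains "$Port") { continue }
    $addrFilter = $rule | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule          = $rule.DisplayName
        Protocol      = $portFilter.Protocol
        Profiles      = $rule.Profile
        RemoteAddress = $addrFilter.RemoteAddress -join ', '
        Unrestricted  = $addrFilter.RemoteAddress -contains 'Any'
    }
}
$report | Format-Table -AutoSize
```

A row with `Unrestricted` set to `True` is an allow rule on the port that has no remote IP restriction on its Scope tab.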

## FAQ

Q: Where do I find the firewall configuration interface after connecting to my Windows ECS instance?
A: After connecting via VNC, go to Control Panel > System and Security > Windows Defender Firewall. For advanced settings like port rules and IP restrictions, use "Windows Defender Firewall with Advanced Security".

Q: Can I modify a firewall rule after it has been created?
A: Yes. Right-click the rule in the Inbound Rules list, select **Properties**, and update settings such as scope (IP restrictions), action, or profiles on the respective tabs.

Q: What happens if I don’t select any network profiles when creating a rule?
A: The rule will not apply to any network type. You must select at least one profile (Domain, Private, or Public) for the rule to take effect in that network environment.

Q: Do I need special permissions to configure firewall rules on my ECS instance?
A: Yes. You must be logged in as an administrator on the Windows instance to modify Windows Defender Firewall settings.

Q: Can I allow both TCP and UDP on the same port in one rule?
A: No. Each rule applies to a single protocol. You must create separate rules for TCP and UDP if both are needed on the same port.

## Pricing & Billing

### Billing Model
Firewall configuration is part of the standard ECS instance management and does not incur additional charges.

### Free Tier
No cost for configuring firewall rules on Windows ECS instances.

### Billing Notes
Firewall rule configuration is included with your ECS instance usage and billed as part of the underlying compute resource. There are no separate fees or metered charges for creating or managing Windows Defender Firewall rules.