Proper EC2 Security Group Ports

In order for AWS FreePBX to function properly, a number of ports need to be accessible from the outside world. These include ports for things such as the SIP signaling and web server. In order to help clarify things for those with existing instances, if you have changed your Security Group and want to revert to defaults, or if you are simply unsure what all these ports are for, this page will outline our default Security Group/open ports for AWS FreePBX for your reference.

Your EC2 Security Group for AWS FreePBX should look like the following by default. Note that we are only concerned with the Inbound tab and that the "Source: 0.0.0.0/0" is the "Anywhere" option when editing the rules:

PBX Admin Access

PBX SIP and IAX Communication

PBX User Control Panel (UCP)

PBX Phone Provisioning and Phone Apps

Zulu 3

Zulu 2

Additional notes:

If you install additional modules and packages, you may need to open additional ports here to make everything work properly. Refer to the module or package's documentation for details
If you wish to use Zulu, you will need to add TCP ports 8002, 8003 & 8089 to the Security Group
If you enable TLS for chan_sip or chan_pjsip, you will need to assign and/or open the additional ports here
If you change default port assignments on any of the above services, you will need to edit the respective entry here (and always fully reboot your server for any port changes to take effect)
If you know for sure you aren't using some of these services, you may want to close (delete) some of these ports to further secure your system. Uncommonly used services include xmpp (5222, 5269, 5280), vcom (8001), asterisk-radan (8088), and asterisk-java (58080). You do not (and should not) need to disable any of these services on the server, itself...simply close these ports in the Security Group and they become inaccessible without compromising the stability of your server
If your organization's internet traffic originates from a single static IP address, you may want to edit the rules to change the source from "Anywhere" to the specific IP of your organization. You should NOT, however, make this change on ports 22, 80, or 81 unless you are certain you don't want any access to the SSH console, web admin, or for users to have access to their voicemails/faxes/etc via the web from outside your organization's network

📢 START HERE: Introducing SmartUpgrade

Proper EC2 Security Group Ports

PBX Admin Access

PBX SIP and IAX Communication

PBX User Control Panel (UCP)

PBX Phone Provisioning and Phone Apps

Zulu 3

Zulu 2

The Home of AWS FreePBX®

30-DAY FREE TRIAL!

FreePBX® is a Registered Trademark of Sangoma Technologies and is used with permission.

TheWebMachine Networks is a fully licensed and certified Sangoma partner.

Amazon Web Services is a trademark of Amazon.com, Inc. or its affiliates in the United States and/or other countries.

TheWebMachine Networks is an AWS Partner Network Member.

Rebar IT Outsourcing • TheWebMachine Networks

P.O. Box 271365 • Dallas, TX 75227 • USA

Accessibility Statement

📢 START HERE: Introducing SmartUpgrade

Proper EC2 Security Group Ports

PBX Admin Access

PBX SIP and IAX Communication

PBX User Control Panel (UCP)

PBX Phone Provisioning and Phone Apps

Zulu 3

Zulu 2

The Home of AWS FreePBX®

30-DAY FREE TRIAL!

FreePBX® is a Registered Trademark of Sangoma Technologies and is used with permission.

TheWebMachine Networks is a fully licensed and certified Sangoma partner.

​

Amazon Web Services is a trademark of Amazon.com, Inc. or its affiliates in the United States and/or other countries.

TheWebMachine Networks is an AWS Partner Network Member.

​

Rebar IT Outsourcing • TheWebMachine Networks

P.O. Box 271365 • Dallas, TX 75227 • USA

Accessibility Statement