For AWS FreePBX to function properly, a number of ports need to be reachable from the outside world, including the ports used for SIP signaling and for the web server. To help those with existing instances who have changed their Security Group and want to revert to the defaults, or who are simply unsure what all of these ports are for, this page outlines the default Security Group (open ports) for AWS FreePBX for your reference.
Your EC2 Security Group for AWS FreePBX should look like the following by default. Note that only the Inbound tab is of concern here, and that "Source: 0.0.0.0/0" corresponds to the "Anywhere" option when editing the rules:
[Screenshots of the default inbound rules, grouped as: PBX Admin Access; PBX SIP and IAX Communication; PBX User Control Panel (UCP); PBX Phone Provisioning and Phone Apps; Zulu 3; Zulu 2]
Additional notes:
If you install additional modules and packages, you may need to open additional ports here for everything to work properly. Refer to the module's or package's documentation for details.
If you wish to use Zulu, you will need to add TCP ports 8002, 8003 and 8089 to the Security Group.
If you enable TLS for chan_sip or chan_pjsip, you will need to assign and/or open the additional ports here.
If you change the default port assignment of any of the above services, you will need to edit the respective entry here (and always fully reboot your server for any port change to take effect).
If you know for certain that you are not using some of these services, you may want to close (delete) the corresponding ports to further secure your system. Uncommonly used services include xmpp (5222, 5269, 5280), vcom (8001), asterisk-radan (8088), and asterisk-java (58080). You do not (and should not) need to disable any of these services on the server itself; simply closing these ports in the Security Group makes them inaccessible without compromising the stability of your server.
If your organization's internet traffic originates from a single static IP address, you may want to edit the rules to change the source from "Anywhere" to your organization's specific IP. You should NOT, however, make this change on ports 22, 80, or 81 unless you are certain you do not want any access to the SSH console or the web admin, or any access for users to their voicemails, faxes, etc. via the web, from outside your organization's network.
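As an added example (not part of this page or of the FreePBX project), the following Python script audits a Security Group's inbound rules against the two notes above: it flags the uncommonly used service ports when they are open to "Anywhere", and lists the other world-open ports as candidates for restricting to your organization's IP, leaving 22, 80 and 81 alone. The rule data is a constructed sample in the `IpPermissions` shape returned by boto3's `describe_security_groups()`; the 5060/udp entry is the standard SIP port, not a value taken from this page.

```python
import ipaddress

# Services the page names as uncommonly used (port -> service name).
UNCOMMON_SERVICES = {5222: "xmpp", 5269: "xmpp", 5280: "xmpp",
                     8001: "vcom", 8088: "asterisk-radan", 58080: "asterisk-java"}
# Ports the page says to leave open to Anywhere (SSH, web admin, web access for users).
KEEP_WORLD_OPEN = {22, 80, 81}
ANYWHERE = {"0.0.0.0/0", "::/0"}


def rule(proto, port, cidr="0.0.0.0/0"):
    """Build one IpPermissions entry: a single port with one IPv4 source."""
    return {"IpProtocol": proto, "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": cidr}], "Ipv6Ranges": []}


# Constructed sample group (not the page's actual default rule set).
SAMPLE_PERMISSIONS = [rule("tcp", 22), rule("tcp", 80), rule("tcp", 81),
                      rule("udp", 5060), rule("tcp", 5222), rule("tcp", 8088),
                      rule("tcp", 58080), rule("tcp", 8002, "203.0.113.10/32")]


def world_open(perm):
    """True if any IPv4 or IPv6 source on the rule is the 'Anywhere' CIDR."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return any(c in ANYWHERE for c in cidrs)


def audit_inbound(permissions, org_cidr=None):
    """Return (port, protocol, action) findings for world-open inbound rules.

    'close'    - an uncommonly used service port open to Anywhere (delete it).
    'restrict' - only when org_cidr is given: a world-open port other than
                 22/80/81 whose source could be narrowed to org_cidr.
    """
    if org_cidr is not None:
        ipaddress.ip_network(org_cidr)  # raises ValueError on a malformed CIDR
    findings = []
    for perm in permissions:
        if not world_open(perm):
            continue
        if perm["IpProtocol"] == "-1":  # "All traffic" rule: every port is exposed
            findings.append((None, "all", "close"))
            continue
        for port in range(perm["FromPort"], perm["ToPort"] + 1):
            if port in UNCOMMON_SERVICES:
                findings.append((port, perm["IpProtocol"], "close"))
            elif org_cidr and port not in KEEP_WORLD_OPEN:
                findings.append((port, perm["IpProtocol"], "restrict"))
    return findings
```

To audit a live group, replace `SAMPLE_PERMISSIONS` with `describe_security_groups(GroupIds=[...])["SecurityGroups"][0]["IpPermissions"]` from a boto3 EC2 client.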