How to Open Firewall Ports on a Windows VPS: Step-by-Step Guide
Learn how to open firewall ports on a Windows Server VPS using the GUI and PowerShell, with ready-to-use commands and connection verification steps.
When you install an application on a Windows VPS — a web server, database, admin panel, or game server — it runs on a specific port. By default, Windows Server Firewall blocks inbound connections on ports that have not been explicitly allowed. Without that rule, the service is only accessible locally, even if it is running correctly.
This tutorial is for anyone who just provisioned a Windows VPS and needs to open a specific port so a service is reachable from the internet. No prior networking knowledge is required — we cover two paths: the graphical interface (more visual) and PowerShell (faster, ideal when you already know the port number).
Prerequisites
You need a Windows Server VPS (2019, 2022, or 2025) with administrative access via Remote Desktop Protocol (RDP). Have the port number ready along with the protocol your service uses — TCP or UDP. When in doubt, most web services use TCP.
Common ports that typically require manual firewall rules:
- 80 (TCP)
- 443 (TCP)
- 3306 (TCP)
- 25565 (TCP)
Port 3389 (RDP) is already open by default — it is the port you are using right now to access the server. Do not close that port without setting up an alternative access method first, or you will lose remote control of the machine.
Understanding Ports and the Firewall
A port is a number from 1 to 65535 that identifies which service should receive a given network connection. When someone visits http://yourserver.com, the browser connects to port 80 on your IP address. If Windows Firewall does not allow inbound traffic on that port, the connection is dropped before it even reaches the web server.
Windows Firewall operates through rules. Each rule defines: protocol (TCP or UDP), port or port range, direction (inbound or outbound), and action (allow or block). To open a port, you create an inbound rule that permits traffic on that specific port.
Method 1: Open a Port via the GUI
This is the recommended path if you prefer to see what you are doing. All steps are performed inside the VPS while connected via RDP.
Open the Start menu, type wf.msc, and press Enter. This opens the “Windows Firewall with Advanced Security” console.
This is the full rule management panel. Do not confuse it with the simplified “Windows Defender Firewall” in Control Panel — on servers, always use wf.msc.
In the left panel, click Inbound Rules. You will see the full list of existing rules.
In the right panel, click New Rule…. This opens the rule creation wizard.
On the first screen of the wizard, select Port and click Next.
The “Program” option opens all traffic for a specific executable — useful in some scenarios, but less precise. “Port” is what you want when you know the exact number.
Choose TCP or UDP based on your service’s protocol. Under “Specific local ports”, enter the port number — for example, 8080. To open multiple ports at once, separate with commas: 8080,8081,9000. For a range, use a hyphen: 7000-7010.
Click Next.
Leave Allow the connection selected and click Next.
The other options apply to IPSec-authenticated connections, which is not the scenario here.
On the profile screen, check Domain, Private, and Public. On a VPS exposed to the internet, the active profile is usually Public — but checking all three ensures the rule applies regardless of the detected network profile.
Click Next.
Give the rule a descriptive name, for example: Web App - Port 8080. Add an optional description explaining what it is for. Click Finish.
The rule appears immediately in the list and is already active. No server restart is needed.
Six months from now you will not remember what port 8743 was for. Always include the application name in the rule name — it makes auditing and removing stale rules much easier.
Method 2: Open a Port via PowerShell
When you know exactly what you need, PowerShell gets it done in one line. Open PowerShell as administrator (right-click the Start menu > Windows PowerShell (Administrator)).
Use New-NetFirewallRule to create the rule. Example to open TCP port 8080:
New-NetFirewallRule -DisplayName "Web App 8080" -Direction Inbound -Protocol TCP -LocalPort 8080 -Action Allow
The command returns the details of the created rule. If you see Enabled: True in the output, the rule is active.
To open a UDP port, change the protocol:
New-NetFirewallRule -DisplayName "Game Server 27015" -Direction Inbound -Protocol UDP -LocalPort 27015 -Action Allow
To open a port range:
New-NetFirewallRule -DisplayName "App Range" -Direction Inbound -Protocol TCP -LocalPort 7000-7010 -Action Allow
For multiple non-consecutive ports, pass an array:
New-NetFirewallRule -DisplayName "Web Ports" -Direction Inbound -Protocol TCP -LocalPort 80,443,8080 -Action Allow
Verification: Is the Port Actually Open?
Creating the rule does not guarantee the service is responding — it only means Windows Firewall will not block it. Verification has two parts: confirming the rule and testing the connection.
List the rule to confirm it is enabled:
Get-NetFirewallRule -DisplayName "Web App 8080" | Format-List DisplayName,Enabled,Direction,Action
The output should show Enabled: True, Direction: Inbound, and Action: Allow.
Check whether any service is actually listening on that port inside the VPS:
Get-NetTCPConnection -LocalPort 8080 -State Listen
If the output is empty, no process is listening on port 8080 — you need to start your application first. If a line appears with the local address, the service is ready to accept connections.
From an external machine (your local PC, not the VPS), test the connection. On Windows, use PowerShell:
Test-NetConnection -ComputerName YOUR_VPS_IP -Port 8080
The key result is TcpTestSucceeded: True. If it shows False, the port is still blocked somewhere — either the Windows Firewall rule is not in effect, the application is not running, or an external network filter is interfering.
Troubleshooting
Rule exists but connection still fails
Verify the application is running and listening on the correct port with Get-NetTCPConnection. A common issue is that the service listens only on 127.0.0.1 (localhost) and needs to be configured to listen on 0.0.0.0 (all interfaces). Check the application’s documentation for the bind address setting.
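The rule check, the listener check and the bind-address check described above can be combined into one diagnostic run inside the VPS. This is an added example, not part of the original guide; Test-LocalPortExposure is a hypothetical helper name, and it does not evaluate block rules or network profiles.

```powershell
# Added example; Test-LocalPortExposure is a hypothetical helper, not a built-in cmdlet.
# Run in an elevated PowerShell session on the VPS.
function Test-LocalPortExposure {
    param([Parameter(Mandatory)] [ValidateRange(1, 65535)] [int] $Port)

    # Enabled inbound allow rules whose port filter covers $Port over TCP.
    $rules = @(Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        Where-Object {
            $filter = $_ | Get-NetFirewallPortFilter
            if ($filter.Protocol -notin 'TCP', 'Any') { return $false }
            foreach ($entry in $filter.LocalPort) {
                # Entries are strings such as "8080", "7000-7010" or "Any".
                if ($entry -eq 'Any' -or $entry -eq "$Port") { return $true }
                if ($entry -match '^(\d+)-(\d+)$' -and
                    $Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
            }
            return $false
        })

    # Listening sockets and the addresses they are bound to.
    $listeners = @(Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue)
    $addresses = @($listeners | Select-Object -ExpandProperty LocalAddress -Unique)
    $external  = @($addresses | Where-Object { $_ -notin '127.0.0.1', '::1' })

    $diagnosis = if ($listeners.Count -eq 0) { 'No process is listening: start the application.' }
        elseif ($external.Count -eq 0) { 'Bound to localhost only: change the bind address.' }
        elseif ($rules.Count -eq 0)    { 'Listening, but no enabled inbound allow rule covers the port.' }
        else { 'Rule and listener present: test from outside, then check provider filters.' }

    [pscustomobject]@{
        Port         = $Port
        AllowRules   = @($rules | ForEach-Object DisplayName)
        LocalAddress = $addresses
        Diagnosis    = $diagnosis
    }
}

Test-LocalPortExposure -Port 8080 | Format-List
```

The scan pipes every inbound rule through Get-NetFirewallPortFilter, so it can take several seconds on a server with many rules.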
Works internally but not externally
If Test-NetConnection returns True from inside the VPS but False from outside, the problem is at a network layer above Windows. Your VPS provider may apply additional network filters or security groups that block the port at the infrastructure level.
Many providers enforce network-level filtering in addition to Windows Firewall. If you opened the port in Windows and connections from the outside still fail, check whether the provider’s control panel has additional inbound rules blocking that port.
How to remove a rule
If you created a rule by mistake, remove it via PowerShell:
Remove-NetFirewallRule -DisplayName "Web App 8080"
Or via wf.msc: find the rule in the list, right-click it, and select Delete.
Next Steps
After opening the necessary ports, consider these follow-up topics:
- Restrict the rule to a specific source IP using the -RemoteAddress parameter — recommended for administrative ports like 3389 or database ports that should not be exposed to the entire internet.
- Configure an SSL certificate on your web application before exposing port 443 publicly.
- Document all custom firewall rules in a text file on the VPS itself — your future self will appreciate it.
- Enable the Windows Firewall log to audit blocked connection attempts.
If you are deploying an application to production, a Hostini Windows VPS comes with full administrative access and an edge-layer network filter — you manage Windows Firewall as usual, with additional protection at the infrastructure level.
Frequently asked questions
Do I need to restart the Windows VPS after opening a port in the Firewall?
No. Windows Firewall rules take effect immediately after creation, whether you use the GUI or PowerShell. If the connection still does not work after adding the rule, the issue is elsewhere — the application may not be running, it may be binding to the wrong address, or an external network filter may be blocking it.
How do I know whether a port uses TCP or UDP?
Most services use TCP: HTTP, HTTPS, RDP, MySQL, SQL Server, and the vast majority of web applications. UDP is common in game servers, VoIP, DNS, and streaming. When in doubt, check the application's documentation — some require both protocols to be opened.
Can I just open all ports at once to fix the issue faster?
Technically yes, but it is a bad idea. Disabling the firewall or creating a rule that allows all ports exposes every service running on the VPS, including ones you may not be aware of. Always open only the specific ports each application requires.
The port is open in Windows Firewall but the website does not load. What could be wrong?
The most common causes are: the web application is not running, it is listening on 127.0.0.1 instead of 0.0.0.0, a provider-level network filter is blocking the port, or the domain's DNS does not yet point to the correct IP. Use Test-NetConnection from an external machine to isolate where the block is occurring.
What is the difference between Windows Defender Firewall and Windows Firewall with Advanced Security?
They use the same underlying engine but expose different levels of control. The Control Panel version is simplified and suited for desktops. The wf.msc console (Advanced Security) exposes all options: rules by port, range, source IP, network profile, and logging. On servers, always use wf.msc.
How do I open a port only for my IP address, not for everyone?
Use the -RemoteAddress parameter in PowerShell. Example: New-NetFirewallRule -DisplayName "MySQL Restricted" -Direction Inbound -Protocol TCP -LocalPort 3306 -RemoteAddress 200.x.x.x -Action Allow. In the GUI, go to the rule's "Scope" tab and define the allowed remote IP addresses there.
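The -RemoteAddress and firewall-log items from Next Steps, together with the answer above, as an added example that is not part of the original guide: it reports rules on sensitive ports that accept any source, previews narrowing them, and turns on logging of dropped packets. $AdminIp and the port list are assumptions to replace with your own values.

```powershell
# Added example. $AdminIp is a constructed placeholder from the documentation range
# 203.0.113.0/24; replace it with the address you actually connect from.
$AdminIp        = '203.0.113.10'
$SensitivePorts = '3389', '3306'

# 1. Enabled inbound allow rules on those ports that accept any remote address.
#    Only exact port entries are matched here, not ranges.
$open = @(Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    ForEach-Object {
        $rule  = $_
        $ports = @(($rule | Get-NetFirewallPortFilter).LocalPort |
            Where-Object { $_ -in $SensitivePorts })
        $scope = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
        if ($ports.Count -gt 0 -and $scope -contains 'Any') {
            [pscustomobject]@{
                Name        = $rule.Name
                DisplayName = $rule.DisplayName
                LocalPort   = $ports -join ','
            }
        }
    })
$open | Format-Table -AutoSize

# 2. Dry run: show what narrowing each reported rule to $AdminIp would change.
#    Remove -WhatIf only after confirming $AdminIp, or a 3389 rule will lock you out.
$open | ForEach-Object { Set-NetFirewallRule -Name $_.Name -RemoteAddress $AdminIp -WhatIf }

# 3. Log dropped packets on every profile (16 MB cap, default log location).
$log = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"
Set-NetFirewallProfile -Profile Domain, Private, Public -LogBlocked True `
    -LogFileName $log -LogMaxSizeKilobytes 16384

# 4. Top dropped protocol/destination-port pairs. Log fields are space separated:
#    date time action protocol src-ip dst-ip src-port dst-port ...
if (Test-Path $log) {
    Get-Content $log |
        Where-Object { $_ -match '^\d{4}-\d\d-\d\d \S+ DROP ' } |
        ForEach-Object { $f = $_ -split ' '; '{0}/{1}' -f $f[3], $f[7] } |
        Group-Object | Sort-Object Count -Descending |
        Select-Object -First 10 Count, Name
}
```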