Exchange Online mail routing with WorkMail via connectors - opening a port for an EC2 instance

Hi,

Does WorkMail or SES spin up their own EC2 instances in the background? How can I access them as the admin of the account? Context below

I am following the steps in this Microsoft documentation so an organisation can continue using Office 365 for their emails but forward emails to WorkMail for testing and processing. However, when validating the connector, I get the error:

450 4.4.316 Connection refused [Message=Socket error code 10061] [LastAttemptedServerName=imap.mail.us-west-2.awsapps.com] [LastAttemptedIP=XX.XX.XX.XX:25]...

Things I've checked:

• MX entry is pointing at Outlook and is at a higher priority
• SPF record is {v=spf1 include:amazonses.com include:spf.protection.outlook.com -all}
• The domain and email address for the WorkMail address is verified in SES
• The organisation's domain is not registered in Route 53, it is with Microsoft

The associated host name of the LastAttemptedIP was ec2-XX-XX-XX-XX.us-west-2.compute.amazonaws.com, and after looking into the error message, it seems I'll need to open Port 25 for the instance. But this instance doesn't show under my account - is it an instance spun up by my WorkMail organisation? How do I get access to this instance to open the port?