You would need 8080 for the management interface for AMP if running without TLS. Then you should just need the connection port of the instance you are running. Normally only the host firewall should be an issue with this, as it is inbound traffic it is blocking, and your router firewall shouldn’t block internal traffic unless you have the setup between VLANs or subnets, but I am guessing you don’t have a setup like that since you are referencing a nest.
First test is: from another machine, can you connect to the web interface of AMP? If you can’t, then there is something blocking you,