On this question in the networking section:

"You have configured a Network ACL to allow outbound access allowing all the EC2 instances in your subnet to download application updates accessed over the internet from a trusted third party using port 443. However your instances are still not able to download any updates. What could the problem be?"

The answer is: "You need to add a rule to the Network ACL allowing inbound traffic on ephemeral ports 1024-65535"

11:55 into Ryan’s lecture "NACLs vs Security Groups" he said only use ephemeral ports for outbound rules on NACLs, not inbound rules. According to this answer, we are using ephemeral ports on inbound rules. Is this right?


Hi Emack,

I can see where the confusion has happened here. To answer your question, Ryan is talking about a scenario in the lab where this wouldn't have been appropriate. Ephemeral ports need to be enabled for inbound should the instances require to be agents that need information from the outside world, such as updates, patching etc.

This question comes up from time to time; we have another forum discussion on this very topic here.

I will give you a link to the following documentation, it’s a handy read to realize that ephemeral ports are very useful, but some consideration needs to be taken when you use them for outbound, inbound or both.

Ephemeral Ports

I really hope this clears up some things. I have noted feedback and will take it back to our team.

Hopefully, we can make this a bit clearer in the future, thank you so much for your question.

And keep being awesome!
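
As an added illustration (not part of the thread above, and not AWS code), the following Python models why the answer is right: a Network ACL is stateless, so the SYN-ACK coming back from the third party on port 443 is a separate packet whose destination is the instance's ephemeral source port, and it must match an inbound allow rule on its own. The rule numbers and the ephemeral port 49152 are constructed sample values.

```python
from dataclasses import dataclass


@dataclass
class Rule:
    number: int        # lowest number is evaluated first; first match wins
    protocol: str      # "tcp", "udp" or "all"
    port_range: tuple  # inclusive (low, high) destination port range
    action: str        # "allow" or "deny"


def evaluate_nacl(rules, protocol, dst_port):
    """Stateless evaluation: every packet is judged on its own, in rule order."""
    for rule in sorted(rules, key=lambda r: r.number):
        low, high = rule.port_range
        if rule.protocol in ("all", protocol) and low <= dst_port <= high:
            return rule.action
    return "deny"  # the implicit final "*" rule


# Constructed rule sets modelling the question: outbound 443 is open, and the
# inbound side either lacks or has the ephemeral-port rule from the answer.
OUTBOUND = [Rule(100, "tcp", (443, 443), "allow")]
INBOUND_MISSING = []
INBOUND_FIXED = [Rule(100, "tcp", (1024, 65535), "allow")]


def nacl_download_succeeds(inbound, outbound, ephemeral_port=49152):
    # Request: instance -> third party, destination port 443 (outbound ACL).
    request = evaluate_nacl(outbound, "tcp", 443)
    # Reply: third party -> instance, destination is the instance's ephemeral
    # source port (inbound ACL). No connection state exists, so this packet
    # is dropped unless an inbound rule allows that port.
    reply = evaluate_nacl(inbound, "tcp", ephemeral_port)
    return request == "allow" and reply == "allow"


def stateful_download_succeeds(outbound, inbound, ephemeral_port=49152):
    """Security-group style: the permitted outbound flow is tracked, so its
    return traffic is accepted before inbound rules are even consulted."""
    tracked = set()
    if evaluate_nacl(outbound, "tcp", 443) == "allow":
        tracked.add(("tcp", ephemeral_port))  # remember our source port
    return ("tcp", ephemeral_port) in tracked or \
        evaluate_nacl(inbound, "tcp", ephemeral_port) == "allow"


if __name__ == "__main__":
    print("NACL, no inbound ephemeral rule:", nacl_download_succeeds(INBOUND_MISSING, OUTBOUND))
    print("NACL, inbound 1024-65535 added: ", nacl_download_succeeds(INBOUND_FIXED, OUTBOUND))
    print("Security group, outbound 443 only:", stateful_download_succeeds(OUTBOUND, INBOUND_MISSING))
```

Run as-is it prints False, True, True: the same outbound rule fails behind a stateless NACL and succeeds behind a stateful security group until the inbound ephemeral range is added.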



Thanks for the quick and thorough response!

