3 Answers
I think if your EC2 instances (such as NAT instances) send the traffic, then you will need to allow the returned traffic on the ephemeral port range by adding a rule to the NACL inbound rule list. If your EC2 instances such as your web servers are on the receiving end of network traffic, then you need to allow the return traffic on the ephemeral port range by adding a rule to the NACL outbound rule list.
I noticed, as Ryan was going through the documentation [see https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html#nacl-ephemeral-ports], that the docs indicated that the client initiating the request specified the ephemeral port. I take that to be the ephemeral port on which it wants to receive communications. Imagine the HTTP request being sent to a web server on port 80 saying "send me the web content on port 32551."
I also noticed in the documentation (paragraph 3) that "If an instance in your VPC is the client initiating a request, your network ACL must have an inbound rule to enable traffic destined for the ephemeral ports specific to the type of instance (Amazon Linux, Windows Server 2008, and so on)."
I am building the VPC right now and have the t2.micro set up in the public subnet. My webNACL includes SSH, HTTP, HTTPS all set to Allow (on inbound), ports 1024-65535 set to Deny (on inbound); and then the outbound side set to SSH, HTTP, HTTPS, and 1024-65535 set to Allow. With the NACL, I could not run ‘yum update -y’ on the web server (I presume because the ephemeral ports were blocked). I changed the NACL to ‘Allow’ on the ephemeral-port rule and the command ‘yum update -y’ ran fine. So I believe this is correct.
It’s probably best to open the ephemeral ports on the inbound side when you explicitly want to run updates and then close it off otherwise.
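As an added illustration (not code from any of the answers or from AWS), this small Python model of stateless, first-match NACL evaluation replays the experiment above: the web server acting as a yum client needs the reply admitted by an inbound rule on the ephemeral range, while a browser hitting port 80 needs the reply admitted on the outbound range. The peer IPs, the repo mirror port 443 and the rule numbers are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Hypothetical model of NACL evaluation (added example, not AWS code): rules
# are checked per direction in rule-number order, the first match wins, and
# nothing is tracked between directions. Unmatched traffic hits the implicit
# final "*" rule and is denied.
def evaluate(rules, packet):
    """Return 'allow' or 'deny' for one packet against one direction's rules."""
    for r in sorted(rules, key=lambda r: r["number"]):
        lo, hi = r["ports"]
        if (r["protocol"] == packet["protocol"]
                and lo <= packet["dst_port"] <= hi
                and ip_address(packet["peer"]) in ip_network(r["cidr"])):
            return r["action"]
    return "deny"

def rule(number, ports, action, protocol="tcp", cidr="0.0.0.0/0"):
    return {"number": number, "ports": ports, "action": action,
            "protocol": protocol, "cidr": cidr}

# The webNACL from the answer: SSH, HTTP, HTTPS allowed in both directions,
# outbound 1024-65535 allowed, inbound 1024-65535 set by the caller.
def web_nacl(ephemeral_inbound):
    inbound = [rule(100, (22, 22), "allow"), rule(110, (80, 80), "allow"),
               rule(120, (443, 443), "allow"),
               rule(130, (1024, 65535), ephemeral_inbound)]
    outbound = [rule(100, (22, 22), "allow"), rule(110, (80, 80), "allow"),
                rule(120, (443, 443), "allow"),
                rule(130, (1024, 65535), "allow")]
    return inbound, outbound

def tcp_flow_allowed(nacl, instance_is_client, peer, service_port, ephemeral_port):
    """A TCP flow needs its request AND its reply to pass, in opposite directions."""
    inbound, outbound = nacl
    to_service = {"protocol": "tcp", "dst_port": service_port, "peer": peer}
    to_client = {"protocol": "tcp", "dst_port": ephemeral_port, "peer": peer}
    if instance_is_client:   # e.g. 'yum update -y' reaching a repo mirror
        request, reply = evaluate(outbound, to_service), evaluate(inbound, to_client)
    else:                    # e.g. a browser requesting the web page on port 80
        request, reply = evaluate(inbound, to_service), evaluate(outbound, to_client)
    return request == "allow" and reply == "allow"

if __name__ == "__main__":
    MIRROR, BROWSER = "203.0.113.10", "198.51.100.7"   # constructed sample peers
    print("yum, inbound ephemeral denied :", tcp_flow_allowed(web_nacl("deny"), True, MIRROR, 443, 32551))
    print("yum, inbound ephemeral allowed:", tcp_flow_allowed(web_nacl("allow"), True, MIRROR, 443, 32551))
    print("browser to port 80, inbound ephemeral denied:", tcp_flow_allowed(web_nacl("deny"), False, BROWSER, 80, 32551))
```

The third case shows why the web server kept serving pages while updates failed: the browser's reply leaves through the outbound ephemeral rule, which was already Allow.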
Your server actually becomes a client when updating its OS, or adding utilities via yum or apt, etc. Clients initiate requests to an external server on the outbound side. When the requests are completed, the port is no longer needed and is closed. Ephemerally complete. 🙂
NACLs could add an interesting twist to troubleshooting connectivity issues 🙂
A different ephemeral port is used by the client for each outbound connection too, which is why the range is needed.
Thanks for the information!