AWS Certified Solutions Architect - Professional 2020


This answer is wrong, you will also need to open up port 22 for outbound traffic in the NACL.


4 Answers

Hi Ranjith,

When declaring an answer as wrong, it helps to provide some resource or proof that indicates the issue. I assume you are referring to this quiz question: "In an effort to increase security, you have updated the NACLs for your VPC subnets to only allow inbound port 22 from the public Internet and deny all outbound traffic. Now, you are unable to SSH into your instance from the internet where you could before. Assuming nothing else has changed, what is the reason?"

In fact, the answer is correct. I encourage you to lab it out. Set up a VPC and NACL that only allows inbound port 22 and outbound port 22. Try to connect. Then, remove outbound port 22 and open up outbound ports 1024 – 65535 and try again.

Once you have done this, decide if you still think it is a wrong answer.

–Scott

Deepak D Sampath

https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html "Example: Controlling Access to Instances in a Subnet" answers this as well.

I think the confusion is because you are assuming that, given the inbound NACL specifies port 22 as the DPORT, the outbound is therefore specifying 22 as the SPORT.

I also originally made this (incorrect) assumption. However, from https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html#nacl-basics :

  • [Inbound rules only] The source of the traffic (CIDR range) and the destination (listening) port or port range.

  • [Outbound rules only] The destination for the traffic (CIDR range) and the destination port or port range.

So, for both INBOUND and OUTBOUND NACLs, the port is always the destination port, which means that, in the case of traffic FROM port 22 on the EC2 instance, the DPORT will be in the SSH client’s ephemeral range.

I also recommend reading up on Ephemeral Ports for a general understanding: https://en.wikipedia.org/wiki/Ephemeral_port
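To make the stateless behaviour that Scott's lab and the docs excerpt above describe concrete, here is a small Python simulator of one SSH session passing through a NACL (an added example, not course material or AWS code); the rule numbers and the client ephemeral port 49152 are constructed values.

```python
"""Stateless NACL evaluation of one SSH session (constructed example).

A VPC network ACL keeps no connection state, so the instance's reply
(source port 22, destination port = the client's ephemeral port) must be
permitted by an explicit outbound rule, and outbound rules match on the
packet's *destination* port, not on port 22.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    number: int              # NACL rules are evaluated in ascending number order
    protocol: str            # "tcp" or "all"
    ports: Tuple[int, int]   # destination port range, inclusive
    action: str              # "allow" or "deny"


def evaluate(rules: List[Rule], protocol: str, dport: int) -> str:
    """Return 'allow' or 'deny' for a packet against one direction's rule list.
    The lowest-numbered matching rule wins; the implicit final rule (*) denies."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ("all", protocol):
            continue
        lo, hi = rule.ports
        if lo <= dport <= hi:
            return rule.action
    return "deny"


def ssh_session_works(inbound: List[Rule], outbound: List[Rule],
                      client_ephemeral_port: int = 49152) -> bool:
    """An SSH session needs the client's SYN (inbound, dport 22) AND the
    instance's reply (outbound, sport 22, dport = client's ephemeral port)."""
    syn_ok = evaluate(inbound, "tcp", 22) == "allow"
    reply_ok = evaluate(outbound, "tcp", client_ephemeral_port) == "allow"
    return syn_ok and reply_ok


INBOUND_SSH = [Rule(100, "tcp", (22, 22), "allow")]
# Mirroring the inbound rule outbound (the intuitive but wrong fix): replies are dropped.
OUTBOUND_PORT_22_ONLY = [Rule(100, "tcp", (22, 22), "allow")]
# Second lab step: outbound allows the ephemeral range, so replies get out.
OUTBOUND_EPHEMERAL = [Rule(100, "tcp", (1024, 65535), "allow")]

if __name__ == "__main__":
    print("outbound 22 only   :", ssh_session_works(INBOUND_SSH, OUTBOUND_PORT_22_ONLY))
    print("outbound 1024-65535:", ssh_session_works(INBOUND_SSH, OUTBOUND_EPHEMERAL))
```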

Hi @Scott, when you limit/add a port to the NACL rules, the security group tied to the instance will not automatically inherit the new rule. The question does not say the SG allows everything. So, would you not have to update the SG additionally?
