AWS Certified Solutions Architect - Associate (SAA-C02)

After setting up the new NACL

After setting up the new NACL I can no longer ping or ssh from the web server to the DB server in the private subnet. What did I forget?

Stephen Otradovec

Make sure you have ICMP enabled for pinging on outbound and inbound rules. This at least allows me to ping. Probably look into SSH after this.

Carlos Amador

Don’t forget that NACLs are stateless, so, like Stephen suggested, be sure to allow TCP both inbound and outbound. Should work fine after that.

Erik Swanson

As others have said, it has to do with the limited inbound rules. I found that I could no longer ping from the web server to the DB server, nor could I run updates on the web server. I just copied the outbound rule for Custom TCP and included it as an inbound rule as well. Everything works fine now, but I would research further before using this in a production environment.

Erik Swanson

From the AWS documentation: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html#nacl-ephemeral-ports

Erik Swanson

"If an instance in your VPC is the client initiating a request, your network ACL must have an inbound rule to enable traffic destined for the ephemeral ports specific to the type of instance (Amazon Linux, Windows Server 2008, and so on)."

2 Answers

Allow ICMP for both inbound and outbound as NACL is stateless
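The whole thread comes down to one property: a network ACL has no connection table, so the reply half of a connection the web server opened is judged on its own against the inbound rules. The following is an added example (not code from the question, the answers, or the AWS documentation) that simulates that evaluation for a web-subnet NACL. The rule numbers, the 10.0.1.0/24 web and 10.0.2.0/24 DB subnets, the 203.0.113.0/24 admin range, and the 198.51.100.7 package-mirror address are all constructed; ICMP type/code matching is simplified to "any ICMP"; the 1024-65535 reply range is the broad range the linked AWS page suggests when the client OS is not pinned down.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    number: int      # NACL rules are evaluated in ascending order; first match wins
    protocol: str    # "tcp", "udp", "icmp" or "all"
    port_from: int   # destination-port range of the packet; ignored for icmp/all
    port_to: int
    cidr: str        # remote address range (source for inbound, destination for outbound)
    action: str      # "allow" or "deny"


def evaluate(rules: List[Rule], protocol: str, dst_port: int, peer_ip: str) -> str:
    """Decide one packet in one direction. There is deliberately no state here:
    a NACL does not remember that the web server opened the connection, so the
    reply is checked independently. The implicit final rule '*' is deny."""
    peer = ipaddress.ip_address(peer_ip)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ("all", protocol):
            continue
        if peer not in ipaddress.ip_network(rule.cidr):
            continue
        if rule.protocol in ("tcp", "udp") and not (rule.port_from <= dst_port <= rule.port_to):
            continue
        return rule.action
    return "deny"


def client_flow(nacl: dict, server_ip: str, protocol: str,
                service_port: int, ephemeral_port: int) -> Tuple[str, str]:
    """Web server in this NACL's subnet acts as the client. Returns
    (request verdict, reply verdict). The request leaves via the outbound
    rules (destination port = service port); the reply comes back via the
    inbound rules (destination port = the client's ephemeral port)."""
    request = evaluate(nacl["outbound"], protocol, service_port, server_ip)
    reply = evaluate(nacl["inbound"], protocol, ephemeral_port, server_ip)
    return request, reply


DB_SUBNET = "10.0.2.0/24"   # constructed private subnet
DB_IP = "10.0.2.20"         # constructed DB server address

# Constructed "limited inbound" NACL from the question: outbound lets the web
# server start SSH, ping and HTTPS, but nothing lets the answers back in.
BROKEN_NACL = {
    "inbound": [
        Rule(100, "tcp", 80, 80, "0.0.0.0/0", "allow"),
        Rule(110, "tcp", 443, 443, "0.0.0.0/0", "allow"),
        Rule(120, "tcp", 22, 22, "203.0.113.0/24", "allow"),   # admin SSH in
    ],
    "outbound": [
        Rule(100, "tcp", 22, 22, DB_SUBNET, "allow"),          # SSH to DB
        Rule(110, "icmp", 0, 0, DB_SUBNET, "allow"),           # ping DB
        Rule(120, "tcp", 443, 443, "0.0.0.0/0", "allow"),      # package updates
    ],
}

# Fixed copy: add the reply rules the stateless NACL needs on the inbound side.
FIXED_NACL = {
    "inbound": BROKEN_NACL["inbound"] + [
        Rule(130, "tcp", 1024, 65535, "0.0.0.0/0", "allow"),   # ephemeral-port replies
        Rule(140, "icmp", 0, 0, DB_SUBNET, "allow"),           # echo replies from DB
    ],
    "outbound": BROKEN_NACL["outbound"],
}


def thread_scenarios(nacl: dict) -> dict:
    """The three symptoms from the thread, each as (request, reply)."""
    return {
        "ssh_to_db": client_flow(nacl, DB_IP, "tcp", 22, 49152),
        "ping_db": client_flow(nacl, DB_IP, "icmp", 0, 0),
        "yum_update": client_flow(nacl, "198.51.100.7", "tcp", 443, 51000),
    }


if __name__ == "__main__":
    for name, nacl in (("broken", BROKEN_NACL), ("fixed", FIXED_NACL)):
        for scenario, verdict in thread_scenarios(nacl).items():
            print(f"{name:6} {scenario:10} request={verdict[0]:5} reply={verdict[1]}")
```

Every "broken" scenario shows the request allowed and the reply denied, which is exactly the symptom of a half-open, stateless rule set: the SYN and the echo request leave, the SYN-ACK and echo reply die at the inbound side. Note also that the order of rule numbers is part of the policy; a deny with a lower number than the matching allow wins, so audit the numbers and not just the presence of a rule.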
