After setting up the new NACL I can no longer ping or ssh from the web server to the DB server in the private subnet. What did I forget?
Make sure you have ICMP enabled for pinging on outbound and inbound rules. This at least allows me to ping. Probably look into SSH after this.
Allow ICMP for both inbound and outbound as NACL is stateless
Don’t forget that NACLs are stateless, so like Stephen suggested, be sure to allow TCP both inbound and outbound. Should work fine after that.
As others have said, it has to do with the limited inbound rules. I found that I could no longer ping from the Web Server to the DB Server, nor could I run updates on the Web Server. I just copied the Outbound rule for Custom TCP and included it as an Inbound rule as well. Everything works fine now, but I would research further before using this in a production environment.
From the AWS documentation: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html#nacl-ephemeral-ports
"If an instance in your VPC is the client initiating a request, your network ACL must have an inbound rule to enable traffic destined for the ephemeral ports specific to the type of instance (Amazon Linux, Windows Server 2008, and so on)."
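As an added illustration (not code from this thread or from AWS), the following small Python model shows why the stateless NACL in the thread breaks SSH and ping: each half of a session is matched against the rules on its own, lowest rule number first, with an implicit final deny. It assumes the NACL sits on the web server's (client) subnet; the rule numbers, the port 80 rule and the 1024-65535 ephemeral range are constructed assumptions.

```python
from dataclasses import dataclass

# Rules are evaluated in ascending number order; first match wins;
# anything unmatched hits the implicit "*" deny. No connection tracking.

@dataclass(frozen=True)
class Rule:
    number: int
    direction: str   # "inbound" or "outbound" relative to the subnet
    protocol: str    # "tcp", "icmp" or "all"
    ports: tuple     # (low, high); ignored unless protocol is "tcp"
    action: str      # "allow" or "deny"

@dataclass(frozen=True)
class Packet:
    direction: str
    protocol: str
    dst_port: int

def evaluate(rules, packet):
    """Return 'allow' or 'deny' for one packet crossing the subnet boundary."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.direction != packet.direction:
            continue
        if r.protocol not in ("all", packet.protocol):
            continue
        if r.protocol == "tcp" and not (r.ports[0] <= packet.dst_port <= r.ports[1]):
            continue
        return r.action
    return "deny"   # implicit final rule

def ssh_from_web_server_allowed(rules, ephemeral_port=49152):
    """Web server (client) -> DB:22, then the reply back to an ephemeral port.
    Both halves must be allowed or the TCP handshake never completes."""
    request = Packet("outbound", "tcp", 22)              # web -> db
    reply = Packet("inbound", "tcp", ephemeral_port)     # db -> web
    return evaluate(rules, request) == "allow" and evaluate(rules, reply) == "allow"

def ping_allowed(rules):
    """ICMP echo request out and echo reply back in are separate packets too."""
    return all(evaluate(rules, Packet(d, "icmp", 0)) == "allow" for d in ("outbound", "inbound"))

# Constructed rule set resembling the thread's broken state: outbound only.
BROKEN = [
    Rule(100, "outbound", "tcp", (22, 22), "allow"),
    Rule(110, "outbound", "icmp", (0, 0), "allow"),
    Rule(100, "inbound", "tcp", (80, 80), "allow"),
]
# Fixed: inbound ephemeral-port rule (per the AWS doc quote) plus inbound ICMP.
FIXED = BROKEN + [Rule(110, "inbound", "tcp", (1024, 65535), "allow"),
                  Rule(120, "inbound", "icmp", (0, 0), "allow")]
```

Note that FIXED still denies inbound TCP 22 to the web subnet, so allowing replies on the ephemeral range does not open the server to unsolicited SSH connections.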