AWS Certified Solutions Architect - Associate (SAA-C02)


NACL – Outbound Rules

At 9:43 he displays the outbound rules. I question if ports 80 (rule 100) and 22 (rule 200) are really required? Shouldn’t these be covered with the rule 300? The return traffic destination is the ephemeral ports – right?

Azure

The Ephemeral Port documentation on AWS answers this. The reason for the rule is rather because of the devices that are sending request/responses back to Public facing instances. You may read more here – https://go.aws/3pePrwb & https://bit.ly/30HB21u

3 Answers

Yes, I think that Azure didn't get the point. I agree with you @2ndwind

2ndwind

Thanks for the confirmation!

Niko Mehtonen

I disagree. While rules 100 and 200 are used when someone from the outside makes a request, the http or ssh reply is on that same port, i.e. 80 or 22. Ephemeral ports are for when the server makes a request and the reply to that request is routed through a different port.

Leo Square

No, the reply will be on ephemeral ports. If two computers behind a router are doing ssh/http to another server, how will the server know which computer to reply to if they are using the same ports (they will present themselves with the same public IP and response ports in your case)? That's why ephemeral ports exist (as well as NAT/PAT).

2ndwind, you are correct. The NACL is stateless – meaning that it doesn't keep track of the source (or any part of the state) of the TCP connection. An outside client would hit the webserver on port 80 originating from a random high source port (1024-65534). Hence the ACL requires outbound to 1024-65534 to allow the return traffic. Allowing port 80/443 outbound in the NACL means web requests sourced from the webserver are now allowed out to the world – you probably wouldn't want to allow that!

While you are correct that the return traffic uses ephemeral ports, keep in mind this means any HTTPS request originating from within your subnet would be blocked. This would in essence block things you likely want, like yum updates (citing a previous example).
There's absolutely a use case for completely locking down any HTTPS requests originating from within your subnet, but I wouldn't say it's the universal default everyone uses in networking.
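Added example, not code from the course or from any poster above: a small Python model of the stateless, first-match evaluation described in the last two replies. It assumes TCP only, the rule numbers used in the thread, and constructed packets; it shows that the reply to a client request only passes because of the ephemeral-port egress rule, while a request the server itself originates (e.g. HTTPS for package updates) needs its own outbound rule.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int       # NACL rule number; lower numbers are evaluated first
    port_from: int    # destination-port range the rule covers (TCP assumed)
    port_to: int
    allow: bool


@dataclass(frozen=True)
class Packet:
    src_port: int
    dst_port: int


def evaluate(rules, packet):
    """One direction of a stateless NACL: the lowest-numbered matching rule decides,
    and a packet that matches no rule hits the implicit deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.port_from <= packet.dst_port <= rule.port_to:
            return rule.allow
    return False


def round_trip(inbound, outbound, client_port, server_port):
    """Evaluate a client request and the server's reply as two independent packets.
    The NACL keeps no connection state, so the reply is only allowed if an
    outbound rule covers the client's (ephemeral) source port."""
    request = Packet(src_port=client_port, dst_port=server_port)
    reply = Packet(src_port=server_port, dst_port=client_port)
    return evaluate(inbound, request), evaluate(outbound, reply)


def server_initiated(outbound, remote_port):
    """A request originating on the server itself, e.g. HTTPS to a repo mirror
    (constructed source port, any high port would do)."""
    return evaluate(outbound, Packet(src_port=40000, dst_port=remote_port))


# Constructed rule sets mirroring the thread: inbound allows 80/22; egress variants differ.
INBOUND = [Rule(100, 80, 80, True), Rule(200, 22, 22, True)]
EPHEMERAL_ONLY = [Rule(300, 1024, 65535, True)]          # AWS ephemeral range
WITH_WEB_PORTS = [Rule(100, 80, 80, True), Rule(200, 22, 22, True)] + EPHEMERAL_ONLY

if __name__ == "__main__":
    print("client -> :80, reply, ephemeral-only egress:", round_trip(INBOUND, EPHEMERAL_ONLY, 51515, 80))
    print("server -> :443 with ephemeral-only egress:", server_initiated(EPHEMERAL_ONLY, 443))
    print("server -> :80 once rule 100 is added outbound:", server_initiated(WITH_WEB_PORTS, 80))
```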
