At 9:43 he displays the outbound rules. I question if ports 80 (rule 100) and 22 (rule 200) are really required? Shouldn’t these be covered with the rule 300? The return traffic destination is the ephemeral ports – right?
yes I think that Azure didn’t get the point, I agree with you @2ndwind
2ndwind you are correct. The nacl is stateless – meaning that it doesn’t keep track of the source (or any part of the state) of the tcp connection. An outside client would hit the webserver on port 80 originating from a random high source port (1024-65534). Hence why the acl requires outbound to 1024-65534 to allow the return traffic. Allowing port 80/443 outbound in the nacl means web requests sourced from the webserver are now allowed out to the world – you probably wouldn’t want to allow that!
While you are correct in that the return traffic uses ephemeral ports, keep in mind this means any https request originating from within your subnet would be blocked. This would in essence block things you likely want like yum updates (citing a previous example).
There’s absolutely a use case for completely locking down any https requests originating from within your subnet, but I wouldn’t say it’s the universal default everyone uses in networking.
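The trade-off the comments above describe can be checked with a small stateless-ACL evaluator. This is an added example, not code from the video or from any cloud provider: the rule numbers follow the thread (100 for port 80, 200 for port 22, 300 for the ephemeral range), the ephemeral range 1024-65535 and an extra rule 110 for port 443 are assumptions, and `flow_allowed` models both packets of a TCP exchange because a stateless ACL must permit each direction separately.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    number: int                 # NACL rule number; lower numbers are evaluated first
    action: str                 # "allow" or "deny"
    port_range: Tuple[int, int] # destination ports matched by the rule (inclusive)

# Constructed rule sets modelled on the thread (assumed ephemeral range 1024-65535).
EPHEMERAL = (1024, 65535)
INBOUND = [Rule(100, "allow", (80, 80)), Rule(200, "allow", (22, 22)), Rule(300, "allow", EPHEMERAL)]
# Outbound as shown in the video, plus an assumed rule 110 for HTTPS so the yum/https case can be tested.
OUTBOUND_PERMISSIVE = [Rule(100, "allow", (80, 80)), Rule(110, "allow", (443, 443)),
                       Rule(200, "allow", (22, 22)), Rule(300, "allow", EPHEMERAL)]
# Outbound tightened to only the return-traffic rule, as @2ndwind proposes.
OUTBOUND_TIGHTENED = [Rule(300, "allow", EPHEMERAL)]

def evaluate(rules: List[Rule], dst_port: int) -> Optional[int]:
    """Stateless evaluation: first matching rule (by ascending number) on the packet's
    destination port wins. Returns the allowing rule number, or None for an explicit
    deny or the implicit deny at the end of the list."""
    for r in sorted(rules, key=lambda r: r.number):
        lo, hi = r.port_range
        if lo <= dst_port <= hi:
            return r.number if r.action == "allow" else None
    return None

def flow_allowed(inbound: List[Rule], outbound: List[Rule], initiator_inside: bool,
                 client_port: int, server_port: int) -> Tuple[bool, Optional[int], Optional[int]]:
    """Check the request packet and the reply packet of one TCP flow.
    The reply's destination port is the client's ephemeral source port, which is
    why rule 300 is what carries return traffic in either direction."""
    if initiator_inside:
        request = evaluate(outbound, server_port)   # request leaves the subnet
        reply = evaluate(inbound, client_port)      # reply comes back in
    else:
        request = evaluate(inbound, server_port)    # outside client hits the server
        reply = evaluate(outbound, client_port)     # server's reply goes out
    return (request is not None and reply is not None), request, reply
```

With the tightened set, an outside client reaching port 80 still works (inbound 100, outbound 300), a web server initiating its own connection to port 80 on the internet is blocked, and so is an instance fetching updates over HTTPS, which is exactly the trade-off the last two comments weigh.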