Tags: amazon-web-services, port, acl, amazon-vpc, traffic

Does a curl/wget request respond on a random ephemeral port?


When I was setting up a VPC in AWS, I had created an instance in a public subnet. The instance was not able to ping Google and was giving a timeout when connecting to the yum repository.

The security groups were open with the required ports. When I edited the ACL to add ICMP from 0.0.0.0/0 inbound, the instance was able to ping Google. But the yum repository was still giving a timeout. All the curl/wget/telnet commands were returning errors. Only ping was working.

When I added the inbound port range 1024-65535 from 0.0.0.0/0 to the ACL, that is when the yum repository became reachable. Why is that?

The outbound traffic was allow-all in the ACL. Why do we need to allow inbound traffic on these ports to connect to any site?


Solution

  • In AWS, NACLs are attached to subnets. Security Groups are attached to instances (actually the network interface of an instance).

    You must have deleted NACL Inbound Rule 100, which then uses Rule *, which blocks ALL incoming traffic. Unless you have specific reasons, I would use the default rules in your NACL. Control access using Security Groups which are "stateful". NACLs are "stateless".

    The default Inbound rules for NACLs:

    Rule  Type         Protocol  Port range  Source     Allow/Deny
    100   ALL Traffic  ALL       ALL         0.0.0.0/0  ALLOW
    *     ALL Traffic  ALL       ALL         0.0.0.0/0  DENY

    Your Outbound rules should look like this:

    Rule  Type         Protocol  Port range  Destination  Allow/Deny
    100   ALL Traffic  ALL       ALL         0.0.0.0/0    ALLOW
    *     ALL Traffic  ALL       ALL         0.0.0.0/0    DENY

    When your EC2 instance connects outbound to another system, the return traffic will usually be between ports 1024 to 65534. Ports 1-1023 are considered privileged ports and are reserved for specific services such as HTTP (80), HTTPS (443), SMTP (25, 465, 587), etc. A Security Group will remember the connection attempt and automatically open the required return port.
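To make the stateless-versus-stateful difference concrete, here is a small model of the two evaluation styles. It is an added example, not code from the question or the answer above, and it does not call AWS; it reproduces the documented NACL semantics (rules evaluated in ascending rule-number order, with the implicit `*` rule denying whatever nothing else matched) next to a connection-tracking filter that behaves like a Security Group. The addresses, the ephemeral port and the rule sets are constructed to mirror the situation in the question: inbound rule 100 gone, only ICMP allowed, then the 1024-65535 range added.

```python
"""Stateless NACL vs stateful Security Group, modelled in a few lines.

Added example, not part of the original post. The rule sets, IP addresses
and ports below are constructed for illustration; the evaluation order
(lowest rule number first, then the implicit "*" DENY) follows the AWS
NACL documentation.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Rule:
    number: int      # NACL rule number; "*" is modelled as a number above the allowed range
    protocol: str    # "tcp", "udp", "icmp" or "all"
    port_lo: int     # inclusive port range (ignored for icmp/all)
    port_hi: int
    cidr: str        # source CIDR for inbound rules, destination CIDR for outbound rules
    action: str      # "allow" or "deny"


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# The implicit catch-all rule every NACL ends with.
STAR = Rule(number=32768, protocol="all", port_lo=0, port_hi=65535, cidr=ANY, action="deny")


def rule_matches(rule: Rule, proto: str, ip: str, port: int) -> bool:
    if rule.protocol not in ("all", proto):
        return False
    if ip_address(ip) not in ip_network(rule.cidr):
        return False
    if rule.protocol in ("all", "icmp"):
        return True
    return rule.port_lo <= port <= rule.port_hi


def nacl_decision(rules, proto, ip, port) -> str:
    """Stateless: the lowest-numbered matching rule decides; '*' denies the rest."""
    for rule in sorted(list(rules) + [STAR], key=lambda r: r.number):
        if rule_matches(rule, proto, ip, port):
            return rule.action
    return "deny"


class StatefulFilter:
    """Security-Group-like filter: outbound is allowed and the flow is remembered,
    so the matching return packet is admitted without an inbound rule."""

    def __init__(self):
        self.flows = set()

    def outbound(self, pkt: Packet) -> str:
        self.flows.add((pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port))
        return "allow"

    def inbound(self, pkt: Packet) -> str:
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return "allow" if key in self.flows else "deny"


INSTANCE_IP, REPO_IP = "10.0.1.10", "203.0.113.7"   # constructed (RFC 1918 / RFC 5737 ranges)
EPHEMERAL = 49152                                    # constructed ephemeral source port


def simulate_yum_fetch(inbound_rules, outbound_rules):
    """The HTTP fetch from the question: SYN out to port 80, SYN-ACK back to the
    ephemeral port. Returns (nacl_outbound, nacl_return, sg_return)."""
    syn = Packet("tcp", INSTANCE_IP, EPHEMERAL, REPO_IP, 80)
    syn_ack = Packet("tcp", REPO_IP, 80, INSTANCE_IP, EPHEMERAL)
    # NACLs match on the destination port of the packet being evaluated.
    nacl_out = nacl_decision(outbound_rules, syn.proto, syn.dst_ip, syn.dst_port)
    nacl_ret = nacl_decision(inbound_rules, syn_ack.proto, syn_ack.src_ip, syn_ack.dst_port)
    sg = StatefulFilter()
    sg.outbound(syn)
    return nacl_out, nacl_ret, sg.inbound(syn_ack)


def simulate_ping_reply(inbound_rules) -> str:
    """ICMP echo reply coming back: no port, so only the protocol and CIDR matter."""
    return nacl_decision(inbound_rules, "icmp", REPO_IP, 0)


OUTBOUND_DEFAULT = [Rule(100, "all", 0, 65535, ANY, "allow")]
# The state in the question: inbound rule 100 removed, ICMP added back.
INBOUND_ICMP_ONLY = [Rule(100, "icmp", 0, 0, ANY, "allow")]
# The fix from the question: ephemeral return range opened inbound.
INBOUND_WITH_EPHEMERAL = INBOUND_ICMP_ONLY + [Rule(110, "tcp", 1024, 65535, ANY, "allow")]

if __name__ == "__main__":
    print("ping reply, ICMP only:", simulate_ping_reply(INBOUND_ICMP_ONLY))
    print("yum fetch, ICMP only: ", simulate_yum_fetch(INBOUND_ICMP_ONLY, OUTBOUND_DEFAULT))
    print("yum fetch, 1024-65535:", simulate_yum_fetch(INBOUND_WITH_EPHEMERAL, OUTBOUND_DEFAULT))
```

With only the ICMP rule, the outbound SYN is allowed and the echo reply is allowed, but the SYN-ACK arriving on the ephemeral port falls through to `*` and is dropped, which is exactly the "only ping works" symptom; the stateful filter admits the same SYN-ACK because it remembered the outbound flow. Adding the 1024-65535 inbound rule lets the NACL admit the return packet too.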