Tags: amazon-web-services, amazon-ec2, amazon-vpc, aws-security-group

Ephemeral ports on AWS Web server NACL Rule


I am new to AWS and have been experimenting with NACL rules. I went through "Amazon VPC NACL default rules evaluation order" to understand how NACL rules work.

I've created a test EC2 instance (with NGINX) in a public subnet with an Elastic IP. I have added the EC2 instance to the default security group, which allows all traffic on all ports. I initially configured the NACL to block all traffic. This worked fine because I was not able to SSH into my instance or reach it over HTTPS. My goal is to let 0.0.0.0/0 reach HTTP port 80 on my instance.

Understanding that NACLs are stateless, I added communication to/from 0.0.0.0/0 on all TCP ports. This worked fine.

Now, I thought of restricting inbound and outbound to port 80. However, using this, I wasn't able to access the test NGINX page.

This doesn't work

I noticed that if I change the outbound rule to allow all ports, I am able to access the NGINX page. I am not sure why this is happening.

Here's the new config: [image]

Do I need to add ephemeral ports as well? https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html#nacl-ephemeral-ports


Solution

  • Yes. You need to open the ephemeral ports 1024-65535 (assuming a Linux server is being used).

    Your server will receive requests on 80 (or 443) but send the response to one of those ephemeral ports. Blocking outbound for the ephemeral ports is blocking that response.

    You do not need to open 80 (or 443) on the outbound for your web server to work. Your web server would only need port 80 (or 443) outbound open if it needs to make an HTTP request to another web server, which it may well need to do, for example to call a third-party API.
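To make the stateless evaluation concrete, here is an added example (not part of the question or the answer above) that models NACL rule evaluation in Python and runs the two configurations from the question through it. The evaluator follows the documented NACL semantics: rules are checked in ascending rule-number order, the first match wins, and anything unmatched hits the implicit `*` deny. Inbound rules are matched on the packet's source CIDR and destination port; outbound rules on the packet's destination CIDR and destination port. The IP addresses and client port (203.0.113.10:51234, 10.0.1.25, 198.51.100.7) are constructed sample values, and the rule numbers are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class NaclRule:
    number: int      # evaluated lowest first; first match wins
    protocol: str    # "tcp", "udp" or "all"
    port_from: int   # destination port range covered by the rule
    port_to: int
    cidr: str        # source CIDR for inbound rules, destination CIDR for outbound rules
    action: str      # "allow" or "deny"


@dataclass(frozen=True)
class Packet:
    protocol: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def evaluate(rules, packet, direction):
    """Return 'allow' or 'deny' for one packet, with NACL semantics.

    NACLs are stateless: a reply packet is evaluated on its own against the
    rules of its own direction, with no memory of the request that caused it.
    """
    if direction not in ("inbound", "outbound"):
        raise ValueError("direction must be 'inbound' or 'outbound'")
    remote_ip = ip_address(packet.src_ip if direction == "inbound" else packet.dst_ip)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol != "all" and rule.protocol != packet.protocol:
            continue
        if not (rule.port_from <= packet.dst_port <= rule.port_to):
            continue
        if remote_ip not in ip_network(rule.cidr):
            continue
        return rule.action
    return "deny"  # the catch-all '*' rule


ANY = "0.0.0.0/0"

# The configuration from the question that does not work: 80 in, 80 out.
INBOUND_HTTP = [NaclRule(100, "tcp", 80, 80, ANY, "allow")]
OUTBOUND_HTTP_ONLY = [NaclRule(100, "tcp", 80, 80, ANY, "allow")]

# The fix from the answer: outbound allows the ephemeral range instead.
OUTBOUND_EPHEMERAL = [NaclRule(100, "tcp", 1024, 65535, ANY, "allow")]

# Constructed sample flow: a browser at 203.0.113.10 picks ephemeral port 51234
# and connects to the instance's private address 10.0.1.25 on port 80.
CLIENT_SYN = Packet("tcp", "203.0.113.10", 51234, "10.0.1.25", 80)
# The reply travels from port 80 *to* the client's ephemeral port, so outbound
# rules see destination port 51234, not 80.
SERVER_REPLY = Packet("tcp", "10.0.1.25", 80, "203.0.113.10", 51234)
# Constructed sample of the instance itself calling a third-party HTTPS API.
API_CALL = Packet("tcp", "10.0.1.25", 40001, "198.51.100.7", 443)


def http_works(inbound, outbound):
    """True when both halves of the HTTP exchange pass the NACL."""
    return (evaluate(inbound, CLIENT_SYN, "inbound") == "allow"
            and evaluate(outbound, SERVER_REPLY, "outbound") == "allow")


if __name__ == "__main__":
    print("80 in / 80 out:", http_works(INBOUND_HTTP, OUTBOUND_HTTP_ONLY))
    print("80 in / 1024-65535 out:", http_works(INBOUND_HTTP, OUTBOUND_EPHEMERAL))
    print("outbound call to API on 443:", evaluate(OUTBOUND_EPHEMERAL, API_CALL, "outbound"))
```

Running this shows why the question's "80 in, 80 out" NACL breaks the page: the client's SYN is allowed inbound, but the reply is judged by the outbound rules on its destination port (the client's ephemeral port), which the port-80-only rule never matches. With the ephemeral range allowed outbound the exchange completes, while the instance's own call to an API on port 443 is still denied until a separate outbound 443 rule is added (and, because the list is stateless, the API's reply would in turn need an inbound rule covering the instance's ephemeral source port).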