AWS - NACLs, Outbound Traffic Rules Clarification

Hello Everyone,

I'm new to this forum and also new to AWS Cloud learning. I'm pursuing a course on AWS SAA and I came across an issue, or maybe it's a protocol, but wanted some clarification on it for my understanding.

I created a NACL:

Inbound

  1. SSH - Allowed

Outbound

  1. All Traffic - Allowed

What did I do?
I SSH'd into the EC2 instance and it worked.

Now, when I change the scenario to the one below and try to SSH into EC2, it doesn't work.
Inbound

  1. SSH - Allowed

Outbound

  1. SSH - Allowed

Question: So should outbound rules in a NACL always allow all traffic, and only then will SSH, ping or even HTTP/HTTPS work? Or am I missing something here?

Regards
Anshuman M.

A NACL creates what is known as a stateless firewall. This basically means that simply permitting an inbound connection does not imply that replies from that connection can get back out, therefore the NACL's egress must allow for this (more on this later).

A security group on the other hand is a stateful firewall, which means that you don’t need to consider the return path of incoming connections you allow.

So, back to the stateless firewall concept. When you allow ingress (inbound) for SSH (port 22), or HTTP (80), HTTPS (443) etc., then the request will get in. The receiving server needs to open a connection back to the sender in order to send replies. It is this connection that will be blocked by strict outbound rules in the NACL. An inbound connection on port 22 (SSH) does not mean that the reverse connection will also be port 22 - in fact it never is!

“How do I know what port it will be then?” you ask.

TCP has a concept called "ephemeral ports", which are the set of ports used to send replies on. An ephemeral port is chosen when the connection is established, and lies in the range 32768–60999. Therefore, if you create an outbound rule in the NACL that permits all traffic in this port range to pass, then have a deny-all rule after it, it should work, whilst also locking down the internal network from making calls to the outside world for well-known services like SSH, HTTP etc., which you can open individually on a case-by-case basis. But if you did that, you would also have to add the ephemeral ports to the inbound rules, or calls to the outside world from the EC2 instances wouldn't get their replies!

Stateless firewalls are much faster and use less memory because they don’t manage the state of connections. This is why they’re applied to entire subnets rather than individual instances like security groups. A maximum sized subnet in AWS can support just over 65,500 instances. Trying to manage state for that much traffic would soon crash the NACL device!
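To make the stateless evaluation in the answer above concrete, here is an added example (not from the original thread or from AWS) that models a NACL as a numbered rule list with first-match-wins and an implicit deny, then runs the two rule sets from the question and the ephemeral-port layout from the answer through it. The client port 51234 and the rule numbers are constructed sample values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    number: int      # NACL rules are evaluated in ascending number order; first match wins
    protocol: str    # "tcp", "udp" or "all" (the port range is ignored for "all")
    port_from: int
    port_to: int
    action: str      # "allow" or "deny"

def evaluate(rules, protocol, port):
    """Return 'allow' or 'deny' for one packet, the way a stateless NACL does.

    There is no connection table: every packet, including a reply to a
    connection that was already admitted, is matched against the rule list
    on its own. If nothing matches, the implicit '*' deny applies.
    """
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ("all", protocol):
            continue
        if rule.protocol != "all" and not (rule.port_from <= port <= rule.port_to):
            continue
        return rule.action
    return "deny"

def ssh_session_works(inbound, outbound, client_port=51234):
    """An inbound SSH session needs two packet directions to pass: the
    client's request to port 22 (inbound) and the server's replies back to
    the client's ephemeral port (outbound). client_port is a constructed
    sample value inside the range quoted in the answer."""
    request_ok = evaluate(inbound, "tcp", 22) == "allow"
    reply_ok = evaluate(outbound, "tcp", client_port) == "allow"
    return request_ok and reply_ok

# Rule sets as described in the question and the answer
SSH_IN = Rule(100, "tcp", 22, 22, "allow")
EPHEMERAL_IN = Rule(110, "tcp", 32768, 60999, "allow")
ALL_OUT = Rule(100, "all", 0, 65535, "allow")
SSH_OUT = Rule(100, "tcp", 22, 22, "allow")
EPHEMERAL_OUT = Rule(100, "tcp", 32768, 60999, "allow")
DENY_ALL_OUT = Rule(200, "all", 0, 65535, "deny")

scenario_1 = ([SSH_IN], [ALL_OUT])                              # works
scenario_2 = ([SSH_IN], [SSH_OUT])                              # fails: the reply is not to port 22
proposed = ([SSH_IN, EPHEMERAL_IN], [EPHEMERAL_OUT, DENY_ALL_OUT])  # the answer's layout

if __name__ == "__main__":
    for name, (inb, outb) in [("scenario 1", scenario_1), ("scenario 2", scenario_2), ("proposed", proposed)]:
        print(name, "SSH works:", ssh_session_works(inb, outb))
    # With the proposed rules the instance can no longer open SSH to the outside itself
    print("proposed, instance-initiated SSH out:", evaluate(proposed[1], "tcp", 22))
```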