Aws private Link interface endpoint outbound rules

Hi,

With Privatelink interface endpoints, this will create an ENI (Elastic Network Interface) is the associated subnet that is chosen when you create the VPC endpoint. These also have security groups attached to the VPC endpoint. Security groups are stateful, so you can account for whatever access is needed and not be concerned with any return traffic (like NACLs for AWS VPCs).

Some additional information around this topic is in they documentation located here

Hi , I appreciate your response .

So the interface endpoint act as entry point to reach aws endpoint service (producer ) . The actual storage gateway instance running on private subnet will receive the response from AWS endpoint services through the interface endpoint.

With this scenario there is requirement to open 1026-1031 port in inbound in interface SG , its done .

The private network is completely controlled by NACL . My storage gateway instance and interface endpoint in the same subnet , now security group side all clear . Related with NACL is I need to open 1026-1031 inbound or outbound level. Because there is return traffic coming from AWS into private subnet or it will work without opening any port in NACL . (Its custom NACL associated)

also is ephemeral port needs to be allowed 1024-65535 in NACL?

https://docs.aws.amazon.com/filegateway/latest/files3/gateway-private-link.html