You should definitely run a test without the NACLs in place to ensure that the network configuration is correct. Then you can try putting back the NACLs to see when things fail.
As a general note (and to try and help with your troubleshooting): NACLs are stateless - so you do need to add the ephemeral ports if you want to use NACLs.
But in this case, I would ask "why use NACL?" - because if most of your traffic is outbound (i.e. initiated from instances/containers in your VPC) from a private subnet then (a) NAT Gateway won't allow traffic to be initiated from the internet to your resources; and (b) security groups (which are stateful) are there to protect your resources.
The advice I normally give customers is: use security groups as much as possible because they are stateful and easy to manage. Use NACLs where you must but only as a blunt object - for example, to stop two networks from communicating with each other completely. Trying to nail down ephemeral ports with NACLs is a lot of hard work for (probably) little benefit. Of course, every situation is different and NACLs are a useful tool; but useful when used for the right reasons.
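To make the stateless point concrete, here is an added example (written for this page, not code from the answer's author or from AWS) that simulates how a network ACL evaluates packets: rules are checked in ascending rule-number order, the first match decides, and anything unmatched hits the implicit `*` deny. The rule numbers, CIDRs, the documentation address 203.0.113.10 and the 1024-65535 ephemeral range are all constructed assumptions for the simulation. It walks through the three situations in the answer: the allow-everything baseline ("test without the NACLs"), a NACL that only allows port 443 inbound (return traffic to the ephemeral port is dropped), the same NACL with the ephemeral range added, and a low-numbered "blunt object" deny rule that cuts off a peer network regardless of what follows it.

```python
"""Simulation of AWS network ACL (NACL) rule evaluation. Illustrative only;
not AWS code. All rule sets, CIDRs and ports below are constructed."""
from dataclasses import dataclass
import ipaddress

# Range assumed for return traffic in this simulation; the real range depends
# on the client OS / NAT device and should be checked for your environment.
EPHEMERAL = (1024, 65535)


@dataclass(frozen=True)
class Rule:
    number: int        # NACLs evaluate lowest number first
    protocol: str      # "tcp", "udp", or "-1" for all traffic (ports ignored)
    port_from: int
    port_to: int
    cidr: str          # source CIDR for ingress rules, destination CIDR for egress
    action: str        # "allow" or "deny"


@dataclass(frozen=True)
class Packet:
    protocol: str
    dst_port: int      # port the packet is addressed to
    remote_ip: str     # the non-VPC side of the flow


def evaluate(rules, packet):
    """Return (action, matched_rule_number). Stateless: each packet is judged
    on its own, with no memory of the connection it belongs to."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ("-1", packet.protocol):
            continue
        if rule.protocol != "-1" and not (rule.port_from <= packet.dst_port <= rule.port_to):
            continue
        if ipaddress.ip_address(packet.remote_ip) not in ipaddress.ip_network(rule.cidr):
            continue
        return rule.action, rule.number
    return "deny", "*"   # implicit catch-all deny at the end of every NACL


def outbound_connection_allowed(egress_rules, ingress_rules, remote_ip,
                                remote_port, local_ephemeral_port, protocol="tcp"):
    """An instance-initiated connection needs BOTH the outgoing SYN and the
    incoming reply to pass, because the NACL does not track state."""
    out, _ = evaluate(egress_rules, Packet(protocol, remote_port, remote_ip))
    back, _ = evaluate(ingress_rules, Packet(protocol, local_ephemeral_port, remote_ip))
    return out == "allow" and back == "allow"


def stateful_outbound_allowed(egress_rules, remote_ip, remote_port, protocol="tcp"):
    """Security-group style: only the initiating direction is evaluated, the
    reply is admitted automatically by connection tracking."""
    return evaluate(egress_rules, Packet(protocol, remote_port, remote_ip))[0] == "allow"


# Constructed rule sets
ALLOW_ALL = [Rule(100, "-1", 0, 0, "0.0.0.0/0", "allow")]          # baseline test
EGRESS_HTTPS = [Rule(100, "tcp", 443, 443, "0.0.0.0/0", "allow")]
INGRESS_443_ONLY = [Rule(100, "tcp", 443, 443, "0.0.0.0/0", "allow")]  # common mistake
INGRESS_WITH_EPHEMERAL = INGRESS_443_ONLY + [
    Rule(110, "tcp", EPHEMERAL[0], EPHEMERAL[1], "0.0.0.0/0", "allow")]
BLOCK_PEER = [Rule(50, "-1", 0, 0, "10.20.0.0/16", "deny")]        # "blunt object"


if __name__ == "__main__":
    remote, eph = "203.0.113.10", 51234
    print("no NACL restrictions:", outbound_connection_allowed(EGRESS_HTTPS, ALLOW_ALL, remote, 443, eph))
    print("443 inbound only   :", outbound_connection_allowed(EGRESS_HTTPS, INGRESS_443_ONLY, remote, 443, eph))
    print("with ephemeral     :", outbound_connection_allowed(EGRESS_HTTPS, INGRESS_WITH_EPHEMERAL, remote, 443, eph))
    print("reply matched rule :", evaluate(INGRESS_WITH_EPHEMERAL, Packet("tcp", eph, remote)))
    print("peer network       :", evaluate(BLOCK_PEER + ALLOW_ALL, Packet("tcp", 443, "10.20.1.5")))
```

When a connection from a private subnet hangs, `evaluate` applied to the reply packet (destination port = the instance's ephemeral source port) shows which rule, or the implicit `*`, dropped it; the ordering check with `BLOCK_PEER` shows why a low-numbered deny is the right shape for cutting two networks apart, since later allow rules never get a look.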
Were you able to find a solution? I am facing the same issue.