You can block outbound connections to the TCP ports 80 and 443 either by not allowing them in the outbound rules of any of the security groups attached to the network interfaces of your EC2 instances, or by explicitly denying traffic to those destinations in the outbound rules of the network ACL (NACL) attached to the subnet(s) hosting your EC2 instances.
If you write a "deny" rule in a NACL, you'll need to give it a rule number less than any other rule that would allow the traffic. For example, if all traffic is allowed by rule 100, the deny rule would have to have a number no higher than 99. To avoid blocking traffic inside your VPC, you might want to allow all traffic to the VPC's CIDR range in a lower-numbered rule, such as 50, and then block the specific port numbers in the next rule, such as 60, before hitting the default rule 100 that allows everything.
Note that most AWS services, such as S3, DynamoDB, SQS, and many others, have their APIs on the standard HTTPS port tcp/443. If you block all outbound HTTPS traffic to the internet, traffic to all public AWS APIs will also be blocked, unless you have local VPC endpoints for those services inside your VPC's CIDR blocks.
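The rule-ordering point above is easy to get wrong, so here is an added example (not part of the original answer) that simulates how a network ACL evaluates egress rules: ascending rule number, first match wins, implicit deny at the end. It encodes the layout the answer suggests (allow the VPC CIDR at 50, deny tcp/80 and tcp/443 at 60 and 61, default allow at 100) next to a misordered variant where the same deny rules sit above the catch-all allow and therefore never fire. The VPC range 10.0.0.0/16 and the probe addresses are constructed sample values; the evaluator models only the egress direction and does not account for the stateless return path.

```python
"""Simulate AWS network ACL egress evaluation.

NACL rules are checked in ascending rule-number order and the first match
decides the packet's fate, so a "deny" must carry a lower number than any
"allow" that would otherwise match. This is an illustrative model, not the
AWS API.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class NaclRule:
    number: int                              # lower numbers are evaluated first
    action: str                              # "allow" or "deny"
    protocol: str                            # "tcp", "udp" or "all"
    cidr: str                                # destination CIDR (egress rule)
    ports: Optional[Tuple[int, int]] = None  # inclusive range; None = all ports

    def matches(self, proto: str, dst_ip: str, dst_port: int) -> bool:
        if self.protocol != "all" and self.protocol != proto:
            return False
        if ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(self.cidr):
            return False
        if self.ports is not None and not (self.ports[0] <= dst_port <= self.ports[1]):
            return False
        return True


def evaluate_egress(rules, proto: str, dst_ip: str, dst_port: int):
    """Return (action, rule_number) of the first matching rule.

    If nothing matches, the NACL's implicit final rule ("*") denies the packet.
    """
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(proto, dst_ip, dst_port):
            return rule.action, rule.number
    return "deny", "*"


VPC_CIDR = "10.0.0.0/16"  # constructed sample VPC range

# Layout from the answer: intra-VPC allow at 50, web denies at 60/61, default allow at 100.
GOOD_RULES = [
    NaclRule(50, "allow", "all", VPC_CIDR),
    NaclRule(60, "deny", "tcp", "0.0.0.0/0", (80, 80)),
    NaclRule(61, "deny", "tcp", "0.0.0.0/0", (443, 443)),
    NaclRule(100, "allow", "all", "0.0.0.0/0"),
]

# Same deny rules numbered above the catch-all allow: rule 100 matches first, so they never apply.
MISORDERED_RULES = [
    NaclRule(50, "allow", "all", VPC_CIDR),
    NaclRule(100, "allow", "all", "0.0.0.0/0"),
    NaclRule(110, "deny", "tcp", "0.0.0.0/0", (80, 80)),
    NaclRule(111, "deny", "tcp", "0.0.0.0/0", (443, 443)),
]


def summarize(rules) -> dict:
    """Run constructed probes against a rule set and report the resulting action per probe."""
    internet_host = "203.0.113.10"  # constructed public address (TEST-NET-3)
    vpc_host = "10.0.5.20"          # constructed address inside VPC_CIDR
    return {
        "https_internet": evaluate_egress(rules, "tcp", internet_host, 443)[0],
        "http_internet": evaluate_egress(rules, "tcp", internet_host, 80)[0],
        "https_vpc": evaluate_egress(rules, "tcp", vpc_host, 443)[0],
        "ssh_internet": evaluate_egress(rules, "tcp", internet_host, 22)[0],
    }


if __name__ == "__main__":
    for name, rules in (("good", GOOD_RULES), ("misordered", MISORDERED_RULES)):
        print(name, summarize(rules))
```

Running the block shows the good set denying web egress to the internet while leaving intra-VPC HTTPS and other ports open, and the misordered set allowing everything, which is exactly the symptom of a deny rule numbered above the allow it was meant to override. The same first-match logic is why a VPC endpoint inside the VPC CIDR keeps working under the good set: its address matches rule 50 before the deny rules are reached.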

Thank you for your answer! It did work (I was wrong on inbound/outbound). Wish it allowed us to block ports in Outbound rules as opposed to having to add all allowed ports. Thank you for the quick response!
NACLs allow explicit "deny" rules to be configured to accomplish that, but NACLs are stateless, processing traffic packet-by-packet, and apply to the whole subnet, making them relatively difficult to use. Security groups indeed don't allow explicit deny rules, so the inverse must be allowed, unfortunately.