- Newest
- Most votes
- Most comments
NACLs are stateless, the response is not implicitly allowed therefore you need to explicitly allow the Ephemeral ports. On the other hand Security groups are stateful, you only would need to allow inbound access, return response would be allowed implicitly.
yea.. I am understand that that I have port 80 up inbound and also outbound..... just dont understand why I need the ephemeral ports open for http.. I would think if I have port 80 allow on the in and out it would work
For http the Request traffic is on port 80. Response traffic isn't on port 80, it's on one of the ephemeral ports. So for inbound connections your NACL needs to allow port 80 inbound but NOT outbound! Just the ephemeral ports outbound.
Let's say I connect to your webserver, which is listening on port 80.
The TCP connection originates from a socket on my device, which is bound to an ephemeral port. It'll connect, say, TCP port 54785 on my Mac to port 80 on your webserver.
Stateful firewalls understand that the traffic sent from port 80 on your webserver to port 54785 on my machine represents a connection / conversation, so they don't need explicit rules to permit the traffic.
NACLs on the other hand are completely stateless, and have no concept of what has happened at any other point in time, much like an AWS service team building a way to run containers, oblivious of the countless other services that do the same thing. As a result, the traffic from port 80 to the ephemeral ports has to be explicitly permitted.
All of that said, the default best practice guidance on NACLs is "avoid them if at all possible." They're annoying to troubleshoot, and easy to forget they're there...
Relevant content
- asked 2 years ago
- asked 2 years ago
- I host a website on an EC2 instance. How do I allow my users to connect on HTTP (80) or HTTPS (443)?AWS OFFICIALUpdated 2 months ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated a month ago