Not answering your question: Do you need NACLs? If you have a security group on your instances that allows the traffic that you want - the other traffic is denied by default. And security groups are stateful so they take care of the ephemeral ports for you.
NACLs are great as blunt objects. For example, stopping specific IP addresses or subnets from communicating. But trying to encode all the ports you need for two-way communication is difficult and ends up leaving a lot of ports open all the time, which may be undesirable.
In the scenario you describe above you will need to deal with ephemeral ports on the following:
- web server from the internet (inbound on public subnet)
- nat gateway from the internet (inbound on public subnet)
- nat gw to private subnet (outbound on public subnet)
- private subnet from the nat gw (inbound on private subnet)
As already mentioned, consider whether you really need NACLs; as you can see, they add a large amount of complexity.
Since you didn't specify which port to use, I'll give you a guide for general situations. The scenario in the official document linked below should be almost the same as the one you asked about.
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Scenario2.html#VPC_Scenario2_Security
In this scenario, a database on a private subnet and a web server located on a public subnet communicate with each other and are connected to the Internet through NAT. Therefore, the security group is supposed to open port 1433 between the web server and the DB. You can replace this part with the connection port used between the WAS server and the web server.
"Security groups allow inbound and outbound traffic for associated resources, such as EC2 instances. Network ACLs allow or deny inbound and outbound traffic at the subnet level. In most cases, security groups can meet your needs. However, you can use network ACLs if you want an additional layer of security. For more information, see Compare security groups and network ACLs."
As mentioned above, it is better to solve it with SG if possible.
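As an added worked example (not part of either answer above and not AWS tooling), here is a small stateless NACL evaluator in Python. It models the four ephemeral-port cases the first answer lists for the public/private subnet plus NAT gateway layout, and the port 1433 web-server-to-DB path from the second answer. The subnet CIDRs, host addresses, rule numbers and ephemeral source ports are constructed assumptions; 1024-65535 is the port range AWS documents for NAT gateways. Stripping the ephemeral rules shows exactly which half of each TCP flow a stateless NACL drops, and a low-numbered deny shows the "blunt object" use that NACLs are good at.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# Constructed addressing mirroring the shape of the AWS "public and private
# subnets (NAT)" scenario; none of these are real deployment values.
PUBLIC_SUBNET = "10.0.0.0/24"    # web server and NAT gateway
PRIVATE_SUBNET = "10.0.1.0/24"   # database tier
WEB_SERVER, NAT_GW, DB_SERVER = "10.0.0.10", "10.0.0.5", "10.0.1.20"
CLIENT, MIRROR = "203.0.113.7", "198.51.100.9"   # TEST-NET addresses standing in for the internet
EPHEMERAL = (1024, 65535)  # range AWS documents for NAT gateways (and most Linux clients)


@dataclass(frozen=True)
class Rule:
    number: int      # lowest number is evaluated first; first match wins
    direction: str   # "in" or "out"
    cidr: str        # source CIDR for "in" rules, destination CIDR for "out" rules
    port_from: int
    port_to: int
    action: str = "allow"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int    # NACL port ranges match the packet's destination port only


def evaluate(nacl: List[Rule], direction: str, pkt: Packet) -> str:
    """Stateless NACL semantics: each packet is matched on its own, so the reply
    half of a TCP flow (destination = the client's ephemeral port) needs its own rule."""
    peer = pkt.src_ip if direction == "in" else pkt.dst_ip
    for rule in sorted(nacl, key=lambda r: r.number):
        if (rule.direction == direction
                and ip_address(peer) in ip_network(rule.cidr)
                and rule.port_from <= pkt.dst_port <= rule.port_to):
            return rule.action
    return "deny"  # the implicit '*' rule at the end of every NACL


Hop = Tuple[List[Rule], str, Packet]


def flow(hops: List[Hop]) -> str:
    """A half-flow is allowed only if every subnet boundary it crosses allows it."""
    return "allow" if all(evaluate(n, d, p) == "allow" for n, d, p in hops) else "deny"


# Inbound and outbound rule numbers are independent of each other, as on a real NACL.
PUBLIC_NACL = [
    Rule(100, "in", "0.0.0.0/0", 443, 443),        # clients -> web server (also admits private hosts headed for the NAT GW)
    Rule(110, "in", "0.0.0.0/0", *EPHEMERAL),      # replies to web server / NAT GW outbound connections
    Rule(100, "out", "0.0.0.0/0", 443, 443),       # web server and NAT GW -> internet
    Rule(110, "out", PRIVATE_SUBNET, 1433, 1433),  # web server -> DB
    Rule(120, "out", "0.0.0.0/0", *EPHEMERAL),     # replies to clients, NAT GW -> private subnet
]
PRIVATE_NACL = [
    Rule(100, "in", PUBLIC_SUBNET, 1433, 1433),    # web server -> DB
    Rule(110, "in", PUBLIC_SUBNET, *EPHEMERAL),    # replies coming back through the NAT GW
    Rule(100, "out", "0.0.0.0/0", 443, 443),       # DB -> internet via NAT GW (patches etc.)
    Rule(110, "out", PUBLIC_SUBNET, *EPHEMERAL),   # DB replies to the web server
]


def check_flows(public: List[Rule], private: List[Rule]) -> Dict[str, str]:
    """Every half-flow in the scenario; ephemeral ports are whatever each client picked."""
    return {
        "client->web request":  flow([(public, "in", Packet(CLIENT, WEB_SERVER, 443))]),
        "web->client reply":    flow([(public, "out", Packet(WEB_SERVER, CLIENT, 51515))]),
        "web->db request":      flow([(public, "out", Packet(WEB_SERVER, DB_SERVER, 1433)),
                                      (private, "in", Packet(WEB_SERVER, DB_SERVER, 1433))]),
        "db->web reply":        flow([(private, "out", Packet(DB_SERVER, WEB_SERVER, 40001)),
                                      (public, "in", Packet(DB_SERVER, WEB_SERVER, 40001))]),
        "db->mirror via nat":   flow([(private, "out", Packet(DB_SERVER, MIRROR, 443)),
                                      (public, "in", Packet(DB_SERVER, MIRROR, 443)),
                                      (public, "out", Packet(NAT_GW, MIRROR, 443))]),
        "mirror->nat gw reply": flow([(public, "in", Packet(MIRROR, NAT_GW, 61000))]),
        "nat gw->db reply":     flow([(public, "out", Packet(NAT_GW, DB_SERVER, 45000)),
                                      (private, "in", Packet(NAT_GW, DB_SERVER, 45000))]),
    }


def without_ephemeral(nacl: List[Rule]) -> List[Rule]:
    """The common mistake: only the 'real' service ports are allowed."""
    return [r for r in nacl if (r.port_from, r.port_to) != EPHEMERAL]


def block_source(nacl: List[Rule], cidr: str) -> List[Rule]:
    """NACL as a blunt object: a low-numbered deny beats every later allow."""
    return [Rule(50, "in", cidr, 0, 65535, "deny")] + nacl


if __name__ == "__main__":
    for name, verdict in check_flows(without_ephemeral(PUBLIC_NACL), without_ephemeral(PRIVATE_NACL)).items():
        print(f"{name:22s} {verdict}")
```

Run without the ephemeral rules, every request half still passes while every reply half is denied, which is the failure the first answer warns about and the reason a stateful security group is the simpler tool. Note that the public subnet's inbound ephemeral rule has to be open to 0.0.0.0/0 because the NAT gateway receives replies from arbitrary internet hosts; that is the "lot of ports open all the time" trade-off.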