add ephemeral ports in nacl and security group

0

i have two subnets in a vpc, a public subnet for a web server and a private subnet for a was server i'm trying to connect a private subnet to internet using NAT gateway in a public subnet so in this case, in which nacl rules, and, on which subnet do i add ephemeral ports?

suin
asked 2 years ago512 views
3 Answers
1

Not answering your question: Do you need NACLs? If you have a security group on your instances that allows the traffic that you want - the other traffic is denied by default. And security groups are stateful so they take care of the ephemeral ports for you.

NACLs are great as blunt objects. For example, stopping specific IP addresses or subnets from communicating. But trying to encode all the ports you need to two-way communications is difficult and ends up leaving a lot of ports open all the time - which may be undesirable.

profile pictureAWS
EXPERT
answered 2 years ago
0

In the scenario you describe above you will need to deal with ephemeral ports on the following:

  • web server from the internet (inbound on public subnet)
  • nat gateway from the internet (inbound on public subnet)
  • nat gw to private subnet (outbound on public subnet)
  • private subnet from the nat gw (inbound on private subnet)

As already mentioned consider if you really need NACLs as you can see it adds a large level of complexity

AWS
EXPERT
Peter_G
answered 2 years ago
0

Since you didn't specify which port to use, I'll give you a guide for general situations. It is expected that the situation in the official document at the link below is almost the same as what you inquired about.

https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Scenario2.html#VPC_Scenario2_Security

In this scenario, a database on a private subnet and a web server located on a public subnet communicate with each other and are connected to the Internet through NAT. Therefore, the security group is supposed to open port 1433 between the web server and the DB. You can replace this part with the connection port used between the WAS server and the web server.

** Security groups allow inbound and outbound traffic for associated resources, such as EC2 instances. Network ACLs allow or deny inbound and outbound traffic at the subnet level. In most cases, security groups can meet your needs. However, you can use network ACLs if you want an additional layer of security. For more information, see Compare security groups and network ACLs. As mentioned above, it is better to solve it with SG if possible.

AWS
lecter
answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions