Not able to connect to EC2 instance using Windows Remote Desktop when I'm whitelisting only a single IP


I have hosted an EC2 instance on AWS. The instance is protected using two security groups, a network ACL, and a route table.

Network ACL inbound rules:

Rule Number | Type       | Protocol | Port range | Source       | Allow/Deny
10          | RDP (3389) | TCP (6)  | 3389       | 49.37.0.0/16 | Allow

Network ACL outbound rules:

Rule Number | Type       | Protocol | Port range | Source       | Allow/Deny
10          | RDP (3389) | TCP (6)  | 3389       | 49.37.0.0/16 | Allow

Security Group 1 inbound rules:

IP version | Type | Protocol | Port range | Source
IPv4       | RDP  | TCP      | 3389       | 49.37.0.0/16

As security groups allow return traffic, I did not add any outbound rule.

Route table routes:

Destination | Target           | Status | Propagated
::/0        | Internet gateway | Active | No
0.0.0.0/0   | Internet gateway | Active | No
1.0.0.0/16  | local            | Active | No

I tried to connect to the EC2 instance using:

  • Windows Remote Desktop from 49.37.10.140/32
  • and telnet at port 3389

but I am getting an error that the EC2 instance can't be reached.

Can anyone please let me know if there is any misconfiguration in the settings that I have done?

1 Answer
Accepted Answer

There appears to be a problem with the outbound rules of the network ACL.
Network ACLs are stateless security layers,
so we need to add a rule to allow the return packet.
Please allow 1024-65535 (the ephemeral ports) in an outbound rule with destination 49.37.10.140/32.

Network ACL outbound rules:

Rule Number | Type       | Protocol | Port range   | Destination     | Allow/Deny
10          | Custom TCP | TCP (6)  | 1024 - 65535 | 49.37.10.140/32 | Allow

https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html

EXPERT
answered a year ago
  • If I'm doing telnet on port 3389, and the request is going to EC2, then why is EC2 not responding back on port 3389?

    Or, if it's responding back on port 3389, and the NACL already has an outbound rule to allow traffic on port 3389, then why is the request failing?

  • When communicating from the client to the destination, the client is assigned one of the ephemeral ports (1024-65535) as the source port.
    So after communicating to the destination port (3389 in this case), the destination port of the return packet will be one of 1024-65535 and must be allowed in the network ACL.
    Even though port 3389 is allowed in the outbound rules, the destination port of the return packet does not match, so it is denied.

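To make the stateless evaluation in the accepted answer concrete, here is an added example (not code from the original post or from AWS) that replays the first two packets of the RDP handshake against the question's NACL rules and against the answer's corrected outbound rule. It models the AWS evaluation order (lowest rule number first, first match wins, the implicit final rule denies everything else). The instance private address 1.0.0.10 and the client ephemeral port are assumed values chosen to fit the local route in the question; the NACL does not check them, only the remote peer address and the destination port.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NaclRule:
    number: int      # rules are evaluated in ascending number order
    protocol: str    # "tcp", "udp", "icmp" or "-1" for all protocols
    port_from: int   # destination port range the rule matches
    port_to: int
    cidr: str        # source CIDR for inbound rules, destination CIDR for outbound rules
    action: str      # "allow" or "deny"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str = "tcp"


def evaluate(rules, packet, direction):
    """Return the NACL verdict for one packet.

    NACLs are stateless: a TCP reply is judged on its own header, not on
    the connection it belongs to. The first matching rule wins; anything
    unmatched hits the implicit '*' rule and is denied.
    """
    peer_ip = packet.src_ip if direction == "inbound" else packet.dst_ip
    port = packet.dst_port  # the port range in a rule always refers to the destination port
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ("-1", packet.protocol):
            continue
        if not (rule.port_from <= port <= rule.port_to):
            continue
        if ipaddress.ip_address(peer_ip) not in ipaddress.ip_network(rule.cidr):
            continue
        return rule.action
    return "deny"


CLIENT = "49.37.10.140"   # the client address from the question
INSTANCE = "1.0.0.10"     # assumed instance private address inside the 1.0.0.0/16 local route

# Rules as posted in the question and in the accepted answer.
INBOUND = [NaclRule(10, "tcp", 3389, 3389, "49.37.0.0/16", "allow")]
OUTBOUND_ORIGINAL = [NaclRule(10, "tcp", 3389, 3389, "49.37.0.0/16", "allow")]
OUTBOUND_FIXED = [NaclRule(10, "tcp", 1024, 65535, "49.37.10.140/32", "allow")]


def connection_result(outbound_rules, client_ip=CLIENT, client_port=52134):
    """Replay SYN (client -> 3389) and SYN-ACK (3389 -> client ephemeral port).

    Returns (inbound verdict for the SYN, outbound verdict for the SYN-ACK).
    The client port is an assumed ephemeral port; Windows picks one from
    49152-65535 by default, which the 1024-65535 rule covers.
    """
    syn = Packet(client_ip, client_port, INSTANCE, 3389)
    syn_ack = Packet(INSTANCE, 3389, client_ip, client_port)
    return (evaluate(INBOUND, syn, "inbound"),
            evaluate(outbound_rules, syn_ack, "outbound"))


if __name__ == "__main__":
    print("original outbound rules:", connection_result(OUTBOUND_ORIGINAL))
    print("fixed outbound rules:   ", connection_result(OUTBOUND_FIXED))
    # A second host in the /16 still fails, because the fixed outbound rule is a /32.
    print("other host in /16:      ", connection_result(OUTBOUND_FIXED, client_ip="49.37.20.7"))
```

With the question's rules the SYN is allowed in but the SYN-ACK is denied on the way out, which is exactly the "can't be reached" symptom (telnet hangs rather than being refused). The last call also shows the side effect of the /32 destination in the corrected rule: any other address in 49.37.0.0/16 can still deliver a SYN through the inbound rule, but its reply is dropped, so the inbound /16 is effectively narrowed to the single whitelisted host.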