You should definitely run a test without the NACLs in place to ensure that the network configuration is correct. Then you can try putting back the NACLs to see when things fail.
As a general note (and to try and help with your troubleshooting): NACLs are stateless - so you do need to add the ephemeral ports if you want to use NACLs.
But in this case, I would ask "why use NACL?" - because if most of your traffic is outbound (i.e. initiated from instances/containers in your VPC) from a private subnet then (a) NAT Gateway won't allow traffic to be initiated from the internet to your resources; and (b) security groups (which are stateful) are there to protect your resources.
The advice I normally give customers is: use security groups as much as possible because they are stateful and easy to manage. Use NACLs where you must but only as a blunt object - for example, to stop two networks from communicating with each other completely. Trying to nail down ephemeral ports with NACLs is a lot of hard work for (probably) little benefit. Of course, every situation is different and NACLs are a useful tool; but useful when used for the right reasons.
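To make the stateless point concrete, here is an added example (my own illustration, not code from the answer above or from AWS) that models how a network ACL evaluates packets: rules are checked in ascending rule-number order, the first match wins, and anything unmatched hits the implicit deny. Because the ACL keeps no connection state, the reply half of an instance-initiated TCP flow is judged on its own against the inbound table, which is why an inbound ephemeral-port rule is needed. All rule tables, addresses and ports below are constructed for the demonstration (203.0.113.10 is a documentation address standing in for an internet host reached through the NAT Gateway).

```python
"""Toy model of AWS network ACL evaluation.

Constructed for illustration only: the rule tables and addresses are made
up, and this is not the AWS implementation.  It captures three properties
of NACLs: numbered rules evaluated lowest-first, first match wins, and no
connection tracking, so each direction of a flow is evaluated separately.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class NaclRule:
    number: int        # evaluation order (AWS accepts 1..32766)
    protocol: str      # 'tcp', 'udp', or '-1' meaning all traffic
    cidr: str          # source CIDR for inbound rules, destination for outbound
    port_from: int
    port_to: int
    action: str        # 'allow' or 'deny'


@dataclass(frozen=True)
class Packet:
    protocol: str
    remote_ip: str     # the non-VPC end of the conversation
    port: int          # destination port as seen in this direction


def evaluate(rules, pkt):
    """Return 'allow' or 'deny' for one packet against one rule table."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ('-1', pkt.protocol):
            continue
        if ip_address(pkt.remote_ip) not in ip_network(rule.cidr):
            continue
        # 'all traffic' rules carry no port range; everything else must match it
        if rule.protocol != '-1' and not (rule.port_from <= pkt.port <= rule.port_to):
            continue
        return rule.action
    return 'deny'      # the implicit final '*' rule


def tcp_flow_allowed(outbound_rules, inbound_rules, remote_ip, dst_port, ephemeral_port):
    """An instance-initiated TCP flow works only if the request passes the
    outbound table AND, separately, the reply passes the inbound table
    (no state is carried from one to the other)."""
    request = Packet('tcp', remote_ip, dst_port)
    reply = Packet('tcp', remote_ip, ephemeral_port)   # server replies to our ephemeral port
    return (evaluate(outbound_rules, request) == 'allow'
            and evaluate(inbound_rules, reply) == 'allow')


# Constructed tables for a private subnet whose instances call out over HTTPS.
OUTBOUND = [NaclRule(100, 'tcp', '0.0.0.0/0', 443, 443, 'allow')]

# Inbound table that forgot the ephemeral range: only SSH from inside the VPC.
INBOUND_NO_EPHEMERAL = [NaclRule(100, 'tcp', '10.0.0.0/16', 22, 22, 'allow')]

# Same table with the return-traffic rule added (Linux clients pick 32768-60999,
# but AWS guidance is to open 1024-65535 because NAT Gateways use that range).
INBOUND_WITH_EPHEMERAL = INBOUND_NO_EPHEMERAL + [
    NaclRule(110, 'tcp', '0.0.0.0/0', 1024, 65535, 'allow'),
]

# "Blunt object" use: a low-numbered deny cuts another network off entirely,
# regardless of any higher-numbered allow that would otherwise match.
INBOUND_BLOCK_PEER = [NaclRule(50, '-1', '10.1.0.0/16', 0, 65535, 'deny')] + INBOUND_WITH_EPHEMERAL


if __name__ == '__main__':
    internet_host = '203.0.113.10'
    print('without ephemeral rule:', tcp_flow_allowed(OUTBOUND, INBOUND_NO_EPHEMERAL, internet_host, 443, 50000))
    print('with ephemeral rule:   ', tcp_flow_allowed(OUTBOUND, INBOUND_WITH_EPHEMERAL, internet_host, 443, 50000))
    print('peer network reply:    ', evaluate(INBOUND_BLOCK_PEER, Packet('tcp', '10.1.2.3', 50000)))
```

Running it shows the failure mode from the answer: the outbound 443 request is allowed in both cases, but with `INBOUND_NO_EPHEMERAL` the server's reply to port 50000 falls through to the implicit deny and the connection hangs, while the security group (stateful) would have admitted it automatically. The `INBOUND_BLOCK_PEER` table shows the "blunt object" pattern: rule 50 denies the whole peer network before rule 110 is ever consulted.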
Were you able to find a solution? I am facing the same issue.