nat gateway network acl inbound outbound rule


Hello, I'm trying to make a VPC with public and private subnets (NAT) and am referring to this NACL rule.

I was wondering why we need ephemeral ports in the inbound rules of a public and a private subnet. As far as I know, ephemeral ports are used for the NAT gateway, which only uses outbound traffic? Also, I'm not sure about the 32768-65535 ports used in the outbound rules. Any help would be appreciated. Thanks in advance!

4 Answers

Hello AWS Customer,

Network ACLs are stateless, which means that responses to allowed inbound traffic are subject to the rules for outbound traffic (and vice versa).[1]

And stateless protocol is a communication protocol in which the receiver must not retain session state from previous requests. The sender transfers relevant session state to the receiver in such a way that every request can be understood in isolation, that is without reference to session state from previous requests retained by the receiver.[2]

Further, in most TCP/IP client/server communications, the client uses a random ephemeral port number and sends a request to the appropriate reserved port number at the server's IP address. The server sends its reply back to whatever port number it finds in the Source Port field of the request.

Therefore, when using a NAT gateway for TCP communication with the internet, the ephemeral port range (1024-65535) must be allowed in the ACL inbound rule applied to the NAT gateway's subnet in order to receive response packets.

Hope you will find this information useful. Please let me know if you have any further questions or concerns. I will be more than glad to assist you.

I hope you are always healthy and have a nice day.

AWS
answered a year ago

NACLs are stateless, so for any outbound request you need to allow the inbound return traffic, which will arrive on the ephemeral ports; that means you need to open a wide range of inbound ports. It's not just related to the NAT Gateway. For this reason NACLs are probably best left open except for specific use cases, and you should rely on least-privilege Security Groups instead, which are stateful.

If you do want to define ephemeral ports in your NACLs anyway, note that the client that initiates the request chooses the ephemeral port range. The range varies depending on the client's operating system. Many Linux kernels (including the Amazon Linux kernel) use ports 32768-61000. Requests originating from Elastic Load Balancing use ports 1024-65535. Windows operating systems through Windows Server 2003 use ports 1025-5000. Windows Server 2008 and later versions use ports 49152-65535. A NAT gateway uses ports 1024-65535. For example, if a request comes into a web server in your VPC from a Windows XP client on the Internet, your network ACL must have an outbound rule to enable traffic destined for ports 1025-5000.

answered a year ago

Network ACLs are stateless, which means that responses to allowed inbound traffic are subject to the rules for outbound traffic (and vice versa).

In this example, for the public subnet with respect to ephemeral ports:

  1. [Inbound] Allows inbound return traffic from hosts on the internet that are responding to requests originating in the subnet.
  2. [Outbound] Allows outbound responses to clients on the internet (for example, serving webpages to people visiting the web servers in the subnet)

Now, in the example for the private subnet with respect to ephemeral ports:

  1. [Inbound] Allows inbound return traffic from the NAT device in the public subnet for requests originating in the private subnet.
  2. [Outbound] Allows outbound responses to the public subnet (for example, responses to web servers in the public subnet that are communicating with DB servers in the private subnet).

Note: The range is an example only. For information about choosing the correct ephemeral ports for your configuration, see Ephemeral ports.

AWS
answered a year ago
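To make the stateless behaviour described in the two answers above concrete, here is a small simulator of NACL evaluation (added example code, not AWS's implementation or anything from this thread). It walks the same two scenarios: a host and a NAT gateway in the public subnet calling out to the internet and receiving replies on their ephemeral port (answer 2's point that the initiator picks the port, so a Linux host at 32768-61000 fits a 32768-65535 rule but a NAT gateway at 1024-65535 may not), and a web server in the public subnet talking to a DB server in the private subnet (answer 3's private-subnet outbound bullet). Addresses (10.0.0.0/24 public, 10.0.1.0/24 private, 203.0.113.5 as an internet host), rule numbers, and the source ports 40000 and 1500 are all constructed for the example; the model matches only CIDR and destination port and ignores protocol, which real NACL rules also check.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    number: int      # rules are evaluated lowest number first; first match wins
    cidr: str        # inbound rule: source CIDR; outbound rule: destination CIDR
    ports: tuple     # inclusive destination-port range (lo, hi)
    action: str      # "allow" or "deny"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def evaluate(rules, packet, direction):
    """Stateless evaluation: only the packet's own fields are consulted,
    never any earlier packet of the same connection."""
    peer = packet.src_ip if direction == "inbound" else packet.dst_ip
    for rule in sorted(rules, key=lambda r: r.number):
        lo, hi = rule.ports
        if ip_address(peer) in ip_network(rule.cidr) and lo <= packet.dst_port <= hi:
            return rule.action
    return "deny"  # the implicit '*' deny rule at the end of every NACL


def reply_to(request):
    """The response packet travels the reverse way: server port -> client's ephemeral port."""
    return Packet(request.dst_ip, request.dst_port, request.src_ip, request.src_port)


def client_round_trip(inbound_rules, outbound_rules, request):
    """Verdicts for a request leaving the subnet and its reply coming back in."""
    return (evaluate(outbound_rules, request, "outbound"),
            evaluate(inbound_rules, reply_to(request), "inbound"))


def server_round_trip(inbound_rules, outbound_rules, request):
    """Verdicts for a request arriving from outside the subnet and its reply leaving."""
    return (evaluate(inbound_rules, request, "inbound"),
            evaluate(outbound_rules, reply_to(request), "outbound"))


def without(rules, number):
    return [r for r in rules if r.number != number]


# Constructed public-subnet NACL modelled on the question: HTTP/HTTPS plus the
# 32768-65535 ephemeral range in both directions.
PUBLIC_INBOUND = [Rule(100, "0.0.0.0/0", (80, 80), "allow"),
                  Rule(110, "0.0.0.0/0", (443, 443), "allow"),
                  Rule(140, "0.0.0.0/0", (32768, 65535), "allow")]
PUBLIC_OUTBOUND = [Rule(100, "0.0.0.0/0", (80, 80), "allow"),
                   Rule(110, "0.0.0.0/0", (443, 443), "allow"),
                   Rule(140, "0.0.0.0/0", (32768, 65535), "allow")]

# Constructed private-subnet NACL: MySQL from the public subnet in, web plus
# ephemeral return traffic to the public subnet out.
PRIVATE_INBOUND = [Rule(100, "10.0.0.0/24", (3306, 3306), "allow"),
                   Rule(130, "0.0.0.0/0", (32768, 65535), "allow")]
PRIVATE_OUTBOUND = [Rule(100, "0.0.0.0/0", (80, 80), "allow"),
                    Rule(110, "0.0.0.0/0", (443, 443), "allow"),
                    Rule(120, "10.0.0.0/24", (32768, 65535), "allow")]

# Constructed flows. Source port 40000 sits in the Linux 32768-61000 range;
# 1500 sits in the 1024-65535 range a NAT gateway may use.
LINUX_HOST_REQUEST = Packet("10.0.0.10", 40000, "203.0.113.5", 443)
NAT_GW_REQUEST = Packet("10.0.0.250", 1500, "203.0.113.5", 443)
WEB_TO_DB_REQUEST = Packet("10.0.0.10", 40000, "10.0.1.20", 3306)


def linux_host_round_trip():
    return client_round_trip(PUBLIC_INBOUND, PUBLIC_OUTBOUND, LINUX_HOST_REQUEST)


def linux_host_without_ephemeral_inbound():
    # Drop inbound rule 140: the request still leaves, but the reply is denied.
    return client_round_trip(without(PUBLIC_INBOUND, 140), PUBLIC_OUTBOUND, LINUX_HOST_REQUEST)


def nat_gateway_round_trip():
    # Reply lands on port 1500, below the 32768-65535 inbound rule: denied.
    return client_round_trip(PUBLIC_INBOUND, PUBLIC_OUTBOUND, NAT_GW_REQUEST)


def nat_gateway_with_wide_range():
    widened = without(PUBLIC_INBOUND, 140) + [Rule(140, "0.0.0.0/0", (1024, 65535), "allow")]
    return client_round_trip(widened, PUBLIC_OUTBOUND, NAT_GW_REQUEST)


def db_server_round_trip():
    return server_round_trip(PRIVATE_INBOUND, PRIVATE_OUTBOUND, WEB_TO_DB_REQUEST)


def db_server_without_ephemeral_outbound():
    # Drop outbound rule 120: the query arrives, but the DB's answer is denied.
    return server_round_trip(PRIVATE_INBOUND, without(PRIVATE_OUTBOUND, 120), WEB_TO_DB_REQUEST)


if __name__ == "__main__":
    print("linux host:", linux_host_round_trip())
    print("linux host, no inbound ephemeral rule:", linux_host_without_ephemeral_inbound())
    print("nat gateway, 32768-65535:", nat_gateway_round_trip())
    print("nat gateway, 1024-65535:", nat_gateway_with_wide_range())
    print("db server:", db_server_round_trip())
    print("db server, no outbound ephemeral rule:", db_server_without_ephemeral_outbound())
```

Each function returns a (request verdict, reply verdict) pair. The pairs that come back as ("allow", "deny") are the failure mode the answers describe: the first packet of the connection passes, and the reply is silently dropped because a stateless NACL has no memory of it. A stateful security group would have allowed the reply without any ephemeral rule at all, which is why answer 2 recommends leaving most of the filtering to security groups.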

Hi Suin,

100% agree with others here that NACLs are stateless so inbound and outbound rules need to account for return traffic that traverses your NAT Gateway.

Depending on your use case, it is important to remember that NAT Gateway only supports NACLs (NOT Security Groups). If you are planning to "open" your NACL to allow all traffic bi-directionally, be sure to address your Security Groups on your instances to only allow appropriate traffic. Security needs to be top of mind for all of us!

Hope this helps!

answered a year ago
