You should definitely run a test without the NACLs in place to ensure that the network configuration is correct. Then you can try putting back the NACLs to see when things fail.
As a general note (and to try and help with your troubleshooting): NACLs are stateless - so you do need to add the ephemeral ports if you want to use NACLs.
But in this case, I would ask "why use NACL?" - because if most of your traffic is outbound (i.e. initiated from instances/containers in your VPC) from a private subnet then (a) NAT Gateway won't allow traffic to be initiated from the internet to your resources; and (b) security groups (which are stateful) are there to protect your resources.
The advice I normally give customers is: use security groups as much as possible because they are stateful and easy to manage. Use NACLs where you must but only as a blunt object - for example, to stop two networks from communicating with each other completely. Trying to nail down ephemeral ports with NACLs is a lot of hard work for (probably) little benefit. Of course, every situation is different and NACLs are a useful tool; but useful when used for the right reasons.
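To make the "stateless" point concrete, here is an added example (not code from the answer above, and not AWS's own evaluation logic): a small model of how an ordered NACL and a stateful security group each treat the return half of an outbound HTTPS connection from a private subnet. The rule numbers, the 1024-65535 ephemeral range, and the addresses (10.0.1.10 in the VPC, 203.0.113.5 as a documentation-range remote host) are constructed for the demonstration; check the ephemeral range your own clients and NAT gateway actually use.

```python
"""Model of stateless NACL vs stateful security group handling of return traffic.

Added example for illustration; it is not AWS code and does not call the AWS API.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str = "tcp"


@dataclass(frozen=True)
class NaclRule:
    number: int      # rules are evaluated lowest number first; first match wins
    protocol: str    # "tcp", "udp" or "all"
    port_from: int
    port_to: int
    cidr: str        # remote address range the rule applies to
    action: str      # "allow" or "deny"

    def matches(self, pkt: Packet, direction: str) -> bool:
        if self.protocol not in ("all", pkt.protocol):
            return False
        # Inbound rules look at the packet's source address; outbound rules look at
        # its destination address. Both match on the destination port of the packet.
        remote_ip = pkt.src_ip if direction == "inbound" else pkt.dst_ip
        if ipaddress.ip_address(remote_ip) not in ipaddress.ip_network(self.cidr):
            return False
        return self.port_from <= pkt.dst_port <= self.port_to


def nacl_evaluate(rules, pkt: Packet, direction: str) -> str:
    """Stateless: every packet is judged on its own against the rule list."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(pkt, direction):
            return rule.action
    return "deny"  # the implicit "*" rule at the end of every NACL


class StatefulGroup:
    """Security-group style: remembers flows it allowed out and admits their replies."""

    def __init__(self, outbound_allowed_ports):
        self.outbound_ports = set(outbound_allowed_ports)
        self.flows = set()

    def evaluate(self, pkt: Packet, direction: str) -> str:
        if direction == "outbound":
            if pkt.dst_port in self.outbound_ports:
                self.flows.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
                return "allow"
            return "deny"
        # No inbound rules at all: a packet gets in only as the reply to a tracked flow.
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        return "allow" if reverse in self.flows else "deny"


# Constructed sample traffic: an instance in the private subnet talks HTTPS to a remote host.
REQUEST = Packet("10.0.1.10", 51234, "203.0.113.5", 443)
REPLY = Packet("203.0.113.5", 443, "10.0.1.10", 51234)

# Constructed NACL rule sets. Outbound allows HTTPS; the inbound side differs.
OUTBOUND = [NaclRule(100, "tcp", 443, 443, "0.0.0.0/0", "allow")]
INBOUND_NO_EPHEMERAL = []  # only the implicit deny
INBOUND_WITH_EPHEMERAL = [NaclRule(100, "tcp", 1024, 65535, "0.0.0.0/0", "allow")]
# "Blunt object" use: a lower-numbered deny for one network wins over the later allow.
INBOUND_BLOCK_ONE_NETWORK = [
    NaclRule(50, "all", 0, 65535, "203.0.113.0/24", "deny"),
    NaclRule(100, "tcp", 1024, 65535, "0.0.0.0/0", "allow"),
]


def nacl_round_trip(inbound_rules, outbound_rules, request=REQUEST, reply=REPLY):
    """Return (decision for the outbound request, decision for the inbound reply)."""
    return (
        nacl_evaluate(outbound_rules, request, "outbound"),
        nacl_evaluate(inbound_rules, reply, "inbound"),
    )


def sg_round_trip(request=REQUEST, reply=REPLY):
    sg = StatefulGroup(outbound_allowed_ports={443})
    return (sg.evaluate(request, "outbound"), sg.evaluate(reply, "inbound"))


if __name__ == "__main__":
    print("NACL, no ephemeral inbound rule :", nacl_round_trip(INBOUND_NO_EPHEMERAL, OUTBOUND))
    print("NACL, ephemeral inbound allowed :", nacl_round_trip(INBOUND_WITH_EPHEMERAL, OUTBOUND))
    print("NACL, one network denied first  :", nacl_round_trip(INBOUND_BLOCK_ONE_NETWORK, OUTBOUND))
    print("Security group (stateful)       :", sg_round_trip())
```

The first case is the failure mode the answer describes: the request leaves, but the reply to port 51234 hits the implicit deny because nothing in the inbound list covers the ephemeral range. Adding the 1024-65535 allow fixes it at the cost of a very wide inbound rule, which is why the stateful security group, which admits the reply with no inbound rule at all, is the easier tool for this job; the third case shows the kind of coarse "these two networks never talk" rule where a NACL earns its keep.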
Were you able to find a solution? I am facing the same issue.