Home > database >  EC2 instance can't connect to the Internet without "public" inbound rule in ACL
EC2 instance can't connect to the Internet without "public" inbound rule in ACL

Time:02-03

I have an EC2 instance and an ACL attached to it. My instance must have a possibility to be visited by only certain IP address (let's say 10.20.30.40) at 22, 80 and 443 ports, so ACL for this case has the following inbound rules:

1.  95  TCP  22     10.20.30.40/32  Allow
2. 100  TCP  443    10.20.30.40/32  Allow
3. 105  TCP  80     10.20.30.40/32  Allow
4. *    All  All         0.0.0.0/0  Deny

Outbound rules are the next:

1. 100  All  All         0.0.0.0/0  Allow
2. *    All  All         0.0.0.0/0  Deny

It seems like there must not be any problem to access the Internet from EC2, but I can't. It becomes possible only in case when I allow the whole inbound traffic by adding, at least:

5.  110  ICMP-IPv4  All  0.0.0.0/0  Allow

...or allow an absolutely all inbound traffic.

Why is it happen and how can I limit inbound traffic without opening EC2 instance to other IP addresses?

CodePudding user response:

Your issue regarding access resources on internet from your instance is because ephemeral ports.

You allow all outbound traffic, but when it returns it will be blocked by your inbound rules.

If the traffic is initiated on IP you mention it will works fine to user those specific ports. But when it is initiated at your instance it will fail due to return traffic being blocked.

Please check the documentation below. https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html#nacl-ephemeral-ports

CodePudding user response:

Thanks to guys who had mentioned about ephemeral ports, I found the next solution: I added two more records in ACL: allowed IPv4 traffic and allowed TCP ephemeral ports.

 95  TCP        22           10.20.30.40/32  Allow
100  TCP        443          10.20.30.40/32  Allow
105  TCP        80           10.20.30.40/32  Allow
110  ICMP-IPv4  All          0.0.0.0/0       Allow
115  TCP        32768-65535  0.0.0.0/0       Allow
*    All        All          0.0.0.0/0       Deny

This works for both "ping google.com" and "yum update". On the one hand, I allow inbound traffic to 22, 80, 443 for only one IP, on the other hand, the rest of security will be covered by Security Group which has only three open inbound ports: 22, 80 and 443 (CIDR in Security Group is 0.0.0.0/0).

  • Related