code_ada

Reputation: 884

aws: accessing public network over nat gateway without giving full access to inbound connections

I'm configuring an infrastructure with

Both subnets are sub projects and I need to isolate access between subnets.

Because subnets need to access to internet, I've created a NAT gateway, which is located under public subnet.

NACL for subnet A - 10.0.1.0/24 below:

* inbound:
  ALLOW: 10.0.99.0/24
  DENY: ALL
* outbound:
  ALLOW: ALL

With this current configuration, private network instances don't connect to the public network; when I change the inbound rule to ALLOW: ALL (or ALLOW: 8.8.8.8, for example), they do. (Yes, inbound.)

So the question is: how can I allow all outgoing connections without allowing all incoming connections?

PS: there are around 10 subnets, so I cannot specify the incoming connections from other subnets to block; I would like to block everything except the exceptions.

Upvotes: 0

Views: 798

Answers (2)

code_ada

Reputation: 884

I found a solution: basically, after allowing internal connections from the current subnet and the VPN public subnet, put a deny rule for the whole VPC and then put an allow for the ephemeral ports afterwards.

Here is an example:

Explanation first

VPC:  10.0.0.0/16
project1-subnet-A: 10.0.2.0/24
project1-subnet-B: 10.0.3.0/24
project2-subnet-A: 10.0.4.0/24
project2-subnet-B: 10.0.5.0/24
management-subnet-A: 10.0.98.0/24

NACL for project1-subnet-A

And the explanation for the rules:

 10 - allow all traffic inside the subnet (not required)
 11 - allow all traffic from project1-B-subnet (same project, second availability zone)
 50 - allow all traffic from management subnet A (VPN)
 51 - allow all traffic from management subnet B (VPN)
 100 - deny all traffic from the VPC (except the above networks)
 200 - accept return traffic
 201 - accept ICMP packets for connectivity test (not required)
 500 - service related

Upvotes: 0

Vorsprung

Reputation: 34377

Allow ephemeral ports for return traffic (i.e. on 1024-65536) from outside, and allow outgoing from private on the service ports (i.e. 80, 443).

NACLs are not a stateful firewall, so you must do something like this to get it to work. If you are running services on higher ports that might be in the ephemeral range, then it's probably simplest to block these with security group rules.

See http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Appendix_NACLs.html, scenario 2.

Upvotes: 2
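A constructed model of the inbound NACL both answers describe, added here as an example (it is not code from either answer or from AWS). It evaluates rules the way a NACL does (ascending rule number, first match wins, implicit deny) over the rule numbers from the accepted answer; the CIDR for management subnet B and the port for rule 500 are assumptions, since the page shows no rule table. It shows why the ordering matters: NAT return traffic on ephemeral ports gets in, other project subnets are stopped by the VPC-wide deny, and renumbering that deny after the ephemeral allow silently reopens them.

```python
import ipaddress

VPC = "10.0.0.0/16"
# Constructed inbound NACL for project1-subnet-A (10.0.2.0/24), following the
# accepted answer's rule numbers. 10.0.99.0/24 for management subnet B and
# port 443 for rule 500 are assumed values.
INBOUND_RULES = [
    # (rule number, action, source CIDR, protocol, (port_from, port_to))
    (10,  "allow", "10.0.2.0/24",  "all",  (0, 65535)),    # inside the subnet
    (11,  "allow", "10.0.3.0/24",  "all",  (0, 65535)),    # project1-subnet-B
    (50,  "allow", "10.0.98.0/24", "all",  (0, 65535)),    # management subnet A (VPN)
    (51,  "allow", "10.0.99.0/24", "all",  (0, 65535)),    # management subnet B (VPN), assumed
    (100, "deny",  VPC,            "all",  (0, 65535)),    # everything else in the VPC
    (200, "allow", "0.0.0.0/0",    "tcp",  (1024, 65535)), # return traffic via the NAT gateway
    (201, "allow", "0.0.0.0/0",    "icmp", (0, 65535)),    # connectivity tests
    (500, "allow", "0.0.0.0/0",    "tcp",  (443, 443)),    # service related, assumed HTTPS
]

# Same rules, but the VPC deny is numbered after the ephemeral allow.
MISORDERED = [(300 if n == 100 else n, a, c, p, r) for n, a, c, p, r in INBOUND_RULES]


def evaluate(rules, src_ip, proto, dst_port):
    """Return (action, rule number) for an inbound packet. NACLs are stateless:
    only this packet's source, protocol and destination port are considered."""
    ip = ipaddress.ip_address(src_ip)
    for num, action, cidr, rproto, (lo, hi) in sorted(rules, key=lambda r: r[0]):
        if ip not in ipaddress.ip_network(cidr):
            continue
        if rproto != "all" and rproto != proto:
            continue
        if not lo <= dst_port <= hi:
            continue
        return action, num
    return "deny", "*"  # the implicit final rule


# Constructed sample flows as seen by the subnet NACL (source IP, protocol, dst port).
# Return traffic via a NAT gateway keeps the internet host as its source address.
SAMPLE_FLOWS = {
    "nat_return_from_internet": ("8.8.8.8", "tcp", 50000),
    "project2_probe_ephemeral": ("10.0.4.7", "tcp", 50000),
    "project2_probe_https": ("10.0.4.7", "tcp", 443),
    "vpn_ssh": ("10.0.98.5", "tcp", 22),
    "internet_ssh": ("203.0.113.9", "tcp", 22),
}


def verdicts(rules=INBOUND_RULES):
    return {name: evaluate(rules, *flow) for name, flow in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for name, result in verdicts().items():
        print(f"{name:28s} -> {result}")
    print("misordered, project2 probe ->", evaluate(MISORDERED, "10.0.4.7", "tcp", 50000))
```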
