SkyeBoniwell

Reputation: 7092

Can't connect out from my EC2 instance unless allow all traffic inbound

I have an issue where my linux EC2 instance can't do anything outbound (ping, curl, yum update, wget, traceroute, etc.) unless I have a rule in my VPC ACL inbound rule set that allows all traffic.

My security group and VPC both have outbound rules that allow all traffic to everything.

The security group inbound list attached to the instance looks like this:

[screenshot: security group inbound rules]

And the VPC inbound list looks like this (rule 200 is the one I'm talking about):

[screenshot: network ACL inbound rules]

If I delete the inbound rule that allows all traffic (rule 200), then I can't do anything outbound.

Could there be anything that I'm missing? Thanks!

Upvotes: 1

Views: 1358

Answers (1)

Mark B

Reputation: 200607

ACL rules are stateless, which means they don't keep track of your outbound connections when evaluating inbound connections. So if you make an outbound connection to a server, the ACL rule will block that server's response unless you have explicitly allowed inbound connections from that server in the ACL.

This is one of the primary reasons that most people only use Security Groups (which are stateful) instead of ACL rules. Looking at your network ACL rules, there is nothing happening there that isn't already covered by your Security Group rules, so why use ACLs?

Upvotes: 4
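To make the stateless-versus-stateful point concrete, here is an added simulation (example code, not from the question or the answer) of how a network ACL and a security group each judge the reply to an outbound connection. The instance address, remote host, ephemeral port and rule numbers are constructed; the ephemeral range 1024-65535 in the last rule set is the one AWS documents for NACL return traffic.

```python
"""Simulate a stateless network ACL and a stateful security group evaluating the
reply packet of an outbound connection. Constructed example; not AWS code."""
from dataclasses import dataclass
import ipaddress

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

@dataclass(frozen=True)
class AclRule:
    number: int      # NACL rules are evaluated in ascending number order
    port_lo: int
    port_hi: int
    cidr: str
    action: str      # "allow" or "deny"

def nacl_inbound_allows(rules, pkt):
    """Stateless: only the packet's own fields are consulted. The lowest-numbered
    matching rule wins; nothing matching falls to the implicit '*' deny."""
    for r in sorted(rules, key=lambda r: r.number):
        if (r.port_lo <= pkt.dst_port <= r.port_hi
                and ipaddress.ip_address(pkt.src_ip) in ipaddress.ip_network(r.cidr)):
            return r.action == "allow"
    return False

def sg_inbound_allows(tracked_flows, pkt):
    """Stateful: a reply to a flow the instance opened is admitted regardless
    of the inbound rule list, because the connection is tracked."""
    return (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in tracked_flows

# Constructed scenario: instance 10.0.1.5 curls 203.0.113.10:443 from ephemeral port 54321.
OUTBOUND = Packet("10.0.1.5", 54321, "203.0.113.10", 443)
REPLY = Packet("203.0.113.10", 443, "10.0.1.5", 54321)
TRACKED = {(OUTBOUND.src_ip, OUTBOUND.src_port, OUTBOUND.dst_ip, OUTBOUND.dst_port)}

SSH_ONLY = [AclRule(100, 22, 22, "0.0.0.0/0", "allow")]
SSH_PLUS_ALLOW_ALL = SSH_ONLY + [AclRule(200, 0, 65535, "0.0.0.0/0", "allow")]
# Narrower alternative to allow-all: admit return traffic on the ephemeral port range only.
SSH_PLUS_EPHEMERAL = SSH_ONLY + [AclRule(200, 1024, 65535, "0.0.0.0/0", "allow")]

def reply_reaches_instance(acl_rules):
    """The reply must pass the subnet NACL (stateless) and then the instance SG (stateful)."""
    return nacl_inbound_allows(acl_rules, REPLY) and sg_inbound_allows(TRACKED, REPLY)
```

With SSH_ONLY the security group would pass the reply but the NACL drops it, which is exactly the symptom in the question; with either rule-200 variant the reply gets through.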
