stara

Reputation: 153

Amazon VPC NACL not permitting access on ports 80 and 443

I came across something I was not able to understand, so I am asking about AWS NACLs. I created one public subnet and associated it with an NACL. I created rules in the NACL where 80 and 443 are allowed for both inbound and outbound. I then created an EC2 instance in the subnet. When I tried yum update, it did not work. I reattached the subnet to the default NACL, which allows everything, and yum update worked. If I am not wrong, yum downloads packages over HTTP or HTTPS. My NACL had these rules and still yum update did not work. I also tried to curl http://packages.ap-southeast-1.amazonaws.com and that did not work either. Is there something I am missing in the NACL rules?

Your answers will clear up my fundamentals. Please suggest.

Thanks,

Upvotes: 0

Views: 1565

Answers (1)

John Rotenstein

Reputation: 269340

You can use a NACL to restrict Inbound ports, but you'll probably have a problem restricting Outbound ports.

The way it works is:

  • The remote site connects to your Amazon EC2 instance on port 80. It also includes a 'return port' identifier saying which port to send the response to.
  • The EC2 instance receives the request on port 80, generates a response and sends it back to the originating IP address, to the port requested (which will not be port 80).
  • The originating system receives the response.

Ports are one-way. You only receive content on a port. You don't send from the same port. This way, if you have made multiple requests, each request is received on a different port and can be matched back to the original request.

So, the problem with your NACL is that it is only allowing outbound traffic to 80 and 443, which is not the port that the originating system is requesting to receive the traffic. You would need to open up the range of outbound ports.

It's worth mentioning that the use-case for NACLs is normally to block specific protocols. If you simply wish to limit access to ports 80 and 443 on your EC2 instance, you should use Security Groups. Security Groups are stateful, so you really only need to open the Inbound connection and outbound responses will be permitted.

Oh, and presumably you also opened Port 22, otherwise you wouldn't be able to login to the instance.

Upvotes: 3
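The following is an added example, not code from the question or the answer above. It is a small model of how a stateless network ACL evaluates packets, used to show why the poster's "allow 80 and 443 in and out" NACL breaks yum, and how adding the ephemeral port range fixes it. It assumes the documented NACL semantics (rules evaluated lowest number first, first match wins, implicit deny at the end, port range matched against the packet's destination port); the rule numbers, client port 40000 and the helper names are constructed for illustration.

```python
# Added example: a minimal model of stateless AWS network ACL evaluation,
# applied to the yum/curl flow from the question. Not AWS code.
# Assumed NACL semantics: rules are checked in ascending number order, the
# first matching rule wins, there is an implicit deny at the end, and a rule's
# port range is matched against the DESTINATION port of the packet.
# Rule numbers and client port 40000 below are constructed for illustration.
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    number: int                  # lower numbers are evaluated first
    protocol: str                # "tcp" or "all"
    port_range: Tuple[int, int]  # inclusive, compared with the packet's dst port
    action: str                  # "allow" or "deny"


@dataclass(frozen=True)
class Packet:
    direction: str   # "inbound" (towards the instance) or "outbound" (leaving it)
    protocol: str
    src_port: int
    dst_port: int


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """Stateless verdict for one packet: no memory of earlier packets in the flow."""
    for rule in sorted(rules, key=lambda r: r.number):
        lo, hi = rule.port_range
        if rule.protocol in ("all", pkt.protocol) and lo <= pkt.dst_port <= hi:
            return rule.action
    return "deny"  # the implicit "*" deny rule every NACL ends with


def tcp_flow_allowed(inbound: List[Rule], outbound: List[Rule],
                     client_port: int, server_port: int) -> bool:
    """A connection the instance opens needs BOTH halves to pass:
    the SYN leaving via the outbound rules and the SYN-ACK arriving via the
    inbound rules. The reply is addressed to the client's ephemeral port,
    not to 80 or 443."""
    syn = Packet("outbound", "tcp", client_port, server_port)
    syn_ack = Packet("inbound", "tcp", server_port, client_port)
    return (evaluate(outbound, syn) == "allow"
            and evaluate(inbound, syn_ack) == "allow")


# The poster's NACL: 80 and 443 allowed in both directions, nothing else.
POSTER_IN = [Rule(100, "tcp", (80, 80), "allow"), Rule(110, "tcp", (443, 443), "allow")]
POSTER_OUT = [Rule(100, "tcp", (80, 80), "allow"), Rule(110, "tcp", (443, 443), "allow")]

# Corrected NACL: also allow the ephemeral range so replies can reach the port
# the originating side picked. 1024-65535 covers every client OS and AWS NAT
# gateways; a Linux client by itself usually uses 32768-60999
# (net.ipv4.ip_local_port_range), which would suffice for the yum case only.
EPHEMERAL = (1024, 65535)
FIXED_IN = POSTER_IN + [Rule(120, "tcp", EPHEMERAL, "allow")]
FIXED_OUT = POSTER_OUT + [Rule(120, "tcp", EPHEMERAL, "allow")]


def explain(client_port: int = 40000, server_port: int = 80) -> dict:
    """Per-packet verdicts for the yum/curl flow under both NACLs."""
    syn = Packet("outbound", "tcp", client_port, server_port)
    syn_ack = Packet("inbound", "tcp", server_port, client_port)
    return {
        "poster_syn_out": evaluate(POSTER_OUT, syn),
        "poster_synack_in": evaluate(POSTER_IN, syn_ack),
        "fixed_syn_out": evaluate(FIXED_OUT, syn),
        "fixed_synack_in": evaluate(FIXED_IN, syn_ack),
    }


if __name__ == "__main__":
    for name, verdict in explain().items():
        print(f"{name:18} {verdict}")
    print("poster NACL, yum to :80 works?", tcp_flow_allowed(POSTER_IN, POSTER_OUT, 40000, 80))
    print("fixed  NACL, yum to :80 works?", tcp_flow_allowed(FIXED_IN, FIXED_OUT, 40000, 80))
```

Running it shows the SYN to port 80 leaving fine under the poster's rules while the SYN-ACK to port 40000 is dropped on the way back in, which is exactly the symptom described (yum and curl hang, the default allow-all NACL works). The ephemeral rule is added outbound as well because the same problem appears in the other direction as soon as the instance serves HTTP: its responses go to the remote client's ephemeral port. Note what this costs: with 1024-65535 open outbound, the instance can also initiate connections to any high port, which is the reason the answer says NACLs are a poor tool for restricting outbound traffic and a stateful Security Group is the better fit.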
