Reputation: 3727
I came across the following scenario question in my AWS study:
You have a business-to-business web application running in a VPC consisting of an Application Load Balancer (ALB), application servers and a database. Your web application should only accept traffic from predefined customer IP addresses. Which two options meet this security requirement? Choose 2 answers
Options:
A. Configure web server VPC security groups to allow traffic from your customers’ IPs
B. Configure your web servers to filter traffic based on the ALB’s "X-forwarded-for" header
C. Configure your web servers to filter traffic based on the ALB’s "Proxy Protocol" header
D. Configure ELB security groups to allow traffic from your customers’ IPs and deny all outbound traffic
E. Configure a VPC NACL to allow web traffic from your customers’ IPs and deny all outbound traffic
Correct Answer
B. Configure your web servers to filter traffic based on the ALB’s "X-forwarded-for" header
D. Configure ELB security groups to allow traffic from your customers’ IPs and deny all outbound traffic
My question is: why is E not an accepted answer here?
Thank you very much, any enlightenment is appreciated.
Upvotes: 1
Views: 289
Reputation: 68715
I believe E is invalid because of the second portion of the answer, "and deny all outbound traffic". NACLs are stateless in nature, which means that inbound traffic opened in a NACL does not by default allow the outgoing traffic for a request. So if your web server receives a request on port 80, it needs to respond back using the ephemeral ports, which are in the range of 1024-65535. So your NACL must have an outbound ALLOW rule to send the response on those ports.
This is different from security groups, which are stateful in nature and don't require an explicit ALLOW for the ephemeral ports.
For further reading, search for "stateless" in the documentation below to get a better understanding, if I couldn't explain it here:
https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html
Upvotes: 2
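To make the stateless-versus-stateful distinction concrete, here is an added simulation (not from the question or the answer above, and not AWS code) that evaluates a request/response pair the way a NACL does versus the way a security group does. The customer CIDR, addresses and ephemeral port are constructed sample values.

```python
import ipaddress

# Constructed sample values for the illustration (not from the question).
CUSTOMER_CIDR = "203.0.113.0/24"
REQUEST = {"remote": "203.0.113.10", "port": 80}      # customer -> web server :80
RESPONSE = {"remote": "203.0.113.10", "port": 51234}  # web server -> customer ephemeral port

def nacl_allows(rules, pkt):
    """NACL evaluation is stateless: each packet is matched against the rules for
    its direction in rule-number order; the first match wins, and the implicit
    final rule denies everything else.  A rule is (number, action, cidr, lo, hi),
    where lo-hi is the destination port range for that direction."""
    for _num, action, cidr, lo, hi in sorted(rules):
        if (ipaddress.ip_address(pkt["remote"]) in ipaddress.ip_network(cidr)
                and lo <= pkt["port"] <= hi):
            return action == "allow"
    return False

def nacl_exchange_ok(inbound, outbound, request=REQUEST, response=RESPONSE):
    """Under a NACL the request and the response are independent packets:
    each must be allowed by the rules of its own direction."""
    return nacl_allows(inbound, request) and nacl_allows(outbound, response)

def sg_exchange_ok(inbound, request=REQUEST, response=RESPONSE):
    """Security groups are stateful: an allowed inbound request creates a tracked
    flow, and the matching response is allowed without any outbound rule."""
    tracked = set()
    if nacl_allows(inbound, request):   # same matching logic as above, but...
        tracked.add(request["remote"])  # ...the flow is remembered
    return response["remote"] in tracked

# Option E as written: allow customers in, deny all outbound -> response dropped.
OPTION_E_INBOUND = [(100, "allow", CUSTOMER_CIDR, 80, 80)]
OPTION_E_OUTBOUND = []  # "deny all outbound": only the implicit deny rule remains

# What a NACL actually needs: an outbound allow for the ephemeral port range.
FIXED_OUTBOUND = [(100, "allow", CUSTOMER_CIDR, 1024, 65535)]

if __name__ == "__main__":
    print("option E NACL:", nacl_exchange_ok(OPTION_E_INBOUND, OPTION_E_OUTBOUND))       # False
    print("NACL + ephemeral allow:", nacl_exchange_ok(OPTION_E_INBOUND, FIXED_OUTBOUND))  # True
    print("security group:", sg_exchange_ok(OPTION_E_INBOUND))                            # True
```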