Reputation: 75
I'm playing around with AWS VPCs and I'm hitting an interesting case that I don't understand.
Here's what I've created so far:
For some reason, with this setup I cannot SSH into my EC2 instance. However, when I update the NACL to allow all outbound TCP traffic I can SSH in.
Is there some other external traffic that the EC2 instance is needing to do in order to enable SSH to work correctly?
Upvotes: 0
Views: 662
Reputation: 200446
This is because you have to specifically open both inbound and outbound ports in AWS Network ACLs, unlike Security Groups which are stateful and automatically open the corresponding ephemeral ports to allow a response to be returned for an incoming network request.
Also, note that a subnet with an Internet Gateway providing direct access to the Internet is generally called a "Public Subnet", while subnets that must be routed to a NAT Gateway in another subnet are generally called "Private Subnets".
Upvotes: 0
Reputation: 35146
You will not be including ephemeral ports in your NACL.
These are only relevant to NACLs in AWS.
Ephemeral ports are the ports the host machine opens when communicating with the target port.
It’s generally suggested to allow outbound for 1024-65535.
AWS explain these further in their documentation.
Upvotes: 1
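To make the stateless-evaluation point from both answers concrete, here is an added example (not code from the question or either answer) that models how a Network ACL evaluates a packet: rules are tried lowest number first, the first match wins, and the implicit "*" rule denies everything else. The rule numbers, client address and ephemeral port are constructed values; only /0 and /32 CIDRs are modelled.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    number: int      # evaluation order (lowest first)
    protocol: str    # "tcp", "udp" or "all"
    port_from: int   # destination port range of the packet being evaluated
    port_to: int
    cidr: str        # remote CIDR; only "x/0" and "x/32" are modelled here
    action: str      # "allow" or "deny"

def _cidr_match(cidr: str, ip: str) -> bool:
    net, bits = cidr.split("/")
    return bits == "0" or (bits == "32" and net == ip)

def evaluate(rules, protocol: str, port: int, remote_ip: str) -> str:
    """NACL first-match semantics: return 'allow' or 'deny' for one packet."""
    for r in sorted(rules, key=lambda x: x.number):
        if r.protocol not in ("all", protocol):
            continue
        if not (r.port_from <= port <= r.port_to):
            continue
        if not _cidr_match(r.cidr, remote_ip):
            continue
        return r.action
    return "deny"   # the implicit catch-all "*" rule

# Inbound: SSH allowed from anywhere (as in the question).
inbound = [Rule(100, "tcp", 22, 22, "0.0.0.0/0", "allow")]
# Outbound as the questioner had it: nothing matches, so only the implicit deny applies.
outbound_before = []
# Outbound after the fix: allow replies to the client's ephemeral port range.
outbound_after = [Rule(100, "tcp", 1024, 65535, "0.0.0.0/0", "allow")]

def ssh_session_allowed(outbound_rules, client_ip="203.0.113.10", client_port=51234) -> bool:
    """An SSH session works only if the client's SYN passes the inbound rules AND the
    server's reply (destination = the client's ephemeral port) passes the outbound rules."""
    syn_ok = evaluate(inbound, "tcp", 22, client_ip) == "allow"
    reply_ok = evaluate(outbound_rules, "tcp", client_port, client_ip) == "allow"
    return syn_ok and reply_ok

if __name__ == "__main__":
    print("before fix:", ssh_session_allowed(outbound_before))  # False
    print("after fix: ", ssh_session_allowed(outbound_after))   # True
```

A security group would not need the second check, because it tracks connection state and admits the reply automatically; the NACL has to be told about the ephemeral range explicitly.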