
I have a VPC, within which I have an EC2 instance deployed in a private subnet.

I have my NACL (subnet firewall) ALLOW ALL on inbound and outbound.

I have my security group rule (EC2 firewall): it blocks public IPs on the inbound rule and allows the public world on the outbound rule.

Now my EC2 instance initiates a connection to the call provider (Twilio) and initiates a call, and it is successful.

From my EC2 application, it initiates a three-way handshake. Since my outbound rule is ALLOW all, it reaches Twilio through NAT. The packet will be like (source IP: the NAT IP and a random port number; destination IP: the Twilio IP and the service's listening port number).

Twilio then accepts the request and provides the SYN-ACK response to the EC2 server. Now the packet will be (source IP: the Twilio IP and a random port number; destination IP: the EC2 instance's NAT IP, and the port number is the EC2 instance's source-initiated random port number).

Now my question is: even though the inbound rule doesn't allow the Twilio IP address, how is the three-way handshake successful?

ram
  • Because the connection originated from your server. Simply stated, "return" traffic to traffic originating from your server is allowed. A firewall is meant to deny unsolicited or unallowed traffic that originates from the outside. – joeqwerty Feb 25 '20 at 05:01

1 Answer


AWS Security Groups are stateful.

If you send a request from your instance, the response traffic for that request is allowed to flow in regardless of inbound security group rules. Responses to allowed inbound traffic are allowed to flow out, regardless of outbound rules.

Even though you are blocking public IP addresses inbound via the security group, you're allowing outbound connections, which allows the return traffic/handshaking.

References

VPC Security Groups

kenlukas
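A toy model of the stateful behaviour the answer describes, added here as an illustration (it is not code from the question, the answer, or AWS). It assumes the group is evaluated at the instance's ENI with the instance's private address 10.0.1.10, and uses 203.0.113.7 as a constructed placeholder for the call provider's IP. The SYN the instance sends creates a tracked flow, so the provider's SYN-ACK is allowed even though the inbound rule would reject it; a fresh SYN from the same provider IP with no matching flow is denied.

```python
import ipaddress
from collections import namedtuple

# RFC 1918 ranges; anything outside them counts as "public" for the inbound rule.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_public(ip: str) -> bool:
    return not any(ipaddress.ip_address(ip) in net for net in RFC1918)

Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port")

class StatefulSecurityGroup:
    """Toy model of a security group on one instance: rules are consulted only for
    the packet that opens a flow; packets of a tracked flow pass in both directions."""

    def __init__(self, instance_ip: str):
        self.instance_ip = instance_ip
        self.flows = set()  # (local_ip, local_port, remote_ip, remote_port)

    def inbound_rule_allows(self, pkt: Packet) -> bool:
        return not is_public(pkt.src_ip)  # question's rule: block public sources

    def outbound_rule_allows(self, pkt: Packet) -> bool:
        return True  # question's rule: allow everything outbound

    def evaluate(self, pkt: Packet) -> str:
        if pkt.src_ip == self.instance_ip:  # outbound from the instance
            key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
            if key in self.flows or self.outbound_rule_allows(pkt):
                self.flows.add(key)
                return "ALLOW"
            return "DENY"
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)  # inbound
        if key in self.flows:
            return "ALLOW"  # return traffic for a flow the instance opened
        if self.inbound_rule_allows(pkt):
            self.flows.add(key)
            return "ALLOW"
        return "DENY"

def demo() -> list:
    # Constructed sample: instance 10.0.1.10, call-provider placeholder 203.0.113.7.
    sg = StatefulSecurityGroup("10.0.1.10")
    syn = Packet("10.0.1.10", 49152, "203.0.113.7", 443)       # instance opens the flow
    syn_ack = Packet("203.0.113.7", 443, "10.0.1.10", 49152)   # provider's SYN-ACK
    unsolicited = Packet("203.0.113.7", 443, "10.0.1.10", 22)  # same IP, no tracked flow
    return [sg.evaluate(syn), sg.evaluate(syn_ack), sg.evaluate(unsolicited)]
```

A NACL, being stateless, would have needed an explicit inbound rule for the ephemeral port range to let the SYN-ACK through; the question's ALLOW ALL NACL covers that.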