
I have a VPC, within which I have an EC2 instance deployed in a private subnet.

I have my NACL (subnet firewall) set to ALLOW ALL on inbound and outbound.

I have my security group rule (EC2 firewall): it blocks public IPs on the inbound rule and allows traffic to the public world on the outbound rule.

Now my EC2 instance initiates a connection to a call provider (Twilio), initiates a call, and it is successful.

From my EC2 application, it initiates a three-way handshake. Since my outbound rule is ALLOW ALL, it reaches Twilio through NAT. The packet will be like this (source IP: the NAT IP and a random port number; destination IP: the Twilio IP and the service's listening port number).

Twilio then accepts the request and sends the SYN-ACK response to the EC2 server. Now the packet will be (source IP: the Twilio IP and its port number; destination IP: the EC2 instance's NAT IP and the port number is the random source port the EC2 instance initiated with).

Now my question is: even though the inbound rule doesn't allow the Twilio IP address, how is the three-way handshake successful?

td4u
Comment: Please note that Stack Overflow is for programming questions and not general computing issues. Question may be appropriate for [Server Fault](http://serverfault.com) or [Unix & Linux](http://unix.stackexchange.com) but do check their help before posting. – kaylum Feb 24 '20 at 09:32

1 Answer


Got it after googling:

Firewall protection uses stateful inspection to track current connections. Stateful inspection tracks source and destination IP addresses, ports, applications, and other connection information. Before the client inspects the firewall rules, it makes the traffic flow decisions that are based on the connection information.

For example, if a firewall rule allows a computer to connect to a Web server, the firewall logs the connection information. When the server replies, the firewall discovers that a response from the Web server to the computer is expected. It permits the Web server traffic to flow to the initiating computer without inspecting the rule base. A rule must permit the initial outbound traffic before the firewall logs the connection.

td4u
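To make the stateful-inspection behaviour in the answer concrete, here is an added toy model (not code from the question or from AWS) of a security-group-style filter: rules are only consulted for packets that belong to no tracked connection, so the SYN-ACK from the provider passes by state while an unsolicited inbound SYN from the same provider is dropped. The instance address, the provider address and the ports are constructed; the model uses the instance's private IP on both legs because the NAT rewrites the destination before the security group on the ENI sees the reply.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str          # "SYN", "SYN-ACK" or "ACK" (descriptive only)

class StatefulFilter:
    """Security-group-style filter: the rule base is consulted only for packets
    that do not belong to a tracked connection; replies to tracked flows pass by state."""
    def __init__(self, outbound_allow_all=True, inbound_ports=()):
        self.outbound_allow_all = outbound_allow_all
        self.inbound_ports = set(inbound_ports)   # inbound rule: allowed destination ports
        self.flows = set()                        # tracked (src_ip, src_port, dst_ip, dst_port)

    def outbound(self, p):
        key = (p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        if key in self.flows or (p.dst_ip, p.dst_port, p.src_ip, p.src_port) in self.flows:
            return "allow (state)"                # part of a connection already logged
        if not self.outbound_allow_all:
            return "drop (no outbound rule)"
        self.flows.add(key)                       # rule permitted it: log the connection
        return "allow (rule, now tracked)"

    def inbound(self, p):
        if (p.dst_ip, p.dst_port, p.src_ip, p.src_port) in self.flows:
            return "allow (state)"                # expected reply to a flow the instance opened
        if p.dst_port in self.inbound_ports:
            self.flows.add((p.src_ip, p.src_port, p.dst_ip, p.dst_port))
            return "allow (rule, now tracked)"
        return "drop (no inbound rule)"           # no state and no rule: rejected

def twilio_handshake():
    """Constructed scenario: instance 10.0.1.20 dials out to 198.51.100.7:443 with
    no inbound rule at all. The SYN-ACK still passes; a fresh inbound SYN does not."""
    sg = StatefulFilter(outbound_allow_all=True, inbound_ports=())
    ec2, provider = "10.0.1.20", "198.51.100.7"
    syn     = Packet(ec2, 51234, provider, 443, "SYN")
    syn_ack = Packet(provider, 443, ec2, 51234, "SYN-ACK")
    ack     = Packet(ec2, 51234, provider, 443, "ACK")
    new_syn = Packet(provider, 40000, ec2, 22, "SYN")   # unsolicited connection attempt
    return {
        "SYN out": sg.outbound(syn),
        "SYN-ACK in": sg.inbound(syn_ack),
        "ACK out": sg.outbound(ack),
        "unsolicited SYN in": sg.inbound(new_syn),
    }
```

Real connection tracking also expires entries and checks TCP state transitions; the model keeps only the part that answers the question, namely that the first allowed outbound packet creates the entry the reply is matched against.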