
I have two public subnets with CIDR - 10.100.0.0/24 and 10.100.3.0/24.

I am trying to add NACL for private subnets but I am unable to access the private subnet with the below configuration.

Can anyone help me to resolve this issue?

I have created two NACLs: one for public subnets and one for private subnets.

[Images: public subnet inbound rules, public subnet outbound rules, private subnet inbound rules]

ANSWER: Add the following rules to private outbound: [image: private subnet outbound rules]

HMT

1 Answer

When you create a NACL you need to account for both inbound and outbound connections. A major difference between security groups and NACLs is that a security group is stateful (if traffic can speak inbound it can speak outbound), whereas a NACL is evaluated in both directions of traffic.

Additionally, you will need to ensure that you add the ephemeral port ranges to your rules.

Traditionally people would add the 1024-65535 range for ephemeral ports as it basically matches every scenario.

AWS have a whole page on this so take a look.

Chris Williams
  • I have updated the question. Can you check where the problem is? – HMT Jun 16 '20 at 17:51
  • Can you confirm both private subnets are in this NACL and the security groups on the instance you are trying to connect to? – Chris Williams Jun 16 '20 at 17:54
  • Yes, private subnets are associated with the private NACL and public subnets are associated with the public NACL. – HMT Jun 16 '20 at 17:59
  • Also, when I remove the CUSTOM NACL and go with the default generated NACL, everything works fine. Therefore, I am sure this is a NACL issue. – HMT Jun 16 '20 at 17:59
  • Can you update your question with the images to indicate which is which? There are 3 pictures so just want to check what is what. – Chris Williams Jun 16 '20 at 18:05
  • Private outbound is deny all by default. – HMT Jun 16 '20 at 18:09
  • Your private subnet needs to have outbound access. This is what the problem is. – Chris Williams Jun 16 '20 at 18:16
  • What should I define there? – HMT Jun 16 '20 at 18:18
  • At minimum the ephemeral ports should be included in both inbound and outbound for the NACLs, then append to the outbound any ports that your server speaking out will need to speak out over. For example, if you expect updates or communications with any APIs then you'll want to whitelist 80 and 443. On the other hand, if you're not too bothered about traffic leaving the instance then you can have outbound connect to all. – Chris Williams Jun 16 '20 at 18:21
  • Glad I could help :) – Chris Williams Jun 16 '20 at 18:24
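The stateless behaviour described in the answer and comments above, as an added example that is not part of the original thread: a small Python simulation of NACL rule evaluation (ordered by rule number, first match wins, implicit deny) showing why a private-subnet NACL with an empty outbound list drops the SSH reply, and why adding the 1024-65535 ephemeral range outbound fixes it. The rule sets, client address and ports are constructed; only the two public CIDRs come from the question.

```python
# Added example (not from the thread): simulate the stateless NACL evaluation.
# Rule sets, addresses and ports below are constructed, not the asker's config.
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    number: int      # NACL rules are evaluated lowest number first, first match wins
    protocol: str    # "tcp", "udp" or "-1" (all protocols)
    port_from: int
    port_to: int
    cidr: str
    action: str      # "allow" or "deny"

def evaluate(rules, protocol, port, remote_ip):
    """Decide one packet against one direction's rule list.
    No matching rule means the implicit '*' deny rule applies."""
    addr = ipaddress.ip_address(remote_ip)
    for r in sorted(rules, key=lambda r: r.number):
        if r.protocol not in ("-1", protocol):
            continue
        if r.protocol != "-1" and not (r.port_from <= port <= r.port_to):
            continue
        if addr not in ipaddress.ip_network(r.cidr):
            continue
        return r.action
    return "deny"

def tcp_session_allowed(inbound, outbound, client_ip, server_port, client_port):
    """A NACL keeps no connection state, so the reply to the client's ephemeral
    port is checked against the outbound list as a fresh packet."""
    request = evaluate(inbound, "tcp", server_port, client_ip)
    reply = evaluate(outbound, "tcp", client_port, client_ip)
    return request == "allow" and reply == "allow"

# Private-subnet NACL as the comments describe it: SSH allowed in from the two
# public subnets, outbound left empty (only the implicit deny-all).
PUBLIC_CIDRS = ["10.100.0.0/24", "10.100.3.0/24"]
INBOUND = [Rule(100 + 10 * i, "tcp", 22, 22, c, "allow") for i, c in enumerate(PUBLIC_CIDRS)]
OUTBOUND_BROKEN = []
# The fix from the answer: allow the 1024-65535 ephemeral range outbound.
OUTBOUND_FIXED = [Rule(100 + 10 * i, "tcp", 1024, 65535, c, "allow") for i, c in enumerate(PUBLIC_CIDRS)]

if __name__ == "__main__":
    for name, out in (("broken", OUTBOUND_BROKEN), ("fixed", OUTBOUND_FIXED)):
        ok = tcp_session_allowed(INBOUND, out, "10.100.0.15", 22, 50321)
        print(f"{name}: SSH from 10.100.0.15 -> {'works' if ok else 'hangs, reply dropped'}")
```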