
Suppose we have a basic architecture: a VPC with two subnets (one private and one public). The private subnet is connected to the internet through a NAT gateway residing in the public subnet (as shown in the image below).

Now suppose we implement a Network ACL in the public subnet. Would it be wise to deny some ports in it?

The reason I am asking is that I learned that NAT uses port numbers to connect many private IPs to a single public IP (an Elastic IP in our case, which is attached to the NAT), so wouldn't the NACL create problems?

Here is what I learned about how NAT functions - https://www.youtube.com/watch?v=01ajHxPLxAw


  • My advice is that for most simple VPCs, don't configure NACLs. Just use the defaults. Once you have a complex application *and* you know AWS well, then maybe. – jarmod Feb 10 '22 at 03:28

1 Answer

Yeah, we can use a NACL, but we need to take care that it does not interfere with the NAT port numbers. It's not just the NAT gateway: other resources might have problems functioning if the NACL is not configured properly.

NAT uses port numbers 1024-65535.

Source - https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html#nacl-ephemeral-ports
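To make the answer concrete, here is an added example (not from the question, the answer, or AWS) that models how an inbound NACL is evaluated (stateless, lowest rule number first, implicit deny at the end) and then checks, for every port in the 1024-65535 range the AWS documentation gives for NAT gateways, whether a reply packet from the internet to the NAT gateway would be dropped. The rule sets and the source address 203.0.113.10 are constructed for illustration; the `Rule` class and the function names are this example's own.

```python
import ipaddress
from dataclasses import dataclass

# AWS documents 1024-65535 as the port range a NAT gateway uses, so reply
# packets from the internet reach the NAT gateway's interface with a
# destination port somewhere in this range.
NAT_EPHEMERAL = (1024, 65535)


@dataclass(frozen=True)
class Rule:
    """One inbound NACL entry (hypothetical model). Ports are ignored for protocol 'all'."""
    number: int
    protocol: str   # "tcp", "udp", "icmp" or "all"
    port_from: int
    port_to: int
    cidr: str
    action: str     # "allow" or "deny"


def _compile(rules):
    """Sort by rule number (the order AWS evaluates) and parse CIDRs once."""
    return [(r, ipaddress.ip_network(r.cidr)) for r in sorted(rules, key=lambda r: r.number)]


def _decide(compiled, protocol, dport, src):
    for rule, net in compiled:
        if rule.protocol != "all" and rule.protocol != protocol:
            continue
        if rule.protocol != "all" and not (rule.port_from <= dport <= rule.port_to):
            continue
        if src in net:
            return rule.action          # first match wins
    return "deny"                       # the implicit '*' rule


def evaluate(rules, protocol: str, dport: int, src_ip: str) -> str:
    """Verdict for a single inbound packet. NACLs are stateless, so a reply
    packet is judged exactly like a new connection."""
    return _decide(_compile(rules), protocol, dport, ipaddress.ip_address(src_ip))


def nat_return_ports_blocked(rules, src_ip: str = "203.0.113.10") -> list[int]:
    """Ports in the NAT range on which a TCP reply from src_ip would be
    dropped by this inbound rule set. An empty list means NAT keeps working."""
    compiled = _compile(rules)
    src = ipaddress.ip_address(src_ip)
    lo, hi = NAT_EPHEMERAL
    return [p for p in range(lo, hi + 1) if _decide(compiled, "tcp", p, src) != "allow"]


# Constructed: the AWS default NACL, allow everything.
DEFAULT_INBOUND = [Rule(100, "all", 0, 65535, "0.0.0.0/0", "allow")]

# Constructed: a "hardening" attempt that denies RDP from the internet ahead of
# the allow-all. 3389 lies inside 1024-65535, so any translated connection the
# NAT gateway happened to assign port 3389 would have its replies dropped.
DENY_RDP_INBOUND = [
    Rule(90, "tcp", 3389, 3389, "0.0.0.0/0", "deny"),
    Rule(100, "all", 0, 65535, "0.0.0.0/0", "allow"),
]

# Constructed: only web ports allowed in, which breaks NAT entirely because
# replies never arrive on 80 or 443.
WEB_ONLY_INBOUND = [
    Rule(100, "tcp", 80, 80, "0.0.0.0/0", "allow"),
    Rule(110, "tcp", 443, 443, "0.0.0.0/0", "allow"),
]

# Constructed: the same, plus the explicit ephemeral-port allow the AWS docs describe.
WEB_AND_EPHEMERAL_INBOUND = WEB_ONLY_INBOUND + [
    Rule(120, "tcp", 1024, 65535, "0.0.0.0/0", "allow"),
]


if __name__ == "__main__":
    for name, rules in [("default", DEFAULT_INBOUND), ("deny-rdp", DENY_RDP_INBOUND),
                        ("web-only", WEB_ONLY_INBOUND), ("web+ephemeral", WEB_AND_EPHEMERAL_INBOUND)]:
        blocked = nat_return_ports_blocked(rules)
        print(f"{name:14s} blocks {len(blocked)} of the NAT gateway's reply ports")
```

The check is deliberately per-port rather than per-rule: a deny on a single port that looks harmless in isolation (3389 in the second rule set) still makes a fraction of outbound connections through the NAT gateway fail intermittently, which is exactly the hard-to-diagnose breakage the answer warns about.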