
I want to only ALLOW SSH and port 8000 connections on my EC2 machine in AWS.

I set my inbound and outbound connection to ALLOW port 22 and 8000 (see pictures below).
[image: inbound NACL rules] [image: outbound NACL rules]

But when I try to curl/SSH into the machine it does not work, unless I set ALL TCP ports to be open on the outbound connection (like in the picture below).

Of course, I can open all TCP ports, but I am doing this for the sake of experimenting with the NACL.

[image: outbound NACL rules with ALL TCP allowed]

Why?

Aldy syahdeini
  • Are you trying to SSH into the machine from 31.201.1.1? If you use curl from inside the instance to the outside network, you will have to let it talk to the entire outside network 0.0.0.0/0 in the outbound rules. And if you want to be able to SSH into your instance from a bastion host, you should have 2 public subnets (for bastion host and NAT gateway), 2 private subnets (for private instances) with 2 ACLs (to protect private subnets and public subnets). – Arnab Saha Dec 30 '19 at 15:16
  • Don't use (stateless) ACLs unless you understand them and you absolutely need them. Typically you do not need them and should simply use Security Groups, which are stateful. – jarmod Dec 30 '19 at 16:02
  • @ArnabSaha Thank you for the comments, I was doing it to learn about ACLs – Aldy syahdeini Dec 30 '19 at 16:27

1 Answer

6

This is due to ephemeral ports:

To enable the connection to a service running on an instance, the associated network ACL must allow both inbound traffic on the port that the service is listening on as well as allow outbound traffic from ephemeral ports. When a client connects to a server, a random port from the ephemeral port range (1024-65535) becomes the client's source port.

Reference: https://aws.amazon.com/premiumsupport/knowledge-center/resolve-connection-sg-acl-inbound/

AWS PS
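To make the stateless behaviour concrete, here is an added example (not code from the question, the answer, or AWS) that models how a network ACL evaluates each packet on its own: rules are tried in ascending rule-number order, matched on protocol, the packet's destination port and the remote CIDR, and an implicit catch-all deny sits at the end. It walks both halves of a TCP handshake, first for SSH from 31.201.1.1 (the address mentioned in the comments) into the instance, then for a curl from the instance out to the internet, which is the case Arnab Saha raises. The rule numbers, the instance address 10.0.0.5, the remote host 203.0.113.10, and the client source ports are constructed for illustration and are not from the original page.

```python
"""Stateless network ACL evaluation, modelled on the AWS rule semantics.

Added example; not code from the original question or answer. Rule numbers,
the instance address 10.0.0.5, the remote address 203.0.113.10 and the
ephemeral source ports 52344 / 49201 are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    number: int      # rules are evaluated in ascending order; first match wins
    protocol: str    # "tcp", "udp" or "all"
    port_from: int   # matched against the packet's DESTINATION port (inclusive)
    port_to: int
    cidr: str        # remote range: source for inbound, destination for outbound
    action: str      # "allow" or "deny"


# AWS appends an implicit catch-all deny ("*") to every network ACL.
DEFAULT_DENY = Rule(32767, "all", 0, 65535, "0.0.0.0/0", "deny")


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str = "tcp"


def evaluate(rules: List[Rule], pkt: Packet, direction: str) -> Tuple[str, int]:
    """Return (action, rule_number) for one packet in one direction.

    The NACL keeps no connection state, so every packet, including the reply
    half of a TCP handshake, is matched independently against the rule list.
    """
    remote_ip = pkt.src_ip if direction == "inbound" else pkt.dst_ip
    for rule in sorted(rules, key=lambda r: r.number) + [DEFAULT_DENY]:
        if rule.protocol not in ("all", pkt.protocol):
            continue
        if not (rule.port_from <= pkt.dst_port <= rule.port_to):
            continue
        if ipaddress.ip_address(remote_ip) not in ipaddress.ip_network(rule.cidr):
            continue
        return rule.action, rule.number
    raise AssertionError("unreachable: DEFAULT_DENY matches every packet")


def connection_verdict(inbound, outbound, client_ip, client_port,
                       server_ip, server_port, instance_is_client):
    """Evaluate the first packet of a TCP connection and the reply to it."""
    first = Packet(client_ip, client_port, server_ip, server_port)
    reply = Packet(server_ip, server_port, client_ip, client_port)
    if instance_is_client:   # e.g. curl from the instance to the internet
        return evaluate(outbound, first, "outbound"), evaluate(inbound, reply, "inbound")
    return evaluate(inbound, first, "inbound"), evaluate(outbound, reply, "outbound")


# The question's rule set: inbound and outbound both allow only 22 and 8000.
INBOUND = [
    Rule(100, "tcp", 22, 22, "0.0.0.0/0", "allow"),
    Rule(110, "tcp", 8000, 8000, "0.0.0.0/0", "allow"),
]
OUTBOUND_BROKEN = list(INBOUND)
# The answer's fix: additionally allow the ephemeral range outbound.
OUTBOUND_FIXED = OUTBOUND_BROKEN + [Rule(120, "tcp", 1024, 65535, "0.0.0.0/0", "allow")]
# What an instance-initiated HTTPS connection needs on top of that (constructed).
INBOUND_FULL = INBOUND + [Rule(120, "tcp", 1024, 65535, "0.0.0.0/0", "allow")]
OUTBOUND_FULL = OUTBOUND_FIXED + [Rule(130, "tcp", 443, 443, "0.0.0.0/0", "allow")]


def ssh_from_client(outbound):
    """SSH from 31.201.1.1 into the instance; client source port is ephemeral."""
    return connection_verdict(INBOUND, outbound, "31.201.1.1", 52344,
                              "10.0.0.5", 22, instance_is_client=False)


def curl_from_instance(inbound, outbound):
    """curl https://203.0.113.10 from the instance; reply lands on an ephemeral port."""
    return connection_verdict(inbound, outbound, "10.0.0.5", 49201,
                              "203.0.113.10", 443, instance_is_client=True)


if __name__ == "__main__":
    print("ssh, question's rules:", ssh_from_client(OUTBOUND_BROKEN))
    print("ssh, with ephemeral:  ", ssh_from_client(OUTBOUND_FIXED))
    print("curl, with ephemeral: ", curl_from_instance(INBOUND, OUTBOUND_FIXED))
    print("curl, full rule set:  ", curl_from_instance(INBOUND_FULL, OUTBOUND_FULL))
```

With the question's rules the inbound SYN to port 22 is allowed by rule 100, but the SYN-ACK going back out is addressed to the client's ephemeral port, matches neither 22 nor 8000, and falls through to the implicit deny, which is exactly the symptom in the question. Adding the 1024-65535 outbound rule repairs that, but it does nothing for connections the instance itself opens: those need the destination port allowed outbound and the ephemeral range allowed inbound, which is why a NACL that "only allows 22 and 8000" ends up far wider than it sounds and why the comments steer towards stateful security groups.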