I've been stuck looking at my screen for about 2 hours trying to figure out why this is not working.

I'm building the typical VPC with a private and a public subnet and trying to lock it down as much as possible.

I have a few security groups, but I know the issue is in the NACL, as if I relax the rules, everything works.

The problem I have is that I cannot access the internet (ports 80 and 443) from inside any of the EC2 instances in either the public or the private subnet.

I know the "problem rule" is inbound rule no. 1000, which allows all ephemeral ports from 10.0.0.0/16.

If I change this rule to apply to all sources (0.0.0.0/0), I can access the internet from all EC2 instances in both subnets (I'm testing this by running different apps, curl and yum mostly).

I'm just struggling to understand this behaviour, as the inbound rule should allow any EC2 instance to open an ephemeral port and talk to the router, and then the router can talk to ports 80 and 443 of any host.

I have the feeling I'm missing a simple, but crucial point here :).

EC2 instance does a curl on (port 80). In ASCII art, this is my understanding of the rules:

    EC2 vm (somewhere in 10.0.0.0/16:ephemeral)
      > NACL out (out rule 200 - ALLOW destination 0.0.0.0/0 on port 80): SYN packet out to establish the connection (ephemeral port on VM to port 80)
      > NACL in (in rule 100 - ALLOW source 0.0.0.0/0 on port 80): SYN + ACK packet in to continue the connection handshake
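The behaviour described in the post follows from two properties of network ACLs that the ASCII art above does not model: NACLs are stateless, and a rule's port range is matched against the packet's destination port, not its source port. The SYN+ACK coming back for the curl is sourced from the web server's public IP on port 80 and addressed to the instance's ephemeral port, so inbound rule 100 never matches it (its destination port is not 80), and with rule 1000 restricted to 10.0.0.0/16 no other rule matches either, so the packet hits the implicit deny. The Python script below is an added example, not code from the original post: it simulates NACL evaluation for the three handshake packets, once with the rules as posted and once with rule 1000 widened to 0.0.0.0/0. The instance address 10.0.1.10, the web server address 203.0.113.10 and the ephemeral port are constructed values, and the outbound rule set is assumed to contain only the posted rule 200.

```python
"""Stateless NACL evaluator for an outbound curl's TCP handshake (added example)."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Rule:
    number: int       # NACL rule number; lower numbers are evaluated first
    cidr: str         # inbound: source CIDR, outbound: destination CIDR
    proto: str        # "tcp", "udp", or "-1" for all protocols
    port_from: int    # matched against the packet's DESTINATION port
    port_to: int
    action: str       # "allow" or "deny"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


def evaluate(rules, packet, direction):
    """Return (action, rule_number) for one packet in one direction.

    NACL semantics: stateless, rules evaluated in ascending number order,
    first match wins, no match -> implicit deny (rule "*").
    Inbound rules match the packet's source address, outbound rules the
    destination address; the port range is always the destination port.
    """
    ip = ipaddress.ip_address(packet.src_ip if direction == "inbound" else packet.dst_ip)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.proto not in ("-1", packet.proto):
            continue
        if ip not in ipaddress.ip_network(rule.cidr):
            continue
        if rule.proto != "-1" and not (rule.port_from <= packet.dst_port <= rule.port_to):
            continue
        return rule.action, rule.number
    return "deny", "*"


# Constructed addresses: an instance inside the post's 10.0.0.0/16 VPC and a
# public web server (TEST-NET-3, documentation range).
INSTANCE = "10.0.1.10"
WEB = "203.0.113.10"
EPHEMERAL = 51234

# Rules as posted (only rule 200 is known for the outbound side).
OUTBOUND = [Rule(200, "0.0.0.0/0", "tcp", 80, 80, "allow")]
INBOUND_AS_POSTED = [
    Rule(100, "0.0.0.0/0", "tcp", 80, 80, "allow"),
    Rule(1000, "10.0.0.0/16", "tcp", 1024, 65535, "allow"),
]
# Same rules with the ephemeral-port source widened, which is what made it work.
INBOUND_FIXED = [
    Rule(100, "0.0.0.0/0", "tcp", 80, 80, "allow"),
    Rule(1000, "0.0.0.0/0", "tcp", 1024, 65535, "allow"),
]


def handshake_packets():
    """The three packets of the curl's TCP handshake, each with its NACL direction."""
    syn = Packet(INSTANCE, EPHEMERAL, WEB, 80)       # instance -> web server
    syn_ack = Packet(WEB, 80, INSTANCE, EPHEMERAL)   # web server -> instance (dst port is ephemeral!)
    ack = Packet(INSTANCE, EPHEMERAL, WEB, 80)       # instance -> web server
    return [("outbound", "SYN", syn), ("inbound", "SYN+ACK", syn_ack), ("outbound", "ACK", ack)]


def trace(inbound, outbound):
    """Evaluate the handshake against a rule set; returns [(packet, action, rule), ...]."""
    results = []
    for direction, name, pkt in handshake_packets():
        action, num = evaluate(inbound if direction == "inbound" else outbound, pkt, direction)
        results.append((name, action, num))
    return results


if __name__ == "__main__":
    for label, rules in (("as posted", INBOUND_AS_POSTED), ("rule 1000 -> 0.0.0.0/0", INBOUND_FIXED)):
        print(f"inbound rules {label}:")
        for name, action, num in trace(rules, OUTBOUND):
            print(f"  {name:8} {action:5} (rule {num})")
    # The equivalent change on a real NACL; acl-xxxxxxxx is a placeholder id:
    #   aws ec2 replace-network-acl-entry --network-acl-id acl-xxxxxxxx --ingress \
    #       --rule-number 1000 --protocol tcp --port-range From=1024,To=65535 \
    #       --cidr-block 0.0.0.0/0 --rule-action allow
```

With the posted rules the SYN and ACK leave under rule 200, but the SYN+ACK is denied by the implicit "*" rule, which is exactly the symptom of curl and yum hanging. The same reasoning applies to port 443 and to any other outbound destination: because the ACL is stateless, the inbound ephemeral-port rule's source must cover every remote host the instances talk to, which for internet access means 0.0.0.0/0. If you want the "only replies to connections we opened" semantics the post expects, that is what a security group (stateful) provides; a NACL cannot express it.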