Network ACLs for private subnet (with NAT Gateway)

I have created two subnets in my VPC (10.11.0.0/22):

  • public subnet - 10.11.0.128/27
  • private subnet - 10.11.0.0/26

I have also created a NAT gateway in the public subnet and attached it to the private subnet so that instances in the private subnet can access the internet.

So everything is working: I have created a Linux instance in the public subnet, and I can SSH to it and also access the internet. The same is the case with the private subnet instances; I can log in to the private instances through the public instances.

But after applying the following Network ACLs:

Inbound Rules (screenshot not included)

Outbound Rules (screenshot not included)

I can access the internet from my public instances but cannot access it from the private instance.

What would be the correct Network ACLs in order to access the internet from the private instances?


Solution 1:

NAT Gateways are not servers, so they have no reason to use only the traditional ephemeral port range. As noted in the documentation:

A NAT gateway uses ports 1024–65535

https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html

So your NACL is too restrictive for a NAT Gateway to function properly.

If you are determined to use Network ACLs in your VPC, you may want to create a new public subnet for the NAT Gateway that does not use a customized NACL, because there is nothing to secure on a NAT Gateway -- they are intrinsically secure because (a) they discard any traffic they don't recognize, (b) they don't allow inbound port mapping, and (c) they aren't servers, so have no need to restrict access to the gateway itself.

Additionally, for a NAT Gateway, the rules on both NACLs apply to traffic in both directions (albeit in different contexts and subject to port translation) and this makes meaningful rules more complex -- i.e. the "inbound" list applies to traffic "in" from the Internet as well as traffic "in" to the gateway from the instances (which is outbound to the Internet) and the "outbound" list applies to traffic "out" to the Internet and "out" to the instances (inbound from the Internet).
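As an added illustration (not part of the question or of the answer above): a small Python model of stateless NACL evaluation, run over the six NACL checks a NAT-gateway round trip crosses, in the order the answer describes (private outbound, public inbound, public outbound on the way out; public inbound, public outbound, private inbound on the way back). The subnet CIDRs are the question's; the rule numbers, the instance address 10.11.0.10, the remote address 93.184.216.34:443 and the NAT source-port values are constructed assumptions. It shows why a public-subnet NACL that only admits the Linux ephemeral range 32768-65535 works for some NAT connections and silently drops others, and that widening that one rule to 1024-65535 fixes it.

```python
"""Stateless NACL model for a NAT-gateway round trip (added example, not AWS code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    number: int      # NACL rules are evaluated in ascending rule-number order
    action: str      # "allow" or "deny"
    protocol: str    # "tcp", "udp", "icmp" or "-1" (all)
    cidr: str        # source CIDR for inbound rules, destination CIDR for outbound rules
    port_from: int   # destination-port range of the packet being evaluated
    port_to: int


@dataclass(frozen=True)
class Nacl:
    inbound: tuple
    outbound: tuple


def match(rules, proto, addr, dport):
    """Lowest-numbered matching rule decides; no match means the implicit '*' deny."""
    for r in sorted(rules, key=lambda r: r.number):
        if (r.protocol in ("-1", proto)
                and ip_address(addr) in ip_network(r.cidr)
                and r.port_from <= dport <= r.port_to):
            return r.action == "allow"
    return False


def nat_round_trip(public, private, client_ip, client_port,
                   remote_ip, remote_port, nat_port, proto="tcp"):
    """Walk every NACL check on the path private instance -> NAT GW -> internet and back.

    nat_port is the source port the gateway picks for the translated connection
    (AWS documents the range 1024-65535). Returns the name of the first check that
    denies the packet, or None when the whole flow passes. Security groups (stateful)
    are deliberately not modelled; only the stateless NACLs are.
    """
    checks = [
        # outbound leg: instance -> NAT gateway -> internet
        ("private outbound to remote", private.outbound, remote_ip, remote_port),
        ("public inbound from private instance", public.inbound, client_ip, remote_port),
        ("public outbound to remote", public.outbound, remote_ip, remote_port),
        # return leg: internet -> NAT gateway -> instance
        ("public inbound from remote (NAT port)", public.inbound, remote_ip, nat_port),
        ("public outbound to private instance", public.outbound, client_ip, client_port),
        ("private inbound from remote", private.inbound, remote_ip, client_port),
    ]
    for name, rules, addr, dport in checks:
        if not match(rules, proto, addr, dport):
            return name
    return None


# Private subnet 10.11.0.0/26: SSH from the bastion subnet, HTTP/HTTPS out, replies back.
PRIVATE = Nacl(
    inbound=(Rule(100, "allow", "tcp", "10.11.0.128/27", 22, 22),     # SSH from public subnet
             Rule(110, "allow", "tcp", "0.0.0.0/0", 32768, 65535)),   # replies to Linux ephemeral ports
    outbound=(Rule(100, "allow", "tcp", "0.0.0.0/0", 80, 80),
              Rule(110, "allow", "tcp", "0.0.0.0/0", 443, 443),
              Rule(120, "allow", "tcp", "10.11.0.128/27", 32768, 65535)),  # SSH replies to bastion
)

# Public subnet 10.11.0.128/27 with a typical "server" NACL: the return-traffic rule only
# admits 32768-65535, which is too narrow for the 1024-65535 range a NAT gateway uses.
PUBLIC_TOO_RESTRICTIVE = Nacl(
    inbound=(Rule(100, "allow", "tcp", "0.0.0.0/0", 22, 22),
             Rule(110, "allow", "tcp", "10.11.0.0/26", 0, 65535),     # anything from private subnet
             Rule(120, "allow", "tcp", "0.0.0.0/0", 32768, 65535)),
    outbound=(Rule(100, "allow", "tcp", "0.0.0.0/0", 0, 65535),),
)

# Same NACL with rule 120 widened to the documented NAT gateway port range.
PUBLIC_FIXED = Nacl(
    inbound=(Rule(100, "allow", "tcp", "0.0.0.0/0", 22, 22),
             Rule(110, "allow", "tcp", "10.11.0.0/26", 0, 65535),
             Rule(120, "allow", "tcp", "0.0.0.0/0", 1024, 65535)),
    outbound=(Rule(100, "allow", "tcp", "0.0.0.0/0", 0, 65535),),
)


if __name__ == "__main__":
    flow = ("10.11.0.10", 45000, "93.184.216.34", 443)   # constructed sample connection
    for label, nacl in (("too restrictive", PUBLIC_TOO_RESTRICTIVE), ("fixed", PUBLIC_FIXED)):
        for nat_port in (1500, 40000):                   # two ports the gateway might pick
            verdict = nat_round_trip(nacl, PRIVATE, *flow, nat_port)
            print(f"{label:16} NAT port {nat_port:5}: {verdict or 'allowed'}")
```

The intermittent failure is the point: with the restrictive NACL the same private instance reaches the internet when the gateway happens to pick a port at or above 32768 and times out when it picks one below, so a single successful curl proves nothing. The model also makes the answer's "both directions" remark concrete: the public subnet's inbound list is consulted once for the instance's packet arriving at the gateway and again for the remote host's reply, and its outbound list once for each direction as well.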