Network ACLs for private subnet (with NAT Gateway)

networking amazon-web-services nat routing

I have created two subnets in my vpc (10.11.0.0/22)

  • public subnet - 10.11.0.128/27
  • private subnet - 10.11.0.0/26

I have also created the NAT gateway in public subnet and attached it to private subnet so that instances in private subnet can access the internet.

So everything is working, I have created Linux instance in public subnet and I can do ssh and also access internet. Same is the case with private subnet instances, I can login to private instances through public instances.

But after applying Network ACLs

Inbound Rules

Inbound Rules

Outbound Rules

Outbound Rules

I can access the internet from my public instances but could not access it through the private instance.

What would be correct Network ACLs for in order to access internet from private instances?


Solution 1:

NAT Gateways are not servers, so they have no reason to use only the traditional ephemeral port range. As noted in the documentation:

A NAT gateway uses ports 1024–65535

https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html

So your NACL is too restrictive for a NAT Gateway to function properly.

If you are determined to use Network ACLs in your VPC, you may want to create a new public subnet for the NAT Gateway that does not use a customized NACL because there is nothing to secure on a NAT Gateway -- they are intrinsically secure because (a) they discard any traffic they don't recognize, (b) they don't allow inbound port mapping, and (c) they aren't servers so have no need for restricting access to the gateway, itself.

Additionally, for a NAT Gateway, the rules on both NACLs apply to traffic in both directions (albeit in different contexts and subject to port translation) and this makes meaningful rules more complex -- i.e. the "inbound" list applies to traffic "in" from the Internet as well as traffic "in" to the gateway from the instances (which is outbound to the Internet) and the "outbound" list applies to traffic "out" to the Internet and "out" to the instances (inbound from the Internet).

Related

Unauthorized remote connections using security camera [closed]
Filesystem to protect the storage medium
Strongswan to Cisco ASA with multiple right subnet
Running su with -c gives unrecognized command error
finding which tier 1 or isp to connect to to reduce latency [closed]
Nginx location matching with regex year/month/day/*
How to extract specific emails from Exchange Online using PowerShell and move or sort them?
Java Jar file: use resource errors: URI is not hierarchical
How to change placeholder color on focus?
Running a node express server using webpack-dev-server
Stream Way to get index of first element matching boolean
Can I adjust the "100+ matches in X files" from Intellijs "find in path"