I have an EC2 instance and an ACL attached to it. My instance must be reachable only from a certain IP address (let's say 10.20.30.40) on ports 22, 80 and 443, so the ACL for this case has the following inbound rules:
1. 95 TCP 22 10.20.30.40/32 Allow
2. 100 TCP 443 10.20.30.40/32 Allow
3. 105 TCP 80 10.20.30.40/32 Allow
4. * All All 0.0.0.0/0 Deny
The outbound rules are as follows:
1. 100 All All 0.0.0.0/0 Allow
2. * All All 0.0.0.0/0 Deny
It seems there should be no problem accessing the Internet from the EC2 instance, but I can't. It becomes possible only when I allow inbound traffic by adding at least:
5. 110 ICMP-IPv4 All 0.0.0.0/0 Allow
…or allow absolutely all inbound traffic.
Why does this happen, and how can I limit inbound traffic without opening the EC2 instance to other IP addresses?
2 Answers
Thanks to the guys who mentioned ephemeral ports, I found the following solution: I added two more records to the ACL: allowed IPv4 traffic and allowed TCP ephemeral ports.
This works for both "ping google.com" and "yum update". On the one hand, I allow inbound traffic on 22, 80 and 443 for only one IP; on the other hand, the rest of the security is covered by the Security Group, which has only three open inbound ports: 22, 80 and 443 (the CIDR in the Security Group is 0.0.0.0/0).
Your issue with accessing resources on the Internet from your instance is because of ephemeral ports.
You allow all outbound traffic, but when it returns it will be blocked by your inbound rules.
If the traffic is initiated from the IP you mention, it will work fine to use those specific ports. But when it is initiated from your instance, it will fail because the return traffic is blocked.
Please check the documentation below.
https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html#nacl-ephemeral-ports
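As an added example (not code from the question, the answers, or AWS), here is a small Python simulation of the stateless NACL evaluation both answers describe: rules are checked in ascending number order, the first match wins, and the trailing "*" rule denies. The remote addresses and port numbers are constructed; the 1024-65535 ephemeral range is the one the linked AWS documentation uses for NACL rules.

```python
from ipaddress import ip_address, ip_network

# Rule = (number, protocol, (low_port, high_port) or None for all ports, CIDR, action).
# Inbound rules match on source address and destination port; outbound rules match on
# destination address and destination port. NACLs are stateless, so a TCP session
# needs BOTH its request packet and its reply packet to pass.
INBOUND = [
    (95, "tcp", (22, 22), "10.20.30.40/32", "allow"),
    (100, "tcp", (443, 443), "10.20.30.40/32", "allow"),
    (105, "tcp", (80, 80), "10.20.30.40/32", "allow"),
]
OUTBOUND = [(100, "all", None, "0.0.0.0/0", "allow")]
# The fix from the accepted answer: an inbound allow for the TCP ephemeral range
# (rule number 110 is assumed; any number above 105 keeps the /32 rules first).
EPHEMERAL_RULE = (110, "tcp", (1024, 65535), "0.0.0.0/0", "allow")


def evaluate(rules, proto, port, addr):
    """Lowest rule number first, first match wins, implicit '*' deny at the end."""
    for _num, r_proto, r_ports, r_cidr, action in sorted(rules, key=lambda r: r[0]):
        if r_proto != "all" and r_proto != proto:
            continue
        if r_ports is not None and not (r_ports[0] <= port <= r_ports[1]):
            continue
        if ip_address(addr) not in ip_network(r_cidr):
            continue
        return action
    return "deny"


def tcp_session_allowed(inbound, outbound, remote_ip, remote_port, local_port,
                        instance_initiates):
    """True only if the request and the reply both pass the stateless ACL."""
    if instance_initiates:
        # Request leaves the instance towards remote_ip:remote_port ...
        request = evaluate(outbound, "tcp", remote_port, remote_ip)
        # ... and the reply comes back to the instance's ephemeral local_port.
        reply = evaluate(inbound, "tcp", local_port, remote_ip)
    else:
        # A remote client connects to the instance's service port ...
        request = evaluate(inbound, "tcp", local_port, remote_ip)
        # ... and the reply goes back to the client's ephemeral remote_port.
        reply = evaluate(outbound, "tcp", remote_port, remote_ip)
    return request == "allow" and reply == "allow"
```

Note that with the ephemeral rule in place the NACL alone no longer blocks inbound connections from arbitrary addresses to high ports, which is why the accepted answer still relies on the stateful Security Group to expose only 22, 80 and 443.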