Why can't I connect to a service when the security group and network ACL allow inbound traffic?


I can't connect to a service running on an Amazon Elastic Compute Cloud (Amazon EC2) instance. I allowed inbound traffic to the necessary ports in both the security group and the network access control list (network ACL), but it's still not working.

Short description

Security groups are stateful, so allowing inbound traffic to the necessary ports is enough for the connection to work; the return traffic is permitted automatically. Network ACLs are stateless, so you must explicitly allow both the inbound request traffic and the outbound return traffic.

Resolution

To allow connections to a service running on an instance, the associated network ACL must allow the following:

  • Inbound traffic on the port that the service is listening on.
  • Outbound traffic to ephemeral ports.

When a client connects to a server, a random port from the ephemeral port range (1024-65535) becomes the client's source port.

That ephemeral port becomes the destination port for the return traffic from the service, so outbound traffic to the ephemeral port range must be allowed in the network ACL. For more information on modifying network ACL rules, see Add and delete rules.

By default, network ACLs allow all inbound and outbound traffic. If your network ACL is more restrictive, then you must explicitly allow traffic to the ephemeral port range.
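As an added illustration (not part of the original article and not an AWS API), the following pure-Python model evaluates a set of constructed network ACL rules the way the service does (ascending rule number, first match wins, implicit deny when nothing matches) and checks a TCP connection in both directions. It shows that an inbound allow for the service port alone fails, that adding an outbound allow for the ephemeral range fixes it, and that a lower-numbered deny rule shadows a later allow.

```python
"""Stateless network ACL check: request direction AND return direction."""
from dataclasses import dataclass

EPHEMERAL_RANGE = (1024, 65535)  # ephemeral port range cited in the article


@dataclass(frozen=True)
class AclRule:
    number: int      # rules are evaluated from the lowest number upward
    action: str      # "allow" or "deny"
    protocol: str    # "tcp", "udp" or "all"
    port_from: int
    port_to: int


def evaluate(rules, protocol, port):
    """True if a packet with this protocol/destination port is allowed.
    First matching rule decides; no match means the implicit '*' deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ("all", protocol):
            continue
        if rule.port_from <= port <= rule.port_to:
            return rule.action == "allow"
    return False


def connection_allowed(inbound, outbound, service_port, client_port, protocol="tcp"):
    """A stateless ACL must pass the client's request (inbound, destination =
    service port) and the reply (outbound, destination = client's ephemeral port)."""
    return (evaluate(inbound, protocol, service_port)
            and evaluate(outbound, protocol, client_port))


# Constructed sample rule sets: a restrictive ACL that only opened inbound HTTPS.
INBOUND = [AclRule(100, "allow", "tcp", 443, 443)]
OUTBOUND_MISSING = []                                          # implicit deny only
OUTBOUND_FIXED = [AclRule(100, "allow", "tcp", *EPHEMERAL_RANGE)]
OUTBOUND_SHADOWED = [AclRule(90, "deny", "tcp", *EPHEMERAL_RANGE),
                     AclRule(100, "allow", "tcp", *EPHEMERAL_RANGE)]


def demo(client_port=50123):
    """client_port is a constructed ephemeral source port chosen by the client."""
    return {
        "without_ephemeral_rule": connection_allowed(INBOUND, OUTBOUND_MISSING, 443, client_port),
        "with_ephemeral_rule": connection_allowed(INBOUND, OUTBOUND_FIXED, 443, client_port),
        "deny_shadows_allow": connection_allowed(INBOUND, OUTBOUND_SHADOWED, 443, client_port),
    }


if __name__ == "__main__":
    print(demo())
```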

Note: If you accept traffic from the internet, then you also must establish a route through an internet gateway. If you accept traffic over a VPN, AWS Direct Connect, or transit gateway, then you must establish a corresponding route. To establish a corresponding route, see Step 2: Create a target gateway.

To troubleshoot network ACL issues further, see Logging IP traffic using VPC Flow Logs and Troubleshoot VPC Flow Logs.

Related information

Control traffic to subnets using Network ACLs

Control traffic to resources using security groups

AWS OFFICIAL
Updated a month ago