Skip to content
By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

Accessing Sendgrid SMTP endpoint through NACL

0

Hi there! I’m facing a weird issue trying to access Sendgrid SMTP endpoint from a service running in EKS. There is NACL associated with the subnets that NAT-GW is on.
According to this:

# host smtp.sendgrid.net
smtp.sendgrid.net has address 54.228.39.88
smtp.sendgrid.net has address 18.197.194.208
smtp.sendgrid.net has address 52.57.139.126
smtp.sendgrid.net has address 108.128.229.184

In the associated Network ACL, I have:

  1. Egress rules that allow traffic to all four above IPs on TCP port 587
  2. Ingress rules that allow traffic from all four above IPs on TCP port 1024-65535

Just to add: I already have an ingress rule that allow inbound traffic from 0.0.0.0/0 on the ephemeral port range (1024-65535)

But it doesn’t work, unless I allow Ingress traffic to 0.0.0.0/0 on port 587. In stead of doing 0.0.0.0/0, I also tried adding the same egress rules to ingress, without any joy. The ONLY thing that works is allowing traffic to 0.0.0.0/0 on port 587 and nothing else. Does any know why I cannot restrict the Ingress rules to those 4 Sendgrid IPs?

-S

Topics
AWS Well-Architected Framework
Tags
Network SecuritySecurity
Language
English
asked a year ago538 views
3 Answers
0

Thanks for the screen shots. Sounds like your Ephemeral port is 587 from your EKS service. I would use something like VPC flow logs to find the source port from your EKS service.

As NACLs are stateless, as you are configuring you will need ports open for the return traffic. See if you can figure out the source port from your EKS Service. Usually rule 400 would cover it but somethings afoot here.

You can create 4 rules as follows set to ALLOW to limit access on the INBOUND ACL if the Ephemeral port (Source) port is 587

TypeProtocolPort RangeSource
Custom TCPTCP (6)58754.228.39.88/32
Custom TCPTCP (6)58718.197.194.208/32
Custom TCPTCP (6)58752.57.139.126/32
Custom TCPTCP (6)587108.128.229.184/32

Gary

EXPERT
answered a year ago
AWS
EXPERT
reviewed a year ago
  • Santanu
    a year ago

    Hi! thanks for you reply. Just trying to understand clearly. I think I already have those Inbound rules - #600, #604, #608 and #612 - isn't it doing that?

    -S

  • Gary Mclean EXPERT
    a year ago

    im not a fan of nacls.. let me update it. i am wrong

  • Gary Mclean EXPERT
    a year ago

    I wrote this first then changed direction. My new answer seems the logical reason for your issue.

  • Santanu
    a year ago

    I think, we already established that the return traffic has to come from port 587 but the issue that I'm trying to get to bottom of is why I have to allow entier 0.0.0.0/0 for that, as I already have the inbound allowed from those 4 specific IPs on port 587.

    Am I missing something here?

  • Santanu
    a year ago

    okay, I think I figured out: For a strange reason, which I yet to understand, I need an Inbound rule, allowing traffic from EKS VPC CIDR on port 587.....

    701   Custom TCP   TCP (6)   587   10.xx.xx.0/22   Allow

    ...... without anyother Ingress allow on port 587 from any of the piblic IP and that's the reason, it seems like it was working only from 0.0.0.0/0

    thanks @Gary Mclean for giving me the idea of cheking the VPC flow log. Now the next mystery to solve why it needs an allow from a private CIDR. -S

0

The issue you're experiencing with accessing the Sendgrid SMTP endpoint from your EKS service is likely related to how Network Access Control Lists (NACLs) handle return traffic for outbound connections.

When your service initiates an outbound connection to the Sendgrid SMTP endpoint on port 587, the return traffic from Sendgrid will use an ephemeral port (typically in the range of 1024-65535). This return traffic needs to be allowed by your NACL's inbound rules.

The reason why allowing traffic to 0.0.0.0/0 on port 587 works is that it's permitting all inbound traffic on that port, regardless of the source IP. However, this is not the ideal solution from a security standpoint.

To resolve this issue while maintaining better security practices, you should:

  1. Keep your current egress rules allowing outbound traffic to the specific Sendgrid IP addresses on TCP port 587.

  2. For the ingress rules, instead of specifying the Sendgrid IP addresses, you should allow inbound traffic from 0.0.0.0/0 (or your VPC CIDR if you want to be more restrictive) on the ephemeral port range (1024-65535). This will allow the return traffic from Sendgrid to reach your service.

  3. Ensure that your security groups are also configured correctly to allow this traffic.

Remember that NACLs are stateless, meaning they don't automatically allow return traffic like security groups do. This is why you need to explicitly allow the inbound traffic on the ephemeral ports.

If you still experience issues after making these changes, you may need to investigate further, checking your VPC configuration, route tables, and ensuring that your NAT Gateway is properly set up to allow outbound internet access from your private subnets.
Sources
Troubleshoot connection to AWS service endpoints from Linux | AWS re:Post
Network ACLs for transit gateways in Amazon VPC Transit Gateways - Amazon VPC

answered a year ago
AWS
EXPERT
reviewed a year ago
0

@Gary Mclean, didn't figure out how exactly to share, but here is the screenshots:

Ingress NACL rules

Egress NACL rules

Without the highlighted rule (#701) access to SMTP doesn't work.

-S

answered a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Relevant content