Why can't I connect to a service when the security group and network ACL allow inbound traffic?

Last updated: 2021-03-03

I can't connect to a service running on an Amazon Elastic Compute Cloud (Amazon EC2) instance. I enabled inbound traffic to the necessary ports in both the security group and the network access control list (network ACL), but it's still not working. How can I fix this?

Short description

Security groups are stateful, so allowing inbound traffic to the necessary ports is enough: the return traffic for an allowed connection is permitted automatically. Network ACLs are stateless, so you must explicitly allow both the inbound request and the outbound return traffic.

Resolution

To enable the connection to a service running on an instance, the associated network ACL must allow both:

  • Inbound traffic on the port that the service is listening on
  • Outbound traffic to ephemeral ports

When a client connects to a server, a random port from the ephemeral port range (1024-65535) becomes the client's source port.

The designated ephemeral port becomes the destination port for return traffic from the service. Outbound traffic to the ephemeral port must be allowed in the network ACL. For more information on modifying network ACL rules, see Adding and deleting rules.

By default, network ACLs allow all inbound and outbound traffic. If your network ACL is more restrictive, then you need to explicitly allow traffic to the ephemeral port range.
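The following is an added example, not part of this AWS article, that evaluates a network ACL's entries statelessly the way the article describes: lowest rule number that matches wins, no match means deny, and a connection only works if the inbound request and the outbound reply to the client's ephemeral port are both allowed. The entry dictionaries use the field names from `aws ec2 describe-network-acls` output; the ACLs themselves are constructed for the example.

```python
import ipaddress

def _matches(entry, proto, port, remote_ip):
    """True if one ACL entry covers this protocol, port and remote address."""
    if entry["Protocol"] not in ("-1", proto):       # "-1" means all protocols
        return False
    pr = entry.get("PortRange")                       # absent on all-protocol rules
    if pr and not (pr["From"] <= port <= pr["To"]):
        return False
    return ipaddress.ip_address(remote_ip) in ipaddress.ip_network(entry["CidrBlock"])

def acl_allows(entries, egress, proto, port, remote_ip):
    """Evaluate one direction: first match by ascending RuleNumber decides,
    and no match falls through to the implicit '*' deny rule."""
    direction = (e for e in entries if e["Egress"] == egress)
    for e in sorted(direction, key=lambda e: e["RuleNumber"]):
        if _matches(e, proto, port, remote_ip):
            return e["RuleAction"] == "allow"
    return False

def connection_allowed(entries, client_ip, service_port, client_port, proto="6"):
    """A TCP connection needs inbound to service_port AND outbound to the
    client's ephemeral source port; a stateless ACL checks both separately."""
    inbound = acl_allows(entries, False, proto, service_port, client_ip)
    outbound = acl_allows(entries, True, proto, client_port, client_ip)
    return inbound and outbound

# Constructed ACL: inbound 443 allowed, but outbound only allows port 443,
# so replies to the client's ephemeral port are dropped.
BROKEN_ACL = [
    {"RuleNumber": 100, "Egress": False, "Protocol": "6", "RuleAction": "allow",
     "PortRange": {"From": 443, "To": 443}, "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 100, "Egress": True, "Protocol": "6", "RuleAction": "allow",
     "PortRange": {"From": 443, "To": 443}, "CidrBlock": "0.0.0.0/0"},
]
# The fix the article describes: an outbound allow for the ephemeral range.
FIXED_ACL = BROKEN_ACL + [
    {"RuleNumber": 110, "Egress": True, "Protocol": "6", "RuleAction": "allow",
     "PortRange": {"From": 1024, "To": 65535}, "CidrBlock": "0.0.0.0/0"},
]

if __name__ == "__main__":
    print(connection_allowed(BROKEN_ACL, "203.0.113.10", 443, 50000))  # False
    print(connection_allowed(FIXED_ACL, "203.0.113.10", 443, 50000))   # True
```

Feeding the `Entries` list from a real `describe-network-acls` call into `connection_allowed` shows quickly whether a failing connection is being blocked on the return path rather than on the inbound rule.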

Note: If you accept traffic from the internet, then you also must establish a route through an internet gateway. If you accept traffic over VPN or AWS Direct Connect, then you must establish a route through a virtual private gateway.

