Why can't I connect to a service when the security group and network ACL allow inbound traffic?

Last updated: 2022-11-29

I can't connect to a service running on an Amazon Elastic Compute Cloud (Amazon EC2) instance. I allowed inbound traffic to the necessary ports in both the security group and the network access control list (network ACL), but it's still not working. How can I fix this?

Short description

Security groups are stateful, so allowing inbound traffic to the necessary ports is enough: the return traffic is allowed automatically. Network ACLs are stateless, so you must explicitly allow both the inbound request traffic and the outbound return traffic.

Resolution

For a client to connect to a service running on an instance, the network ACL associated with the instance's subnet must allow both of the following:

  • Inbound traffic on the port that the service is listening on
  • Outbound traffic to ephemeral ports

When a client connects to a server, a random port from the ephemeral port range (1024-65535) becomes the client's source port.

That ephemeral port becomes the destination port for return traffic from the service, so the network ACL must allow outbound traffic to it. For more information on modifying network ACL rules, see Add and delete rules.

By default, network ACLs allow all inbound and outbound traffic. If your network ACL is more restrictive, then you need to explicitly allow traffic to the ephemeral port range.
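The following added example (not part of the AWS article) simulates the stateless evaluation described above: the request is checked against the inbound rules and the reply is checked separately against the outbound rules, with rules evaluated lowest number first and an implicit final deny. The rule sets, the service port 443 and the client's ephemeral port 51234 are constructed for illustration.

```python
"""Simulate stateless network ACL evaluation for one TCP connection.

Added example, not part of the AWS article. Rules are evaluated in
ascending rule-number order, the first match wins, and anything no
numbered rule matches hits the implicit final '*' deny rule.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int       # evaluation order: lowest number first
    port_from: int    # inclusive destination port range
    port_to: int
    action: str       # "allow" or "deny"


def evaluate(rules, dst_port):
    """Return the action of the first rule matching dst_port, or the
    implicit 'deny' when no numbered rule matches."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.port_from <= dst_port <= rule.port_to:
            return rule.action
    return "deny"


def connection_allowed(inbound, outbound, service_port, client_port):
    """A network ACL is stateless: the request (client -> service_port)
    must pass the inbound rules, and the reply (service -> client_port)
    must independently pass the outbound rules."""
    request_ok = evaluate(inbound, service_port) == "allow"
    reply_ok = evaluate(outbound, client_port) == "allow"
    return request_ok and reply_ok


# Constructed scenario: HTTPS service on 443, client source port 51234.
INBOUND = [Rule(100, 443, 443, "allow")]
# Common mistake: outbound rules simply mirror the inbound rule, so the
# reply to the client's ephemeral port is denied.
OUTBOUND_BROKEN = [Rule(100, 443, 443, "allow")]
# Fix: allow outbound traffic to the ephemeral port range 1024-65535.
OUTBOUND_FIXED = [Rule(100, 1024, 65535, "allow")]

if __name__ == "__main__":
    print(connection_allowed(INBOUND, OUTBOUND_BROKEN, 443, 51234))  # False
    print(connection_allowed(INBOUND, OUTBOUND_FIXED, 443, 51234))   # True
```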

Note: If you accept traffic from the internet, then you also must establish a route through an internet gateway. If you accept traffic over VPN/AWS Direct Connect/Transit Gateway, then you must establish a corresponding route through a virtual private gateway/transit gateway.