
I have an EC2 instance in a public subnet, and its traffic flows through an internet gateway.

Now I have a requirement to block all outgoing traffic from the EC2 instance.

I have tried to restrict the traffic with Network ACLs.

I have allowed the SSH port 22 with rule number 100.

I have then blocked all traffic with the deny option and rule number 200.

I have made the above change in the outbound rules of the Network ACL that is attached to the VPC.

But after applying this to the EC2 instance, I am not able to SSH in either. Login is not happening.

How do I achieve this? I want to block all outgoing traffic, but SSH should still work.

  • You've probably blocked the ephemeral ports (en.wikipedia.org/wiki/Ephemeral_port). Your question is a bit odd though, you should be blocking port 22 inbound, not outbound.
    – Tim
    Commented Jan 23 at 6:47


Network ACLs in AWS are not stateful, so you have to manage both inbound and outbound traffic. By blocking all traffic other than 22, you've blocked all the outbound connections, unless your SSH client is using port 22 outbound (which is unlikely).

From https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html#nacl-basics:

NACLs are stateless, which means that information about previously sent or received traffic is not saved. If, for example, you create a NACL rule to allow specific inbound traffic to a subnet, responses to that traffic are not automatically allowed. This is in contrast to how security groups work. Security groups are stateful, which means that information about previously sent or received traffic is saved. If, for example, a security group allows inbound traffic to an EC2 instance, responses are automatically allowed regardless of outbound security group rules.

You should look at Security Groups instead, which are stateful and therefore will allow the outbound response leg of an inbound connection. You can use this to block all but 22 inbound, and all outbound (when initiated from the EC2).

Also: if you just need SSH into this EC2 and no other inbound traffic, you should really look at Session Manager (part of Systems Manager). This uses an agent on the EC2 to provide shell access without exposing traffic to the internet, only AWS services via NAT. So no inbound ports required! https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager.html
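As an added illustration (not code from the question, the answer, or AWS), the Python model below evaluates the question's outbound NACL rules (100 allow port 22, 200 deny all) against the SSH server's reply packet, then shows a stateful security group handling the same packet. The client ephemeral port 51234 is a constructed sample value and the 1024-65535 ephemeral range follows the AWS NACL guidance; both are assumptions of the model.

```python
from dataclasses import dataclass

# Range AWS recommends opening for return traffic on stateless NACLs (assumption).
EPHEMERAL = range(1024, 65536)
ALL_PORTS = range(0, 65536)


@dataclass(frozen=True)
class Packet:
    proto: str
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class Rule:
    number: int      # NACL rules are evaluated in ascending number order
    proto: str       # 'tcp' or '*' for any protocol
    ports: range     # destination port range the rule matches
    action: str      # 'allow' or 'deny'


def nacl_evaluate(rules, pkt):
    """Stateless evaluation: lowest-numbered matching rule wins; the
    implicit '*' rule denies anything that matched nothing."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.proto in ('*', pkt.proto) and pkt.dst_port in r.ports:
            return r.action
    return 'deny'


def sg_outbound(pkt, outbound_allowed, tracked_inbound):
    """Stateful evaluation: the reply leg of a tracked inbound connection is
    allowed regardless of outbound rules; anything else needs an explicit
    outbound allow (an empty set blocks all instance-initiated traffic)."""
    for conn in tracked_inbound:
        if conn.dst_port == pkt.src_port and conn.src_port == pkt.dst_port:
            return 'allow'
    return 'allow' if pkt.dst_port in outbound_allowed else 'deny'


# Outbound NACL exactly as described in the question.
QUESTION_OUTBOUND = [Rule(100, 'tcp', range(22, 23), 'allow'),
                     Rule(200, '*', ALL_PORTS, 'deny')]

# Same NACL with an ephemeral-port allow inserted ahead of the deny-all.
FIXED_OUTBOUND = [Rule(100, 'tcp', range(22, 23), 'allow'),
                  Rule(110, 'tcp', EPHEMERAL, 'allow'),
                  Rule(200, '*', ALL_PORTS, 'deny')]

# Constructed sample connection: client SYN arrives on 22, server replies
# FROM 22 TO the client's ephemeral port, so dst_port is 51234, not 22.
SSH_INBOUND = Packet('tcp', src_port=51234, dst_port=22)
SSH_REPLY = Packet('tcp', src_port=22, dst_port=51234)
```

The NACL fix is coarser than it looks: rule 110 also lets the instance initiate outbound connections to any destination port above 1023, which is why the security-group route matches the question's "block all outgoing" requirement more closely.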
