I have a VPC with 3 subnets:
- Public (FE layer, inbound internet access only)
- Protected (app layer, outbound internet access only)
- Private (DB layer, no internet access at all)
The public subnet NACL blocks all inbound from the internet on any ports other than 443.
The private subnet NACL blocks all in and out from the internet.
The NACL for the protected subnet has to allow:
- outbound on 443 to 0.0.0.0/0 for outbound internet https requests
- inbound from 0.0.0.0/0 on 1024-65535 for responses to those requests
The protected subnet routes to the internet through a NAT Gateway, which lives in the public subnet.
The problem is this: outbound traffic from the protected subnet to the internet only works if the NACL for the public subnet is opened to allow inbound on ports 1024-65535. This is presumably because the traffic goes through the public subnet (since that's where the NAT Gateway lives).
So I can open up the NACL for the public subnet (inbound from 0.0.0.0/0 on 1024-65535), but that makes it less secure; in fact if I'm opening all those ports, I may as well just not bother with a NACL at all (obviously I am also using security groups).
Am I missing something?
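Why the reply traffic forces the ephemeral-port rule onto the public subnet as well, traced as an added example (not from the question or any answer): a stateless, per-packet evaluation of the asker's NACLs on each leg of one HTTPS request through the NAT gateway. The addresses, the NAT gateway's chosen source port and the assumption that the public NACL's outbound side is open are constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addresses: app host in the protected subnet, NAT gateway in the
# public subnet (its EIP), and an HTTPS endpoint on the internet.
APP_HOST, APP_PORT = "10.0.2.10", 49152
NAT_EIP, NAT_PORT = "198.51.100.7", 51000   # NAT GW picks its own source port
REMOTE, HTTPS = "203.0.113.5", 443

@dataclass(frozen=True)
class Allow:
    direction: str   # "in" or "out", relative to the subnet the NACL guards
    port_lo: int
    port_hi: int
    cidr: str        # the remote end of the packet must fall inside this range

def nacl_allows(rules, direction, src, dst, dst_port):
    """Stateless: each packet is judged on its own, never as part of a connection."""
    remote = src if direction == "in" else dst
    return any(r.direction == direction
               and r.port_lo <= dst_port <= r.port_hi
               and ipaddress.ip_address(remote) in ipaddress.ip_network(r.cidr)
               for r in rules)

def trace_https_via_nat(public_nacl, protected_nacl):
    """Every NACL evaluation one HTTPS request and its reply pass through, in order."""
    legs = [
        ("request leaves protected", protected_nacl, "out", APP_HOST, REMOTE, HTTPS),
        ("request enters public (to NAT GW)", public_nacl, "in", APP_HOST, REMOTE, HTTPS),
        ("request leaves public (NAT'd)", public_nacl, "out", NAT_EIP, REMOTE, HTTPS),
        ("reply enters public (to NAT GW)", public_nacl, "in", REMOTE, NAT_EIP, NAT_PORT),
        ("reply leaves public (un-NAT'd)", public_nacl, "out", REMOTE, APP_HOST, APP_PORT),
        ("reply enters protected", protected_nacl, "in", REMOTE, APP_HOST, APP_PORT),
    ]
    return [(name, nacl_allows(r, d, s, t, p)) for name, r, d, s, t, p in legs]

def first_blocked_leg(public_nacl, protected_nacl):
    """Name of the first leg a NACL drops, or None if the round trip succeeds."""
    return next((n for n, ok in trace_https_via_nat(public_nacl, protected_nacl) if not ok), None)
# Protected-subnet NACL exactly as in the question: 443 out, ephemeral ports back in.
PROTECTED = [Allow("out", 443, 443, "0.0.0.0/0"), Allow("in", 1024, 65535, "0.0.0.0/0")]
# Public NACL as first configured: only 443 inbound; outbound assumed fully open.
PUBLIC_TIGHT = [Allow("in", 443, 443, "0.0.0.0/0"), Allow("out", 0, 65535, "0.0.0.0/0")]
# Public NACL after adding the inbound ephemeral rule the asker found necessary.
PUBLIC_FIXED = PUBLIC_TIGHT + [Allow("in", 1024, 65535, "0.0.0.0/0")]
if __name__ == "__main__":
    for label, pub in (("tight", PUBLIC_TIGHT), ("fixed", PUBLIC_FIXED)):
        print(f"public NACL {label}: {first_blocked_leg(pub, PROTECTED) or 'all legs allowed'}")
```

The trace shows the drop happening on the reply's way into the public subnet, before the NAT gateway can translate it back, which is why opening 443 alone on the public NACL is not enough.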
NACLs are stateless. You've discovered that you need to open the Ephemeral Ports to allow traffic back into your subnet. Do some reading around ephemeral ports.
Typically you're better off using security groups rather than NACLs, as they're stateful and cater for ephemeral ports automatically. You can use both if you like.
I typically only use two subnets, public and private. Public has only NAT gateway or load balancer, and that subnet allows public IPs. The private subnet has all internal resources, and I tier using security groups rather than subnets.
For example, create a security group for web servers, a security group for app servers, and a security group for database servers, then allow access between security groups on the ports you require.
I.e.: