How to set up network ACLs on Amazon Virtual Private Cloud?


I have set up an Amazon Virtual Private Cloud (VPC). Inside the VPC I have 2 networks in which I create instances. For security reasons I want to put some network access control lists (Network ACLs) on those networks, besides the machines' firewall. Following the Amazon example I have a public network (exposed to internet access) and 3 private networks. The traffic between them is routed.


So for the network, as ACLs, I put this:


Inbound:
port 80 (HTTP)
port 22 (SSH)
port 3306 (MySql)
port 3306 (MySql)


For the networks and


Inbound:
port 3306 (MySql)


For the public network in here I have an exposed load balancer, which is redirecting traffic to the private network, where an app is responding over HTTP:


Inbound:
port 80 (HTTP)
port 443 (HTTPS)
port 22 (SSH)


The problem is, when I put those rules in action, all traffic freezes and the app is not available. What's happening? Am I doing something wrong?


2 Answers




Your rules are currently lacking an additional and likely relevant fragment related to the FAQ What are the differences between security groups in a VPC and network ACLs in a VPC?:


Security groups in a VPC specify which traffic is allowed to or from an Amazon EC2 instance. Network ACLs operate at the subnet level and evaluate traffic entering and exiting a subnet. Network ACLs can be used to set both Allow and Deny rules. Network ACLs do not filter traffic between instances in the same subnet. In addition, network ACLs perform stateless filtering while security groups perform stateful filtering. [emphasis mine]


This is addressed further in What is the difference between stateful and stateless filtering?:


Stateful filtering tracks the origin of a request and can automatically allow the reply to the request to be returned to the originating computer. [...]


Stateless filtering, on the other hand, only examines the source or destination IP address and the destination port, ignoring whether the traffic is a new request or a reply to a request. In the above example, two rules would need to be implemented on the filtering device: one rule to allow traffic inbound to the web server on tcp port 80, and another rule to allow outbound traffic from the webserver (tcp port range 49,152 through 65,535). [emphasis mine]


Now, you allow all outbound traffic already, so this doesn't apply as per the example, but the same issue applies the other way round as well, so e.g. for HTTP requests originating from your EC2 instances you'll need to have a corresponding inbound rule as outlined, see section Ephemeral Ports within Network ACLs for more details on this:


The client that initiates the request chooses the ephemeral port range. The range varies depending on the client's operating system. [...]


If an instance in your VPC is the client initiating a request, your network ACL must have an inbound rule to enable traffic destined for the ephemeral ports specific to the type of instance (Amazon Linux, Windows Server 2008, etc.).


In practice, to cover the different types of clients that might initiate traffic to public-facing instances in your VPC, you need to open ephemeral ports 1024-65535. [...]



Accordingly, section Recommended Rules for Scenario 2 within Appendix A: Recommended Network ACL Rules suggests the following inbound rule (OS dependent example) for your scenario:


Inbound: port 49152-65535 (TCP)

To test whether this issue actually applies, you might simply include the entire ephemeral port range:


Inbound: port 1024-65535 (TCP)

Initial Answer (obsolete)

For the public network in here I have an exposed load balancer, which is redirecting traffic to the private network, where an app is responding over HTTP


Your setup suggests you intend to terminate SSL on the load balancer as usual; given your increased security requirements you might actually have set up the Elastic Load Balancing for back-end HTTPS communication as well (see Architectural Overview) - you don't seem to have an ACL rule accommodating inbound HTTPS traffic to 10.0.1.0/24 though, so that would be the one missing in case:

Inbound:
port 80 (HTTP)
port 443 (HTTPS) // <= missing in your example currently!
port 22 (SSH)
port 3306 (MySql)
port 3306 (MySql)




If you want to open ephemeral ports except for ports below 10,000 regarding exceptions for tomcat, other servlets, etc, just create specific rules per exception range. Rules are evaluated from the lowest number first to highest number last with the highest valid rule number being 32766.
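The following Python script is an added example, not code from either answer or from AWS. It models the two documented behaviours both answers rely on: network ACLs are stateless, so a reply packet is checked against the inbound rules with no memory of the outbound request, and rules are evaluated from the lowest number to the highest with the first match winning and an implicit deny at the end (highest valid rule number 32766). The rule numbers, the peer address 203.0.113.10, the port 8080 used as a "Tomcat-style" exception, and the ACL contents are constructed for the demonstration; only the port ranges 49152-65535 and 1024-65535 come from the answer above.

```python
"""Simulate stateless network ACL evaluation for one VPC subnet (added example)."""
import ipaddress
from dataclasses import dataclass

MAX_RULE_NUMBER = 32766  # highest valid network ACL rule number


@dataclass(frozen=True)
class Rule:
    number: int               # evaluated in ascending order; first match wins
    action: str               # "allow" or "deny"
    protocol: str             # "tcp", "udp" or "all"
    port_from: int
    port_to: int
    cidr: str = "0.0.0.0/0"   # source CIDR for inbound rules, destination CIDR for outbound

    def __post_init__(self):
        if not 1 <= self.number <= MAX_RULE_NUMBER:
            raise ValueError(f"rule number must be 1..{MAX_RULE_NUMBER}")
        if self.action not in ("allow", "deny"):
            raise ValueError("action must be 'allow' or 'deny'")

    def matches(self, protocol, port, addr):
        if self.protocol not in ("all", protocol):
            return False
        if not self.port_from <= port <= self.port_to:
            return False
        return ipaddress.ip_address(addr) in ipaddress.ip_network(self.cidr)


def evaluate(rules, protocol, port, addr):
    """Stateless lookup of a single packet against one ACL direction.

    Returns (action, rule_number) of the first matching rule in ascending
    rule-number order, or ("deny", "*") for the implicit catch-all deny.
    """
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(protocol, port, addr):
            return rule.action, rule.number
    return "deny", "*"


# Constructed sample: the inbound ACL as posted for the private app subnet.
POSTED_INBOUND = [
    Rule(100, "allow", "tcp", 80, 80),
    Rule(110, "allow", "tcp", 22, 22),
    Rule(120, "allow", "tcp", 3306, 3306),
]
# Outbound already allows everything, as the question states.
OUTBOUND_ALL = [Rule(100, "allow", "all", 0, 65535)]

# The fix from the first answer: admit replies on the ephemeral port range.
# 49152-65535 is the OS-dependent recommendation; 1024-65535 covers every client.
FIXED_INBOUND = POSTED_INBOUND + [Rule(130, "allow", "tcp", 49152, 65535)]
WIDE_INBOUND = POSTED_INBOUND + [Rule(130, "allow", "tcp", 1024, 65535)]


def reply_allowed(inbound_rules, ephemeral_port, peer="203.0.113.10"):
    """Does the reply get back to an instance that opened a connection?

    The instance connects to peer:80 from `ephemeral_port`. The request is
    checked against the outbound rules (destination port 80); the reply is
    checked against the inbound rules on its own (destination port equal to
    ephemeral_port), because the ACL keeps no connection state.
    """
    request, _ = evaluate(OUTBOUND_ALL, "tcp", 80, peer)
    reply, _ = evaluate(inbound_rules, "tcp", ephemeral_port, peer)
    return request == "allow" and reply == "allow"


# Second answer: to carve an exception (hypothetical Tomcat port 8080) out of
# the ephemeral range, the deny needs a lower rule number than the broad allow.
EXCEPTION_INBOUND = POSTED_INBOUND + [
    Rule(130, "deny", "tcp", 8080, 8080),     # evaluated first
    Rule(140, "allow", "tcp", 1024, 65535),   # broad allow comes after
]
MISORDERED_INBOUND = POSTED_INBOUND + [
    Rule(130, "allow", "tcp", 1024, 65535),   # matches 8080 first...
    Rule(140, "deny", "tcp", 8080, 8080),     # ...so this deny never fires
]

if __name__ == "__main__":
    for name, acl in [("posted", POSTED_INBOUND), ("fixed", FIXED_INBOUND), ("wide", WIDE_INBOUND)]:
        print(f"{name:7s} reply to port 51234: {reply_allowed(acl, 51234)}, "
              f"to port 40000: {reply_allowed(acl, 40000)}")
    print("exception ACL, port 8080:", evaluate(EXCEPTION_INBOUND, "tcp", 8080, "203.0.113.10"))
    print("misordered ACL, port 8080:", evaluate(MISORDERED_INBOUND, "tcp", 8080, "203.0.113.10"))
```

With the posted ACL every reply is dropped by the implicit deny, which matches the "all traffic freezes" symptom. The port-40000 case shows why the first answer calls 49152-65535 OS dependent: a client whose ephemeral range starts lower is still cut off until the wider 1024-65535 rule is used. The misordered ACL shows the second answer's ordering point: an exception deny placed after the broad allow is dead code.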