Should we use custom NACL with rules on port numbers, if we have a NAT gateway attached to public subnet
Suppose we have a basic architecture where we have a VPC with two subnets (one private and one public). The private subnet is connected to the internet with a NAT gateway residing in the public subnet (as shown in the image below).
Now suppose we implement a Network ACL in the public subnet. Would it be wise to deny some ports in it?
The reason I am asking is that I learned NAT works by using port numbers to connect many private IPs to a single public IP (an Elastic IP in our case, which is attached to the NAT), so wouldn't the NACL create a problem?
Here is what I learned about how NAT functions - https://www.youtube.com/watch?v=01ajHxPLxAw
Solution 1:
Yes, we can use a NACL, but we need to take care that it does not interfere with the NAT port numbers. It's not just the NAT gateway; other resources might have problems functioning if the NACL is not configured properly.
NAT uses port numbers 1024-65535.
Source - https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html#nacl-ephemeral-ports
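One way to check an inbound NACL for exactly the interference the answer warns about, as an added example that is not part of the question or answer: the rule model, the `NaclRule` type and the sample rule set are constructed here; the lowest-rule-number-first, first-match evaluation with an implicit final deny follows AWS's documented NACL behaviour, and the 1024-65535 range is the one cited above.

```python
"""Find ports in the NAT ephemeral range (1024-65535) that an inbound NACL denies.

Added example, not from the original question or answer. Rules are modelled as
AWS evaluates them: ascending rule number, first match wins, and anything that
matches no rule hits the implicit '*' deny. The rule set below is constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List

EPHEMERAL = range(1024, 65536)  # port range AWS documents for NAT gateway return traffic


@dataclass(frozen=True)
class NaclRule:
    number: int
    protocol: str   # "tcp", "udp" or "all"
    from_port: int
    to_port: int
    cidr: str       # source CIDR for an inbound rule
    action: str     # "allow" or "deny"


def evaluate(rules: List[NaclRule], protocol: str, port: int, src_ip: str) -> str:
    """Return 'allow' or 'deny' for one inbound packet, walking rules AWS-style."""
    src = ipaddress.ip_address(src_ip)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ("all", protocol):
            continue
        if src not in ipaddress.ip_network(rule.cidr):
            continue
        if rule.from_port <= port <= rule.to_port:
            return rule.action  # first matching rule decides
    return "deny"  # implicit final '*' deny


def ephemeral_gaps(rules: List[NaclRule], protocol: str = "tcp",
                   src_ip: str = "203.0.113.7") -> List[int]:
    """Ports in 1024-65535 the ACL denies; each one breaks NAT return traffic."""
    return [p for p in EPHEMERAL if evaluate(rules, protocol, p, src_ip) == "deny"]


# Constructed inbound rule set for the public subnet: port 8080 was "blocked"
# with a rule number lower than the ephemeral allow that NAT responses rely on.
INBOUND = [
    NaclRule(100, "tcp", 8080, 8080, "0.0.0.0/0", "deny"),
    NaclRule(200, "tcp", 1024, 65535, "0.0.0.0/0", "allow"),
]

if __name__ == "__main__":
    gaps = ephemeral_gaps(INBOUND)
    print(f"{len(gaps)} ephemeral port(s) denied inbound: {gaps}")  # [8080]
```

Any port the checker reports is one the NAT gateway may pick as the source port of an outbound connection, so responses for that connection would be dropped; the same walk applies to the outbound rule set when the deny is placed there instead.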
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | Kush Pandya |