If you know anything about this (maybe you are a network engineer) you probably see right away what the problem is.
The problem is rooted in these concepts:
- Ephemeral ports
- Stateless and Stateful
- Connection Tracking
- NACLs are Stateless
- Security Groups are Stateful
Read about it here:
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Security.html
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_SecurityGroups.html
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_ACLs.html
https://en.wikipedia.org/wiki/Ephemeral_port
The corrected configuration is below. The change that really corrected the connectivity between the Public and Private subnets was enabling response traffic on the Ephemeral ports for both the In Bound Public subnet NACL and the Out Bound Private subnet NACL rules. I also cleaned up some redundant and insecure Out Bound rules in the NACLs and Security Groups.
VPC NACL
In Bound
- 80 0.0.0.0/0 Allow
Out Bound
- 32768-65535 0.0.0.0/0 Allow

Public Subnet NACL
In Bound
- 80 0.0.0.0/0 Allow
- 32768-65535 172.30.4.0/0 Allow
Out Bound
- 32768-65535 0.0.0.0/0 Allow
- 5432 172.30.4.0/24 Allow (PostgreSQL)

Private Subnet NACL
In Bound
- 5432 172.30.1.0/24 Allow
Out Bound
- 32768-65535 172.30.1.0/24 Allow

VPC Security Group
In Bound
- 80 VPC-Security-Group-ID Allow
Out Bound
- (none)

Public Subnet Security Group
In Bound
- 80 0.0.0.0/0 Allow
Out Bound
- 5432 172.30.4.0/0 Allow

Private Subnet Security Group
In Bound
- 5432 172.30.1.0/24 Allow
Out Bound
- (none)
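As an added illustration (not from the original post), here is a small Python model of the stateless NACL checks along one PostgreSQL round trip, using the corrected NACL rules listed above. The web and DB host addresses and the ephemeral port are constructed sample values; the public inbound CIDR is taken exactly as written in the table.

```python
import ipaddress

# Each rule: (low_port, high_port, cidr). Inbound rules match the packet's SOURCE address,
# outbound rules match its DESTINATION address; both match the DESTINATION port.
def allowed(rules, dst_port, addr):
    """Stateless evaluation: every packet is judged alone against the rule list,
    with no memory of the connection it belongs to."""
    ip = ipaddress.ip_address(addr)
    return any(lo <= dst_port <= hi and ip in ipaddress.ip_network(cidr, strict=False)
               for lo, hi, cidr in rules)

# Corrected NACLs from the tables above (the public inbound CIDR is kept as written there).
PUBLIC_IN = [(80, 80, "0.0.0.0/0"), (32768, 65535, "172.30.4.0/0")]
PUBLIC_OUT = [(32768, 65535, "0.0.0.0/0"), (5432, 5432, "172.30.4.0/24")]
PRIVATE_IN = [(5432, 5432, "172.30.1.0/24")]
PRIVATE_OUT = [(32768, 65535, "172.30.1.0/24")]

def pg_round_trip(web_ip, web_port, db_ip, public_in, public_out, private_in, private_out):
    """Trace one PostgreSQL request/reply between a web host in the public subnet and a
    DB host in the private subnet through both stateless NACLs. Returns the first hop
    that drops the traffic, or 'ok'."""
    hops = [
        ("public-out: request", allowed(public_out, 5432, db_ip)),
        ("private-in: request", allowed(private_in, 5432, web_ip)),
        ("private-out: reply", allowed(private_out, web_port, web_ip)),
        ("public-in: reply", allowed(public_in, web_port, db_ip)),
    ]
    for name, ok in hops:
        if not ok:
            return name
    return "ok"

def sg_round_trip(inbound, web_ip, web_port):
    """Stateful security group: once the request is allowed inbound, connection tracking
    lets the reply out regardless of outbound rules (no ephemeral-port rule needed)."""
    return "ok" if allowed(inbound, 5432, web_ip) else "private-sg-in: request"

if __name__ == "__main__":
    web, port, db = "172.30.1.10", 40001, "172.30.4.20"  # constructed sample hosts
    print(pg_round_trip(web, port, db, PUBLIC_IN, PUBLIC_OUT, PRIVATE_IN, PRIVATE_OUT))
    # Without the ephemeral-port rules (the situation before the fix described above),
    # the reply is dropped at the first stateless NACL it has to cross on the way back.
    print(pg_round_trip(web, port, db, [(80, 80, "0.0.0.0/0")], PUBLIC_OUT, PRIVATE_IN, []))
    print(sg_round_trip(PRIVATE_IN, web, port))
```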
This is a working configuration. Hopefully this helps someone. If you see anything that can be improved, let me know, and let me know if you have questions.