Question
I have an issue where my Linux EC2 instance can't do anything outbound (ping, curl, yum update, wget, traceroute, etc.) unless I have a rule in my VPC ACL inbound rule set that allows all traffic.
My security group and VPC both have outbound rules that allow all traffic to everything.
The security group inbound list attached to the instance looks like this:
And the VPC inbound list looks like this (rule 200 is the one I'm talking about):
If I delete the inbound rule that allows all traffic (rule 200), then I can't do anything outbound.
Could there be anything that I'm missing? Thanks!
Answer 1:
ACL rules are stateless, which means they don't keep track of your outbound connections when evaluating inbound connections. So if you make an outbound connection to a server, the ACL rule will block that server's response unless you have explicitly allowed inbound connections from that server in the ACL.
This is one of the primary reasons that most people only use Security Groups (which are stateful) instead of ACL rules. Looking at your network ACL rules, there is nothing happening there that isn't already covered by your Security Group rules, so why use ACLs?
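The following is an added example (not part of the Stack Overflow post) that simulates the two evaluation models the answer contrasts: an ordered, stateless network ACL where the reply to an outbound connection has to match an inbound rule on its own, and a stateful security group that tracks the outbound flow and admits the reply automatically. The rule numbers, addresses and the ephemeral source port 40000 are constructed to mirror the question; the 1024-65535 "ephemeral ports" rule is the usual replacement for an allow-all inbound entry.

```python
"""Stateless NACL vs. stateful security group, simulated.

Added example, not code from the original post. Addresses, rule numbers
and port choices are illustrative assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    """One rule; the port range is ignored for protocol 'all' and 'icmp'."""
    number: int
    protocol: str        # "tcp", "udp", "icmp" or "all"
    port_from: int
    port_to: int
    cidr: str
    action: str = "allow"

    def matches(self, protocol: str, port: int, addr: str) -> bool:
        if self.protocol not in ("all", protocol):
            return False
        if self.protocol in ("tcp", "udp") and not (self.port_from <= port <= self.port_to):
            return False
        return ip_address(addr) in ip_network(self.cidr)


def nacl_decision(rules, protocol: str, port: int, addr: str) -> str:
    """Network ACL semantics: lowest rule number first, first match wins,
    implicit '*' deny for anything unmatched. No connection state is kept."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(protocol, port, addr):
            return rule.action
    return "deny"


class SecurityGroup:
    """Security-group semantics: allow-only rules plus connection tracking,
    so the reply to a permitted outbound flow needs no inbound rule."""

    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = list(inbound), list(outbound)
        self.flows = set()

    def egress(self, protocol, src_port, dst_addr, dst_port) -> bool:
        ok = any(r.matches(protocol, dst_port, dst_addr) for r in self.outbound)
        if ok:
            self.flows.add((protocol, src_port, dst_addr, dst_port))
        return ok

    def ingress(self, protocol, src_addr, src_port, dst_port) -> bool:
        if (protocol, dst_port, src_addr, src_port) in self.flows:
            return True  # tracked reply to a connection the instance opened
        return any(r.matches(protocol, dst_port, src_addr) for r in self.inbound)


ANY = "0.0.0.0/0"
WEB_SERVER = "93.184.216.34"   # constructed remote address for the curl target
EPHEMERAL = 40000              # constructed source port chosen by the instance

NACL_OUTBOUND = [Rule(100, "all", 0, 0, ANY)]
NACL_INBOUND_BASE = [Rule(100, "tcp", 22, 22, ANY), Rule(110, "tcp", 80, 80, ANY)]
RULE_200_ALLOW_ALL = Rule(200, "all", 0, 0, ANY)        # the rule from the question
EPHEMERAL_RETURN = Rule(120, "tcp", 1024, 65535, ANY)   # narrower replacement for it


def curl_through_nacl(inbound_rules) -> bool:
    """Does an HTTPS request from the instance complete under these NACL rules?
    The request is checked against the outbound list, the reply against the
    inbound list, with no memory of the request."""
    request = nacl_decision(NACL_OUTBOUND, "tcp", 443, WEB_SERVER)
    reply = nacl_decision(inbound_rules, "tcp", EPHEMERAL, WEB_SERVER)
    return request == "allow" and reply == "allow"


def curl_through_security_group() -> bool:
    """Same request through a security group that only admits SSH inbound."""
    sg = SecurityGroup(inbound=[Rule(1, "tcp", 22, 22, "203.0.113.0/24")],
                       outbound=[Rule(1, "all", 0, 0, ANY)])
    sent = sg.egress("tcp", EPHEMERAL, WEB_SERVER, 443)
    return sent and sg.ingress("tcp", WEB_SERVER, 443, EPHEMERAL)


if __name__ == "__main__":
    print("NACL without rule 200:", curl_through_nacl(NACL_INBOUND_BASE))
    print("NACL with rule 200:", curl_through_nacl(NACL_INBOUND_BASE + [RULE_200_ALLOW_ALL]))
    print("NACL with ephemeral-port rule:", curl_through_nacl(NACL_INBOUND_BASE + [EPHEMERAL_RETURN]))
    print("Unsolicited TCP/445 under ephemeral rule:",
          nacl_decision(NACL_INBOUND_BASE + [EPHEMERAL_RETURN], "tcp", 445, WEB_SERVER))
    print("Security group:", curl_through_security_group())
```

Run as-is to see the question's symptom reproduced: with only the SSH and HTTP inbound entries the reply to port 40000 hits the implicit deny, and either rule 200 or the 1024-65535 ephemeral-port rule unblocks it. The caveat with the narrower rule is that it also admits unsolicited traffic to any port above 1023, so the security group, not the NACL, remains the per-instance control that actually limits what can reach the host.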
Source: https://stackoverflow.com/questions/43073712/cant-connect-out-from-my-ec2-instance-unless-allow-all-traffic-inbound