AdministratorDecember 2, 2020 at 11:46 am
Thanks for your feedback.
In this scenario, the group of EC2 instances is acting as both a web server and a client. The server is listening on ports 80 and 443 as mentioned in the question (Both NACL and Security Group are configured to allow inbound traffic on ports 80 & 443.)
Unlike Security Groups, NACLs are stateless — inbound rules are not automatically applied to the outbound rules. To enable the connection to a service running on an instance, the associated network ACL must allow the inbound traffic on the port that the service is listening on and allow outbound traffic from ephemeral ports. Whenever a client connects to a server, a random port from the ephemeral port range (1024-65535) becomes the client’s source port.
Since the webserver is also acting as a client, as it makes requests to a web server somewhere on the pubic internet, Ports 80 and 443 must also be applied on the outbound rule.
Carlo @ Tutorials Dojo