0 votes
2 views
in AWS by (7k points)

I have a VPC with public subnets in three AZs. Each AZ has one subnet. Each of these subnets uses a NACL allowing only HTTP/HTTPS/RDS/SSH connections. I have a Windows server running in each of the subnets for testing, and an outbound rule which allows all outbound traffic. With this NACL setup I am able to do RDP. The minute I change my outbound rules so that outgoing connections are restricted from ALL to RDP only, I get a connection timeout.

Can anyone help me understand why my RDP session fails here? I want to use this instance to RDP into other instances on the same subnet, without allowing all outgoing traffic.

closed

1 Answer

+1 vote
by (31.9k points)
Best answer

In AWS, a NACL requires you to add an ALLOW or DENY rule for ephemeral ports. When a client makes a socket connection, it provides an ephemeral port on the client side to receive the response. The ephemeral ports are randomly picked from a range depending on the OS.

Refer to the AWS official documentation about ephemeral ports.
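To make the stateless behaviour concrete, here is an added example (not part of the answer above, and not AWS code) that models NACL evaluation the way AWS documents it: rules are checked in ascending rule-number order, the first match wins, and anything unmatched hits the implicit deny. It then replays the RDP handshake from the question against three outbound rule sets: allow-all, RDP-only, and RDP plus the 1024-65535 ephemeral range that AWS recommends for NACL rules. The client address 203.0.113.10 and client port 52000 are constructed sample values; Windows clients by default pick ephemeral ports from 49152-65535, which is why 52000 is a realistic choice.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One NACL entry. Lowest rule number that matches decides the verdict."""
    number: int
    protocol: str   # "tcp", "udp" or "all"
    port_from: int  # destination port range (use 0-65535 for "all")
    port_to: int
    cidr: str       # source CIDR for inbound rules, destination CIDR for outbound
    action: str     # "allow" or "deny"


@dataclass(frozen=True)
class Packet:
    protocol: str
    dst_port: int
    remote_ip: str  # source IP for inbound packets, destination IP for outbound


def evaluate(rules, packet):
    """Stateless evaluation: no connection tracking, so every packet,
    including the reply half of a session, must match a rule on its own."""
    remote = ipaddress.ip_address(packet.remote_ip)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ("all", packet.protocol):
            continue
        if not (rule.port_from <= packet.dst_port <= rule.port_to):
            continue
        if remote not in ipaddress.ip_network(rule.cidr):
            continue
        return rule.action == "allow"
    return False  # implicit "*" deny rule at the end of every NACL


def rdp_session_allowed(inbound_rules, outbound_rules,
                        client_ip="203.0.113.10", client_port=52000):
    """Replay an RDP connection from an external client into the subnet.
    Returns (syn_allowed, reply_allowed): the client's SYN to port 3389
    crosses the NACL inbound; the server's reply crosses it outbound with
    the client's ephemeral port as its destination port."""
    syn = Packet("tcp", 3389, client_ip)
    reply = Packet("tcp", client_port, client_ip)
    return evaluate(inbound_rules, syn), evaluate(outbound_rules, reply)


# Constructed rule sets matching the scenario in the question.
INBOUND = [
    Rule(100, "tcp", 80, 80, "0.0.0.0/0", "allow"),
    Rule(110, "tcp", 443, 443, "0.0.0.0/0", "allow"),
    Rule(120, "tcp", 22, 22, "0.0.0.0/0", "allow"),
    Rule(130, "tcp", 3389, 3389, "0.0.0.0/0", "allow"),
]
OUTBOUND_ALL = [Rule(100, "all", 0, 65535, "0.0.0.0/0", "allow")]
OUTBOUND_RDP_ONLY = [Rule(100, "tcp", 3389, 3389, "0.0.0.0/0", "allow")]
OUTBOUND_RDP_PLUS_EPHEMERAL = [
    Rule(100, "tcp", 3389, 3389, "0.0.0.0/0", "allow"),
    # Ephemeral range recommended by AWS for NACLs; covers Windows' 49152-65535.
    Rule(110, "tcp", 1024, 65535, "0.0.0.0/0", "allow"),
]


if __name__ == "__main__":
    for name, outbound in [("allow all", OUTBOUND_ALL),
                           ("RDP only", OUTBOUND_RDP_ONLY),
                           ("RDP + ephemeral", OUTBOUND_RDP_PLUS_EPHEMERAL)]:
        syn_ok, reply_ok = rdp_session_allowed(INBOUND, outbound)
        print(f"outbound={name:16} SYN in: {syn_ok}  reply out: {reply_ok}")
```

With "RDP only" outbound, the SYN is admitted but the reply to port 52000 is dropped, which is exactly the timeout described in the question; adding the ephemeral-range rule restores the session while still denying other outbound ports. The same logic applies in reverse for the second goal in the question (this instance connecting outbound to 3389 on other hosts): the replies come back inbound to this instance's ephemeral port, so the inbound list needs a matching ephemeral rule. Note that for two instances in the same subnet the traffic never crosses the subnet boundary, so the NACL does not filter it at all; only the security groups do.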

