AWS Network ACL and Ephemeral Ports

Troubleshooting with VPC Flowlog

Zhimin Wen
4 min read · Apr 23, 2024

I have a Route 53 outbound resolver that forwards hostname lookups to on-premises DNS servers. I need to implement a network ACL (NACL) to tighten security.

The outbound resolver has two ENIs in the 10.10.0.0/24 subnet, with the IP addresses 10.10.0.53 and 10.10.0.54 respectively. So it seems straightforward to create NACL rules that allow DNS traffic over UDP and TCP.

The ingress rules can be represented in Terraform as below:

  # The ingress blocks live inside an aws_network_acl resource; the VPC reference is assumed.
  resource "aws_network_acl" "dns" {
    vpc_id = aws_vpc.main.id

    # DNS over UDP from the VPC range
    ingress {
      protocol   = "udp"
      rule_no    = 10
      action     = "allow"
      cidr_block = "10.10.0.0/16"
      from_port  = 53
      to_port    = 53
    }

    # DNS over TCP from the VPC range
    ingress {
      protocol   = "tcp"
      rule_no    = 11
      action     = "allow"
      cidr_block = "10.10.0.0/16"
      from_port  = 53
      to_port    = 53
    }
  }

Apply it to create the NACL. Suddenly DNS resolution no longer works.

VPC flow log

Let’s create a VPC flow log to aid troubleshooting.

First, let’s create an IAM role that allows the VPC flow log to write into a CloudWatch log group: define the permissions policy, then the assume-role policy, then the IAM role itself.

  resource "aws_iam_policy" "vpc-flowlog-policy" {
    name = "policy-vpc-flowlog"…
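To show why the two port-53 rules above break resolution, and what the flow log will reveal once it is in place, here is an added example that is not part of the original article. It replays flow log records through a stateless NACL evaluator (rules tried in ascending rule number, first match wins, implicit deny otherwise) and flags denied inbound records that have the shape of a DNS reply: source port 53, destination an ephemeral port on one of the resolver ENIs. The flow log lines, the account and ENI ids, and the on-premises DNS range 192.168.1.0/24 are constructed placeholders; the `FIXED_RULES` ephemeral-port rules are a hypothetical remedy, not the article's own.

```python
"""Replay VPC flow log records through a stateless NACL rule set (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}  # IANA numbers in the flow log 'protocol' field
EPHEMERAL = (1024, 65535)                         # range AWS documents for NACL return traffic


@dataclass(frozen=True)
class NaclRule:
    rule_no: int
    protocol: str     # "tcp", "udp" or "-1" (all protocols)
    action: str       # "allow" or "deny"
    cidr_block: str   # source CIDR for an inbound rule
    from_port: int
    to_port: int

    def matches(self, proto, dst_port, src_ip):
        if self.protocol != "-1" and self.protocol != proto:
            return False
        if ip_address(src_ip) not in ip_network(self.cidr_block, strict=False):
            return False
        if self.protocol == "-1":
            return True  # ports are ignored for all-protocol rules
        return self.from_port <= dst_port <= self.to_port


@dataclass(frozen=True)
class FlowRecord:
    interface_id: str
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int
    action: str


def parse_flow_log(text):
    """Parse default (version 2) VPC flow log lines; header and NODATA/SKIPDATA lines are skipped."""
    records = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 14 or f[0] != "2" or f[13] != "OK":
            continue
        records.append(FlowRecord(f[2], f[3], f[4], int(f[5]), int(f[6]), int(f[7]), f[12]))
    return records


def evaluate_inbound(rules, rec):
    """Return (action, rule_no) a NACL applies to one inbound packet: first match in rule order."""
    proto = PROTO_NAMES.get(rec.protocol, str(rec.protocol))
    for rule in sorted(rules, key=lambda r: r.rule_no):
        if rule.matches(proto, rec.dstport, rec.srcaddr):
            return rule.action, rule.rule_no
    return "deny", "*"  # the implicit catch-all rule


def find_blocked_return_traffic(records, rules, local_ips):
    """Denied inbound records shaped like DNS replies (src port 53 -> ephemeral port).

    This is the signature of a stateless ACL with no ephemeral-port rule."""
    hits = []
    for rec in records:
        if rec.dstaddr not in local_ips:
            continue  # packet left the ENI; egress rules are out of scope here
        action, rule_no = evaluate_inbound(rules, rec)
        if action == "deny" and rec.srcport == 53 and EPHEMERAL[0] <= rec.dstport <= EPHEMERAL[1]:
            hits.append((rec, rule_no))
    return hits


# The article's two ingress rules.
ARTICLE_RULES = [
    NaclRule(10, "udp", "allow", "10.10.0.0/16", 53, 53),
    NaclRule(11, "tcp", "allow", "10.10.0.0/16", 53, 53),
]
# Hypothetical fix: admit replies from the on-prem DNS range (constructed) to ephemeral ports.
FIXED_RULES = ARTICLE_RULES + [
    NaclRule(20, "udp", "allow", "192.168.1.0/24", *EPHEMERAL),
    NaclRule(21, "tcp", "allow", "192.168.1.0/24", *EPHEMERAL),
]
RESOLVER_IPS = {"10.10.0.53", "10.10.0.54"}

# Constructed flow log sample: a client query, the resolver's forwarded query, two rejected replies.
SAMPLE_LOG = """\
version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.10.5.20 10.10.0.53 41000 53 17 1 78 1713859200 1713859260 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.10.0.53 192.168.1.10 50000 53 17 1 78 1713859200 1713859260 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 192.168.1.10 10.10.0.53 53 50000 17 1 110 1713859200 1713859260 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 192.168.1.10 10.10.0.53 53 50001 6 3 240 1713859200 1713859260 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1713859200 1713859260 - NODATA
"""


def diagnose(log_text=SAMPLE_LOG, rules=ARTICLE_RULES):
    return find_blocked_return_traffic(parse_flow_log(log_text), rules, RESOLVER_IPS)


if __name__ == "__main__":
    for rec, rule_no in diagnose():
        print(f"denied by rule {rule_no}: {rec.srcaddr}:{rec.srcport} -> "
              f"{rec.dstaddr}:{rec.dstport} {PROTO_NAMES[rec.protocol]}")
    print("with ephemeral-port rules:", diagnose(rules=FIXED_RULES))
```

With the article's rules, both replies from the on-premises server are denied by the implicit `*` rule: the query went out from an ephemeral source port, and because a NACL keeps no connection state, the reply to that port is judged on its own and matches neither port-53 rule. Re-running the same records against `FIXED_RULES` returns no hits, which is the check to repeat against the real flow log once the ephemeral-port ingress rule is in place.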

