So aspirants, how’s your preparation going on for the AWS Certified Solutions Architect Associate exam? To help you in your preparation, here we bring another exciting topic “Ephemeral ports”. We often receive a lot of queries from learners on this topic. So, let’s make it easy for you to understand this with the help of an example. Let’s dive in!
The topic ephemeral ports is also covered in the AWS Certified SysOps Administrator Associate exam. So if you are preparing for the AWS Certified SysOps Administrator Associate exam or AWS Certified Solutions Architect Associate exam, this article will prove an invaluable resource for you. For a better understanding of the concept, It is recommended to solve the following problem.
Following are network ACL rules for a subnet. Let’s say, the request is originating from 10.10.1.148 IP address. Which of the requests out of HTTPS (443), SSH (22), and HTTP (80) would succeed?
It could also be the case that all of them would succeed or fail. Go through the rules carefully & take your time to answer.
Now, let’s find out what is the correct answer.
And the answer is “All requests would fail”!
Yes! that’s the answer. I know some of you must be wondering why the HTTPS (443) is not allowed? It has the matching allow rule (rule# 200) in the outbound rule. It will come to that in just a minute.
First, let’s start with SSH. It is pretty straight forward. SSH is denied by inbound rule# 200 so the incoming request would fail.
For HTTP, ALL Traffic is allowed by rule# 300 so the HTTP request will be allowed inbound. As the NACLs are stateless we need to check for the response. Let’s check outbound rules, there is no matching rule in outbound except ALL Traffic denied (rule# *) so the response will fail. Hence HTTP request would also fail.
To check for HTTPs let’s understand the concept of Ephemeral ports.
What are the Ephemeral Ports?
The ephemeral ports are the short-lived transport protocol ports for Internet Protocol (IP) communications. Ephemeral ports are allocated automatically from a predefined range by the IP stack software. An ephemeral port is typically used by the Transmission Control Protocol (TCP), User Datagram Protocol (UDP) or the Stream Control Transmission Protocol (SCTP) as the port assignment for the client end of a client-server communication to a well-known port on a server. (Source: Wikipedia)
What that means is, when a client initiates a request it choose a random port from ephemeral port range and it expects the response at that port only. Take note of the below statement:
When we say that the client initiates an HTTPs or HTTP request it actually means that the destination port is 443 or 80. It is NOT the sender port.
It is the client’s operating system that chooses the sender’s port from the ephemeral port range and this range varies depending on the OS. For example, many Linux kernels including Amazon Linux kernel use port 32768-61000. Windows OS through Windows Server 2003 use port 1025-5000. While Windows Server 2008 and later use port 49152-65535. Elastic load balancers and NAT gateways use port 1024-65535.
After understanding this, let’s come back to our problem statement.
For HTTPS, the outbound rule (rule# 200) allows the response at port 443. Now, this doesn’t allow outbound HTTPS traffic because that is not the port from which request was initiated. For the request to succeed we would have to set Outbound Port Range to 1024-65535 and NOT to 443.
As discussed above, the client that initiates the request chooses the ephemeral port range. So in order to allow outbound IPv4 responses to clients, for example serving web pages to people visiting the web servers in the subnet, you need to allow traffic through the ephemeral ports depending on the clients.
Here’s a Simplified Diagram to Demonstrate What’s Going on
This diagram depicts the communication between a client and a server. As an example port 24000 (i.e. of the ephemeral ports) is shown here. Although there are a lot of other fields in an IP packet, I have shown only a few of them to make you understand the concept. Since we don’t know what source port client’s OS going to choose we have to specify an ephemeral port range in the outbound rules of NACL to allow the response back to the client.
Other Helpful Resources
Hope this article helped you understand the concept of Ephemeral ports. Whizlabs practice tests series has been prepared by the team of subject matter experts and certified professionals to help you prepare and pass the certification exam. If you think that you’re done with your preparation, try practice test series for AWS Certified Solutions Architect Associate and AWS Certified SysOps Administrator Associate to check your current level of preparation.
Join us now and make yourself ready to become a Certified AWS Associate.
- Understanding IAM Roles for AWS Lambda Function - May 24, 2019
- How did I Pass AWS Certified Developer Associate (AWS CDA) Exam? - April 9, 2019
- Acquisition of CloudEndure by Amazon Web Services is Confirmed - February 12, 2019
- How to Create a Backup Plan using AWS Backup Service? - February 4, 2019
- Amazon WorkLink – Secure Access to Internal Websites and Apps - February 1, 2019