
Simplifying Ephemeral Ports with Example

So aspirants, how is your preparation going for the AWS Certified Solutions Architect Associate exam? To help you prepare, here we bring another interesting topic: "Ephemeral ports". We often receive a lot of queries from learners on this topic, so let's make it easy to understand with the help of an example. Let's dive in!

The topic of ephemeral ports is also covered in the AWS Certified SysOps Administrator Associate exam. So if you are preparing for either the AWS Certified SysOps Administrator Associate exam or the AWS Certified Solutions Architect Associate exam, this article will prove an invaluable resource for you. For a better understanding of the concept, it is recommended that you work through the following problem.


Problem Statement

Following are the network ACL rules for a subnet. Let's say the request is originating from IP address. Which of the requests out of HTTPS (443), SSH (22), and HTTP (80) would succeed?
It could also be the case that all of them succeed or all of them fail. Go through the rules carefully and take your time to answer.

[Inbound Rules table (shown as an image in the original)]

[Outbound Rules table (shown as an image in the original)]

Now, let’s find out what is the correct answer.



And the answer is “All requests would fail”!

Yes! That is the answer. I know some of you must be wondering why HTTPS (443) is not allowed, since it has a matching allow rule (rule# 200) in the outbound rules. We will come to that in just a minute.

First, let's start with SSH. It is pretty straightforward: SSH is denied by inbound rule# 200, so the incoming request fails.

For HTTP, ALL Traffic is allowed by rule# 300, so the HTTP request is allowed inbound. Because NACLs are stateless, we also need to check the response. Looking at the outbound rules, there is no matching rule except the catch-all deny (rule# *), so the response is dropped. Hence the HTTP request also fails.

To check HTTPS, let's first understand the concept of ephemeral ports.

What are the Ephemeral Ports?

The ephemeral ports are the short-lived transport protocol ports for Internet Protocol (IP) communications. Ephemeral ports are allocated automatically from a predefined range by the IP stack software. An ephemeral port is typically used by the Transmission Control Protocol (TCP), User Datagram Protocol (UDP) or the Stream Control Transmission Protocol (SCTP) as the port assignment for the client end of a client-server communication to a well-known port on a server. (Source: Wikipedia)

What this means is that when a client initiates a request, it chooses a random port from the ephemeral port range as its source port and expects the response at that port only. Take note of the following statement:

When we say that the client initiates an HTTPS or HTTP request, it actually means that the destination port is 443 or 80. It is NOT the sender's port.

It is the client's operating system that chooses the sender's port from the ephemeral port range, and this range varies depending on the OS. For example, many Linux kernels, including the Amazon Linux kernel, use ports 32768-61000. Windows operating systems through Windows Server 2003 use ports 1025-5000, while Windows Server 2008 and later use ports 49152-65535. Elastic Load Balancers and NAT gateways use ports 1024-65535.

After understanding this, let’s come back to our problem statement.

For HTTPS, the outbound rule (rule# 200) allows the response only to port 443. This does not allow the outbound HTTPS response, because 443 is not the port from which the request was initiated; the response goes back to the client's ephemeral port. For the request to succeed, we would have to set the outbound port range to 1024-65535 and NOT to 443.

As discussed above, the client that initiates the request chooses the ephemeral port range. So in order to allow outbound IPv4 responses to clients, for example serving web pages to people visiting the web servers in the subnet, you need to allow traffic through the ephemeral ports depending on the clients.


Here’s a Simplified Diagram to Demonstrate What’s Going on

[Diagram: client-to-server request and server-to-client response, with the client using ephemeral source port 24000]

This diagram depicts the communication between a client and a server. As an example, port 24000 (one of the ephemeral ports) is shown here. Although there are many other fields in an IP packet, I have shown only a few of them to make the concept clear. Since we don't know which source port the client's OS is going to choose, we have to specify an ephemeral port range in the outbound rules of the NACL to allow the response back to the client.
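To make the stateless evaluation in the problem statement and in the diagram above concrete, here is an added Python model of how a NACL checks each leg of a TCP exchange. It is example code written for this article, not AWS code. The rule tables are reconstructed from the article's text only (inbound rule# 200 denies SSH and rule# 300 allows ALL traffic; outbound rule# 200 allows 443 and rule# * denies everything else); any other rules in the original screenshots are unknown and omitted. The names `Rule`, `evaluate`, `request_succeeds`, `solve` and `covers_all_clients` are my own, and 24000 is the sample ephemeral port from the diagram. The model goes one step beyond the article by also running the corrected outbound table (1024-65535) and checking it against every ephemeral range the article quotes.

```python
"""Stateless network ACL evaluation, modelled in plain Python (added example, not AWS code)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

STAR = 32768  # sentinel for the non-editable '*' default-deny rule; evaluated after all others


@dataclass(frozen=True)
class Rule:
    number: int       # AWS evaluates rules in ascending order; the first match wins
    protocol: str     # "tcp" or "all"
    port_from: int    # inclusive destination-port range of the packet being checked
    port_to: int
    action: str       # "allow" or "deny"

    def matches(self, protocol: str, dst_port: int) -> bool:
        return self.protocol in ("all", protocol) and self.port_from <= dst_port <= self.port_to


DEFAULT_DENY = Rule(STAR, "all", 0, 65535, "deny")


def evaluate(rules: List[Rule], protocol: str, dst_port: int) -> str:
    """Return 'allow' or 'deny' for one packet in one direction; no connection state is kept."""
    for rule in sorted(rules + [DEFAULT_DENY], key=lambda r: r.number):
        if rule.matches(protocol, dst_port):
            return rule.action
    return "deny"  # unreachable, since '*' matches everything; kept for clarity


def request_succeeds(inbound: List[Rule], outbound: List[Rule],
                     server_port: int, ephemeral_port: int) -> Tuple[bool, str]:
    """Check both legs of a TCP exchange through a stateless NACL.

    Leg 1 (inbound):  client:ephemeral_port -> server:server_port
    Leg 2 (outbound): server:server_port    -> client:ephemeral_port
    The outbound rules are matched against the client's ephemeral port, not against 443 or 80.
    """
    if evaluate(inbound, "tcp", server_port) != "allow":
        return False, f"request to port {server_port} denied inbound"
    if evaluate(outbound, "tcp", ephemeral_port) != "allow":
        return False, f"response to ephemeral port {ephemeral_port} denied outbound"
    return True, "request and response both allowed"


# Tables reconstructed from the article's text (rule numbers as the article cites them).
INBOUND = [
    Rule(200, "tcp", 22, 22, "deny"),        # rule# 200: deny SSH
    Rule(300, "all", 0, 65535, "allow"),     # rule# 300: allow ALL Traffic
]
OUTBOUND_AS_GIVEN = [
    Rule(200, "tcp", 443, 443, "allow"),     # rule# 200: allow 443 only (the trap)
]
OUTBOUND_FIXED = [
    Rule(200, "tcp", 1024, 65535, "allow"),  # rule# 200: allow the ephemeral range instead
]

# Ephemeral port ranges quoted in the article, per client platform.
EPHEMERAL_RANGES: Dict[str, Tuple[int, int]] = {
    "linux (incl. Amazon Linux)": (32768, 61000),
    "windows through server 2003": (1025, 5000),
    "windows server 2008+": (49152, 65535),
    "elb / nat gateway": (1024, 65535),
}


def solve(outbound: List[Rule], ephemeral_port: int = 24000) -> Dict[str, bool]:
    """Outcome of the article's three requests; 24000 is the diagram's sample source port."""
    return {
        name: request_succeeds(INBOUND, outbound, port, ephemeral_port)[0]
        for name, port in (("SSH", 22), ("HTTP", 80), ("HTTPS", 443))
    }


def covers_all_clients(outbound: List[Rule]) -> Dict[str, bool]:
    """Does the outbound table allow a response to every port each client platform might pick?"""
    return {
        platform: all(evaluate(outbound, "tcp", p) == "allow" for p in range(lo, hi + 1))
        for platform, (lo, hi) in EPHEMERAL_RANGES.items()
    }


if __name__ == "__main__":
    print("as given :", solve(OUTBOUND_AS_GIVEN))   # SSH, HTTP and HTTPS all False
    print("fixed    :", solve(OUTBOUND_FIXED))      # SSH False, HTTP True, HTTPS True
    print("coverage :", covers_all_clients(OUTBOUND_FIXED))
```

Running it reproduces the article's answer for the table as given (all three fail) and shows that widening outbound rule# 200 to 1024-65535 lets HTTP and HTTPS complete while SSH stays blocked by the inbound deny. The `covers_all_clients` check is the one worth keeping in mind when you write such a rule: the outbound range has to cover whatever the client side may choose, and only 1024-65535 covers every range the article lists.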


We hope this article helped you understand the concept of ephemeral ports. The Whizlabs practice test series has been prepared by a team of subject matter experts and certified professionals to help you prepare for and pass the certification exam. If you think you are done with your preparation, try the practice test series for AWS Certified Solutions Architect Associate and AWS Certified SysOps Administrator Associate to check your current level of preparation.

Join us now and make yourself ready to become a Certified AWS Associate.

About Pavan Rao

Programmer / Developer by Profession and Cloud Computing Professional by choice with in-depth knowledge in AWS, Azure, Google Cloud Platform. - "May the Force of Cloud Computing be with You"