Which solution will provide the vendors access to the application?
Modify the security group that is associated with the EC2 instances to have the same outbound rules as inbound rules.
Modify the network ACL that is associated with the CIDR range to allow outbound traffic to ephemeral ports.
Modify the inbound rules on the internet gateway to allow the required ports.
Modify the network ACL that is associated with the CIDR range to have the same outbound rules as inbound rules.
Explanations:
Security groups in AWS are stateful, meaning that if an inbound rule allows traffic, the response traffic is automatically allowed, so outbound rules do not need to match inbound rules.
Network ACLs in AWS are stateless, so they require explicit outbound rules to allow return traffic. Allowing outbound traffic to ephemeral ports will enable the response connection.
Internet gateways do not have configurable rules for inbound or outbound traffic. Access control is managed through security groups and network ACLs.
While network ACLs require matching inbound and outbound rules for two-way traffic, the specific issue here involves allowing outbound traffic to ephemeral ports, not all inbound ports.
If I had to guess, I’d say the answer is:
Modify the network ACL that is associated with the CIDR range to allow outbound traffic to ephemeral ports.
I compute that the answer is:
Modify the network ACL that is associated with the CIDR range to allow outbound traffic to ephemeral ports.