I have
I am able to ping google.com from my bastion host but I am unable to do so from my private EC2 instance. I have checked all the steps mentioned here: https://aws.amazon.com/premiumsupport/knowledge-center/ec2-internet-connectivity/
I think the problem is with my NACL.
INBOUND RULES OF THE NACL ATTACHED TO THE PRIVATE SUBNET
OUTBOUND RULES OF NACL ATTACHED TO THE PRIVATE SUBNET
Pinging google.com works if I detach the NACLs from the private subnet. Please verify these NACLs.
NOTE: 10.100.3.0/24 and 10.100.0.0/24 are the CIDRs of my public subnets.
Your outbound NACL rules are blocking all traffic except traffic whose final destination is one of two private IP ranges.
While the NAT might be in those subnets, the target is not; you should allow any IP ranges you want to be able to speak out to.
The NACL is stateless. That means you have to open the respective protocol and ports for outgoing requests and you also need inbound rules for the return traffic of outgoing requests. To allow a response to outgoing ping requests, it must allow inbound ICMP traffic. If you want to send HTTP/S requests, you must allow inbound traffic on the ephemeral ports on TCP.
You can learn more about Network ACLs and ephemeral ports here.
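To make the two answers concrete, the following is an added example (not code from the question or from either answer) that models how a stateless network ACL evaluates a flow: rules are checked in ascending rule-number order, the first match wins, the implicit `*` rule denies, and the outbound request and the inbound reply are judged independently. The rule sets are constructed to approximate what the question describes (outbound allowed only to the two public-subnet CIDRs) and a corrected set; the remote address 203.0.113.10, the ephemeral port 50123 and the exact broken inbound rules are assumptions, and ICMP type/code matching is left out for brevity.

```python
"""Stateless NACL evaluation, modelled in plain Python (added example)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int          # lower numbers are evaluated first
    protocol: str        # "tcp", "udp", "icmp" or "all"
    cidr: str            # destination CIDR (outbound) or source CIDR (inbound)
    port_from: int = 0   # destination port range; ignored for icmp / all
    port_to: int = 65535
    action: str = "allow"


def evaluate(rules, protocol, address, port=None):
    """Return (action, rule_number) of the first matching rule, else ('deny', '*')."""
    addr = ipaddress.ip_address(address)
    for r in sorted(rules, key=lambda r: r.number):
        if r.protocol not in ("all", protocol):
            continue
        if addr not in ipaddress.ip_network(r.cidr):
            continue
        if r.protocol in ("tcp", "udp") and port is not None \
                and not (r.port_from <= port <= r.port_to):
            continue
        return r.action, r.number
    return "deny", "*"


def flow_allowed(outbound, inbound, protocol, remote, remote_port=None, ephemeral_port=None):
    """Both legs must pass: the request (outbound) and, separately, the reply (inbound).

    The reply arrives with the remote host as source and the instance's ephemeral
    port as destination; the NAT gateway's own address never appears in either leg.
    """
    request = evaluate(outbound, protocol, remote, remote_port)
    reply = evaluate(inbound, protocol, remote, ephemeral_port)
    return request[0] == "allow" and reply[0] == "allow", request, reply


# Constructed approximation of the rules in the question: only the two public
# subnet CIDRs are allowed, so nothing with a public destination ever matches.
BROKEN_OUTBOUND = [Rule(100, "all", "10.100.0.0/24"), Rule(110, "all", "10.100.3.0/24")]
BROKEN_INBOUND = [Rule(100, "all", "10.100.0.0/24"), Rule(110, "all", "10.100.3.0/24")]

# Corrected rules: allow the requests you intend to send, and allow the replies
# back in (ICMP for ping, TCP ephemeral ports for HTTP/S return traffic).
FIXED_OUTBOUND = [
    Rule(100, "icmp", "0.0.0.0/0"),
    Rule(110, "tcp", "0.0.0.0/0", 80, 80),
    Rule(120, "tcp", "0.0.0.0/0", 443, 443),
]
FIXED_INBOUND = [
    Rule(100, "icmp", "0.0.0.0/0"),
    Rule(110, "tcp", "0.0.0.0/0", 1024, 65535),   # ephemeral port range (assumed)
]

REMOTE = "203.0.113.10"   # placeholder public address standing in for google.com


def check_ping(outbound, inbound, remote=REMOTE):
    return flow_allowed(outbound, inbound, "icmp", remote)[0]


def check_https(outbound, inbound, remote=REMOTE, ephemeral=50123):
    return flow_allowed(outbound, inbound, "tcp", remote, 443, ephemeral)[0]


if __name__ == "__main__":
    print("ping  with question's rules:", check_ping(BROKEN_OUTBOUND, BROKEN_INBOUND))
    print("ping  with fixed rules:     ", check_ping(FIXED_OUTBOUND, FIXED_INBOUND))
    print("https with fixed rules:     ", check_https(FIXED_OUTBOUND, FIXED_INBOUND))
    # Drop the ephemeral-port rule and the request still leaves, but the reply is denied.
    print("https without ephemeral rule:", check_https(FIXED_OUTBOUND, FIXED_INBOUND[:1]))
```

The last line is the statelessness trap the second answer warns about: the outbound 443 rule alone lets the SYN out, but without an inbound rule covering the ephemeral destination port the SYN-ACK is dropped and the connection hangs rather than failing cleanly. A security group would have tracked the flow for you; a NACL will not.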