When two endpoints establish a TCP/UDP connection, one side uses a fixed (well-known) port, and the other side uses a temporary, high-numbered ephemeral port.
- Clients connect to a known port (e.g., 443 for HTTPS) and expect responses on an ephemeral port.
- Ephemeral port ranges vary by OS:
  - IANA / Windows 10: 49152–65535
  - Many Linux kernels: 32768–60999
Example: HTTPS Request
Web Server
- IP: 55.66.77.88
- Port: 443 (fixed)
Client
- IP: 11.22.33.44
- Ephemeral Port: 50105
Request (Client → Server)
- Source: 11.22.33.44:50105
- Destination: 55.66.77.88:443
Response (Server → Client)
- Source: 55.66.77.88:443
- Destination: 11.22.33.44:50105
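To see the OS hand out an ephemeral port and to check which range it is drawing from, the following added example (not part of the original notes) binds a socket to port 0, which asks the operating system to choose the port, and reads the configured range from procfs on Linux. The procfs path and the IANA fallback are the only assumptions; no traffic is sent.

```python
import socket
from pathlib import Path

# IANA's recommended dynamic range, also used by Windows 10; used as the
# fallback when the OS does not expose its configured range.
IANA_RANGE = (49152, 65535)


def local_ephemeral_range():
    """Return (low, high) of the local ephemeral port range. Linux exposes the
    configured range in procfs; elsewhere fall back to the IANA default."""
    proc = Path("/proc/sys/net/ipv4/ip_local_port_range")
    if proc.exists():
        low, high = proc.read_text().split()
        return int(low), int(high)
    return IANA_RANGE


def pick_ephemeral_port():
    """Bind a socket to port 0 so the OS assigns an ephemeral port, then read it
    back with getsockname(). The socket is closed immediately; nothing is sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.bind(("127.0.0.1", 0))
        return sock.getsockname()[1]


def is_ephemeral(port, port_range=None):
    """True if `port` lies inside the given range (default: this host's range)."""
    low, high = port_range or local_ephemeral_range()
    return low <= port <= high


if __name__ == "__main__":
    rng = local_ephemeral_range()
    port = pick_ephemeral_port()
    print(f"OS ephemeral range: {rng[0]}-{rng[1]}, assigned port: {port}")
```

Port 50105 from the example above falls inside both the IANA/Windows range and the common Linux range, which is why firewall rules written for "the ephemeral range" are usually made wide enough to cover every client OS rather than one kernel's setting.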
NACLs and Ephemeral Ports
If a connection is initiated from one subnet to another, the return traffic is sent to the ephemeral port the initiator chose.
Because NACLs are stateless and do not track connections, they must explicitly allow these ephemeral ports in both directions; the inbound rule that admits the request does not automatically admit the reply.
Example: Web Tier → Database Tier
Architecture
- Web Subnet (public)
- DB Subnet (private)
- DB listens on port 3306 (MySQL default)
Web Subnet NACL
- Outbound: Allow TCP 3306 to DB subnet
- Inbound: Allow TCP 1024–65535 from DB subnet
DB Subnet NACL
- Inbound: Allow TCP 3306 from Web subnet
- Outbound: Allow TCP 1024–65535 to Web subnet
Why This Matters
When the web tier initiates a DB connection:
- Request: Source ephemeral port → Destination 3306
- Response: Source 3306 → Destination ephemeral port
If the NACLs don't allow the ephemeral range, the return traffic is blocked.
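To make the four stateless checks concrete, the following added example (written for these notes, not AWS code) models the two NACLs above as numbered first-match rule lists and walks a web-to-DB request and its reply through each one. The subnet CIDRs (10.0.1.0/24 for the web tier, 10.0.2.0/24 for the DB tier) and host addresses are constructed; the rule semantics follow how NACLs evaluate traffic: rules in ascending number order, the port range applied to the packet's destination port, the CIDR applied to the remote address, and an implicit deny when nothing matches. A second web NACL with the inbound ephemeral rule left out shows exactly where the reply is dropped.

```python
import ipaddress
from dataclasses import dataclass

# Constructed subnet CIDRs standing in for the notes' "Web subnet" and "DB subnet".
WEB_CIDR = "10.0.1.0/24"
DB_CIDR = "10.0.2.0/24"


@dataclass(frozen=True)
class Rule:
    """One NACL entry. For inbound rules `cidr` is the source; for outbound it is
    the destination. `port_from`/`port_to` always describe the destination port."""
    number: int
    direction: str   # "inbound" or "outbound"
    protocol: str    # "tcp", "udp" or "all"
    port_from: int
    port_to: int
    cidr: str
    action: str      # "allow" or "deny"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str = "tcp"


def reply(pkt: Packet) -> Packet:
    """The return packet of a flow: addresses and ports swapped, nothing else."""
    return Packet(pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.protocol)


def evaluate(rules, direction: str, pkt: Packet) -> bool:
    """Stateless first-match evaluation in ascending rule-number order; if no rule
    matches, the packet is denied (the implicit final '*' deny rule)."""
    remote_ip = ipaddress.ip_address(pkt.src_ip if direction == "inbound" else pkt.dst_ip)
    candidates = sorted((r for r in rules if r.direction == direction), key=lambda r: r.number)
    for r in candidates:
        if r.protocol not in ("all", pkt.protocol):
            continue
        if not (r.port_from <= pkt.dst_port <= r.port_to):
            continue
        if remote_ip not in ipaddress.ip_network(r.cidr):
            continue
        return r.action == "allow"
    return False


def trace_connection(web_nacl, db_nacl, request: Packet) -> dict:
    """Walk a web->DB request and its reply through the four NACL checks the two
    packets cross, returning which checks pass. The connection works only if all do."""
    response = reply(request)
    return {
        "web_outbound_request": evaluate(web_nacl, "outbound", request),
        "db_inbound_request": evaluate(db_nacl, "inbound", request),
        "db_outbound_response": evaluate(db_nacl, "outbound", response),
        "web_inbound_response": evaluate(web_nacl, "inbound", response),
    }


# The NACLs as the notes describe them.
WEB_NACL = [
    Rule(100, "outbound", "tcp", 3306, 3306, DB_CIDR, "allow"),
    Rule(100, "inbound", "tcp", 1024, 65535, DB_CIDR, "allow"),
]
DB_NACL = [
    Rule(100, "inbound", "tcp", 3306, 3306, WEB_CIDR, "allow"),
    Rule(100, "outbound", "tcp", 1024, 65535, WEB_CIDR, "allow"),
]

# The same web NACL with the inbound ephemeral-range rule forgotten: the request
# still reaches the DB, but the DB's reply is dropped at the web subnet boundary.
WEB_NACL_NO_EPHEMERAL = [r for r in WEB_NACL if r.direction != "inbound"]

# Constructed hosts in each subnet; 50105 is the ephemeral port used earlier in the notes.
REQUEST = Packet("10.0.1.10", 50105, "10.0.2.20", 3306)

if __name__ == "__main__":
    for label, nacl in (("correct", WEB_NACL), ("missing ephemeral rule", WEB_NACL_NO_EPHEMERAL)):
        result = trace_connection(nacl, DB_NACL, REQUEST)
        print(f"{label}: {'OK' if all(result.values()) else 'BLOCKED'} {result}")
```

Running it shows the misconfigured case failing only at `web_inbound_response`: the SYN arrives at the database and the SYN-ACK leaves the DB subnet, but the web subnet's NACL has no rule admitting traffic to port 50105, so the handshake never completes. This is the pattern to look for when a flow shows one-way packets in VPC flow logs while security groups appear correct.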