Providing internet access to private Ec2 instance using NAT instance

Question

I was able to connect my private Ec2 instance to the internet through NAT instance. wget google.com was successful. But when I attached a NACL to my private subnet.I wasn't able to connect to the internet.Can anyone please tell me what is wrong with my NACL. 10.0.1.0/24 and 10.0.2.0/24 are CIDRs of public subnet(which has the NAT instance)

private NACL inbound rule

private NACL outbound rule

Also, when I add rule to accept all traffic from internet.It works. Is it correct practice to add this rule ?

Answer 1

Based on the comments.

The issue was due to blocking inbound internet traffic (0.0.0.0/0). From the Instances cannot access the internet in AWS docs, to enable internet access of the instance using NAT, the following must be ensured:

Ensure that the network ACLs that are associated with the private subnet and public subnets do not have rules that block inbound or outbound internet traffic . For the ping command to work, the rules must also allow inbound and outbound ICMP traffic.

Question from comments:

But just one question how will whitelisting work in this case. If I only want to download certain libraries using the internet and not allow any api requests ?

If you know IP ranges of the public servers that these libraries are going to be downloaded from, then you could limit the internet traffic to only these ranges. But if the range is not fixed or unknown you have to allow all (0.0.0.0/0) internet traffic in the rules.

Generally, security groups are used as primary way of controlling network traffic. NACLs are good due to their their denying ability. Security groups can't explicitly deny traffic, thus NACLs are helpful in cases where you want to explicitly deny some IPs. But in your case, you are allow only traffic. Thus I think the use of default NACLs would be sufficient and could be considered.