by greglindahl 2800 days ago
I wonder if this is related to connection tracking?

By default, Amazon uses a stateless firewall. It means that by default it's not tracking connections.
I think you may be mistaken. Security Groups are stateful: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Securit...

As suggested, it's very likely they hit the connection tracking limitation: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-ne...

I've personally witnessed teams hit this specifically for DNS (usually for internal, where you have explicitly permitted src/dst).
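The tracked/untracked distinction from the linked AWS page, as an added example that is not from any commenter here: a small checker that classifies a flow against a security group ruleset. It assumes the documented model that a TCP/UDP flow is untracked only when its rule is open to 0.0.0.0/0 or ::/0 and the opposite direction is open to 0.0.0.0/0 or ::/0 on all ports; the `Rule` type and the two rulesets are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = (ip_network("0.0.0.0/0"), ip_network("::/0"))


@dataclass(frozen=True)
class Rule:
    direction: str   # "inbound" or "outbound"
    protocol: str    # "tcp", "udp", "icmp", or "-1" for all protocols
    from_port: int   # port range; ignored when protocol is "-1" or "icmp"
    to_port: int
    cidr: str


def _matches(rule, protocol, port):
    if rule.protocol == "-1":
        return True
    if rule.protocol != protocol:
        return False
    return protocol == "icmp" or rule.from_port <= port <= rule.to_port


def _all_ports(rule):
    return rule.protocol == "-1" or (rule.from_port == 0 and rule.to_port == 65535)


def classify_flow(rules, direction, protocol, port, peer_ip):
    """Return "denied", "tracked" or "untracked" for one flow.
    Assumed model (AWS SG docs): TCP/UDP is untracked only if permitted by an
    any-source rule AND the opposite direction is any-source on all ports.
    Everything else that is permitted, ICMP included, consumes a conntrack entry."""
    peer = ip_address(peer_ip)
    permitting = [r for r in rules if r.direction == direction
                  and _matches(r, protocol, port) and peer in ip_network(r.cidr)]
    if not permitting:
        return "denied"
    if protocol not in ("tcp", "udp"):
        return "tracked"
    opposite = "outbound" if direction == "inbound" else "inbound"
    flow_open = any(ip_network(r.cidr) in ANY for r in permitting)
    response_open = any(r.direction == opposite and ip_network(r.cidr) in ANY
                        and _all_ports(r) and r.protocol in ("-1", protocol)
                        for r in rules)
    return "untracked" if flow_open and response_open else "tracked"


# Constructed rulesets: an internal resolver admitting only 10.0.0.0/8 (the
# "explicitly permitted src" case) and a public one; both allow all outbound.
INTERNAL_DNS = [Rule("inbound", "udp", 53, 53, "10.0.0.0/8"),
                Rule("outbound", "-1", 0, 65535, "0.0.0.0/0")]
PUBLIC_DNS = [Rule("inbound", "udp", 53, 53, "0.0.0.0/0"),
              Rule("outbound", "-1", 0, 65535, "0.0.0.0/0")]
```

Every query to the internal resolver comes back "tracked", so each UDP exchange occupies a conntrack slot until it ages out, which is how a busy internal DNS host runs into the per-instance limit.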

Yep, I mistook Security Groups for Network ACLs. Thanks. It's in the best practices to not track DNS for big systems.

From powerdns https://doc.powerdns.com/recursor/performance.html

Thx for the clarification. Had the same misconception.