NACLs are the wall of defense in front of your security groups; they are created at the subnet level. Security groups are what is known as "stateful": any inbound traffic that is allowed in automatically has its return response allowed out, even if the outbound rules don't list that port as allowed. For example, if the SG allows inbound traffic on port 443 (HTTPS) and a client connects to the server on port 443, the return response will be allowed out because SGs are stateful. The same is true in the other direction: if the connection was allowed out, the response will be allowed back in. SGs also have an implicit deny on any traffic not explicitly allowed.
It is important to note that rules on a NACL are ordered by number: the lower the number, the higher the priority, and there is no implicit deny. If a rule with a lower number allows all traffic but a rule further down denies all traffic, the traffic will be allowed, and vice versa. It's best to define rules in increments of 100 so you can easily add a rule in between when a new rule needs to take priority between two existing ones.
Now for comparison, a NACL is stateless: if we allow HTTPS traffic in, that does not necessarily mean the client will get a response, because the outbound rules also have to allow the return traffic out. For example, you may have inbound traffic allowed to port 443, yet the return response will not necessarily make it back out. So just because traffic can come in doesn't mean the client will receive a response.
When using a NACL, do you just explicitly allow port 443 out? Well, 443 is the destination port from the client's side, not the destination port for the server's reply. The client won't have port 443 open; it's not a web server. This is where ephemeral ports come in. Ephemeral, meaning temporary, ports are opened by the server for the duration of the connection to allow the return traffic in. The ephemeral port range varies depending on whether you are using Windows or Linux. So to ensure the client receives a return response from the server, you need to at least allow the ephemeral port range as the destination for outbound traffic.
So in short: traffic to port 443 is allowed in, passes the NACL and reaches the instance serving the web page. The instance is then able to respond to the client's ephemeral destination port because the outbound rules allow traffic to that ephemeral port range. It's important to note that this port is randomly assigned for the connection and closed when the connection ends, which is why you need to allow the entire range.
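The stateless round trip described above, as an added example that is not part of the original post: a small Python simulator of NACL rule evaluation (first match in ascending rule-number order, falling back to the `*` catch-all deny that AWS places at the end of every NACL). The rule sets, the client's source port 51234 and the 1024-65535 ephemeral range are assumptions constructed for this example, not values from a real account.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    number: int      # NACL rule number: lower numbers are evaluated first
    protocol: str    # "tcp", "udp" or "all"
    port_from: int   # destination port range (inclusive)
    port_to: int
    action: str      # "allow" or "deny"

def evaluate(rules, protocol, dst_port):
    """Return the action of the first matching rule in ascending rule-number order.
    Falls back to "deny", modeling the '*' catch-all rule AWS appends to every NACL
    for packets that no numbered rule matched."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.protocol in ("all", protocol) and r.port_from <= dst_port <= r.port_to:
            return r.action
    return "deny"

def https_round_trip(inbound, outbound, client_port):
    """Stateless check of one HTTPS exchange through a subnet NACL.
    The request is judged against the inbound rules (dst port 443 on the server);
    the reply is judged separately against the outbound rules, where the
    destination is the ephemeral port the client used as its source port."""
    if evaluate(inbound, "tcp", 443) != "allow":
        return "request blocked"
    if evaluate(outbound, "tcp", client_port) != "allow":
        return "reply blocked"
    return "reply allowed"

# Constructed rule sets for the scenario in the text (assumptions, not a real NACL).
EPHEMERAL = (1024, 65535)   # assumption: widest range so both Linux and Windows clients fit
inbound = [Rule(100, "tcp", 443, 443, "allow")]
outbound_only_443 = [Rule(100, "tcp", 443, 443, "allow")]          # "just allow 443 out"
outbound_with_ephemeral = [Rule(100, "tcp", 443, 443, "allow"),
                           Rule(200, "tcp", EPHEMERAL[0], EPHEMERAL[1], "allow")]

# Rule ordering: rule 100 allows 443 before rule 200's deny-all is ever reached.
ordered = [Rule(200, "all", 0, 65535, "deny"), Rule(100, "tcp", 443, 443, "allow")]

if __name__ == "__main__":
    client_port = 51234   # constructed ephemeral port the client picked for this connection
    print(https_round_trip(inbound, outbound_only_443, client_port))        # reply blocked
    print(https_round_trip(inbound, outbound_with_ephemeral, client_port))  # reply allowed
    print(evaluate(ordered, "tcp", 443))   # allow
    print(evaluate(ordered, "tcp", 22))    # deny
```

Swapping the ephemeral rule out of `outbound_with_ephemeral` is enough to see the reply dropped, which is the failure mode the text warns about.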