Introduction
While studying for AWS SAA (Solutions Architect Associate) certification, I encountered the question "What are ephemeral ports?" So I decided to research and summarize this topic!
What are Ephemeral Ports?
Definition
Ephemeral ports are dynamically allocated port numbers temporarily used by client-side applications. As you know,The word "ephemeral" means "temporary" or "transient," and true to its name, these are short-lived ports that exist only during the duration of a communication session.
While server applications typically listen on fixed well-known ports (port 80 for HTTP, port 443 for HTTPS, etc.), client-side applications need different port numbers for each connection. This is where the operating system automatically selects and assigns unused port numbers - this mechanism is what ephemeral ports are all about.
Port Number Classifications and Ranges
- Well-Known Ports: 0-1023
Ports for well-known services like HTTP (80), HTTPS (443), SSH (22), etc.
- Registered Ports: 1024-49151
Used by specific applications and services that have registered them
- Ephemeral Ports: 49152-65535
Dynamic ports temporarily used by clients
Actual Ranges by Operating System
The actual ephemeral port ranges vary by operating system:
| OS | Ephemeral Port Range |
|---|---|
| Linux | 32768-61000 (typical) |
| Windows Vista/7/Server 2008 and later | 49152-65535 |
| Windows XP and earlier | 1025-5000 |
Ephemeral Port Operation Mechanism
Basic Communication Flow
Connection Initiation: Client requests connection to server
Port Assignment: OS dynamically assigns an ephemeral port to the client
Communication Execution: Client uses the assigned temporary port to communicate with server
Resource Release: After communication ends, the ephemeral port is released and becomes available for reuse
Concrete Example: Web Browsing Case
Note: Diagram created with AI assistance
Importance of Ephemeral Ports in AWS
Network ACL Considerations
AWS Network ACLs are stateless in nature, requiring explicit traffic permission for both inbound and outbound directions.
Specific Problem Example
Scenario Setup
- You're trying to SSH from your home PC (Windows) to an AWS EC2 instance
- EC2 is placed in a private subnet
- Network ACL is configured
What's happening?
1. Connection Initiation (Success)
Your PC:52341 → EC2:22 (SSH connection request)
- Inbound rule: "Allow connections to port 22" → ✅ Passes through
2. EC2 Response (Failure)
EC2:22 → Your PC:52341 (SSH response)
- Outbound rule: "Allow response to port 52341?" → ❌ Not configured
The Problem
- Port 22 (SSH) is allowed, but...
- Response to the client's ephemeral port (52341 in this example) is not allowed
- Result: Connection timeout
Solution
Add the following to outbound rules:
| Rule# | Type | Protocol | Port Range | Destination | Allow/Deny |
|-------|------|----------|------------|-------------|------------|
| 100 | Custom TCP | TCP | 1024-65535 | 0.0.0.0/0 | ALLOW |
💡 "Ephemeral ports not allowed" = "Return traffic to temporary port numbers used by clients is being blocked by Network ACL outbound rules"
Conclusion
I learned that ephemeral ports are "temporary ports" assigned to clients. I believe this kind of knowledge is essential for quickly identifying the root cause of infrastructure issues!
Top comments (0)