In my control panel I see a security group which has a count of 250 rules, but I only see two rules in the list:

[screenshot: security group UI]

What am I missing?

grreeenn

  • Looks like an API glitch. Have you tried refreshing the EC2 console? – baduker May 20 '22 at 14:27
  • hundred times. Moreover, I'm hitting the limit of max security rules per group (`RulesPerSecurityGroupLimitExceeded` error) when adding a new k8s service.... – grreeenn May 20 '22 at 14:28
  • Have you previously asked for an SG quota increase? If not, this is really weird and I'd raise a support request with AWS to clarify this. – baduker May 20 '22 at 14:32
  • That's weird. I suggest opening a support ticket. – jellycsc May 20 '22 at 14:34
  • Ok, so I'm not crazy or something, thanks for the reassurance. Just opened a support request – grreeenn May 20 '22 at 14:40

2 Answers

Ok, so it's not a glitch. After talking to AWS support, it turns out that the number of permission entries in this case is calculated from (hold tight) the sum of the maximum possible entries of each Source (see the Sources column on the screenshot). In this case, the sources were Managed Prefix Lists, and the maximum number of entries was 150 for one of them and 100 for the other - and this is how the limit got hit.

Interestingly, the actual number of records didn't matter - only the limit (see the screenshot of the Manage Prefix List screen). I've passed it on to devops, and they dealt with it - sorry for no solution, but maybe it'll help you locate the root of your issue :)

[screenshot: Manage Prefix List screen]

grreeenn

  • @grreenn - you just saved me probably days' worth of headache... Thank you so much! – Kevin Foster Oct 11 '22 at 01:15
  • @KevinFoster that's why we are all here :) did you solve it though? The community will be very grateful to have the final solution ;) – grreeenn Oct 11 '22 at 16:58
  • You said this wasn't a "solution" but it was for me. I re-sized all of my Manage Prefix Lists to have a max of only what I was presently using, and that solved my issue. I had one list that had ~30, but I had a max set to 200 - I'm new to the prefix lists, so when it said "this can't be resized", I saw no immediate drawback to a high max, and padded it significantly to account for growth. If you click "actions" there's an option to resize, and I just set it to my present count. This doesn't solve it if you ACTUALLY need more than 60 rules, but it helped me in the moment with my list of ~30. – Kevin Foster Oct 11 '22 at 19:40
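As an added example (not code from the question, the answers or AWS), the script below applies the counting rule described in the answer above to data in the shape boto3's `describe_security_groups` and `describe_managed_prefix_lists` return, so you can see which source is eating the quota before opening a ticket. The prefix-list IDs, their `MaxEntries` and the two rules are constructed to reproduce the question's 150 + 100 = 250; security-group references are left out.

```python
# Constructed: MaxEntries and AddressFamily as ec2 describe_managed_prefix_lists
# reports them (assumed IDs, not the asker's real lists).
PREFIX_LISTS = {
    "pl-0aaa111": {"MaxEntries": 150, "AddressFamily": "IPv4"},
    "pl-0bbb222": {"MaxEntries": 100, "AddressFamily": "IPv4"},
}

# Constructed: the two inbound rules from the question, in the IpPermissions shape
# that ec2 describe_security_groups returns.
SAMPLE_IP_PERMISSIONS = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [],
     "Ipv6Ranges": [], "PrefixListIds": [{"PrefixListId": "pl-0aaa111"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [],
     "Ipv6Ranges": [], "PrefixListIds": [{"PrefixListId": "pl-0bbb222"}]},
]


def count_by_source(ip_permissions, prefix_lists):
    """Return {(address_family, source): rules_counted} for one direction.

    A CIDR counts once; a prefix list counts as its MaxEntries no matter how
    many entries it actually holds. IPv4 and IPv6 are keyed separately because
    the per-group quota is enforced per address family. Security-group
    references (UserIdGroupPairs) are not handled here.
    """
    counts = {}

    def add(family, source, n):
        counts[(family, source)] = counts.get((family, source), 0) + n

    for perm in ip_permissions:
        for r in perm.get("IpRanges", []):
            add("IPv4", r["CidrIp"], 1)
        for r in perm.get("Ipv6Ranges", []):
            add("IPv6", r["CidrIpv6"], 1)
        for pl in perm.get("PrefixListIds", []):
            pl_id = pl["PrefixListId"]
            if pl_id not in prefix_lists:
                raise KeyError(f"{pl_id}: MaxEntries unknown, describe it first")
            meta = prefix_lists[pl_id]
            add(meta["AddressFamily"], pl_id, meta["MaxEntries"])
    return counts


def totals_by_family(ip_permissions, prefix_lists):
    """Rules charged against the quota, per address family (e.g. {'IPv4': 250})."""
    totals = {}
    for (family, _), n in count_by_source(ip_permissions, prefix_lists).items():
        totals[family] = totals.get(family, 0) + n
    return totals
```

Sorting `count_by_source` output by value shows at a glance which prefix list to resize, as the comment above describes.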
You can refer to https://docs.aws.amazon.com/vpc/latest/userguide/security-group-rules.html#security-group-size to understand how the number of security group rules is counted.

It's also worth noting that IPv4 and IPv6 are counted separately, as mentioned here: https://docs.aws.amazon.com/vpc/latest/userguide/amazon-vpc-limits.html#vpc-limits-security-groups (see 'Inbound or outbound rules per security group').