Error: The maximum number of rules per security group has been reached

How to deal with the error: “The maximum number of rules per security group has been reached.”

Normally the error is easy to diagnose: count the rules in the group and check whether they exceed the quota, which by default is 60 rules in each direction (inbound and outbound are counted separately). The complication comes when security group rules reference managed prefix lists.

When you create a prefix list, you must set a maximum number of entries.

That value, not the number of entries actually in the list, is what counts against the “Inbound or outbound rules per security group” quota, which by default is 60.

For example, if a prefix list contains a single IP address but was created with a maximum of 20 entries, every security group rule that references that prefix list counts as 20 rules against the quota, regardless of how many entries the list currently holds.

So if you create three rules, one for port 443, one for port 22 and one for port 6392, each referencing that prefix list, they consume 20 × 3 = 60 rules, the entire default quota. Adding one more rule of any kind then fails with “The maximum number of rules per security group has been reached”, even though the console shows only three rules in the group.

This bites particularly when you are using CloudFormation or CDK: for some updates CloudFormation creates the replacement resource before it deletes the old one, so rules that are being replaced briefly exist twice while the update runs and can push the group past the quota. When that happens, deploy the removals on their own first, then add the new rules in a separate deployment.

Also worth mentioning: the MaxEntries value can be modified later, but choose the initial value with care. If you ever need to increase it, and the new value would push any security group that references the prefix list over its rule quota, the modification fails, and you must first remove the prefix list reference from the offending security groups, which is likely to cause you a headache.
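The quota arithmetic above (three rules referencing a 20-entry prefix list filling a 60-rule quota) and the MaxEntries increase check are easy to get wrong by hand, so here is a small calculator that does both. This is an added example, not code from the original post or from AWS. The dict shapes mirror the fields returned by `aws ec2 describe-security-group-rules` (IsEgress, PrefixListId, CidrIpv4, FromPort, ToPort) and `aws ec2 describe-managed-prefix-lists` (MaxEntries), and `aws ec2 get-managed-prefix-list-associations` is how you would find every group that references a list; the sample rules, the sg- and pl- IDs and the port numbers are constructed placeholders.

```python
"""Effective rule count for security groups whose rules reference managed
prefix lists.

Added example, not code from the original post. The dict shapes mirror
fields returned by `aws ec2 describe-security-group-rules` and
`aws ec2 describe-managed-prefix-lists`, but all sample data below is
constructed and the sg-/pl- IDs are placeholders.
"""

# AWS default for the quota "Inbound or outbound rules per security group".
DEFAULT_RULE_QUOTA = 60

# Placeholder IDs (assumed, not real resources).
PL = "pl-0a1b2c3d4e5f60718"
SG_APP = "sg-0aaaaaaaaaaaaaaaa"
SG_BASTION = "sg-0bbbbbbbbbbbbbbbb"

# Constructed sample: one prefix list created with MaxEntries=20. It may hold
# a single CIDR; only MaxEntries matters for the quota, so entries are not
# modelled here.
PREFIX_LIST_MAX_ENTRIES = {PL: 20}

# Constructed sample: SG_APP has three inbound rules (443, 22, 6392), each
# referencing the prefix list; SG_BASTION references it once for SSH and
# has one plain CIDR rule.
RULES_BY_SG = {
    SG_APP: [
        {"IsEgress": False, "IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "PrefixListId": PL},
        {"IsEgress": False, "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "PrefixListId": PL},
        {"IsEgress": False, "IpProtocol": "tcp", "FromPort": 6392, "ToPort": 6392, "PrefixListId": PL},
    ],
    SG_BASTION: [
        {"IsEgress": False, "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "PrefixListId": PL},
        {"IsEgress": False, "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIpv4": "10.0.0.0/8"},
    ],
}


def rule_weight(rule, max_entries):
    """Quota units one rule consumes: a prefix-list reference costs the
    list's MaxEntries (not its current entry count); a CIDR or security
    group reference costs 1."""
    pl_id = rule.get("PrefixListId")
    if pl_id is None:
        return 1
    if pl_id not in max_entries:
        raise KeyError(f"MaxEntries for {pl_id} not loaded")
    return max_entries[pl_id]


def effective_rule_count(rules, max_entries, egress=False):
    """Quota consumption for one direction (inbound or outbound) of a group."""
    return sum(rule_weight(r, max_entries)
               for r in rules if bool(r.get("IsEgress", False)) == egress)


def can_add_rule(rules, max_entries, new_rule, quota=DEFAULT_RULE_QUOTA):
    """True if new_rule fits in its direction without exceeding the quota."""
    egress = bool(new_rule.get("IsEgress", False))
    used = effective_rule_count(rules, max_entries, egress)
    return used + rule_weight(new_rule, max_entries) <= quota


def groups_blocking_max_entries(rules_by_sg, max_entries, pl_id, new_max,
                                quota=DEFAULT_RULE_QUOTA):
    """Security groups that would exceed their quota if pl_id's MaxEntries
    were raised to new_max. The prefix list modification fails while this
    is non-empty, so these are the groups that must drop the reference
    first."""
    trial = dict(max_entries)
    trial[pl_id] = new_max
    blocking = []
    for sg_id, rules in rules_by_sg.items():
        if not any(r.get("PrefixListId") == pl_id for r in rules):
            continue
        if any(effective_rule_count(rules, trial, egress) > quota
               for egress in (False, True)):
            blocking.append(sg_id)
    return blocking


if __name__ == "__main__":
    app_rules = RULES_BY_SG[SG_APP]
    print("SG_APP inbound usage:", effective_rule_count(app_rules, PREFIX_LIST_MAX_ENTRIES))
    extra = {"IsEgress": False, "IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "CidrIpv4": "0.0.0.0/0"}
    print("can add one more inbound CIDR rule:", can_add_rule(app_rules, PREFIX_LIST_MAX_ENTRIES, extra))
    print("groups blocking MaxEntries 20 -> 25:",
          groups_blocking_max_entries(RULES_BY_SG, PREFIX_LIST_MAX_ENTRIES, PL, 25))
```

With the sample data, SG_APP's three prefix-list rules already consume the full 60-rule inbound quota, so a fourth inbound rule is refused while an outbound rule still fits, and raising the list's MaxEntries from 20 to 25 is blocked by SG_APP alone (the bastion group, at 26, has room). To use it for real, feed it the JSON from the two describe commands and run the MaxEntries check over every group returned by `get-managed-prefix-list-associations` before calling `modify-managed-prefix-list`.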
