The maximum number of rules per security group has been reached
See original GitHub issueLooks like the cidr ranges have grown and once again reaches the limit of security group. This is what I get now running the example code:
Response:
{
"errorMessage": "An error occurred (RulesPerSecurityGroupLimitExceeded) when calling the AuthorizeSecurityGroupIngress operation: The maximum number of rules per security group has been reached.",
"errorType": "ClientError",
"stackTrace": [
" File \"/var/task/lambda_function.py\", line 42, in lambda_handler\n result = update_security_groups(ip_ranges)\n",
" File \"/var/task/lambda_function.py\", line 94, in update_security_groups\n if update_security_group(client, group, new_ranges[\"GLOBAL\"], INGRESS_PORTS['Https']):\n",
" File \"/var/task/lambda_function.py\", line 136, in update_security_group\n added += add_permissions(client, group, permission, to_add)\n",
" File \"/var/task/lambda_function.py\", line 170, in add_permissions\n client.authorize_security_group_ingress(GroupId=group['GroupId'], IpPermissions=[add_params])\n",
" File \"/var/runtime/botocore/client.py\", line 316, in _api_call\n return self._make_api_call(operation_name, kwargs)\n",
" File \"/var/runtime/botocore/client.py\", line 626, in _make_api_call\n raise error_class(parsed_response, operation_name)\n"
]
}
Request ID:
"4d2b63d4-4f60-4ea7-93aa-bf835a7ef1d4"
Function Logs:
nge: 52.66.194.128/26
Found CLOUDFRONT region: ap-southeast-1 range: 13.228.69.0/24
Found CLOUDFRONT region: us-east-2 range: 18.216.170.128/25
Found CLOUDFRONT region: us-east-1 range: 3.231.2.0/25
Found CLOUDFRONT region: ap-southeast-1 range: 52.220.191.0/26
Found CLOUDFRONT region: us-east-1 range: 34.232.163.208/29
Found CLOUDFRONT region: us-west-2 range: 35.162.63.192/26
Found CLOUDFRONT region: us-west-2 range: 34.223.80.192/26
Found CLOUDFRONT region: us-east-1 range: 34.226.14.0/24
Found CLOUDFRONT region: ap-northeast-1 range: 13.113.203.0/24
Found CLOUDFRONT region: ca-central-1 range: 99.79.168.0/23
Found CLOUDFRONT region: us-east-1 range: 34.195.252.0/24
Found CLOUDFRONT region: us-west-1 range: 52.52.191.128/26
Found CLOUDFRONT region: eu-west-2 range: 52.56.127.0/25
Found CLOUDFRONT region: us-west-2 range: 34.216.51.0/25
Found CLOUDFRONT region: ap-northeast-1 range: 52.199.127.192/26
Found CLOUDFRONT region: eu-west-1 range: 52.212.248.0/26
Found CLOUDFRONT region: ap-southeast-2 range: 13.210.67.128/26
Found CLOUDFRONT region: eu-central-1 range: 35.158.136.0/24
Found CLOUDFRONT region: eu-central-1 range: 52.57.254.0/24
Found CLOUDFRONT region: ap-northeast-2 range: 52.78.247.128/26
Found CLOUDFRONT region: eu-west-3 range: 52.47.139.0/24
Found 0 CloudFront_g HttpSecurityGroups to update
Found 1 CloudFront_g HttpsSecurityGroups to update
Found 0 CloudFront_r HttpSecurityGroups to update
Found 1 CloudFront_r HttpsSecurityGroups to update
sg-08c92bbebac0b0caf: Adding 120.52.22.96/27:443
sg-08c92bbebac0b0caf: Adding 180.163.57.128/26:443
sg-08c92bbebac0b0caf: Adding 120.253.240.192/26:443
sg-08c92bbebac0b0caf: Adding 116.129.226.128/26:443
sg-08c92bbebac0b0caf: Adding 223.71.71.128/25:443
sg-08c92bbebac0b0caf: Adding 120.253.245.128/26:443
sg-08c92bbebac0b0caf: Adding 210.51.40.0/24:443
sg-08c92bbebac0b0caf: Adding 58.254.138.0/25:443
sg-08c92bbebac0b0caf: Adding 116.129.226.0/25:443
sg-08c92bbebac0b0caf: Adding 120.52.39.128/27:443
sg-08c92bbebac0b0caf: Adding 118.193.97.64/26:443
sg-08c92bbebac0b0caf: Adding 223.71.71.96/27:443
sg-08c92bbebac0b0caf: Adding 180.163.57.0/25:443
sg-08c92bbebac0b0caf: Adding 223.71.11.0/27:443
sg-08c92bbebac0b0caf: Adding 36.103.232.128/26:443
sg-08c92bbebac0b0caf: Adding 111.51.66.0/24:443
sg-08c92bbebac0b0caf: Adding 120.52.153.192/26:443
sg-08c92bbebac0b0caf: Adding 119.147.182.0/25:443
sg-08c92bbebac0b0caf: Adding 120.232.236.0/25:443
sg-08c92bbebac0b0caf: Adding 58.254.138.128/26:443
sg-08c92bbebac0b0caf: Adding 120.253.245.192/27:443
sg-08c92bbebac0b0caf: Adding 120.52.12.64/26:443
sg-08c92bbebac0b0caf: Adding 36.103.232.0/25:443
sg-08c92bbebac0b0caf: Adding 119.147.182.128/26:443
sg-08c92bbebac0b0caf: Adding 118.193.97.128/25:443
sg-08c92bbebac0b0caf: Adding 120.232.236.128/26:443
sg-08c92bbebac0b0caf: Adding 120.253.241.160/27:443
[ERROR] ClientError: An error occurred (RulesPerSecurityGroupLimitExceeded) when calling the AuthorizeSecurityGroupIngress operation: The maximum number of rules per security group has been reached.
Traceback (most recent call last):
File "/var/task/lambda_function.py", line 42, in lambda_handler
result = update_security_groups(ip_ranges)
File "/var/task/lambda_function.py", line 94, in update_security_groups
if update_security_group(client, group, new_ranges["GLOBAL"], INGRESS_PORTS['Https']):
File "/var/task/lambda_function.py", line 136, in update_security_group
added += add_permissions(client, group, permission, to_add)
File "/var/task/lambda_function.py", line 170, in add_permissions
client.authorize_security_group_ingress(GroupId=group['GroupId'], IpPermissions=[add_params])
File "/var/runtime/botocore/client.py", line 316, in _api_call
return self._make_api_call(operation_name, kwargs)
File "/var/runtime/botocore/client.py", line 626, in _make_api_call
raise error_class(parsed_response, operation_name)
END RequestId: 4d2b63d4-4f60-4ea7-93aa-bf835a7ef1d4
REPORT RequestId: 4d2b63d4-4f60-4ea7-93aa-bf835a7ef1d4 Duration: 909.64 ms Billed Duration: 1000 ms Memory Size: 128 MB Max Memory Used: 83 MB
Issue Analytics
- State:
- Created 3 years ago
- Reactions:13
- Comments:10
Top Results From Across the Web
Increase security group rule quota in Amazon VPC
The quota for "Security groups per network interface" multiplied by the quota for "Rules per security group" can't exceed 1,000. You can modify ......
Read more >The maximum number of rules per security group has ... - Reddit
The limit for number of rules in a security group is 60 (recently upped from 50). This is a hard limit and cannot...
Read more >AWS Security Group Limits & Workarounds - Aviatrix
The number of inbound or outbound rules per security groups in amazon is 60. Reference. From the inbound perspective this is not a...
Read more >What is the maximum amount of security group rules you can ...
By default, an individual security group can have 60 inbound rules and 60 outbound rules making it to 120 rules in total. And...
Read more >What You Need To Know About VPC Security Groups
Another limit that you will need to be aware of is that of the number of rules you can have per security group....
Read more >Top Related Medium Post
No results found
Top Related StackOverflow Question
No results found
Troubleshoot Live Code
Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start FreeTop Related Reddit Thread
No results found
Top Related Hackernoon Post
No results found
Top Related Tweet
No results found
Top Related Dev.to Post
No results found
Top Related Hashnode Post
No results found
Top GitHub Comments
Hi dear, simple request a limit raise at AWS, I just hit the same issue and now changed to 6 x 160 (6 SG per initerface, 160 rules per SG) than script ran normally
Cheers, Daniel
I realized that I was tired and that’s why my CloudFront got “very slow” yesterday. I was associating my ELB SG to the 4 CF SG expecting for inheritance. Of course my CF wasn’t able to even connect to the origin actually. It was not slow, it was timeout.
Now my ELB is directly associated to the 4 CF groups (with even and odd) and Lambda is updating the IPs automatically after my changes on the script. It’s only 4 groups because I using only https protocol.
I sent a pull-request with the improvement. Hope it helps anybody else.