The maximum number of rules per security group has been reached #39
Comments
Hi dear, simply request a limit raise at AWS. I just hit the same issue and now changed to 6 x 160 (6 SGs per interface, 160 rules per SG), then the script ran normally. Cheers,
I solved this by adding a new tag "EvenOrOdd", allowing to double the number of security groups. But never mind: I got CloudFront very slow after pointing the ELB to the security groups with the IPs. Perhaps it is better to allow 0.0.0.0/0 and deny access by checking the header (adding a custom header with a key on CloudFront requests). Anyway I will try to create a pull request here with the updates.
I realized that I was tired and that's why my CloudFront got "very slow" yesterday. I was associating my ELB SG to the 4 CF SGs expecting inheritance. Of course my CF wasn't able to even connect to the origin actually. It was not slow, it was a timeout. Now my ELB is directly associated to the 4 CF groups (with even and odd) and Lambda is updating the IPs automatically after my changes on the script. It's only 4 groups because I'm using only the https protocol. I sent a pull request with the improvement. Hope it helps anybody else.
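The even/odd split described in the two comments above, as an added example that is not part of the original thread or of the linked repositories: it parses the CloudFront prefixes out of an ip-ranges.json document, spreads them over as many security groups as the per-group rule quota requires (one rule per CIDR and port), refuses to proceed when the interface's group quota would be exceeded, and computes the per-group add/remove sets that a Lambda would feed to the EC2 authorize/revoke calls. The sample document, the quota numbers and all function names are constructed for the example and are not AWS defaults.

```python
"""Spread CloudFront CIDR ranges across several security groups without exceeding a rule quota."""
import ipaddress
import json
from typing import Dict, List, Sequence, Set, Tuple

# Constructed sample in the shape of https://ip-ranges.amazonaws.com/ip-ranges.json
# (these are documentation prefixes, not real CloudFront ranges).
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0",
    "createDate": "2020-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "203.0.113.0/24", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "198.51.100.0/25", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "198.51.100.128/25", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "192.0.2.0/24", "region": "us-east-1", "service": "EC2"},
        {"ip_prefix": "203.0.113.0/24", "region": "GLOBAL", "service": "AMAZON"},
    ],
})


def cloudfront_prefixes(ip_ranges_json: str) -> List[str]:
    """Return the de-duplicated CLOUDFRONT prefixes in a stable (sorted) order.

    Stable ordering matters: group membership must not shuffle between runs,
    otherwise every run would churn rules across all groups.
    """
    data = json.loads(ip_ranges_json)
    cidrs = {p["ip_prefix"] for p in data["prefixes"] if p["service"] == "CLOUDFRONT"}
    # ip_network() validates the CIDR; the tuple key keeps v4 and v6 from being compared.
    return sorted(cidrs, key=lambda c: (ipaddress.ip_network(c).version, ipaddress.ip_network(c)))


def split_into_groups(cidrs: Sequence[str], ports: Sequence[int],
                      rules_per_group: int, max_groups: int) -> List[List[str]]:
    """Chunk CIDRs so that each group holds at most rules_per_group (cidr, port) rules.

    Raises ValueError instead of silently truncating when more groups would be
    needed than the caller may attach to one interface.
    """
    if not ports or rules_per_group < len(ports):
        raise ValueError("rules_per_group must allow at least one CIDR for every port")
    per_group = rules_per_group // len(ports)
    groups = [list(cidrs[i:i + per_group]) for i in range(0, len(cidrs), per_group)]
    if len(groups) > max_groups:
        raise ValueError(
            f"{len(cidrs)} CIDRs x {len(ports)} ports need {len(groups)} groups "
            f"of {rules_per_group} rules, but only {max_groups} groups are allowed"
        )
    return groups


def ip_permissions(cidrs: Sequence[str], ports: Sequence[int]) -> List[Dict]:
    """Build the IpPermissions structure used by authorize/revoke ingress calls."""
    return [
        {"IpProtocol": "tcp", "FromPort": p, "ToPort": p,
         "IpRanges": [{"CidrIp": c} for c in cidrs]}
        for p in ports
    ]


def diff_group(current: Set[str], desired: Sequence[str]) -> Tuple[List[str], List[str]]:
    """Return (to_add, to_remove) for one group so only the delta is applied."""
    want = set(desired)
    return sorted(want - current), sorted(current - want)


if __name__ == "__main__":
    cidrs = cloudfront_prefixes(SAMPLE_IP_RANGES)
    # Hypothetical quotas: 2 rules per group, 2 groups on the interface, https only.
    for n, group in enumerate(split_into_groups(cidrs, (443,), 2, 2)):
        print(f"group {n}: {ip_permissions(group, (443,))}")
```

In a real Lambda the `current` set for each group comes from `describe_security_groups`, and the add/remove lists go to `authorize_security_group_ingress` / `revoke_security_group_ingress` in batches; doing the revoke after the authorize keeps the origin reachable throughout the update.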
Now I'm stuck with this.
Hey @raivirtual, can you please help me with the changes that you made in the code to add this new tag? It would be really helpful if you could share the changed snippet.
I got this problem too...
Hi, @vivekj11. You can see the latest code at https://github.com/wangerzi/aws-cloudfront-samples/blob/master/update_security_groups_lambda/update_security_groups.py
Another solution is to do this with AWS WAF and IPSets to get around the security group limits. We created this project that does just that. |
@wangerzi Thank you, I will definitely give it a try.
A different and possibly simpler approach (create new SGs on each update, attach them to the ENIs, then throw away the old SGs), see here: https://github.com/karlskidmore/SAM-AWS-IPs-to-SGs-to-ENIs -- it has been working in production for a while now with no hiccups. Hope this helps someone.
Looks like the CIDR ranges have grown and once again reach the limit of the security group. This is what I get now running the example code: