diff --git a/pkg/model/awsmodel/firewall.go b/pkg/model/awsmodel/firewall.go
index f8f4eac1d8e8d..6d31ec06ce60c 100644
--- a/pkg/model/awsmodel/firewall.go
+++ b/pkg/model/awsmodel/firewall.go
@@ -31,6 +31,7 @@ type Protocol int
 
 const (
 	ProtocolIPIP Protocol = 4
+	ProtocolICMP Protocol = 1
 )
 
 // FirewallModelBuilder configures firewall network objects
@@ -135,9 +136,11 @@ func (b *FirewallModelBuilder) applyNodeToMasterBlockSpecificPorts(c *fi.Cloudup
 	udpRanges := []portRange{{From: 1, To: 65535}}
 	protocols := []Protocol{}
 
-	if b.Cluster.Spec.Networking.Cilium != nil && b.Cluster.Spec.Networking.Cilium.EtcdManaged {
-		// Block the etcd peer port
-		tcpBlocked[2382] = true
+	if b.Cluster.Spec.Networking.Cilium != nil {
+		protocols = append(protocols, ProtocolICMP)
+		if b.Cluster.Spec.Networking.Cilium.EtcdManaged {
+			tcpBlocked[2382] = true
+		}
 	}
 
 	if b.Cluster.Spec.Networking.Calico != nil {
@@ -196,6 +199,8 @@ func (b *FirewallModelBuilder) applyNodeToMasterBlockSpecificPorts(c *fi.Cloudup
 	switch protocol {
 	case ProtocolIPIP:
 		name = "ipip"
+	case ProtocolICMP:
+		name = "icmp"
 	default:
 		klog.Warningf("unknown protocol %q - naming by number", awsName)
 	}
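Review bot: `ProtocolICMP Protocol = 1` is an exported constant added without a doc comment, and it is placed after `ProtocolIPIP Protocol = 4`, so the block is no longer in protocol-number order. A one-line comment on each value naming what the number is, e.g. `// ProtocolICMP is the IANA IP protocol number for ICMP.`, would make the block self-explanatory, and listing ICMP first would keep it sorted.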
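Review bot: The comment `// Block the etcd peer port` is dropped from the removed lines while `tcpBlocked[2382] = true` is kept, so the magic number loses its only explanation; restore the comment above the assignment inside the new nested `if`. The new `protocols = append(protocols, ProtocolICMP)` likewise has no comment saying why Cilium needs ICMP from nodes to masters, and if the rule emitted later for each entry in `protocols` is protocol-wide (that code is outside this hunk), it admits every ICMP type and code from the node security group to the master security group — a comment such as `// Cilium needs ICMP between nodes and masters; this allows all ICMP types from the node group` (with the actual reason filled in) would record that decision where it is made. applyNodeToMasterBlockSpecificPorts starts and ends outside the hunk.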
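Review bot: The protocol-to-name mapping in this `switch` now has to be kept in step with the const block by hand, and any constant added to one but not the other falls into the `default` branch's "naming by number" warning. A `String()` method on `Protocol` that returns `"ipip"`/`"icmp"` for the known values would keep each name next to its constant, and this loop could then derive `name` from it instead of repeating the cases. applyNodeToMasterBlockSpecificPorts starts and ends outside the hunk.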