How do I resolve the limit exceeded errors that I receive when I reference my prefix list ID in a security group in Amazon VPC?


I want to resolve the limit exceeded errors that I receive in Amazon Virtual Private Cloud (Amazon VPC) when I reference my prefix list ID in a security group.

Short description

Security group rules that reference a prefix list simplify configuration when a rule must cover multiple CIDR ranges. When you reference a prefix list in a security group that has already reached its rules-per-security-group quota, one of the following errors appears:

  • In the console: "Client.RulesPerSecurityGroupLimitExceeded: The maximum number of rules per security group has been reached."
  • In the API or AWS CLI response: "errorCode": "Client.RulesPerSecurityGroupLimitExceeded", "errorMessage": "The maximum number of rules per security group has been reached."

When you reference a prefix list in a resource, the maximum number of entries (max entries) of the prefix list counts toward the quota for that resource, regardless of how many entries the list currently contains. For example, if you reference a prefix list with a max entries value of 20 in a security group rule, then that single rule counts as 20 rules against the rules-per-security-group quota.

Resolution

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.

To resolve the error, either lower the max entries value of your prefix list so that it consumes fewer rules, or request an increase of the rules-per-security-group quota. To modify the max entries value for your prefix list, use either the AWS CLI or the AWS Management Console.

Use the AWS CLI

Note: In the following commands, replace the example values with your values.

1.    Run the describe-managed-prefix-lists command to view the current max entries value and the number of entries that the list contains:

$ aws ec2 describe-managed-prefix-lists --prefix-list-ids <example-prefix-list-ID> --region <example-region>

2.    To modify the max entries value in the prefix list, run the modify-managed-prefix-list command. Set the value to the number of entries that you actually need; it can't be lower than the number of entries that the prefix list already contains:

$ aws ec2 modify-managed-prefix-list --prefix-list-id <example-prefix-list-ID> --region <example-region> --max-entries <example-value>
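Before you run modify-managed-prefix-list, it helps to know how many rules a security group already consumes and how large a prefix list can still fit. The following Python script is an added example, not code from the AWS article: it applies the counting rule above (a prefix list reference costs its max entries, every CIDR or security group reference costs one rule) to the IpPermissions structure returned by describe-security-groups. The sample security group data, the prefix list IDs and the max entries values are constructed for illustration; the optional live_check function assumes boto3 is installed and credentials are configured, and the default quota of 60 rules per direction is the one documented for security groups.

```python
"""Added example: pre-check a security group against the rules-per-security-group
quota before referencing a prefix list in it. Not part of the AWS article."""

from typing import Dict, List, Tuple

# Default quota for inbound (or, separately, outbound) rules per security group.
DEFAULT_RULES_PER_SG = 60


def rule_weight(permission: dict, weight_by_prefix_list: Dict[str, int]) -> int:
    """Rules consumed by one element of IpPermissions / IpPermissionsEgress.

    Each IPv4 CIDR, IPv6 CIDR and referenced security group is one rule.
    Each referenced prefix list costs its weight: MaxEntries for a
    customer-managed list, the published weight for an AWS-managed list.
    """
    weight = (
        len(permission.get("IpRanges", []))
        + len(permission.get("Ipv6Ranges", []))
        + len(permission.get("UserIdGroupPairs", []))
    )
    for ref in permission.get("PrefixListIds", []):
        pl_id = ref["PrefixListId"]
        if pl_id not in weight_by_prefix_list:
            raise KeyError(f"no MaxEntries/weight known for {pl_id}")
        weight += weight_by_prefix_list[pl_id]
    return weight


def rules_in_use(permissions: List[dict], weight_by_prefix_list: Dict[str, int]) -> int:
    """Total rules consumed in one direction of a security group."""
    return sum(rule_weight(p, weight_by_prefix_list) for p in permissions)


def room_for_prefix_list(permissions: List[dict], weight_by_prefix_list: Dict[str, int],
                         quota: int = DEFAULT_RULES_PER_SG) -> int:
    """Largest max entries a newly referenced prefix list can have and still fit."""
    return max(0, quota - rules_in_use(permissions, weight_by_prefix_list))


def can_reference(permissions: List[dict], weight_by_prefix_list: Dict[str, int],
                  new_max_entries: int, quota: int = DEFAULT_RULES_PER_SG) -> Tuple[bool, int]:
    """Return (fits, rules_after) for adding one rule that references a prefix list."""
    after = rules_in_use(permissions, weight_by_prefix_list) + new_max_entries
    return after <= quota, after


def live_check(group_id: str, new_prefix_list_id: str, region: str,
               quota: int = DEFAULT_RULES_PER_SG) -> Tuple[bool, int]:
    """Same check against live data (assumes boto3 and configured credentials).

    Caveat: for AWS-managed prefix lists, substitute the published weight for
    MaxEntries in the weights dict before calling can_reference.
    """
    import boto3  # imported here so the offline functions above work without it

    ec2 = boto3.client("ec2", region_name=region)
    sg = ec2.describe_security_groups(GroupIds=[group_id])["SecurityGroups"][0]
    referenced = {ref["PrefixListId"]
                  for p in sg["IpPermissions"] for ref in p.get("PrefixListIds", [])}
    referenced.add(new_prefix_list_id)
    lists = ec2.describe_managed_prefix_lists(PrefixListIds=sorted(referenced))["PrefixLists"]
    weights = {pl["PrefixListId"]: pl["MaxEntries"] for pl in lists}
    return can_reference(sg["IpPermissions"], weights, weights[new_prefix_list_id], quota)


# Constructed sample: the inbound half of a describe-security-groups response.
SAMPLE_INBOUND = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "10.0.0.0/16"}, {"CidrIp": "10.1.0.0/16"}],
     "Ipv6Ranges": [{"CidrIpv6": "2001:db8::/32"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "UserIdGroupPairs": [{"GroupId": "sg-0aaaaaaaaaaaaaaaa"}]},
    {"IpProtocol": "-1",
     "PrefixListIds": [{"PrefixListId": "pl-0bbbbbbbbbbbbbbbb"}]},
]
# Constructed MaxEntries value, as returned by describe-managed-prefix-lists.
SAMPLE_WEIGHTS = {"pl-0bbbbbbbbbbbbbbbb": 40}

if __name__ == "__main__":
    used = rules_in_use(SAMPLE_INBOUND, SAMPLE_WEIGHTS)        # 2 + 1 + 1 + 40 = 44
    print(f"inbound rules in use: {used}/{DEFAULT_RULES_PER_SG}")
    print(f"largest max entries that still fits: {room_for_prefix_list(SAMPLE_INBOUND, SAMPLE_WEIGHTS)}")
    fits, after = can_reference(SAMPLE_INBOUND, SAMPLE_WEIGHTS, new_max_entries=20)
    print(f"referencing a 20-entry list -> {after} rules, fits: {fits}")
```

With the constructed data the group already consumes 44 inbound rules, so a prefix list with max entries 20 pushes it to 64 and triggers RulesPerSecurityGroupLimitExceeded, while resizing that list to 16 or fewer entries fits. Note that the check is per direction: outbound rules (IpPermissionsEgress) have their own quota of the same size.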

Use the AWS Management Console

To use the AWS Management Console to modify the max entries value for a prefix list, see Resize a prefix list. If you can't lower the max entries value enough, request a quota increase for rules per security group. After the quota for your security group rules is increased, reference your prefix list in the security group.

Note: The default quota for inbound or outbound rules per security group is 60, and the default quota for security groups per network interface is five. These two quotas multiplied can't exceed 1,000. For more information, see Security groups.

Related information

Amazon VPC quotas

AWS-managed prefix list weight

AWS OFFICIAL
Updated 7 months ago