Security group inbound rules best practice in VPC

0

Hi,

We have a dedicated VPC for an AWS Transfer server with a publicly accessible endpoint. We want to allow inbound traffic to the Transfer server from a specific set of IPs, which is 500+ in number and is expected to grow in future.

As per the document https://docs.aws.amazon.com/vpc/latest/userguide/amazon-vpc-limits.html, only 60 inbound rules are allowed per security group. This quota multiplied by the quota for security groups per network interface cannot exceed 1,000. We expect our IP count to grow beyond 1,000 in future.

I understand a managed prefix list can be used here, but is there any recommended best practice for using a prefix list, or another way?

Thank you in advance.

1 answer
0

A prefix list won't help with the arithmetic here; see https://docs.aws.amazon.com/vpc/latest/userguide/managed-prefix-lists.html, which states that if you create a prefix list with 20 maximum entries and you reference that prefix list in a security group rule, this counts as 20 security group rules.

The limit of 60 inbound rules for a security group is adjustable; see the link in the second row of the table at https://docs.aws.amazon.com/vpc/latest/userguide/amazon-vpc-limits.html#vpc-limits-security-groups.

Also bear in mind you can have more than one security group per SFTP Server.

Even if you use these two together - bumping up the number of rules in the SG, and using multiple SGs - you're still going to hit the upper limit of 1,000 rules eventually. And a ruleset with 1,000 discrete entries will become difficult to maintain over time. Is there any way you could reduce this by granting access to entire subnets?

Expert
Steve_M
answered a year ago
  • @rwc Thanks for the quick reply.

    Adding an entire subnet was our first preference, but that won't work, as each of these IP addresses is from a different subnet in a different AWS account, one per customer, so that option was not convenient. I think a prefix list is the same as adding the IPs directly to SGs, so it won't help much, except maybe for grouping IPs based on geography or type of customer.
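To make the quota arithmetic from the answer concrete, here is an added example (not from the original post or from AWS) that models the two documented facts: a referenced prefix list is charged at its maximum entry count, and rules-per-SG multiplied by SGs-per-ENI may not exceed 1,000. It also collapses adjacent /32s into covering CIDRs, which is the "entire subnet" idea from the answer applied only where customer IPs happen to be contiguous. The default of 5 SGs per network interface and the sample IPs are assumptions.

```python
"""Security-group rule budget for an allow-list of customer IPs.

Added example, not part of the original thread. The 1,000 cap and the
60-rule default come from the AWS VPC quota page quoted above; the
default of 5 security groups per ENI is an assumption (check your quota).
"""
import ipaddress
import math

TOTAL_RULE_CAP = 1000         # rules per SG * SGs per ENI must not exceed this
DEFAULT_RULES_PER_SG = 60     # adjustable quota
DEFAULT_SGS_PER_ENI = 5       # assumed default; verify in Service Quotas


def collapse(cidrs):
    """Merge overlapping or adjacent networks into the fewest covering CIDRs.

    Only contiguous customer ranges benefit; scattered /32s stay as /32s.
    """
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def rules_consumed(cidrs, prefix_list_max=None):
    """Rules charged for an allow-list.

    A managed prefix list counts as its *maximum* entry count, so putting
    the same CIDRs into a prefix list never reduces the bill.
    """
    if prefix_list_max is not None:
        if prefix_list_max < len(cidrs):
            raise ValueError("prefix list max entries smaller than the list")
        return prefix_list_max
    return len(cidrs)


def plan(rule_count, rules_per_sg=DEFAULT_RULES_PER_SG, sgs_per_eni=DEFAULT_SGS_PER_ENI):
    """Return (security groups needed, fits within the per-ENI quota)."""
    if rules_per_sg * sgs_per_eni > TOTAL_RULE_CAP:
        raise ValueError("rules_per_sg * sgs_per_eni exceeds the 1,000 cap")
    sgs_needed = math.ceil(rule_count / rules_per_sg)
    return sgs_needed, sgs_needed <= sgs_per_eni


if __name__ == "__main__":
    # Constructed sample: four contiguous customer IPs plus one stray /32.
    sample = ["203.0.113.0/32", "203.0.113.1/32", "203.0.113.2/32",
              "203.0.113.3/32", "198.51.100.7/32"]
    merged = collapse(sample)
    print(merged, rules_consumed(merged))
    print(plan(500), plan(500, rules_per_sg=100, sgs_per_eni=10))
```

With the default quotas, 500 discrete rules need 9 security groups, more than the assumed 5 per ENI, and even a raised quota of 100 rules across 10 groups cannot go past 1,000 rules, which is the answer's point.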
