Skip to content
By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

I used All ICMP policy in Security Group to make ping work but not sure why. How does ICMP work with network filtering (aka FW)?

0

ICMP is at Networking Layer 1 (IP) which does not use port, so Custom ICMP policy with N/A for port range makes sense. But why do we need All ICMP which uses all port ranges in AWS?

I found this weird because of an assignment I was doing so far. When I was using Custom ICMP Security Group policy on an instance in a VPC attached to a Transit Gateway. and 'ping'ed from another instance to this instance, it cannot reach. But when changing its SG policy to use All ICMP (meaning all port ranges), ping works. Why is that so?

Topics
Networking & Content Delivery
Tags
Networking & Content Delivery
Language
English
asked 5 years ago2.5K views
1 Answer
1
Accepted Answer

For ICMP rules, the "protocol" and "port" fields are repurposed to represent the ICMP types and codes. For ping to work, you will need to allow ICMP echo request (in) and echo response (out, if you're filtering outbound traffic).

See https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html#sg-rules-ping for example.

AWS
EXPERT
answered 5 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Relevant content