I used All ICMP policy in Security Group to make ping work but not sure why. How does ICMP work with network filtering (aka FW)?


ICMP is at Networking Layer 1 (IP) which does not use port, so Custom ICMP policy with N/A for port range makes sense. But why do we need All ICMP which uses all port ranges in AWS?

I found this weird because of an assignment I was doing so far. When I was using Custom ICMP Security Group policy on an instance in a VPC attached to a Transit Gateway. and 'ping'ed from another instance to this instance, it cannot reach. But when changing its SG policy to use All ICMP (meaning all port ranges), ping works. Why is that so?

asked 2 years ago235 views
1 Answer
Accepted Answer

For ICMP rules, the "protocol" and "port" fields are repurposed to represent the ICMP types and codes. For ping to work, you will need to allow ICMP echo request (in) and echo response (out, if you're filtering outbound traffic).

See https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html#sg-rules-ping for example.

answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions