Security group inbound rules best practice in VPC

0

Hi,

We have a dedicated VPC for an AWS Transfer server with a publicly accessible endpoint. We want to allow inbound traffic to the Transfer server from a specific set of IPs, which is 500+ in number and is expected to grow in future.

As per the document https://docs.aws.amazon.com/vpc/latest/userguide/amazon-vpc-limits.html, only 60 inbound rules are allowed per security group. This quota multiplied by the quota for security groups per network interface cannot exceed 1,000. We expect our IPs to grow beyond 1,000 in future.

I understand a managed prefix list can be used here, but is there any recommended best practice for using a prefix list, or another way?

Thank you in advance.

1 Answer
0

A prefix list won't help with the arithmetic here; see https://docs.aws.amazon.com/vpc/latest/userguide/managed-prefix-lists.html, which states: "if you create a prefix list with 20 maximum entries and you reference that prefix list in a security group rule, this counts as 20 security group rules."

The limit of 60 inbound rules for a security group is adjustable, see the link in the second row of the table at https://docs.aws.amazon.com/vpc/latest/userguide/amazon-vpc-limits.html#vpc-limits-security-groups

Also bear in mind you can have more than one security group per SFTP Server.

Even if you use the two of these together - bumping up the number of rules in the SG, and using multiple SGs - you're still going to hit the upper limit of 1000 rules eventually. And a ruleset with 1000 discrete entries will become difficult to maintain over time. Is there any way you could reduce this by granting access to entire subnets?

EXPERT
Steve_M
answered a year ago
  • @rwc Thanks for quick reply.

    Adding entire subnets was our first preference, but that won't work, as each of these IP addresses is from a different subnet in a different AWS account, one per customer, so that option was not convenient. I think a prefix list is the same as adding directly to SGs, so it won't help much, except for grouping IPs based on geography or type of customer, maybe.
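To make the quota arithmetic from the answer concrete, here is an added planning script (it is not from the original thread or from AWS). It first collapses the customer addresses into the smallest set of CIDRs that covers exactly those addresses and nothing more, which is the only safe form of the "grant entire subnets" suggestion when the sources are scattered across accounts. It then lays the result out as one managed prefix list per security group, with each list's max_entries set exactly to its chunk size, because a prefix list is charged against the SG rule quota at its max_entries, not at its current fill. It assumes the 60 rules per SG and 1,000 rules per network interface figures quoted above, assumes an AWS default of 5 security groups per network interface, and assumes one inbound rule (one port) per prefix-list reference; the customer addresses are constructed documentation-range values, not real data.

```python
import ipaddress

# Constructed sample: one /32 per customer, deliberately including a run of
# eight consecutive addresses that can be collapsed into a /29 (hypothetical values).
CUSTOMER_IPS = [
    "203.0.113.8", "203.0.113.9", "203.0.113.10", "203.0.113.11",
    "203.0.113.12", "203.0.113.13", "203.0.113.14", "203.0.113.15",
    "198.51.100.200", "198.51.100.201",
    "192.0.2.77",
]

# Quotas quoted in the thread: 60 inbound rules per SG (adjustable), and
# (rules per SG) x (SGs per ENI) may not exceed 1,000.
DEFAULT_RULES_PER_SG = 60
DEFAULT_SGS_PER_ENI = 5          # assumption: AWS default security groups per network interface
HARD_CAP_RULES_PER_ENI = 1000


def collapse(ips):
    """Merge individual addresses/CIDRs into the smallest covering set of CIDRs.

    Only adjacent, correctly aligned ranges merge (e.g. .8-.15 -> /29), so the
    result never admits an address that was not in the input. IPv4 and IPv6 are
    collapsed separately because ipaddress refuses to mix versions.
    """
    nets = [ipaddress.ip_network(ip, strict=False) for ip in ips]
    out = []
    for version in (4, 6):
        out.extend(ipaddress.collapse_addresses(n for n in nets if n.version == version))
    return out


def plan(ips, rules_per_sg=DEFAULT_RULES_PER_SG, sgs_per_eni=DEFAULT_SGS_PER_ENI):
    """Lay the collapsed CIDRs out as one prefix list per security group and
    report whether the whole allow-list fits on a single network interface.

    Each prefix list gets max_entries == len(chunk): a referenced prefix list
    costs its max_entries in SG rules, so over-provisioning the list burns quota.
    """
    if rules_per_sg * sgs_per_eni > HARD_CAP_RULES_PER_ENI:
        raise ValueError("rules-per-SG x SGs-per-ENI may not exceed 1,000")
    cidrs = collapse(ips)
    chunks = [cidrs[i:i + rules_per_sg] for i in range(0, len(cidrs), rules_per_sg)]
    prefix_lists = [
        {"max_entries": len(chunk), "entries": [str(n) for n in chunk]}
        for chunk in chunks
    ]
    return {
        "raw_ips": len(ips),
        "cidrs": len(cidrs),
        "security_groups_needed": len(prefix_lists),
        "fits_on_one_eni": len(prefix_lists) <= sgs_per_eni,
        # Rules still available on the ENI before the next quota increase is needed.
        "headroom": rules_per_sg * sgs_per_eni - len(cidrs),
        "prefix_lists": prefix_lists,
    }


def synthetic_customers(n):
    """Constructed worst case: n /32s spaced two apart so none of them collapse."""
    base = ipaddress.ip_address("10.0.0.0")   # hypothetical, not a real customer range
    return [str(base + 2 * i) for i in range(n)]


if __name__ == "__main__":
    p = plan(CUSTOMER_IPS)
    print(f"{p['raw_ips']} IPs -> {p['cidrs']} CIDRs in {p['security_groups_needed']} SG(s), "
          f"fits: {p['fits_on_one_eni']}, headroom: {p['headroom']}")
    big = plan(synthetic_customers(1200), rules_per_sg=200, sgs_per_eni=5)
    print(f"1200 scattered /32s at 200 rules x 5 SGs -> fits: {big['fits_on_one_eni']}, "
          f"headroom: {big['headroom']}")
```

The second run shows the point made in the answer: once the sources are genuinely scattered /32s, neither collapsing nor a quota increase gets past the 1,000-rules-per-interface ceiling, and the only remaining lever is fewer, larger source ranges.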
