By using AWS re:Post, you agree to the Terms of Use

VPC ACLS - ICMP Rules vs Documentation

0 states:

If the maximum transmission unit (MTU) between hosts in your subnets is different, or your instances communicate with peers over the internet, you must add the following network ACL rule, both inbound and outbound. This ensures that Path MTU Discovery can function correctly and prevent packet loss. Select Custom ICMP Rule for the type and Destination Unreachable, fragmentation required, and DF flag set for the port range (type 3, code 4).

This doesn't fit with what the console offers. I can see only Destination Unreachable as an option and none of the others.

What's the correct setup? Am starting to think the VPC ACL stuff is just broken in terms of web console - encountering bugs in validation & it lacks expected features like copying an existing ACL to new?

asked 2 months ago27 views
2 Answers

It's not written clearly in the documentation. For "Type" select "Destination Unreachable", and for "Port range" select "fragmentation required, and DF flag set".

answered 2 months ago
Accepted Answer

When editing a Security Group you can select Custom ICMP in the Type column. That then allows you to select Destination Unreachable in the Protocol column. From there you can select Fragmentation needed in the Port range column.

The reason this is a little odd is because most other protocols use a port to determine the application that is being allowed. With ICMP it is a Type and a Sub-type so the ICMP sub-types (of which Fragmentation needed but DF bit set) is one.

answered 2 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions