VPC ACLS - ICMP Rules vs Documentation

Question

https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html states:

If the maximum transmission unit (MTU) between hosts in your subnets is different, or your instances communicate with peers over the internet, you must add the following network ACL rule, both inbound and outbound. This ensures that Path MTU Discovery can function correctly and prevent packet loss. Select Custom ICMP Rule for the type and Destination Unreachable, fragmentation required, and DF flag set for the port range (type 3, code 4).

This doesn't fit with what the console offers. I can see only Destination Unreachable as an option and none of the others.

What's the correct setup? Am starting to think the VPC ACL stuff is just broken in terms of web console - encountering bugs in validation & it lacks expected features like copying an existing ACL to new?

Accepted Answer

When editing a Security Group you can select `Custom ICMP` in the `Type` column. That then allows you to select `Destination Unreachable` in the `Protocol` column. From there you can select `Fragmentation needed` in the `Port range` column.

The reason this is a little odd is because most other protocols use a port to determine the application that is being allowed. With ICMP it is a `Type` and a `Sub-type` so the ICMP sub-types (of which `Fragmentation needed but DF bit set`) is one.

Answer

It's not written clearly in the documentation.  For "Type" select "Destination Unreachable", and for "Port range" select "fragmentation required, and DF flag set".

VPC ACLS - ICMP Rules vs Documentation

Relevant content