I used All ICMP policy in Security Group to make ping work but not sure why. How does ICMP work with network filtering (aka FW)?

Question

ICMP is at Networking Layer 1 (IP) which does not use port, so Custom ICMP policy with N/A for port range makes sense. But why do we need All ICMP which uses all port ranges in AWS?

I found this weird because of an assignment I was doing so far. When I was using Custom ICMP Security Group policy on an instance in a VPC attached to a Transit Gateway. and 'ping'ed from another instance to this instance, it cannot reach. But when changing its SG policy to use All ICMP (meaning all port ranges), ping works. Why is that so?

Accepted Answer

For ICMP rules, the "protocol" and "port" fields are repurposed to represent the ICMP types and codes. For ping to work, you will need to allow ICMP echo request (in) and echo response (out, if you're filtering outbound traffic).

See https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html#sg-rules-ping for example.

[1]: https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol#Control_messages

I used All ICMP policy in Security Group to make ping work but not sure why. How does ICMP work with network filtering (aka FW)?

相關內容