AWS EC2 Security Group Rules — Maximum Exceeded Fix
This guide covers the RulesPerSecurityGroupLimitExceeded error: what it means, how to reduce the number of rules a security group consumes, and how to request a higher quota.
You add a rule to a security group and the call fails with RulesPerSecurityGroupLimitExceeded: the group already holds the maximum number of rules allowed per direction (default quota 60 inbound and 60 outbound).
Step-by-Step Fix
1. Count current rules
aws ec2 describe-security-groups --group-ids sg-12345678 --query 'SecurityGroups[].{In:IpPermissions,Out:IpPermissionsEgress}'
Expected output (one object per security group; every CIDR, prefix list or referenced group inside IpPermissions and IpPermissionsEgress counts as one rule against the quota, so count the entries, not the permission blocks):
[
  {
    "In": [
      {"FromPort": 22, "ToPort": 22, "IpProtocol": "tcp", "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
      {"FromPort": 443, "ToPort": 443, "IpProtocol": "tcp", "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}
    ],
    "Out": [ ... ]
  }
]
2. Consolidate multiple CIDR ranges into fewer rules
# Wrong: one rule per IP range (wastes rule slots)
aws ec2 authorize-security-group-ingress --group-id sg-123 --protocol tcp --port 443 --cidr 10.0.1.0/24
aws ec2 authorize-security-group-ingress --group-id sg-123 --protocol tcp --port 443 --cidr 10.0.2.0/24
aws ec2 authorize-security-group-ingress --group-id sg-123 --protocol tcp --port 443 --cidr 10.0.3.0/24
# Right: consolidate into fewer CIDRs
# Caveat: a supernet admits every address inside it, not only the ranges you merged.
# Pick the smallest block that covers the real sources (the three /24s above fit in 10.0.0.0/22);
# a /16 also opens the rest of 10.0.0.0/16 to port 443, so use it only when that is intended.
# Revoke the narrower rules afterwards, otherwise they keep consuming slots.
aws ec2 authorize-security-group-ingress --group-id sg-123 --protocol tcp --port 443 --cidr 10.0.0.0/16
3. Use managed prefix lists
# Create a prefix list with all allowed CIDRs
aws ec2 create-managed-prefix-list \
  --prefix-list-name "vpc-endpoints" \
  --entries Cidr=10.0.0.0/16,Description="VPC CIDR" Cidr=172.16.0.0/12,Description="Peered VPC" \
  --max-entries 10 \
  --address-family IPv4
# Reference the prefix list in a single rule instead of multiple CIDR rules.
# authorize-security-group-ingress has no --prefix-list shorthand; pass the list via --ip-permissions.
# Note: a referenced prefix list counts as its --max-entries (10 here) against the rule quota,
# so keep --max-entries close to the number of entries you actually need.
aws ec2 authorize-security-group-ingress \
  --group-id sg-123 \
  --ip-permissions 'IpProtocol=tcp,FromPort=443,ToPort=443,PrefixListIds=[{PrefixListId=pl-01234567}]'
4. Split into multiple security groups
# Create separate security groups for different services and capture their IDs
WEB_SG=$(aws ec2 create-security-group --group-name web-sg --description "Web tier rules" --vpc-id vpc-123 --query GroupId --output text)
APP_SG=$(aws ec2 create-security-group --group-name app-sg --description "App tier rules" --vpc-id vpc-123 --query GroupId --output text)
DB_SG=$(aws ec2 create-security-group --group-name db-sg --description "Database tier rules" --vpc-id vpc-123 --query GroupId --output text)
# Reference security groups instead of CIDRs. In a VPC, --group-id and --source-group take
# group IDs (sg-...), not the names used above. A referenced group counts as one rule
# regardless of how many instances sit behind it.
aws ec2 authorize-security-group-ingress \
  --group-id "$DB_SG" \
  --protocol tcp \
  --port 5432 \
  --source-group "$APP_SG"
5. Request a limit increase
# The Support API requires a Business or Enterprise support plan. The same increase can be
# filed through Service Quotas (Amazon VPC quota "Inbound or outbound rules per security group").
# The rules-per-group quota multiplied by the security-groups-per-network-interface quota
# cannot exceed 1,000, so raising one may require lowering the other.
aws support create-case \
  --subject "Security Group Rules Limit Increase" \
  --service-code amazon-ec2 \
  --category-code limit-increase \
  --communication-body "Request increase of security group rules from 60 to 100 for VPC vpc-123" \
  --severity-code low
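To work from the JSON that step 1 returns instead of counting by hand, here is an added Python helper (not part of the original guide) that counts rules the way the quota does and, for step 2, computes the smallest supernet covering each set of CIDRs sharing a protocol and port range, along with how many extra addresses that merge would admit. The permissions it runs on are constructed sample data with placeholder IDs.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: the IpPermissions array of one security group as returned by
# `aws ec2 describe-security-groups`. IDs are placeholders, not real resources.
SAMPLE_PERMISSIONS = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "10.0.1.0/24"}, {"CidrIp": "10.0.2.0/24"}, {"CidrIp": "10.0.3.0/24"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "UserIdGroupPairs": [{"GroupId": "sg-placeholder"}]},
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
     "PrefixListIds": [{"PrefixListId": "pl-01234567"}]},
]

def count_rules(permissions):
    """Count rules the way the EC2 quota does: every CIDR, IPv6 CIDR, prefix list
    and referenced security group inside a permission is one rule."""
    return sum(len(p.get("IpRanges", [])) + len(p.get("Ipv6Ranges", []))
               + len(p.get("PrefixListIds", [])) + len(p.get("UserIdGroupPairs", []))
               for p in permissions)

def consolidation_candidates(permissions):
    """For each (protocol, from, to) carrying more than one IPv4 CIDR, return the
    smallest single CIDR that covers them all and how many addresses that supernet
    would newly admit. A large extra_addresses means the merge widens access."""
    by_key = defaultdict(list)
    for p in permissions:
        key = (p["IpProtocol"], p.get("FromPort"), p.get("ToPort"))
        for r in p.get("IpRanges", []):
            by_key[key].append(ipaddress.IPv4Network(r["CidrIp"]))
    result = {}
    for key, nets in by_key.items():
        if len(nets) < 2:
            continue
        merged = list(ipaddress.collapse_addresses(nets))  # join neighbours, drop overlaps
        cover = merged[0]
        while not all(cover.supernet_of(n) for n in merged):
            cover = cover.supernet()  # widen one bit at a time until everything fits
        result[key] = {"cidrs": [str(n) for n in nets], "supernet": str(cover),
                       "extra_addresses": cover.num_addresses - sum(n.num_addresses for n in merged)}
    return result

if __name__ == "__main__":
    print("rules in use:", count_rules(SAMPLE_PERMISSIONS))
    for key, info in consolidation_candidates(SAMPLE_PERMISSIONS).items():
        print(key, info)  # tcp/443: supernet 10.0.0.0/22, extra_addresses 256
```

Pipe the real output of `aws ec2 describe-security-groups --group-ids sg-... --query 'SecurityGroups[0].IpPermissions'` into `count_rules` and `consolidation_candidates` to audit a live group; the 256 extra addresses for the sample are the 10.0.0.0/24 block a /22 would newly admit, compared with 64,768 for the /16 used in step 2.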
Prevention
- Consolidate CIDR ranges into larger blocks whenever possible.
- Use prefix lists for reusable IP sets across security groups.
- Use security group references instead of CIDR rules for inter-service communication.
- Split environments into multiple security groups by tier (web, app, db).
- Monitor security group rule count with AWS Config rules.
Built by the developers of DodaTech