
AWS EC2 Security Group Rules — Maximum Exceeded Fix

DodaTech Updated 2026-06-24 3 min read

This tutorial covers the AWS EC2 security group rule limit: what triggers the error, the ways to get back under the limit, and how to keep rule counts low going forward.

You add a rule to a security group and get RulesPerSecurityGroupLimitExceeded: the group already holds the maximum number of rules (default 60 inbound and 60 outbound). Note that each CIDR block, prefix list, or security group reference inside a permission counts as a separate rule, so one permission with three CIDRs consumes three slots.

Step-by-Step Fix

1. Count current rules

aws ec2 describe-security-groups --group-ids sg-12345678 --query 'SecurityGroups[].{In:IpPermissions,Out:IpPermissionsEgress}'

Expected output (the query returns a list; only the In part is shown here, Out lists the egress permissions in the same shape, and every CidrIp entry counts as one rule):

[
    {
        "In": [
            {"FromPort": 22, "ToPort": 22, "IpProtocol": "tcp", "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
            {"FromPort": 443, "ToPort": 443, "IpProtocol": "tcp", "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}
        ]
    }
]

2. Consolidate multiple CIDR ranges into fewer rules

# Wrong: one rule per IP range (each CIDR consumes its own rule slot)
aws ec2 authorize-security-group-ingress --group-id sg-123 --protocol tcp --port 443 --cidr 10.0.1.0/24
aws ec2 authorize-security-group-ingress --group-id sg-123 --protocol tcp --port 443 --cidr 10.0.2.0/24
aws ec2 authorize-security-group-ingress --group-id sg-123 --protocol tcp --port 443 --cidr 10.0.3.0/24

# Right: consolidate into fewer CIDRs. Consolidation widens what is allowed, so use the
# tightest supernet that covers the ranges you need (10.0.0.0/22 covers the three /24s above);
# 10.0.0.0/16 is shown for illustration and admits the whole 10.0.x.x range.
aws ec2 authorize-security-group-ingress --group-id sg-123 --protocol tcp --port 443 --cidr 10.0.0.0/16
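To make steps 1 and 2 mechanical, here is an added helper (not from the original tutorial) that takes one security group in the shape `aws ec2 describe-security-groups` returns, counts effective rules per direction the way the quota does (one per CIDR, IPv6 range, prefix list or group reference), and for each multi-CIDR permission computes the tightest covering supernet together with how many extra addresses it would admit. The sample group, its IDs and ranges are constructed for illustration.

```python
import ipaddress

# Constructed sample in the shape `aws ec2 describe-security-groups` returns (hypothetical IDs).
SAMPLE_SG = {
    "GroupId": "sg-12345678",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "10.0.1.0/24"}, {"CidrIp": "10.0.2.0/24"},
                      {"CidrIp": "10.0.3.0/24"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}],
         "PrefixListIds": [{"PrefixListId": "pl-0123abcd"}],
         "UserIdGroupPairs": [{"GroupId": "sg-0abc1234"}]},
    ],
    "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
}
DEFAULT_LIMIT = 60  # default inbound and outbound rules per security group

def count_rules(permissions):
    """Every CIDR, IPv6 range, prefix-list and group reference counts as its own rule."""
    return sum(len(p.get("IpRanges", [])) + len(p.get("Ipv6Ranges", []))
               + len(p.get("PrefixListIds", [])) + len(p.get("UserIdGroupPairs", []))
               for p in permissions)

def tightest_supernet(cidrs):
    """Smallest single block covering all CIDRs, and how many extra addresses it admits."""
    blocks = list(ipaddress.collapse_addresses(ipaddress.ip_network(c) for c in cidrs))
    cover = blocks[0]
    while not all(b.subnet_of(cover) for b in blocks):
        cover = cover.supernet()
    extra = cover.num_addresses - sum(b.num_addresses for b in blocks)
    return cover, extra

def audit(sg, limit=DEFAULT_LIMIT):
    """Rule usage per direction plus a consolidation candidate for each multi-CIDR rule."""
    candidates = []
    for p in sg["IpPermissions"]:
        cidrs = [r["CidrIp"] for r in p.get("IpRanges", [])]
        if len(cidrs) > 1:
            cover, extra = tightest_supernet(cidrs)
            # extra > 0 means the merged rule is wider than the originals: review before applying
            candidates.append((p["IpProtocol"], p.get("FromPort"), p.get("ToPort"),
                               str(cover), extra))
    inbound = count_rules(sg["IpPermissions"])
    outbound = count_rules(sg.get("IpPermissionsEgress", []))
    return {"GroupId": sg["GroupId"], "inbound": inbound, "outbound": outbound,
            "inbound_headroom": limit - inbound, "outbound_headroom": limit - outbound,
            "consolidation": candidates}
```

Feed it the `SecurityGroups[0]` element of real describe output to see usage against the quota and which rules are candidates for consolidation; a non-zero `extra` value is the number of addresses the merged rule would newly allow.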

3. Use managed prefix lists

# Create a prefix list with all allowed CIDRs and keep its ID for the rule below
PL_ID=$(aws ec2 create-managed-prefix-list \
  --prefix-list-name "vpc-endpoints" \
  --entries Cidr=10.0.0.0/16,Description="VPC CIDR" Cidr=172.16.0.0/12,Description="Peered VPC" \
  --max-entries 10 \
  --address-family IPv4 \
  --query 'PrefixList.PrefixListId' --output text)

# Reference the prefix list in a single rule instead of multiple CIDR rules.
# authorize-security-group-ingress has no --prefix-list option; prefix lists go in --ip-permissions.
# Caveat: the list's --max-entries counts against the rules-per-group quota as that many rules,
# so keep it small; the benefit is one centrally maintained IP set reused across groups.
aws ec2 authorize-security-group-ingress \
  --group-id sg-123 \
  --ip-permissions "IpProtocol=tcp,FromPort=443,ToPort=443,PrefixListIds=[{PrefixListId=$PL_ID}]"

4. Split into multiple security groups

# Create separate security groups for different services and keep their IDs
# (authorize-* commands need sg-... IDs; a bare name such as db-sg is rejected outside the default VPC)
WEB_SG=$(aws ec2 create-security-group --group-name web-sg --description "Web tier rules" --vpc-id vpc-123 --query GroupId --output text)
APP_SG=$(aws ec2 create-security-group --group-name app-sg --description "App tier rules" --vpc-id vpc-123 --query GroupId --output text)
DB_SG=$(aws ec2 create-security-group --group-name db-sg --description "Database tier rules" --vpc-id vpc-123 --query GroupId --output text)

# Reference security groups instead of CIDRs: one rule admits every instance in app-sg
aws ec2 authorize-security-group-ingress \
  --group-id "$DB_SG" \
  --protocol tcp \
  --port 5432 \
  --source-group "$APP_SG"

5. Request a limit increase

# Requires a Business or Enterprise Support plan; the Support API rejects calls from Basic and Developer plans.
# Without it, raise the "Inbound or outbound rules per security group" quota through Service Quotas instead.
aws support create-case \
  --subject "Security Group Rules Limit Increase" \
  --service-code amazon-ec2 \
  --category-code limit-increase \
  --communication-body "Request increase of security group rules from 60 to 100 for VPC vpc-123" \
  --severity-code low

Prevention

  • Consolidate CIDR ranges into larger blocks whenever possible.
  • Use prefix lists for reusable IP sets across security groups.
  • Use security group references instead of CIDR rules for inter-service communication.
  • Split environments into multiple security groups by tier (web, app, db).
  • Monitor security group rule count with AWS Config rules.

Common Mistakes with ec2 sg rules

  1. Using head and tail instead of pattern matching, causing runtime errors on empty lists
  2. Forgetting that lazy evaluation defers computation until the value is forced, causing space leaks with unevaluated thunks
  3. Using return to exit a function early instead of wrapping a pure value in the monad

These mistakes appear frequently in real-world AWS code. DodaTech's contributors have identified these patterns through analysis of open-source projects and production systems.

Practice Exercise

Write a pure function that safely divides two integers using Maybe, then test it with edge cases like division by zero and negative numbers.

This exercise reinforces the concepts covered in this guide. Try implementing it before checking online solutions.

FAQ

What is the default maximum number of rules per security group?

The default is 60 inbound rules and 60 outbound rules per security group. This limit can be increased up to 1,000 by requesting a service limit increase.

Does a security group reference count as one rule?

Yes, a single security group reference counts as one rule even if the referenced group has many members. This is more efficient than listing individual CIDRs.

What happens if I hit the rule limit?

You will get a RulesPerSecurityGroupLimitExceeded error when trying to add more rules. You must consolidate rules, use prefix lists, or request a limit increase.
