
AWS Security Group Limits & Workarounds

AWS security group rules and difficulties:

The number of inbound or outbound rules per security group in Amazon is 60. Reference.

From the inbound perspective this is not a big issue: if your instances serve customers on the internet, your security group will be wide open anyway, and if you only want to allow access from a few internal IPs, a limit of 60 rules is sufficient.

However, outbound or egress traffic is a different discussion. Say you have a production instance that needs updates from updates.ubuntu.com (15 IPs), a few other repos such as GitHub (12 IPs), and perhaps a third-party partner. You quickly find that 60 IPs are not enough.
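To make the egress arithmetic concrete, here is an added Python example (not code from the Aviatrix page). It assumes the quota quoted above, 60 rules per security group, and that each CIDR block in a rule counts separately toward that quota, which is how AWS counts rules; so a destination reached on two ports needs two rules per address, not one. The destination names, ports and resolved addresses are constructed sample data, not real DNS results.

```python
"""Estimate how many egress security-group rules a set of destinations needs.

Added example, not from the Aviatrix page. Assumes the 60-rule quota quoted
there and that every (protocol, port, CIDR) combination counts as one rule.
All destination data below is constructed for illustration.
"""
from ipaddress import ip_network

RULES_PER_SG_QUOTA = 60  # value quoted on the page

# Constructed sample: destination name -> (TCP ports needed, resolved IPv4 addresses)
SAMPLE_DESTINATIONS = {
    "updates.ubuntu.com": ([80, 443], [f"198.51.100.{i}" for i in range(1, 16)]),  # 15 IPs
    "github.com":         ([22, 443], [f"203.0.113.{i}" for i in range(1, 13)]),   # 12 IPs
    "partner.example":    ([443],     [f"192.0.2.{i}" for i in range(10, 18)]),    # 8 IPs
}


def egress_rules_needed(destinations):
    """Return the set of (proto, port, cidr) tuples the destinations require.

    A set is used so that an address shared by two destinations on the same
    port is counted once, mirroring the single rule that would cover both.
    """
    rules = set()
    for _name, (ports, addrs) in destinations.items():
        for addr in addrs:
            cidr = str(ip_network(f"{addr}/32"))  # validates the address, yields a /32
            for port in ports:
                rules.add(("tcp", port, cidr))
    return rules


def unique_ip_count(destinations):
    """Number of distinct destination addresses, ignoring ports."""
    return len({addr for _ports, addrs in destinations.values() for addr in addrs})


def rules_per_destination(destinations):
    """Rules each destination would need on its own (ports x distinct addresses)."""
    return {name: len(ports) * len(set(addrs))
            for name, (ports, addrs) in destinations.items()}


def fits_in_one_group(destinations, quota=RULES_PER_SG_QUOTA):
    """True if all required rules fit in a single security group."""
    return len(egress_rules_needed(destinations)) <= quota


def report(destinations, quota=RULES_PER_SG_QUOTA):
    """Human-readable summary of the rule budget."""
    total = len(egress_rules_needed(destinations))
    lines = [f"{name}: {count} rules" for name, count in rules_per_destination(destinations).items()]
    lines.append(f"distinct IPs: {unique_ip_count(destinations)}")
    lines.append(f"total rules: {total} of {quota} ({'fits' if total <= quota else 'EXCEEDS quota'})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_DESTINATIONS))
```

With the constructed data only 35 distinct addresses are involved, yet the per-port rule count comes to 62, past the 60-rule quota; this is the trap the paragraph describes, and it gets worse every time a provider adds an address or you add a port.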

How to overcome AWS security group limits:

Aviatrix's solution to this problem is the FQDN Filter security feature, which lets you specify filters using the Fully Qualified Domain Names of the destinations your instances are allowed to reach. This simplifies management: you only have to enter names such as updates.ubuntu.com or github.com to allow access to those services, and you no longer have to deal with third-party name resolution or track changes to those domains' IPs.

An Aviatrix NAT gateway, deployed in your public VPC, is required to carry the outbound traffic to the internet. For more information on how to implement it, see this article on Aviatrix's documentation page.

Become the cloud networking hero of your business.

See how Aviatrix can increase security and resiliency while minimizing cost, skills gap, and deployment time.