Open lalau opened 4 years ago
Hi dear, simple request a limit raise at AWS, I just hit the same issue and now changed to 6 x 160 (6 SG per initerface, 160 rules per SG) than script ran normally
Cheers, Daniel
I solved this adding a new tag "EvenOrOdd" allowing to double the number of security groups.
But nevermind: I got CloudFront very slow after pointing ELB to the security groups with the IPs.
Perhaps is better to allow 0.0.0.0/0 and deny access by checking the header (adding a custom header with a key on CloudFront requests).
Anyway I will try to create a pull request here with the updates.
I realized that I was tired and that's why my CloudFront got "very slow" yesterday. I was associating my ELB SG to the 4 CF SG expecting for inheritance. Of course my CF wasn't able to even connect to the origin actually. It was not slow, it was timeout.
Now my ELB is directly associated to the 4 CF groups (with even and odd) and Lambda is updating the IPs automatically after my changes on the script. It's only 4 groups because I using only https protocol.
I sent a pull-request with the improvement. Hope it helps anybody else.
Now I'm stuck with this.
I solved this adding a new tag "EvenOrOdd" allowing to double the number of security groups.
But nevermind: I got CloudFront very slow after pointing ELB to the security groups with the IPs.
Perhaps is better to allow 0.0.0.0/0 and deny access by checking the header (adding a custom header with a key on CloudFront requests).
Anyway I will try to create a pull request here with the updates.
Hey @raivirtual Can you please help me with the changes that you made in code to add this new tag? Would be really helpful if you can share the changed snippet.
I got this problem too.....
Hi, @vivekj11 I solved this problem by create multi security group to save the ip rules, if your security group is not enougth, alert " Groups is not enough, we need x at least!".
You can see the latest code at https://github.com/wangerzi/aws-cloudfront-samples/blob/master/update_security_groups_lambda/update_security_groups.py
execute results:
Another solution is to do this with AWS WAF and IPSets to get around the security group limits. We created this project that does just that.
@wangerzi Thank you, I will definitely give it a try. In the meantime, I requested AWS to increase my SG rules limit and also created two separate SGs specifically for CloudFront, one for HTTP and other for HTTPS rules., So the limit is not a concern for now.
A different and possibly simpler approach (create new SGs on each update and attach to ENIs then throw old away SGs), see here https://github.com/karlskidmore/SAM-AWS-IPs-to-SGs-to-ENIs -- been working in production for a while now with no hiccups. Hope this helps someone.
Looks like the cidr ranges have grown and once again reaches the limit of security group. This is what I get now running the example code: