# aws
e
Hi folks - how do I setup a SecurityGroupRule to allow all ICMP IPv4 traffic from a specific prefix list?
l
protocol: "icmp", cidrBlocks: prefixList
Afaik you shouldn't need fromPort and toPort for "all" ICMP traffic; only certain ICMP traffic cares about those.
e
Yeah, docs say if protocol is "icmp" I need to provide the ICMP type number in from_port and the ICMP code in to_port, both of which are required... but that doesn't make sense, as ICMP codes are error type indicators.
l
Hmm.. I'll see if I can find the code...
e
Thanks @little-cartoon-10569 - unfortunately pulumi throws errors if I don't specify from and to ports (using python).
l
Looks like all types are in the range 0 to 254.. try those?
e
Nope, that results in the following:
Type				Protocol	Port range
Custom ICMP - IPv4	Echo Reply	254
I'm looking for:
Type			Protocol	Port range
All ICMP - IPv4	ICMP		All
l
-1? Though as far as I know, "All" is used only when protocol = -1, and that means "all protocols and ports".
But the protocol should definitely read ICMP, not Echo Reply...
e
So... -1 in from_port?
Well, type 0 is echo reply.
l
I'd try -1 in both ports... I can't find AWS docs on this though, I'm just guessing.
For the ICMP protocol, you must also specify the ICMP type and code. You can use -1 for the type or code to mean all types or all codes.
e
Yup, that's got it.
Pulumi doesn't use CF tho right? Be boto I imagine.
ToPort [...] A value of -1 indicates all ICMP/ICMPv6 codes. If you specify all ICMP/ICMPv6 types, you must specify all codes.
Thanks for your help @little-cartoon-10569.
l
Yep, doesn't use CF, but they both use the same server-side API, so the values for properties should be identical, unless the client libraries do extra things to the values.
Doesn't use boto either. Uses the API that boto uses though 🙂
e
Gotcha... so this one :)
l
Yep, looks good. Didn't know about that site, of course it had to exist, didn't it? Bookmarked now..