No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

Just started getting a perplexing error. Creating a standard security group, just like I have with Pulumi a dozen times before, and started getting this error:

```Error authorizing security group ingress rules: InvalidPermission.Malformed: Unsupported IP protocol "-1"  - supported: [tcp, udp, icmp]```

Very strange, because “-1” is clearly supported in the docs and hasn’t given me any problems up until now.

Is this AWS or GCP or some other provider? Do you know what changed? Did you upgrade the Pulumi CLI or provider package?

AWS. Yes, I updated Pulumi to 2.3.0. Last time I’m sure it worked was probably 2.10

What version of pulumi/aws are you using?

```        "@pulumi/pulumi": "^2.0.0",
        "@pulumi/aws": "^2.0.0",
        "@pulumi/awsx": "^0.20.0",```

same results with pulumi/pulumi=2.3.0, pulumi/aws=2.6.0, &amp; pulumi/awsx=0.20.0

And this is specifically on a `SecurityGroup` or `SecurityGroupRule` resource?

it’s an `aws.ec2.SecurityGroup` resource

Can you share your `aws.ec2.SecurityGroup` code?

certainly, one moment (going to unwrap some convenience functions I was using, for clarity)

<@UDEJ1F5SQ> ok, well, in the process of cleaning up my example, I found the problem. The VPC ID was ending up undefined due to an error unwinding a Pulumi output variable. It worked when I hardcoded the VPC ID.

That was a super misleading error message, though. Didn’t even suspect the VPC wasn’t making it in.

Thanks for your help and patience!

So I'm guessing the SG was getting created in "classic" EC2?

my account is that old, but I thought I had created a new-style VPC to work in.

If the VPC ID is undefined, the SG will end up in "classic" in that case.