AWS Security Groups are tricky!
Recently I was configuring a security group for a service that uses TCP and UDP ports for ingress connectivity.
Security Groups are an Amazon Web Services feature for Amazon VPC (virtual private cloud) to set up a stateful firewall.
I used Terraform (Terragrunt actually, but that's a detail) to configure the security group's ingress rules.
I wanted to be a smart guy, so I set the protocol to -1, which means "all protocols", so that I didn't need to specify separate rules for TCP and UDP for the same port.
Here comes my surprise, according to the AWS documentation:
"Use -1 to specify all protocols. If you specify -1 or a protocol other than tcp, udp, or icmp, traffic on all ports is allowed, regardless of any ports you specify."
I was not aware of that, and you might not be either!
Honestly, I would expect the AWS API to return an error, or at least a warning, when trying to set a configuration that is impossible to set. Either that didn't happen, or it was silenced in the Terraform provider for AWS (I didn't verify; I suspect the AWS API doesn't give any feedback about that).
It was caught by my workmate, who eventually made separate entries for TCP and UDP to get the configuration right. Shortcuts, although tempting, are not always good solutions.
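As an added example (not the author's Terragrunt configuration), here is the shortcut described above next to a version that keeps a single port definition but emits one rule per protocol. The port 9000, the 10.0.0.0/16 CIDR, the resource names and `var.vpc_id` are assumptions:

```hcl
# Added example, not the post's original configuration.
# Port 9000, the CIDR and var.vpc_id are placeholder values.

# WRONG: protocol "-1" means "all protocols", and AWS then ignores
# from_port/to_port, so this opens every port to 10.0.0.0/16, not just 9000.
resource "aws_security_group" "service_bad" {
  name   = "service-bad"
  vpc_id = var.vpc_id

  ingress {
    description = "Looks like 9000 only, is actually all traffic"
    protocol    = "-1"
    from_port   = 9000
    to_port     = 9000
    cidr_blocks = ["10.0.0.0/16"]
  }
}

# RIGHT: one explicit rule per protocol. The dynamic block keeps the
# single definition the shortcut was after, without the "all protocols" trap.
resource "aws_security_group" "service" {
  name   = "service"
  vpc_id = var.vpc_id

  dynamic "ingress" {
    for_each = toset(["tcp", "udp"])
    content {
      description = "Service port 9000 over ${ingress.value}"
      protocol    = ingress.value
      from_port   = 9000
      to_port     = 9000
      cidr_blocks = ["10.0.0.0/16"]
    }
  }
}
```

After apply, the first group's rule shows up in the AWS console as "All traffic" with no port restriction, while the second group lists two separate rules for TCP 9000 and UDP 9000, which is the check that would have caught this before a reviewer did.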