# AWS Security Groups are tricky!

Recently I was configuring a security group for a service that uses TCP and UDP ports for ingress connectivity.

[Security Groups](https://docs.aws.amazon.com/vpc/latest/userguide/security-groups.html) are an Amazon Web Services feature for [Amazon VPC (virtual private cloud)](https://docs.aws.amazon.com/vpc/latest/userguide/what-is-amazon-vpc.html) to set up a stateful firewall.

I used Terraform (Terragrunt actually, but that's a detail) to configure the security group's ingress rules.

I wanted to be a smart guy, so I set the protocol to `-1`, which means "all protocols", so that I didn't need to specify separate rules for TCP and UDP on the same port.

Here comes my surprise, according to the [AWS documentation](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_AuthorizeSecurityGroupIngress.html):

> Use `-1` to specify all protocols. If you specify `-1` or a protocol other than `tcp`, `udp`, or `icmp`, traffic on all ports is allowed, regardless of any ports you specify.

I was not aware of that, and you might not be either!

Honestly, I would expect the AWS API to return an error, or at least a warning, when asked to set a configuration that cannot take effect - either that didn't happen or it was silenced in the Terraform provider for AWS (I didn't verify; I suspect the AWS API doesn't give any feedback about that).

It was caught by my workmate, who eventually made separate entries for TCP and UDP to get the configuration right - shortcuts, although tempting, are not always good solutions.
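The pitfall above and its fix, as an added Terraform example (not code from the original post); it assumes a security group resource named `aws_security_group.svc`, a service listening on port 5000 for both TCP and UDP, and a source range of `10.0.0.0/16`, all of which are illustrative values:

```hcl
# Added example, not the post's own configuration. Assumed values:
# aws_security_group.svc already exists, the service uses port 5000
# over both TCP and UDP, and clients come from 10.0.0.0/16.

# The tempting shortcut: protocol "-1" means "all protocols". Per the
# AWS API docs, from_port/to_port are then ignored, so this rule admits
# traffic on EVERY port from the CIDR, not just port 5000, and neither
# the API nor Terraform is guaranteed to warn about it.
resource "aws_security_group_rule" "ingress_all_protocols" {
  type              = "ingress"
  security_group_id = aws_security_group.svc.id
  protocol          = "-1"   # all protocols: the port range below is disregarded
  from_port         = 5000
  to_port           = 5000
  cidr_blocks       = ["10.0.0.0/16"]
}

# The correct form: one rule per protocol, so the port restriction is honoured.
resource "aws_security_group_rule" "ingress_tcp_5000" {
  type              = "ingress"
  security_group_id = aws_security_group.svc.id
  protocol          = "tcp"
  from_port         = 5000
  to_port           = 5000
  cidr_blocks       = ["10.0.0.0/16"]
}

resource "aws_security_group_rule" "ingress_udp_5000" {
  type              = "ingress"
  security_group_id = aws_security_group.svc.id
  protocol          = "udp"
  from_port         = 5000
  to_port           = 5000
  cidr_blocks       = ["10.0.0.0/16"]
}
```

After applying, `aws ec2 describe-security-groups` shows the "-1" rule with no port range at all, which is the quickest way to confirm the shortcut did not do what was intended.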
