I want to increase the quota for my security group rules in my Amazon Virtual Private Cloud (Amazon VPC).
Short description
The number of elastic network interfaces in your Amazon Elastic Compute Cloud (Amazon EC2) instance defines the maximum number of rules for each security group. Network interfaces have a maximum quota of 1,000 rules and five security groups. Each security group allows 60 inbound and 60 outbound rules (120 total). By default, you can therefore have a maximum of 300 inbound rules and 300 outbound rules in each network interface (five security groups with 60 rules in each direction).
Resolution
Use the following best practices to optimize your configuration:
- Combine rules where possible.
- Use broader CIDR blocks or smaller security groups.
- Reduce the number of security groups that you use in each network interface.
- Use flow logs to see which traffic actually reaches the interface, and use network access control lists (network ACLs) to filter that traffic without adding security group rules.
If you still must increase the number of rules in each security group beyond the default maximum, then request a quota increase.
Important: When you increase the number of rules in each security group, you must still stay within the 1,000-rule quota for network interfaces. You might need to reduce the number of security groups in each network interface.
For example, when you increase the number of rules in each security group to 250, you can attach only four security groups to a network interface (4 x 250 = 1,000). A fifth group would exceed the 1,000-rule quota.
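The quota arithmetic above is easy to get wrong once a group has several CIDRs or referenced groups behind one port entry. The following Python is an added example (not AWS code and not part of this article): it counts rules the way the console lists them from a describe-security-groups style structure, checks an interface's attached groups against the per-direction, per-interface, and 1,000-rule quotas, and computes how many groups can still share an interface after a quota increase. The group contents and IDs are constructed sample data; the prefix-list weighting noted in the comment is an assumption you should adjust for your account.

```python
"""Audit security group rule counts against the quotas named in the article.

Added example, not AWS code. Input is shaped like the `SecurityGroups`
list returned by `aws ec2 describe-security-groups`; the data below is
constructed for the example, not taken from a real account.
"""

# Quotas from the article. The per-group and per-interface group counts
# are defaults that can be raised; the 1,000-rule figure is fixed.
RULES_PER_NETWORK_INTERFACE = 1000
DEFAULT_GROUPS_PER_INTERFACE = 5
DEFAULT_RULES_PER_DIRECTION = 60


def count_rules(permissions):
    """Count individual rules in an IpPermissions list.

    One API entry (protocol + port range) can carry several rules: every
    IPv4 CIDR, IPv6 CIDR, referenced security group, and prefix list is
    counted as its own rule, which is how the console lists them.
    Assumption: a prefix list is counted as one rule here; if your prefix
    lists carry many entries, weight them by their maximum entry count.
    """
    total = 0
    for perm in permissions:
        total += len(perm.get("IpRanges", []))
        total += len(perm.get("Ipv6Ranges", []))
        total += len(perm.get("UserIdGroupPairs", []))
        total += len(perm.get("PrefixListIds", []))
    return total


def group_rule_counts(security_groups):
    """Return {group_id: (inbound_rules, outbound_rules)} for every group."""
    return {
        sg["GroupId"]: (
            count_rules(sg.get("IpPermissions", [])),
            count_rules(sg.get("IpPermissionsEgress", [])),
        )
        for sg in security_groups
    }


def max_groups_for(rules_per_direction, groups_quota=DEFAULT_GROUPS_PER_INTERFACE):
    """How many groups can share one interface for a given per-group rule quota.

    The product of groups per interface and rules per group must stay within
    the 1,000-rule quota, so raising one forces the other down (250 -> 4).
    """
    return min(groups_quota, RULES_PER_NETWORK_INTERFACE // rules_per_direction)


def check_interface(attached_group_ids, counts,
                    rules_per_direction=DEFAULT_RULES_PER_DIRECTION,
                    groups_quota=DEFAULT_GROUPS_PER_INTERFACE):
    """Check one network interface's attached groups; return findings (empty = OK)."""
    findings = []
    allowed_groups = max_groups_for(rules_per_direction, groups_quota)
    if len(attached_group_ids) > allowed_groups:
        findings.append(f"{len(attached_group_ids)} groups attached, "
                        f"only {allowed_groups} allowed at {rules_per_direction} rules per group")
    inbound_total = outbound_total = 0
    for gid in attached_group_ids:
        inbound, outbound = counts[gid]
        if inbound > rules_per_direction or outbound > rules_per_direction:
            findings.append(f"{gid}: {inbound} inbound / {outbound} outbound rules "
                            f"exceeds {rules_per_direction} per direction")
        inbound_total += inbound
        outbound_total += outbound
    for name, total in (("inbound", inbound_total), ("outbound", outbound_total)):
        if total > RULES_PER_NETWORK_INTERFACE:
            findings.append(f"{total} {name} rules on the interface exceeds "
                            f"{RULES_PER_NETWORK_INTERFACE}")
    return findings


# Constructed sample: two groups, with one port entry holding two CIDRs.
SAMPLE_GROUPS = [
    {"GroupId": "sg-app",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "10.0.0.0/8"}, {"CidrIp": "192.168.0.0/16"}]},
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "UserIdGroupPairs": [{"GroupId": "sg-bastion"}]}],
     "IpPermissionsEgress": [
         {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
          "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-bastion",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "-1",
                              "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]

if __name__ == "__main__":
    counts = group_rule_counts(SAMPLE_GROUPS)
    print(counts)
    print(check_interface(["sg-app", "sg-bastion"], counts))
    print("groups allowed at 250 rules per group:", max_groups_for(250))
```

Run it against real output by replacing SAMPLE_GROUPS with the parsed JSON from describe-security-groups and attached_group_ids with the `Groups` of a network interface from describe-network-interfaces; an empty findings list means the interface is within the quotas the article describes.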
To minimize disruption, it's a best practice to review and test your application when you make security group changes.
Related information
Amazon VPC quotas
Security group rules