AWS Cloudformation configure ICMP protocol for the security group

How do I use CloudFormation to create a security group to allow "ALL ICMP"?

Type: All ICMP

Protocol: All

Port range: N/A

Source: 0.0.0.0/0

I tried the following but it gives "echo reply". What is the correct syntax for "ICMP all"?

"CidrIp": "0.0.0.0/0", "FromPort": "0", "IpProtocol": "icmp", "ToPort": "-1"



Solution 1:[1]

AWS::EC2::SecurityGroupIngress has a code sample to Allow ICMP Ping:

"SGPing" : {
  "Type" : "AWS::EC2::SecurityGroup",
  "DependsOn": "VPC",
  "Properties" : {
    "GroupDescription" : "SG to test ping",
    "VpcId" : {"Ref" : "VPC"},
    "SecurityGroupIngress" : [ 
      { "IpProtocol" : "icmp", "FromPort" : "8", "ToPort" : "-1", "CidrIp" : "10.0.0.0/24" }
    ]
  }
}

Strangely, the page also suggests using -1 for the FromPort.

Solution 2:[2]

In CloudFormation (CFN) this will allow all ICMP traffic:

"IpProtocol" : "icmp", "FromPort" : "-1", "ToPort" : "-1", "CidrIp" : "10.0.0.0/8"

Solution 3:[3]

Could you please try the following syntax?

Type: All ICMP

Protocol: TCP

Port range: 0 - 65535

Source: Anywhere - 0.0.0.0/0

Solution 4:[4]

In AWS::EC2::SecurityGroupIngress CloudFormation resources, the fromPort and toPort attributes take on different functionality when the ICMP protocol is selected, because ICMP does not have ports like TCP or UDP do.

When ICMP is selected as the protocol, the fromPort attribute becomes the ICMP type number and the toPort attribute becomes the ICMP code. When -1 is used for these values, it represents all codes or all types. With that in mind, your CloudFormation template would look like:

"SGPing" : {
  "Type" : "AWS::EC2::SecurityGroup",
  "Properties" : {
    "GroupDescription" : "SG to allow all ICMP",
    "VpcId" : {"Ref" : "VPC"},
    "SecurityGroupIngress" : [ 
      { 
        "IpProtocol" : "icmp", 
        "FromPort" : "-1", 
        "ToPort" : "-1", 
        "CidrIp" : "10.0.0.0/24"
      }
    ]
  }
}

Here's a list of all ICMP types and codes: https://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml
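
The following is an added example, not part of any answer above and not AWS code. It reads ICMP ingress rules the way Solution 4 describes (FromPort as the ICMP type, ToPort as the ICMP code, -1 as "all") and flags rules that open all ICMP to 0.0.0.0/0. The sample template, the resource names SGQuestion and AllIcmpWorld, and the function names are constructed for illustration; treating a type of -1 as covering every code is an assumption of the example.

```python
import json

# Readable names for a few IANA ICMP types (subset, used for output only).
ICMP_TYPE_NAMES = {0: "echo reply", 3: "destination unreachable",
                   8: "echo request", 11: "time exceeded"}

# Constructed sample template; resource names are hypothetical.
SAMPLE = json.loads("""
{"Resources": {
  "SGQuestion": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
    "SecurityGroupIngress": [
      {"IpProtocol": "icmp", "FromPort": "0", "ToPort": "-1", "CidrIp": "0.0.0.0/0"}]}},
  "SGPing": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
    "SecurityGroupIngress": [
      {"IpProtocol": "icmp", "FromPort": "8", "ToPort": "-1", "CidrIp": "10.0.0.0/24"},
      {"IpProtocol": "tcp", "FromPort": "22", "ToPort": "22", "CidrIp": "10.0.0.0/24"}]}},
  "AllIcmpWorld": {"Type": "AWS::EC2::SecurityGroupIngress", "Properties": {
    "IpProtocol": "icmp", "FromPort": -1, "ToPort": -1, "CidrIp": "0.0.0.0/0"}}
}}
""")

def describe(rule):
    """Read FromPort as the ICMP type and ToPort as the ICMP code (-1 = all)."""
    icmp_type, icmp_code = int(rule["FromPort"]), int(rule["ToPort"])
    if icmp_type == -1:  # assumption: type -1 covers every code as well
        return "all ICMP types and codes"
    name = ICMP_TYPE_NAMES.get(icmp_type, "unnamed here")
    codes = "all codes" if icmp_code == -1 else f"code {icmp_code}"
    return f"type {icmp_type} ({name}), {codes}"

def icmp_rules(template):
    """Yield (resource, cidr, meaning, world_open_all_icmp) per ICMP ingress rule."""
    for name, res in template.get("Resources", {}).items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::EC2::SecurityGroup":
            rules = props.get("SecurityGroupIngress", [])  # inline rules
        elif res.get("Type") == "AWS::EC2::SecurityGroupIngress":
            rules = [props]  # standalone ingress resource
        else:
            continue
        for rule in rules:
            if str(rule.get("IpProtocol", "")).lower() != "icmp":
                continue
            cidr = rule.get("CidrIp", "")
            meaning = describe(rule)
            yield name, cidr, meaning, cidr == "0.0.0.0/0" and meaning.startswith("all ICMP")

if __name__ == "__main__":
    for row in icmp_rules(SAMPLE):
        print(row)
```

The first row shows why the rule in the question displayed as "echo reply": a FromPort of 0 selects ICMP type 0 rather than all types.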

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 John Rotenstein
Solution 2 Shahar Hamuzim Rajuan
Solution 3 Ali sahin
Solution 4