by spydum 2799 days ago
I think you may be mistaken. Security Groups are stateful: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Securit...

As suggested, it's very likely they hit the connection tracking limitation: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-ne...

I've personally witnessed teams hit this specifically for DNS (usually for internal, where you have explicitly permitted src/dst).

2 comments

Yep, I mistook Security Groups for Network ACLs. Thanks. It's in the best practices to not track DNS for big systems.

From powerdns https://doc.powerdns.com/recursor/performance.html

Thx for the clarification. Had the same misconception.
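The thread's point, that a security group is stateful and therefore a narrowly scoped DNS rule (explicit src/dst, as spydum describes) makes every UDP query consume a connection-tracking entry, can be checked against a rule set before deployment. The script below is an added example written for this thread, not code from AWS or from any commenter; it models the documented "untracked" criterion as I paraphrase it (assumption: a flow is untracked only when the rule in its own direction permits it from 0.0.0.0/0 or ::/0 and a rule in the opposite direction permits all ports from 0.0.0.0/0 or ::/0 for that protocol; the service's extra cases, such as automatically tracked flows, are not modelled). The `Rule` class, the rule sets and the resolver addresses are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_network

# Constructed model of a security group rule (not the AWS API shape).
ANY_V4 = ip_network("0.0.0.0/0")
ANY_V6 = ip_network("::/0")
ALL_PORTS = (0, 65535)


@dataclass(frozen=True)
class Rule:
    direction: str          # "in" or "out"
    protocol: str           # "tcp", "udp" or "all"
    ports: tuple            # (from_port, to_port); ALL_PORTS for "all traffic"
    cidr: str               # source (inbound) or destination (outbound)


def _allows_anywhere(rule: Rule) -> bool:
    """True when the rule is open to the whole address space."""
    return ip_network(rule.cidr) in (ANY_V4, ANY_V6)


def _covers(rule: Rule, proto: str, port: int) -> bool:
    return rule.protocol in ("all", proto) and rule.ports[0] <= port <= rule.ports[1]


def is_untracked(rules, proto: str, port: int, direction: str) -> bool:
    """Paraphrase (assumption) of the documented untracked-flow criterion:
    the flow's own direction must be permitted from/to 0.0.0.0/0 or ::/0,
    and the reverse direction must permit ALL ports from/to 0.0.0.0/0 or ::/0
    for the same protocol. Anything else is tracked and costs a conntrack entry."""
    forward_open = any(
        r.direction == direction and _allows_anywhere(r) and _covers(r, proto, port)
        for r in rules
    )
    reverse_dir = "out" if direction == "in" else "in"
    reverse_open = any(
        r.direction == reverse_dir
        and _allows_anywhere(r)
        and r.protocol in ("all", proto)
        and r.ports == ALL_PORTS
        for r in rules
    )
    return forward_open and reverse_open


def dns_tracking_report(rules, resolver_port: int = 53) -> dict:
    """Summarise whether client-side DNS over UDP and TCP would be tracked."""
    return {
        proto: ("untracked" if is_untracked(rules, proto, resolver_port, "out") else "tracked")
        for proto in ("udp", "tcp")
    }


# Constructed rule set 1: the "internal resolver, explicit src/dst" case from the
# thread. Every query to 10.0.0.2 is a tracked UDP flow.
INTERNAL_DNS_RULES = [
    Rule("out", "udp", (53, 53), "10.0.0.2/32"),
    Rule("out", "tcp", (53, 53), "10.0.0.2/32"),
    Rule("in", "all", ALL_PORTS, "10.0.0.0/8"),
]

# Constructed rule set 2: what it takes to make DNS untracked under the criterion
# above. Note the price: the reverse direction has to be opened to all ports from
# anywhere, which is a much weaker security group than rule set 1.
UNTRACKED_DNS_RULES = [
    Rule("out", "udp", (53, 53), "0.0.0.0/0"),
    Rule("out", "tcp", (53, 53), "0.0.0.0/0"),
    Rule("in", "all", ALL_PORTS, "0.0.0.0/0"),
]

# Constructed rule set 3: open outbound, but the reverse rule is port-limited,
# so the flow is still tracked.
PORT_LIMITED_REVERSE_RULES = [
    Rule("out", "udp", (53, 53), "0.0.0.0/0"),
    Rule("in", "udp", (53, 53), "0.0.0.0/0"),
]

if __name__ == "__main__":
    for name, rules in (("internal", INTERNAL_DNS_RULES),
                        ("untracked", UNTRACKED_DNS_RULES),
                        ("port-limited reverse", PORT_LIMITED_REVERSE_RULES)):
        print(f"{name:22s} {dns_tracking_report(rules)}")
```

The report makes the trade-off in the thread explicit: the locked-down internal-resolver rule set is exactly the one that tracks every query, and the only way to escape tracking within the security group itself is to open the reverse direction wide. For a busy fleet, running a local caching resolver on the instance (the PowerDNS performance notes linked above cover that side) keeps the tight rules and reduces how many flows leave the host at all.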