diff --git a/README.md b/README.md
index d9e0aa8..239cd63 100644
--- a/README.md
+++ b/README.md
@@ -104,7 +104,7 @@ efs-csi-controller 0 5m
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | 5.96.0 |
+| [aws](#provider\_aws) | 5.100.0 |
| [null](#provider\_null) | 3.2.4 |
| [terraform](#provider\_terraform) | n/a |
@@ -127,6 +127,9 @@ efs-csi-controller 0 5m
| [aws_security_group.all_worker_mgmt](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
| [aws_security_group.extra_cluster_sg](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
| [aws_security_group_rule.allow_sidecar_injection](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
+| [aws_vpc_security_group_egress_rule.additional](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_egress_rule) | resource |
+| [aws_vpc_security_group_ingress_rule.additional](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_ingress_rule) | resource |
+| [aws_vpc_security_group_ingress_rule.additional_ingress_rules_2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_ingress_rule) | resource |
| [null_resource.git_version](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
| [terraform_data.subnet_validation](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/resources/data) | resource |
| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
diff --git a/security_groups.tf b/security_groups.tf
index c37cec7..9712bda 100644
--- a/security_groups.tf
+++ b/security_groups.tf
@@ -44,6 +44,7 @@ resource "aws_security_group" "additional_eks_cluster_sg" {
}
}
+# once setup, you cannot change any ports here
resource "aws_security_group" "all_worker_mgmt" {
name = local.all_worker_mgmt_name
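Review bot: The comment `# once setup, you cannot change any ports here` added above `aws_security_group.all_worker_mgmt` (and repeated above `extra_cluster_sg` in the next hunk) states a constraint without its reason, so a maintainer cannot tell whether it is an EKS restriction on groups attached at cluster creation or a consequence of how the new rules in securitygroup.ports.tf are keyed. State the cause and the intended escape hatch in the comment itself, for example `# Ports here are treated as immutable after the first apply (<reason>); add new ports via the rule sets in securitygroup.ports.tf instead of editing this group.`, with the reason filled in by whoever knows it. The body of `aws_security_group.all_worker_mgmt` continues outside the hunk.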
@@ -73,6 +74,8 @@ resource "aws_security_group" "all_worker_mgmt" {
}
}
+# once setup, you cannot change any ports here
+# attach to cluster create, nodegroups
resource "aws_security_group" "extra_cluster_sg" {
name = format("%v%v-extra", local.prefixes["eks-security-group"], var.cluster_name)
description = format("Security group for additional access for EKS cluster %v", var.cluster_name)
diff --git a/securitygroup.ports.tf b/securitygroup.ports.tf
new file mode 100644
index 0000000..4c58b3d
--- /dev/null
+++ b/securitygroup.ports.tf
@@ -0,0 +1,166 @@
+# See
+# https://stackoverflow.com/questions/71902887/transport-error-while-dialing-dial-tcp-xx-xx-xx-xx15012-i-o-timeout-with-aws-e
+# Ports needed to correctly install Istio for the error message: transport: Error while dialing dial tcp xx.xx.xx.xx15012: i/o timeout
+# other ports here as needed
+locals {
+ sg_additional_ports = [
+ {
+ component = "istio"
+ description = "Envoy admin port / outbound"
+ from_port = 15000
+ to_port = 15001
+ },
+ {
+ component = "istio"
+ description = "Debug port"
+ from_port = 15004
+ to_port = 15004
+ },
+ {
+ component = "istio"
+ description = "Envoy inbound"
+ from_port = 15006
+ to_port = 15006
+ },
+ {
+ component = "istio"
+ description = "HBONE mTLS tunnel port / secure networks XDS and CA services (Plaintext)"
+ from_port = 15008
+ to_port = 15010
+ },
+ {
+ component = "istio"
+ description = "XDS and CA services (TLS and mTLS)"
+ from_port = 15012
+ to_port = 15012
+ },
+ {
+ component = "istio"
+ description = "Control plane monitoring"
+ from_port = 15014
+ to_port = 15014
+ },
+ {
+ component = "istio"
+ description = "Webhook container port, forwarded from 443"
+ from_port = 15017
+ to_port = 15017
+ },
+ {
+ component = "istio"
+ description = "Merged Prometheus telemetry from Istio agent, Envoy, and application, Health checks"
+ from_port = 15020
+ to_port = 15021
+ },
+ {
+ component = "istio"
+ description = "DNS port"
+ from_port = 15053
+ to_port = 15053
+ },
+ {
+ component = "istio"
+ description = "Envoy Prometheus telemetry"
+ from_port = 15090
+ to_port = 15090
+ },
+ {
+ component = "istio"
+ description = "aws-load-balancer-controller"
+ from_port = 9443
+ to_port = 9443
+ },
+ {
+ component = "cert-manager"
+ description = "cert-manager-webhook"
+ from_port = 10250
+ to_port = 10250
+ }
+ ]
+
+ sg_additional_ports_2 = [
+ {
+ component = "istio"
+ description = "XDS and CA services (TLS and mTLS)"
+ from_port = 15012
+ to_port = 15012
+ },
+ {
+ component = "istio"
+ description = "Webhook container port, forwarded from 443"
+ from_port = 15017
+ to_port = 15017
+ }
+ ]
+
+ sg_additional_ingress_rules = {
+ for ikey, ivalue in local.sg_additional_ports :
+ "${ikey}_ingress" => {
+ description = ivalue.description
+ protocol = "tcp"
+ from_port = ivalue.from_port
+ to_port = ivalue.to_port
+ type = "ingress"
+ self = true
+ }
+ }
+
+ sg_additional_egress_rules = {
+ for ekey, evalue in local.sg_additional_ports :
+ "${ekey}_egress" => {
+ description = evalue.description
+ protocol = "tcp"
+ from_port = evalue.from_port
+ to_port = evalue.to_port
+ type = "egress"
+ self = true
+ }
+ }
+
+ sg_additional_ingress_rules_2 = {
+ for ikey, ivalue in local.sg_additional_ports_2 :
+ "${ikey}_ingress" => {
+ description = ivalue.description
+ protocol = "tcp"
+ from_port = ivalue.from_port
+ to_port = ivalue.to_port
+ type = "ingress"
+ self = true
+ }
+ }
+}
+
+resource "aws_vpc_security_group_ingress_rule" "additional" {
+ for_each = { for k, v in local.sg_additional_ingress_rules : v.from_port => v }
+ security_group_id = aws_security_group.additional_eks_cluster_sg.id
+
+ description = each.value.description
+ from_port = each.value.from_port
+ to_port = each.value.to_port
+ ip_protocol = each.value.protocol
+ referenced_security_group_id = each.value.self ? aws_security_group.additional_eks_cluster_sg.id : null
+ # referenced_security_group_id = aws_security_group.all_worker_mgmt.id
+}
+
+resource "aws_vpc_security_group_egress_rule" "additional" {
+ for_each = { for k, v in local.sg_additional_egress_rules : v.from_port => v }
+ security_group_id = aws_security_group.additional_eks_cluster_sg.id
+
+ description = each.value.description
+ from_port = each.value.from_port
+ to_port = each.value.to_port
+ ip_protocol = each.value.protocol
+ referenced_security_group_id = each.value.self ? aws_security_group.additional_eks_cluster_sg.id : null
+ # referenced_security_group_id = aws_security_group.all_worker_mgmt.id
+}
+
+resource "aws_vpc_security_group_ingress_rule" "additional_ingress_rules_2" {
+ for_each = { for k, v in local.sg_additional_ingress_rules_2 : v.from_port => v }
+ security_group_id = aws_security_group.extra_cluster_sg.id
+
+ description = each.value.description
+ from_port = each.value.from_port
+ to_port = each.value.to_port
+ ip_protocol = each.value.protocol
+ referenced_security_group_id = aws_security_group.additional_eks_cluster_sg.id
+}
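Review bot: The `for_each` in `aws_vpc_security_group_ingress_rule.additional` keys the map by `v.from_port`, which discards the `"${ikey}_ingress"` keys built in `sg_additional_ingress_rules` and will fail with a duplicate-key error as soon as two entries share a starting port; `aws_vpc_security_group_egress_rule.additional` and `additional_ingress_rules_2` have the same shape. A key that is unique per range and stable under reordering avoids both, e.g. `for_each = { for k, v in local.sg_additional_ingress_rules : "${v.from_port}-${v.to_port}" => v }`. Separately, `referenced_security_group_id = each.value.self ? aws_security_group.additional_eks_cluster_sg.id : null` leaves the rule with no source at all when `self` is false, and the resource requires one of cidr_ipv4, cidr_ipv6, prefix_list_id or referenced_security_group_id, so such an entry would only fail at apply; since every entry sets `self = true` and `type` is never read, either drop those two attributes from the locals and write `referenced_security_group_id = aws_security_group.additional_eks_cluster_sg.id`, or add a precondition so a future `self = false` entry fails at plan. `sg_additional_ports_2` also restates two entries of `sg_additional_ports` by hand; deriving it by filtering the first list on port would keep the descriptions from drifting.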