diff --git a/pkg/apis/awsprovider/v1alpha1/types.go b/pkg/apis/awsprovider/v1alpha1/types.go
index db4513a663..dbd985e1aa 100644
--- a/pkg/apis/awsprovider/v1alpha1/types.go
+++ b/pkg/apis/awsprovider/v1alpha1/types.go
@@ -266,6 +266,9 @@ var (
 	// SecurityGroupProtocolAll is a wildcard for all IP protocols
 	SecurityGroupProtocolAll = SecurityGroupProtocol("-1")
 
+	// SecurityGroupProtocolIPinIP represents the IP in IP protocol in ingress rules
+	SecurityGroupProtocolIPinIP = SecurityGroupProtocol("4")
+
 	// SecurityGroupProtocolTCP represents the TCP protocol in ingress rules
 	SecurityGroupProtocolTCP = SecurityGroupProtocol("tcp")
diff --git a/pkg/cloud/aws/services/ec2/securitygroups.go b/pkg/cloud/aws/services/ec2/securitygroups.go
index 599cf68a90..3f1bc7880b 100644
--- a/pkg/cloud/aws/services/ec2/securitygroups.go
+++ b/pkg/cloud/aws/services/ec2/securitygroups.go
@@ -289,6 +289,16 @@ func (s *Service) getSecurityGroupIngressRules(role v1alpha1.SecurityGroupRole)
 					s.scope.SecurityGroups()[v1alpha1.SecurityGroupNode].ID,
 				},
 			},
+			{
+				Description: "IP-in-IP (calico)",
+				Protocol: v1alpha1.SecurityGroupProtocolIPinIP,
+				FromPort: -1,
+				ToPort: 65535,
+				SourceSecurityGroupIDs: []string{
+					s.scope.SecurityGroups()[v1alpha1.SecurityGroupControlPlane].ID,
+					s.scope.SecurityGroups()[v1alpha1.SecurityGroupNode].ID,
+				},
+			},
 		}, nil
 
 	case v1alpha1.SecurityGroupNode:
@@ -318,6 +328,16 @@ func (s *Service) getSecurityGroupIngressRules(role v1alpha1.SecurityGroupRole)
 					s.scope.SecurityGroups()[v1alpha1.SecurityGroupNode].ID,
 				},
 			},
+			{
+				Description: "IP-in-IP (calico)",
+				Protocol: v1alpha1.SecurityGroupProtocolIPinIP,
+				FromPort: -1,
+				ToPort: 65535,
+				SourceSecurityGroupIDs: []string{
+					s.scope.SecurityGroups()[v1alpha1.SecurityGroupNode].ID,
+					s.scope.SecurityGroups()[v1alpha1.SecurityGroupControlPlane].ID,
+				},
+			},
 		}, nil
 
 	}
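Review bot: The doc comment on the new SecurityGroupProtocolIPinIP constant should say what the literal "4" is, because its neighbours use a wildcard ("-1") and a protocol name ("tcp") while this one is a bare protocol number; suggest `// SecurityGroupProtocolIPinIP represents the IP-in-IP protocol (IANA protocol number 4) in ingress rules`. EC2 accepts a protocol number in this field, but a reader who does not have the IANA table in mind cannot otherwise tell that "4" is deliberate rather than a stray port or typo.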
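Review bot: The `FromPort: -1` / `ToPort: 65535` pair on the new IP-in-IP rule is a half-open range that EC2 does not apply: when the protocol is given as a number other than tcp, udp, icmp or icmpv6, EC2 allows all traffic for that protocol regardless of the port range, so these values only mislead the reader. Either write `FromPort: -1,` and `ToPort: -1,` as the all-protocols wildcard convention does, or add a comment stating that ports are ignored for this protocol. If the reconciliation code elsewhere compares desired rules with the rules EC2 reports field by field, the port values EC2 returns for a numbered protocol may not equal -1/65535, which could make the rule look missing on every reconcile; that comparison is not in this hunk and should be checked. The same pair appears in the node hunk at @@ -318, whose SourceSecurityGroupIDs order is also reversed relative to this one, which is harmless only if that comparison is order-insensitive. The enclosing getSecurityGroupIngressRules starts before and ends after this hunk.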