diff --git a/packages/@aws-cdk/aws-ec2/lib/port.ts b/packages/@aws-cdk/aws-ec2/lib/port.ts
index df8d671271b85..314c8d615b0dd 100644
--- a/packages/@aws-cdk/aws-ec2/lib/port.ts
+++ b/packages/@aws-cdk/aws-ec2/lib/port.ts
@@ -9,6 +9,8 @@ export enum Protocol {
 UDP = 'udp',
 ICMP = 'icmp',
 ICMPV6 = '58',
+ ESP = 'esp',
+ AH = 'ah',
 }
 
 /**
@@ -171,6 +173,30 @@ export class Port {
 });
 }
 
+ /**
+ * A single ESP port
+ */
+ public static esp(): Port {
+ return new Port({
+ protocol: Protocol.ESP,
+ fromPort: 50,
+ toPort: 50,
+ stringRepresentation: 'ESP 50',
+ });
+ }
+
+ /**
+ * A single AH port
+ */
+ public static ah(): Port {
+ return new Port({
+ protocol: Protocol.AH,
+ fromPort: 51,
+ toPort: 51,
+ stringRepresentation: 'AH 51',
+ });
+ }
+
 /**
 * Whether the rule containing this port range can be inlined into a securitygroup or not.
 */
diff --git a/packages/@aws-cdk/aws-ec2/package.json b/packages/@aws-cdk/aws-ec2/package.json
index 801040d4c7385..fb14ba55bd21b 100644
--- a/packages/@aws-cdk/aws-ec2/package.json
+++ b/packages/@aws-cdk/aws-ec2/package.json
@@ -315,6 +315,8 @@
 "docs-public-apis:@aws-cdk/aws-ec2.Protocol.UDP",
 "docs-public-apis:@aws-cdk/aws-ec2.Protocol.ICMP",
 "docs-public-apis:@aws-cdk/aws-ec2.Protocol.ICMPV6",
+ "docs-public-apis:@aws-cdk/aws-ec2.Protocol.ESP",
+ "docs-public-apis:@aws-cdk/aws-ec2.Protocol.AH",
 "docs-public-apis:@aws-cdk/aws-ec2.WindowsVersion.WINDOWS_SERVER_2008_SP2_ENGLISH_64BIT_SQL_2008_SP4_EXPRESS",
 "docs-public-apis:@aws-cdk/aws-ec2.WindowsVersion.WINDOWS_SERVER_2012_R2_RTM_CHINESE_SIMPLIFIED_64BIT_BASE",
 "docs-public-apis:@aws-cdk/aws-ec2.WindowsVersion.WINDOWS_SERVER_2012_R2_RTM_CHINESE_TRADITIONAL_64BIT_BASE",
diff --git a/packages/@aws-cdk/aws-ec2/test/integ.vpc.expected.json b/packages/@aws-cdk/aws-ec2/test/integ.vpc.expected.json
index 1586cc8bff5e7..641b97b4ddbd5 100644
--- a/packages/@aws-cdk/aws-ec2/test/integ.vpc.expected.json
+++ b/packages/@aws-cdk/aws-ec2/test/integ.vpc.expected.json
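Review bot: In the `enum Protocol` hunk of lib/port.ts, `ESP = 'esp'` and `AH = 'ah'` are written as protocol names, while the neighbouring `ICMPV6 = '58'` uses the IANA protocol number. As far as I know, the EC2 security-group `IpProtocol` field documents names only for tcp, udp, icmp and icmpv6 and expects a number for anything else, so `ESP = '50'` and `AH = '51'` look like the safer values. The expected-template snapshot only records what is synthesized, so it does not show that a deployment accepts `"IpProtocol": "esp"`; confirm this against a real stack before relying on these rules for IPsec traffic.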
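Review bot: The docstrings on `Port.esp()` and `Port.ah()` in lib/port.ts ("A single ESP port", "A single AH port") are misleading: ESP and AH are IP protocols with no port concept, and the 50/51 in `fromPort`/`toPort` are protocol numbers. Suggested wording: `* ESP (IP protocol 50, IPsec); fromPort/toPort carry the protocol number, not a port range`, and the equivalent for AH with 51. If I read the EC2 documentation correctly, a rule for a protocol other than tcp/udp/icmp/icmpv6 applies regardless of the port range given. The docstring should therefore also tell users that the rule admits all ESP (or AH) traffic from the peer, so they scope the peer CIDR accordingly. The `Port` class body continues outside the hunk.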
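Review bot: The two `docs-public-apis:` entries added to package.json for `Protocol.ESP` and `Protocol.AH` appear to suppress the missing-documentation lint for enum members introduced in this same commit. The existing entries look like legacy debt, and new public API should not add to it. Document the members in lib/port.ts instead, e.g. `/** Encapsulating Security Payload (IP protocol 50), used by IPsec */` and `/** Authentication Header (IP protocol 51), used by IPsec */`, then drop these two lines.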
@@ -567,6 +567,20 @@ "FromPort": 800, "IpProtocol": "udp", "ToPort": 801 + }, + { + "CidrIp": "0.0.0.0/0", + "Description": "from 0.0.0.0/0:ESP 50", + "FromPort": 50, + "IpProtocol": "esp", + "ToPort": 50 + }, + { + "CidrIp": "0.0.0.0/0", + "Description": "from 0.0.0.0/0:AH 51", + "FromPort": 51, + "IpProtocol": "ah", + "ToPort": 51 } ], "VpcId": { @@ -575,4 +589,4 @@ } } } -} \ No newline at end of file +} diff --git a/packages/@aws-cdk/aws-ec2/test/integ.vpc.ts b/packages/@aws-cdk/aws-ec2/test/integ.vpc.ts index 2ffd5653e33f4..88e4dacf9839a 100644 --- a/packages/@aws-cdk/aws-ec2/test/integ.vpc.ts +++ b/packages/@aws-cdk/aws-ec2/test/integ.vpc.ts @@ -16,6 +16,8 @@ const rules = [ ec2.Port.allUdp(), ec2.Port.udp(123), ec2.Port.udpRange(800, 801), + ec2.Port.esp(), + ec2.Port.ah(), ]; for (const rule of rules) {