How to Block IP in AWS VPC - by IP or CIDR Range | Devops Junction

Let's suppose your AWS infrastructure is under DDOS attack and your Load balancers and Applications are flooded with requests.

The Immediate action you can take is to block the IP you have identified.

If you have monitoring tools and Log management tools like Datadog, EFK, Splunk etc. they can be used to get the IP address of the spammer or the bot. or Simple NGINX/Apache log can do.

Even the monitoring systems have auto threat detection or anomaly detection to identify this prior.

 

If you are not having such monitoring systems in place. I would recommend enabling WAF your application load balancer which can apply rate limit and block the IP.

But in this article, we are going to show you how you can block a particular IP or list of IPs from accessing your infrastructure.

While talking about infrastructure, It includes all the Application Load Balancers, network load balancers etc. So if you want an IP to be blocked from accessing all your applications this could help you.

 

Steps to Block IP in AWS VPC ( Global Level)

  1. Go to VPC services section and find your VPCblock IP AWS
  2. Click on the VPC go into the Details page and find the primary NACL Network Access Control List of the VPCAWS Block IP
  3. Click on the NACL ID hyperlink and go to the NACL Inbound rules tab
  4. Click on the Edit Inbound Rules button
  5. On the Edit Inbound Rules page. Click on the Add new rule button
  6. Give Rule number lower than the All traffic - Allow the rule which defaults to 100 you can give 1  or lower than 100 and work your way upwards upon every single IP you are blocking
  7. Choose the Type from the drop down. Select All Traffic to block all the traffic from the IP
  8. Enter the Port Range you would like to block. Choose All for all the ports ( If you have chosen All traffic this is not needed)
  9. Enter the Source IP CIDR range if single IP add /32 at the end
  10. Select Deny to deny the requests coming from the IP matching the port tange.
  11. Click on the Sort by rule number to validate that the default rule 100 is staying at the bottom
  12. Save the changes by clicking on Save Changesaws block ip

 

This is how you can block an IP address Global level of your overall infrastructure.

How to block IP at the ALB level or Server Level

If you do not want to block the IP from your entire Infra but to block only to certain application

You have a few options

  • Create rules in Application Load Balancer to Deny the IP
  • Create a WAF policy that matches the Source IP and block
  • EC2 Security group level blocking with help of Security groups
  • Within the EC2 instance (Ubuntu/Linux) use firewallD to block the IP

 

Create rules in Application Load Balancer to Deny the IP

Another famous way to block the traffic at Application Load Balancer is to do it through ALB Rules.

You can create a rule like shown below and return some custom response if the IP matches the IP you want to block.

here is a screenshot of some sample rule for your reference

Block IP AWS

If the Source IP is X or Y you can return a fixed response like HTTP 429  with some custom response body like this Too many requests from this ip etc.

This is one more efficient way of blocking IP at the Elastic Load Balancer Level.

Remember, This can be done only at the Application and network load balancer as Classic Load Balancer does not support the rules for processing.

Hope this article was helpful to you.

let us know in case of any queries or feedback on the comments

Cheers
Sarav AK

Follow me on Linkedin My Profile
Follow DevopsJunction onFacebook orTwitter
For more practical videos and tutorials. Subscribe to our channel

Buy Me a Coffee at ko-fi.com

Signup for Exclusive "Subscriber-only" Content

Loading