How can I allow or block specific IPs on my EC2 instance?

5 minute read

I want to allow specific IP addresses access to my Amazon Elastic Compute Cloud (Amazon EC2) instance and block other IP addresses. How do I do this?

Short description

To allow or block specific IP addresses for your EC2 instances, use a network Access Control List (ACL) or security group rules in your Virtual Private Cloud (VPC). Network ACLs and security group rules act as firewalls allowing or blocking IP addresses from accessing your resources. Network ACLs control inbound and outbound traffic at the subnet level. Because network ACLs function at the subnet level, rules apply to all instances in associated subnets. Security group rules act as a firewall for associated Amazon EC2 instances, controlling both inbound and outbound traffic at the instance level.

Keep in mind that network ACLs are stateless, meaning that rules must explicitly allow return traffic. Security group rules automatically allow return traffic regardless of any rules.


Use a network ACL to allow or block specific IP addresses

Note: The following instructions provide a high-level overview of how to work with network ACLs. For more detailed instructions, see Work with network ACLs.

Create a network ACL

  1. Open the Amazon VPC console.

  2. Select Network ACLs.

  3. Select Create Network ACL.

  4. In the Create Network ACL dialog box, optionally name your network ACL, and then select the ID of your VPC from the VPC list.

  5. Select Yes, Create.

Add rules to a network ACL

  1. Open the Amazon VPC console.

  2. Select Network ACLs.

  3. In the details pane, choose either the Inbound Rules or Outbound Rules tab, depending on the type of rule that you need to add. Then choose Edit.

  4. In Rule #, enter a rule number (for example, 100). The rule number must not already be in use in the network ACL. Rules are processed in order, starting with the lowest number.

    Note: It's a best practice to leave gaps between rule numbers (such as 100, 200, 300), rather than using sequential numbers (101, 102, 103). This makes it easier to add a new rule without having to renumber the existing rules.

  5. Select a rule from the Type list. For example, to add a rule for HTTP, choose HTTP. To add a rule to allow all TCP traffic, choose All TCP. For some of these options (for example, HTTP), the port is added for you. To use a protocol that's not listed, choose Custom Protocol Rule.

  6. (Optional) If you're creating a custom protocol rule, select the protocol's number and name from the Protocol list. For more information, see IANA List of Protocol Numbers.

  7. (Optional) If the protocol you selected requires a port number, enter the port number or port range separated by a hyphen (for example, 49152-65535).

  8. In the Source or Destination field (depending on whether this is an inbound or outbound rule), enter the CIDR range that the rule applies to.

  9. From the Allow/Deny list, select ALLOW to allow the specified traffic or DENY to deny the specified traffic.

  10. (Optional) To add another rule, choose Add another rule, and repeat steps 4 to 9 as required.

  11. When you are done, choose Save.

Associate a subnet with a network ACL

  1. Open the Amazon VPC console.

  2. Select Network ACLs, and then choose the network ACL.

  3. In the details pane, on the Subnet Associations tab, choose Edit. Select the Associate check box for the subnet to associate with the network ACL, and then choose Save.

Use a security group allow or block specific IP addresses

Note: The following instructions provide a high-level overview of how to work with security groups. For detailed information on how to modify the default security group, create a new group, add rules, and then associate your security group to one or more instances in your subnet, see Work with security groups.

  1. Open the Amazon VPC console.

  2. Choose Security groups.

  3. Choose Create security group.

  4. Enter a name and description for the security group. You cannot change the name and description of a security group after it is created.

  5. From VPC, choose the VPC.

  6. You can add security group rules now, or you can add them later. For more information, see Add rules to a security group.

  7. You can add tags now, or you can add them later. To add a tag, choose Add new tag and enter the tag key and value.

  8. Choose Create security group.

After you create a security group, you can assign it to an EC2 instance when you launch the instance or change the security group currently assigned to an instance. For more information, see Launch an instance using defined parameters or Change an instance's security group.

Related information

Internetwork traffic privacy in Amazon VPC

Control traffic to subnets using Network ACLs

Control traffic to resources using security groups

AWS OFFICIALUpdated 3 years ago

I was under the impression that a VPC security group could only allow IP addresses (or CIDR ranges of IP addresses), not actually block specific IP addresses. Granted, you could get creative with multiple CIDR ranges, but... this seems unwieldy at best. So the official advice given here (about VPC security groups, specifically) seems misleading.

But I'm prepared to be proven wrong.

profile picture
replied 3 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

profile pictureAWS
replied 3 months ago