
How do I allow or block specific IP addresses on my EC2 instance?


I want to allow access for specific IP addresses to my Amazon Elastic Compute Cloud (Amazon EC2) instance and block other IP addresses.

Resolution

To allow or block specific IP addresses for your EC2 instances, use a network access control list (network ACL) or security group rules in Amazon Virtual Private Cloud (Amazon VPC). The two controls differ in what they can express. A network ACL supports both allow and deny rules; rules are evaluated in ascending rule-number order and the first match decides, so a network ACL can explicitly block a single address. A security group contains allow rules only: traffic that matches no rule is dropped, so with a security group you block an address by not allowing it, not by writing a deny rule. Network ACLs are also stateless. If you use a network ACL, then the rules must explicitly allow return traffic (typically an outbound rule for the ephemeral port range). Security groups are stateful and automatically allow return traffic regardless of the rules that you create.

Note: Because network ACLs function at the subnet level, rules apply to all instances in associated subnets.

Use a network ACL to allow or block a specific IP address

Complete the following steps:

  1. Create the network ACL.
  2. Add rules to the network ACL to block or allow the IP address. Give a deny rule a lower rule number than any allow rule that would also match the address, because the first matching rule wins, and add an outbound rule that allows the return traffic.
  3. Associate a subnet with the network ACL.

Use a security group to allow specific IP addresses (and implicitly block all others)

Note: Security group rules act as a stateful firewall for the associated instances. A new security group has no inbound rules, so by default it blocks all inbound traffic. Security groups contain allow rules only: to admit traffic, you must explicitly allow the IP address or IP address ranges in the inbound rules, and every address that you do not list stays blocked.

Complete the following steps:

  1. Create a security group in your VPC.
  2. Add inbound rules to the security group that allow the IP addresses or CIDR ranges that you want to admit. Don't add rules for addresses that you want to block; anything that no rule allows is dropped.
  3. Associate the security group with the instance.
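The following is an added, self-contained model of how the two procedures above behave; it is example code written for this page, not AWS's own code, and it calls no AWS API. It reproduces the documented evaluation rules (network ACL: numbered rules, lowest first, first match wins, explicit allow or deny, stateless; security group: allow rules only, any match allows, stateful) so you can see why a deny rule belongs in a network ACL, why the network ACL needs an outbound return-traffic rule, and how many allow-list CIDRs a security group would need to approximate "everyone except this one address". The addresses 203.0.113.5, 198.51.100.0/24 and 10.0.0.10 and all ports are constructed sample values.

```python
"""Model of Amazon VPC network ACL vs. security group evaluation (illustration only)."""
import ipaddress
from dataclasses import dataclass

ALL_IPV4 = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    src: str      # source address
    dst: str      # destination address
    proto: str    # "tcp" or "udp"
    dport: int    # destination port
    sport: int    # source (ephemeral) port


@dataclass(frozen=True)
class NaclRule:
    number: int   # rule number; lower numbers are evaluated first
    action: str   # "allow" or "deny"
    cidr: str
    proto: str    # "tcp", "udp" or "all"
    ports: tuple  # inclusive (low, high)

    def matches(self, addr, proto, port):
        return (ipaddress.ip_address(addr) in ipaddress.ip_network(self.cidr)
                and self.proto in ("all", proto)
                and self.ports[0] <= port <= self.ports[1])


def nacl_evaluate(rules, addr, proto, port):
    """First matching rule in ascending number order decides; the implicit
    final '*' rule denies anything that matched nothing."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(addr, proto, port):
            return rule.action == "allow"
    return False


def nacl_connection_allowed(inbound, outbound, pkt):
    """Stateless: the request must pass the inbound rules, and the reply
    (to pkt.src on pkt.sport) must independently pass the outbound rules."""
    request_ok = nacl_evaluate(inbound, pkt.src, pkt.proto, pkt.dport)
    reply_ok = nacl_evaluate(outbound, pkt.src, pkt.proto, pkt.sport)
    return request_ok and reply_ok


@dataclass(frozen=True)
class SgRule:
    cidr: str
    proto: str
    ports: tuple


def sg_connection_allowed(rules, pkt):
    """Allow rules only and stateful: the connection is admitted if any rule
    matches the inbound packet; the reply is then tracked and allowed without
    any outbound rule. There is no deny rule to express."""
    return any(ipaddress.ip_address(pkt.src) in ipaddress.ip_network(r.cidr)
               and r.proto in ("all", pkt.proto)
               and r.ports[0] <= pkt.dport <= r.ports[1]
               for r in rules)


def cidrs_excluding(blocked_cidr):
    """Allow-list equivalent of 'everything except blocked_cidr': the set of
    networks that together cover 0.0.0.0/0 minus the blocked network."""
    return [str(n) for n in ALL_IPV4.address_exclude(ipaddress.ip_network(blocked_cidr))]


# Constructed sample policy: block one address, allow HTTPS from everyone else.
BLOCKED = "203.0.113.5"
NACL_IN = [
    NaclRule(100, "deny", f"{BLOCKED}/32", "all", (0, 65535)),
    NaclRule(110, "allow", "0.0.0.0/0", "tcp", (443, 443)),
]
NACL_OUT = [NaclRule(100, "allow", "0.0.0.0/0", "tcp", (1024, 65535))]  # return traffic
NACL_IN_MISORDERED = [  # same rules, deny numbered after the allow
    NaclRule(120, "deny", f"{BLOCKED}/32", "all", (0, 65535)),
    NaclRule(110, "allow", "0.0.0.0/0", "tcp", (443, 443)),
]
SG_IN = [SgRule("198.51.100.0/24", "tcp", (22, 22))]  # SSH from one office range only


def demo():
    good = Packet("198.51.100.7", "10.0.0.10", "tcp", 443, 50000)
    bad = Packet(BLOCKED, "10.0.0.10", "tcp", 443, 50000)
    ssh = Packet("198.51.100.7", "10.0.0.10", "tcp", 22, 50001)
    return {
        "nacl_allows_other_source": nacl_connection_allowed(NACL_IN, NACL_OUT, good),
        "nacl_blocks_listed_ip": nacl_connection_allowed(NACL_IN, NACL_OUT, bad),
        "nacl_without_return_rule": nacl_connection_allowed(NACL_IN, [], good),
        "nacl_deny_after_allow_is_ignored": nacl_connection_allowed(NACL_IN_MISORDERED, NACL_OUT, bad),
        "sg_allows_listed_source": sg_connection_allowed(SG_IN, ssh),
        "sg_drops_unlisted_source": sg_connection_allowed(SG_IN, bad),
        "sg_rules_to_exclude_one_ip": len(cidrs_excluding(f"{BLOCKED}/32")),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Three results are the ones to take away: the misordered network ACL admits the address you meant to block because rule 110 matches first, the network ACL with no outbound rule drops the reply even though the request was allowed, and approximating a single-address block with security group allow rules takes 32 CIDRs per excluded address, which is the "unwieldy" enumeration the comment below refers to.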

Related information

Ensure internetwork traffic privacy in Amazon VPC

Control subnet traffic with network access control lists

Control traffic to your AWS resources using security groups

AWS OFFICIAL, updated 24 days ago
2 Comments

I was under the impression that a VPC security group could only allow IP addresses (or CIDR ranges of IP addresses), not actually block specific IP addresses. Granted, you could get creative with multiple CIDR ranges, but... this seems unwieldy at best. So the official advice given here (about VPC security groups, specifically) seems misleading.

But I'm prepared to be proven wrong.

replied 9 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS EXPERT replied 9 months ago