How do I allow my IP address while blocking other IP addresses using AWS WAF?

3 minute read

I've set up AWS WAF and I need to allow my IP address while blocking other IP addresses using AWS WAF. How can I do this?


AWS WAF can inspect the source IP address of a web request against a set of IP addresses and address ranges. You can create a rule that blocks requests from all IPs except the specific IPs in an IP set.

First, create an IP set

  1. Open the AWS WAF console.
  2. In the navigation pane, choose IP sets, and then choose Create IP set.
  3. Enter an IP set name and Description - optional for the IP set. For example: MyTrustedIPs.
    Note: You can't change the IP set name after you create the IP set.
  4. For Region, choose the AWS Region where you want to store the IP set. To use an IP set in web ACLs that protect Amazon CloudFront distributions, you must use Global (CloudFront).
  5. For IP version, choose the version that you want to use.
  6. For IP addresses, enter one IP address or an IP address range per line that you want to allow in CIDR notation.
    Note: AWS WAF supports all IPv4 and IPv6 CIDR ranges except for /0.
    To specify the IPv4 address, enter
    To specify the IPv6 address 0:0:0:0:0:ffff:c000:22c, enter 0:0:0:0:0:ffff:c000:22c/128.
    To specify the range of IPv4 addresses from to, enter
    To specify the range of IPv6 addresses from 2620:0:2d0:200:0:0:0:0 to 2620:0:2d0:200:ffff:ffff:ffff:ffff, enter 2620:0:2d0:200::/64.
  7. Review the settings for the IP set. If the IP set matches your specifications, choose Create IP set.

Then, create an IP match rule

  1. In the navigation pane, under AWS WAF, choose Web ACLs.
  2. For Region, select the AWS Region where you created your web ACL.
    Note: Select Global if your web ACL is set up for Amazon CloudFront.
  3. Select your web ACL.
  4. Choose Rules, and then choose Add Rules, Add my own rules and rule groups.
  5. For Name, enter a name to identify this rule. For example: Block-Other-IPs.
  6. For Type, choose Regular rule.
  7. For If a request, choose doesn't match the statement (NOT).
  8. On Statement, for Inspect, choose Originates from IP address in.
  9. For IP Set, choose the IP Set you created earlier. For example: MyTrustedIPs.
  10. For IP address to use as the originating address, choose Source IP address.
  11. For Action, choose Block.
  12. Choose Add rule.
  13. Choose Save.

The IP match rule blocks any IP not added to the IP set. For IPs added to an IP set, the request is evaluated by other rules below the rule. If there isn't a match, the web ACL default action is applied. For more information, see Processing order of rules and rule groups in a web ACL.

Related information

How do I use AWS WAF to block HTTP requests that don't contain a User-Agent header?

AWS OFFICIALUpdated 2 years ago