How do I use AWS WAF to create IP set rules to restrict IPv4 and IPv6 access?


I set up AWS WAF and I need to allow access for specific IPv4 and IPv6 addresses and block other IP addresses.

Resolution

AWS WAF can inspect the source IP address of a web request against a set of IP addresses and address ranges. You can create a rule that blocks requests from all IP addresses except the specific IP addresses in an IP set.

Create an IP set rule to restrict IPv4 and IPv6 access

Complete the following steps:

  1. Open the AWS WAF console.
  2. In the navigation pane, choose IP sets, and then choose Create IP set.
  3. For IP set name, enter a name, for example MyTrustedIPs.
    Note: You can't change the IP set name after you create the IP set.
  4. (Optional) For Description, enter a description for the IP set.
  5. For Region, choose the AWS Region where you want to store the IP set.
    Note: To use an IP set in web access control lists (web ACLs) that protect Amazon CloudFront distributions, you must use Global (CloudFront).
  6. For IP version, choose the version that you want to use.
  7. For IP addresses, enter, one per line, the IP addresses or IP address ranges that you want to allow, in CIDR notation.
    Note: AWS WAF supports all IPv4 and IPv6 CIDR ranges except for /0.
    Examples:
    To specify the IPv4 address 10.20.0.5, enter 10.20.0.5/32.
    To specify the IPv6 address 0:0:0:0:0:ffff:c000:22c, enter 0:0:0:0:0:ffff:c000:22c/128.
    To specify the range of IPv4 addresses from 10.20.0.0 to 10.20.0.255, enter 10.20.0.0/24.
    To specify the range of IPv6 addresses from 2620:0:2d0:200:0:0:0:0 to 2620:0:2d0:200:ffff:ffff:ffff:ffff, enter 2620:0:2d0:200::/64.
  8. Review the settings for the IP set, and then choose Create IP set.

Create an IP match rule

Complete the following steps:

  1. In the navigation pane, under AWS WAF, choose Web ACLs.
  2. For Region, select the Region where you created your web ACL.
    Note: If your web ACL is set up for CloudFront, then select Global.
  3. Select your web ACL.
  4. Choose Rules, and then choose Add Rules, Add my own rules and rule groups.
  5. For Name, enter a name to identify this rule, for example Block-Other-IPs.
  6. For Type, choose Regular rule.
  7. For If a request, choose doesn't match the statement (NOT).
  8. On Statement, for Inspect, choose Originates from IP address in.
  9. For IP Set, choose your IP set, for example MyTrustedIPs.
  10. For IP address to use as the originating address, choose Source IP address.
    Note: If your traffic routes through a content delivery network (CDN) or other proxy network, then use an IP address in the header. For more information, see Forwarded IP address.
  11. For Action, choose Block.
  12. Choose Add rule.
  13. Choose Save.

The IP match rule blocks requests from any IP address that isn't in the IP set. Requests from IP addresses that are in the IP set continue to the rules below this rule. If none of those rules match, then the web ACL default action is applied.
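The following Python script is an added example, not code from this article or from AWS. It checks a list of IP set entries the way the console does (CIDR notation required, /0 rejected, address version must match the set), builds the WAFv2 rule JSON that corresponds to the console steps above (a NotStatement wrapping an IPSetReferenceStatement with a Block action), and simulates the rule's decision for sample source addresses. It goes slightly beyond the page in one respect: a WAFv2 IP set holds only one IP version, so when you allow both IPv4 and IPv6 addresses you create two IP sets, and the builder combines their references with an OrStatement inside the NotStatement. The IP set ARNs and the sample addresses are constructed placeholders.

```python
"""Added example (not AWS's own code): validate IP-set entries, build the
WAFv2 "block everything not in my IP set" rule, and simulate its decision.

Assumptions: the ARNs are placeholders; the rule dict follows the WAFv2
UpdateWebACL request shape. One IP set holds one IP version, so IPv4 and
IPv6 allow-lists are two sets combined with an OrStatement inside the NOT.
"""
import ipaddress
import json


def validate_ip_set_entries(entries, ip_version):
    """Return normalized CIDR strings for an IPV4 or IPV6 IP set.

    Rejects what the console rejects: an entry without a prefix length,
    a /0 range, or an address whose version does not match the set.
    """
    want = 4 if ip_version == "IPV4" else 6
    normalized = []
    for entry in entries:
        if "/" not in entry:
            raise ValueError(f"{entry}: use CIDR notation, e.g. /32 or /128")
        net = ipaddress.ip_network(entry)  # strict: host bits must be zero
        if net.prefixlen == 0:
            raise ValueError(f"{entry}: /0 is not supported in an IP set")
        if net.version != want:
            raise ValueError(f"{entry}: IPv{net.version} entry in an {ip_version} set")
        normalized.append(net.with_prefixlen)
    return normalized


def build_block_other_ips_rule(ip_set_arns, priority=0, name="Block-Other-IPs",
                               forwarded_header=None):
    """Build the rule JSON equivalent of the console steps:
    doesn't match (NOT) -> Originates from IP address in <IP set> -> Block."""
    refs = []
    for arn in ip_set_arns:
        ref = {"ARN": arn}
        if forwarded_header:
            # Traffic arrives through a CDN/proxy: inspect the forwarded header
            # instead of the TCP source. NO_MATCH on a missing/malformed header
            # means the inner statement fails, the NOT matches, and the request
            # is blocked, which is the fail-closed behaviour an allow-list wants.
            ref["IPSetForwardedIPConfig"] = {
                "HeaderName": forwarded_header,
                "FallbackBehavior": "NO_MATCH",
                "Position": "FIRST",
            }
        refs.append({"IPSetReferenceStatement": ref})
    # One set: reference it directly. Two sets (IPv4 + IPv6): allow if in either.
    inner = refs[0] if len(refs) == 1 else {"OrStatement": {"Statements": refs}}
    return {
        "Name": name,
        "Priority": priority,
        "Statement": {"NotStatement": {"Statement": inner}},
        "Action": {"Block": {}},
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": name.replace("-", ""),
        },
    }


def block_other_ips_decision(source_ip, allowed_cidrs):
    """Simulate the rule for one request: BLOCK when the source address is in
    none of the allowed ranges, otherwise CONTINUE to the next rule or the
    web ACL default action. A mismatched IP version never matches a range."""
    addr = ipaddress.ip_address(source_ip)
    in_set = any(addr in ipaddress.ip_network(cidr) for cidr in allowed_cidrs)
    return "CONTINUE" if in_set else "BLOCK"


if __name__ == "__main__":
    # Constructed sample entries, taken from the examples in the article.
    v4 = validate_ip_set_entries(["10.20.0.5/32", "10.20.0.0/24"], "IPV4")
    v6 = validate_ip_set_entries(["2620:0:2d0:200:0:0:0:0/64"], "IPV6")
    rule = build_block_other_ips_rule([
        "arn:aws:wafv2:us-east-1:123456789012:regional/ipset/MyTrustedIPs-v4/PLACEHOLDER",
        "arn:aws:wafv2:us-east-1:123456789012:regional/ipset/MyTrustedIPs-v6/PLACEHOLDER",
    ])
    print(json.dumps(rule, indent=2))
    for ip in ["10.20.0.77", "10.21.0.1", "2620:0:2d0:200::1", "2620:0:2d0:201::1"]:
        print(ip, "->", block_other_ips_decision(ip, v4 + v6))
```

The printed rule can be placed in the Rules array of an `aws wafv2 update-web-acl --rules file://rules.json` call after you have created the IP sets with `aws wafv2 create-ip-set` (scope REGIONAL, or CLOUDFRONT with the us-east-1 Region, matching the Global (CloudFront) note above). The simulation makes the point of the last paragraph concrete: an address in the set is not allowed by this rule, it merely passes through to the rules below it and, failing those, to the web ACL default action.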

For more information, see Processing order of rules and rule groups in a web ACL.

Related information

How do I use AWS WAF to block HTTP requests that don't contain a user agent header?

AWS OFFICIAL. Updated a year ago.