Configure rule groups in AWS Network Firewall to allow inbound traffic only from the hosts with particular DNS


I want to provide access to my EC2 instance to another company. The problem is that their IP addresses change, and due to this I cannot hardcode the IP addresses in the security groups of the EC2 instance. Now my question is: is it possible to configure security rules for inbound traffic on the basis of DNS? I have also tried to check the AWS Network Firewall service. In AWS Network Firewall, we can easily block domains for outbound traffic, but in my case I only want to allow inbound traffic for the hostname with a specific DNS. It seems like the AWS Network Firewall configurations do not support rules based on DNS lookup? Can anyone guide me in this regard if it's possible in AWS using AWS Network Firewall or some other service?

  • Is this access done publicly? Or via a private connection (VPN for example)?

1 Answer


To address your specific question about whether you can key on the domain in Security Groups: they cannot. Security Groups operate at layers 3/4 of the OSI model, whereas DNS operates in the upper layers.

I understand your struggle with the changing IP of the remote client. If you were to allow a CIDR for their Internet Service Provider, that could open access and is not advisable.

With this use case, it may be appropriate to use a bastion host so your remote clients can access your EC2 instance. Then use Security Groups to control that access.

A reference doc for intermediate bastion hosts:

answered a year ago
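Since Security Groups only understand IP ranges, the usual workaround when a partner publishes a stable hostname is to let something else do the DNS lookup and keep the group's rules in step with whatever the name currently resolves to. The script below is an added example illustrating that pattern; it is not part of the answer above and not AWS-provided code. It assumes a hypothetical partner hostname (partner.example.com) and security group ID (sg-0123456789abcdef0), an IAM principal allowed to call DescribeSecurityGroups, AuthorizeSecurityGroupIngress and RevokeSecurityGroupIngress, and boto3 installed when run against AWS. The DNS resolver, the sample IpPermissions list and the in-memory client are constructed so the logic runs offline; only rules tagged with a recognisable Description prefix are ever revoked, so rules an administrator added by hand are left alone.

```python
"""Keep a Security Group ingress rule in step with a partner hostname's current A records.

Added example (not from the answer above). Assumptions: the partner publishes a
stable hostname (partner.example.com and sg-0123456789abcdef0 are placeholders), the
caller has ec2:DescribeSecurityGroups, ec2:AuthorizeSecurityGroupIngress and
ec2:RevokeSecurityGroupIngress, and boto3 is installed when run against AWS.
"""
import socket
from typing import Callable, Dict, Iterable, List, Set, Tuple

MANAGED_PREFIX = "dns-sync:"  # only rules whose Description starts with this are ever revoked
Resolver = Callable[[str], Tuple[str, List[str], List[str]]]  # shape of socket.gethostbyname_ex

# Constructed sample of the IpPermissions list that DescribeSecurityGroups returns.
SAMPLE_PERMISSIONS: List[Dict] = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [
        {"CidrIp": "203.0.113.10/32", "Description": "dns-sync:partner.example.com"},
        {"CidrIp": "198.51.100.5/32", "Description": "dns-sync:partner.example.com"},
        {"CidrIp": "192.0.2.7/32", "Description": "office, added by hand"},
    ]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [
        {"CidrIp": "192.0.2.7/32", "Description": "office"}]},
]


def fake_resolver(name: str) -> Tuple[str, List[str], List[str]]:
    """Constructed stand-in for socket.gethostbyname_ex so the example runs offline."""
    return name, [], ["203.0.113.10", "203.0.113.11"]


def resolve_ipv4(hostnames: Iterable[str], resolver: Resolver = socket.gethostbyname_ex) -> Set[str]:
    """Return /32 CIDRs for every IPv4 address the hostnames currently resolve to."""
    cidrs: Set[str] = set()
    for name in hostnames:
        _canonical, _aliases, addrs = resolver(name)
        cidrs.update(f"{addr}/32" for addr in addrs)
    return cidrs


def managed_cidrs(permissions: List[Dict], port: int, proto: str = "tcp") -> Set[str]:
    """CIDRs of the rules this script owns: matching port/proto and carrying MANAGED_PREFIX."""
    found: Set[str] = set()
    for perm in permissions:
        if (perm.get("IpProtocol"), perm.get("FromPort"), perm.get("ToPort")) != (proto, port, port):
            continue
        for rng in perm.get("IpRanges", []):
            if rng.get("Description", "").startswith(MANAGED_PREFIX):
                found.add(rng["CidrIp"])
    return found


def plan(current: Set[str], desired: Set[str]) -> Tuple[Set[str], Set[str]]:
    """Return (to_authorize, to_revoke); hand-added rules never enter `current`, so are never revoked."""
    return desired - current, current - desired


def _permissions(cidrs: Set[str], port: int, proto: str, description: str) -> List[Dict]:
    return [{"IpProtocol": proto, "FromPort": port, "ToPort": port,
             "IpRanges": [{"CidrIp": c, "Description": description} for c in sorted(cidrs)]}]


def sync_security_group(sg_id: str, hostname: str, port: int, proto: str = "tcp",
                        ec2=None, resolver: Resolver = socket.gethostbyname_ex) -> Tuple[Set[str], Set[str]]:
    """Resolve, diff against the group, and issue only the authorize/revoke calls that are needed."""
    if ec2 is None:
        import boto3  # imported lazily so the planning helpers stay usable offline
        ec2 = boto3.client("ec2")
    desired = resolve_ipv4([hostname], resolver)
    if not desired:
        # Failure mode: an empty answer (DNS outage, NXDOMAIN) must not wipe the allowlist.
        raise RuntimeError(f"{hostname} resolved to no IPv4 addresses; leaving rules unchanged")
    group = ec2.describe_security_groups(GroupIds=[sg_id])["SecurityGroups"][0]
    current = managed_cidrs(group["IpPermissions"], port, proto)
    to_add, to_revoke = plan(current, desired)
    label = MANAGED_PREFIX + hostname
    if to_add:
        ec2.authorize_security_group_ingress(GroupId=sg_id, IpPermissions=_permissions(to_add, port, proto, label))
    if to_revoke:
        ec2.revoke_security_group_ingress(GroupId=sg_id, IpPermissions=_permissions(to_revoke, port, proto, label))
    return to_add, to_revoke


class FakeEC2:
    """Constructed in-memory client recording the calls a real boto3 client would receive."""
    def __init__(self, permissions: List[Dict]):
        self.permissions, self.calls = permissions, []

    def describe_security_groups(self, GroupIds):
        return {"SecurityGroups": [{"GroupId": GroupIds[0], "IpPermissions": self.permissions}]}

    def authorize_security_group_ingress(self, GroupId, IpPermissions):
        self.calls.append(("authorize", [r["CidrIp"] for r in IpPermissions[0]["IpRanges"]]))

    def revoke_security_group_ingress(self, GroupId, IpPermissions):
        self.calls.append(("revoke", [r["CidrIp"] for r in IpPermissions[0]["IpRanges"]]))
```

Run it on a schedule (a cron job on the bastion or a Lambda triggered by EventBridge) with `ec2=None` so a real boto3 client is created. Two caveats a practitioner should keep in mind: the group lags the partner's DNS by the polling interval plus record TTL, so connections from a freshly rotated address fail until the next run; and the allowlist is still a layer-3/4 control that trusts the partner's DNS zone, since anyone who can publish records under that name gets an inbound rule. It narrows exposure compared with an ISP-wide CIDR, but the bastion or VPN approach in the answer above, which authenticates the peer rather than its address, remains the stronger control.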
