🚫 Blocking an IP Address from Accessing an AWS VPC - Deep Dive.
Scope:
- Intro,
- Understanding Entry Points Into a VPC,
- Blocking IPs at Each Network Layer,
- Layer 1: AWS Network ACLs + Network Load Balancer (NACLs + NLB),
- Layer 2: Security Groups,
- Layer 3: AWS WAF (Recommended for most applications),
- Layer 4: Load Balancer Listener Rules + Web Application Firewall (ALB + AWS WAF),
- Layer 5: VPC Route Tables (Advanced Pattern)
- Layer 6: Blocking via Transit Gateway (TGW)
- Layer 7: AWS Network Firewall (Enterprise-level solution),
- Layer 8: EC2 Host Firewall (iptables / Windows Firewall),
- Recommended Blocking Architecture (Best Practice),
- Summary Table for Blocking IPs (Layer, Service, Blocked Action, when to Use).
Intro:
All Layers of Control.
- Blocking traffic in AWS can happen at several places.
- VPC
networking,
- Load
balancers,
- API Gateway,
- WAF,
- EC2/ENI
level.
NB:
- The
appropriate method depends on where
the traffic enters AWS and what service is being protected.
Understanding Entry Points into a VPC
- Traffic reaches a VPC through one of the following:
A. Internet Gateway (IGW) → Public Subnets → EC2/ALB/NLB
- Inbound public traffic to public IPs.
B. NAT Gateway → Private Subnets
- Outbound traffic but can be indirectly relevant.
C. VPC Endpoints (Interface or
Gateway)
- Traffic to S3, DynamoDB, or private APIs.
D. AWS Load Balancers (ALB/NLB)
- Front-door for most internet-facing apps.
E. AWS API Gateway (Public or
Private)
- For API workloads.
NB:
- Blocking IPs may require action at different layers depending on the entry path.
Blocking IPs at Each Network Layer
Below is the full breakdown.
Layer
1: AWS Network ACLs + Network Load Balancer (NACLs + NLB)
- Best for:
- Subnet-level
blocking
- Direction:
- Stateless (must block inbound + outbound)
- NACLs apply to entire subnets, not individual resources.
- Sample:
- Block 203.0.113.15
- Subnet-level blocking
- Stateless (must block inbound + outbound)
- NACLs apply to entire subnets, not individual resources.
- Block 203.0.113.15
Inbound rule:
- Rule: 100
- Source:
203.0.113.15/32 - Action: DENY
- Protocol: ALL or required port
- Ports: ALL
Outbound
rule:
- Rule: 100
- Destination:
203.0.113.15/32 - Action: DENY
Pros
✔ Very effective, enforced earliest
✔ Protects entire subnets
✔ Good for brute-force mitigations
Cons
❌ Coarse-grained
❌ Hard to manage large deny lists
❌ No logging unless using VPC Flow Logs
Layer
2: Security Groups
- Best for:
- Instance/ENI-level filtering
- BUT:
- Security groups cannot explicitly block traffic.
- Security groups are allow-lists, not deny-lists.
So:
- ❌ twtech CANNOT use SGs to block an IP
- ✔ But twtech can avoid allowing a Particular IP deemed (considered) dangerous.
Layer
3: AWS WAF + ALB (Recommended for most
applications)
Best for:
- ALB
- API
Gateway
- CloudFront
NB:
- AWS WAF is the most scalable & maintainable way to block IPs.
How to block:
Create a Web ACL → Rule → IP Set with these actions:
- Rule type: IP match
- Condition:
203.0.113.15/32 - Action: Block
Attach
to:
- ALB
- API
Gateway
- AppSync
- CloudFront
Pros
✔ Scales globally
✔ Dynamic lists via IP sets
✔ Can block entire CIDR ranges
✔ Logging + automation (Lambda, Systems Manager)
Cons
❌ Not available for NLB
❌ Only blocks HTTP/S, not raw TCP
Layer
4: Load Balancer Listener Rules (ALB
only)
- twtech can block by returning HTTP 403 via ALB rules.
Sample Rule:
- IF Source
IP =
203.0.113.15/32 - THEN
Return fixed response:
403 Forbidden
Pros
✔ Very fast and works at L7
✔ No cost
Cons
❌ Only works for HTTP/HTTPS
❌ Limited rule complexity compared to WAF
Layer
5: VPC Route Tables (Advanced Pattern)
NB:
- twtech cannot “block” traffic with route tables directly.
- But it can blackhole routes by pointing them to null targets.
Rarely used for IP blocking, only for:
- Inter-VPC
- Hybrid
connectivity
- VPN/Direct
Connect IP isolation
Layer
6: Blocking via Transit Gateway (TGW)
- Best for multi-VPC or multi-account architectures.
twtech
can use:
- TGW Route Tables → Blackhole routes
- Security Group Policies (SGPs) across VPCs
- Network Firewall (ideal)
Layer
7: AWS Network Firewall (Enterprise-level solution)
Works
for:
- Stateful
filtering
- Threat
intelligence feeds
- Domain/IP
blocking
- Deep
packet inspection
Sample:
- Add an IPS rule to deny
203.0.113.15/32.
Pros
✔ Supports large IP deny lists
✔ Stateful firewall
✔ Centralized for many VPCs
Cons
- ❌ More expensive
- ❌ More complex setup
Layer 8: EC2
Host Firewall (iptables / Windows Firewall)
- Use only
if twtech must block at OS level.
Linux
iptables:
iptables -A INPUT -s 203.0.113.15 -j DROPRecommended Blocking Architecture (Best Practice For Web Applications)
CloudFront → WAF → ALB/NLB → VPC Subnets
Block IPs
in:
- AWS WAF (primary)
- Optionally NACLs for additional enforcement
For Private APIs
Use:
- VPC Endpoint Policy
- Security Groups
- Private API Gateway + WAF
For Multi-Account Enterprise
Use:
- AWS Network Firewall in centralized Security VPC
- Transit Gateway routing control
Summary Table for Blocking IPs (Layer, Service, Blocking Action, when to Use)
|
Layer |
Service |
Block Action |
When to Use |
|
NACL |
Subnet-level |
✔ |
Block at VPC perimeter |
|
Security Group |
ENI-level |
❌ (no deny rules) |
Allow-list only |
|
AWS WAF |
ALB/API Gateway |
✔✔✔ |
Best for HTTP/S apps |
|
ALB Listener |
ALB |
✔ |
Small IP blocks |
|
NLB |
TCP/UDP |
❌ |
Use NACL instead |
|
VPC Route Tables |
Routing |
❌ (not for IP
blocking) |
Hybrid networks |
|
Network Firewall |
Stateful firewall |
✔✔ |
Enterprise-scale blocking |
|
Host Firewall |
Instance-level |
✔ |
Last-resort security |
No comments:
Post a Comment