
How do I block IP addresses using AWS WAF IP sets?

To block specific IP addresses with AWS WAF's IP set functionality, create an IP set containing the addresses or CIDR blocks you want to block, create a Web ACL with a rule that references that IP set, and then associate the Web ACL with the resource you want to protect. The IP set and the Web ACL must share a scope: REGIONAL for an Application Load Balancer, an API Gateway REST API stage, an AppSync API or another regional resource (the example below uses this scope), or CLOUDFRONT, created in us-east-1, for a CloudFront distribution. A REGIONAL Web ACL cannot be attached to CloudFront.

Below is an example of how to configure this:

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Define the IP set with the list of addresses to block.
// WAFv2 only accepts CIDR notation: a single host is written as /32
// (or /128 for IPv6), and one IP set holds one address version.
const blockedIps = new aws.wafv2.IpSet("blocked_ips", {
    name: "blocked-ips",
    scope: "REGIONAL", // must match the Web ACL's scope
    description: "IP Set to block specific IP addresses",
    ipAddressVersion: "IPV4",
    addresses: [
        "192.0.2.0/24",
        "203.0.113.5/32",
    ],
});

// Define a Web ACL with a rule that blocks requests whose source IP is in the IP set.
const webAcl = new aws.wafv2.WebAcl("web_acl", {
    name: "blocked-ips-web-acl",
    scope: "REGIONAL",
    description: "Web ACL to block specific IP addresses",
    // Requests that match no rule are allowed; only the IP set rule blocks.
    defaultAction: {
        allow: {},
    },
    rules: [{
        name: "block-ips-rule",
        priority: 1, // lowest number is evaluated first
        action: {
            block: {},
        },
        statement: {
            ipSetReferenceStatement: {
                arn: blockedIps.arn,
            },
        },
        // Per-rule CloudWatch metric and sampled requests, useful for confirming blocks.
        visibilityConfig: {
            sampledRequestsEnabled: true,
            cloudwatchMetricsEnabled: true,
            metricName: "block-ips-rule",
        },
    }],
    visibilityConfig: {
        cloudwatchMetricsEnabled: true,
        metricName: "blocked-ips-web-acl",
        sampledRequestsEnabled: true,
    },
});

// Export the Web ACL ARN; it is the value an association needs.
export const webAclArn = webAcl.arn;

In summary, we've defined an IP set containing the IP addresses to block, created a Web ACL with a rule that references this IP set, and exported the Web ACL ARN. Nothing is blocked until the Web ACL is associated with a resource: for regional resources, create an aws.wafv2.WebAclAssociation whose resourceArn is the load balancer, API Gateway stage or other target and whose webAclArn is the exported ARN; for a CloudFront distribution, set the distribution's webAclId to the ARN of a CLOUDFRONT-scoped Web ACL. Once associated, requests from the listed addresses are blocked at the web application firewall, before they reach the application. Keep in mind that WAF matches the source IP of the connection it sees; if the protected resource sits behind another proxy or CDN, that address is the proxy's, and the rule needs a forwarded-IP configuration to evaluate the client address from a header instead.
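Before addresses reach the IP set, it pays to validate them, because WAFv2 accepts only CIDR notation (a single host must be written as /32 or /128), rejects /0, holds one address version per set and caps a set at 10,000 entries. The following Python is an added example, not code from this page or from Pulumi: normalize_blocklist() turns an operator-maintained list into the address lists you would pass to aws.wafv2.IpSet (one IPv4 set, one IPv6 set), collapsing overlapping blocks and enforcing a local minimum prefix length that is an assumed policy rather than an AWS limit, and block_ip_set_rule() emits the rule in the JSON shape of the WAFv2 API (Pulumi's arguments mirror these keys in camelCase), optionally with an IPSetForwardedIPConfig for resources behind a proxy. The sample list and the ARN are constructed placeholders.

```python
"""Prepare a WAFv2 IP-set blocklist and the rule that references it.

Added example, not from the original page and not Pulumi's own code.
"""
import ipaddress

# AWS WAFv2 quota: addresses per IP set.
MAX_ADDRESSES_PER_IP_SET = 10_000

# Local policy (an assumption, not an AWS limit): refuse prefixes broader
# than these so a typo such as "10.0.0.0/2" cannot block most of the
# internet. WAFv2 itself accepts every prefix length except /0.
DEFAULT_MIN_PREFIXLEN = {4: 8, 6: 32}


def normalize_blocklist(raw_entries, min_prefixlen=DEFAULT_MIN_PREFIXLEN):
    """Split raw entries into WAFv2-ready address lists, one per IP version.

    Returns (addresses, rejected): addresses is {"IPV4": [...], "IPV6": [...]}
    with explicit prefix lengths, host bits cleared, overlapping blocks
    collapsed and sorted; rejected is a list of (entry, reason) pairs for
    anything that must not reach the IP set.
    """
    accepted = {4: set(), 6: set()}
    rejected = []
    for entry in raw_entries:
        text = entry.strip()
        if not text or text.startswith("#"):
            continue  # blank line or comment in a hand-maintained list
        try:
            # strict=False turns "203.0.113.77/24" into 203.0.113.0/24 instead
            # of raising; a bare address becomes /32 or /128, the only form
            # WAFv2 accepts for a single host.
            network = ipaddress.ip_network(text, strict=False)
        except ValueError as exc:
            rejected.append((entry, f"not an address or CIDR block: {exc}"))
            continue
        if network.prefixlen == 0:
            rejected.append((entry, "/0 is rejected by WAFv2 and would block everyone"))
            continue
        if network.prefixlen < min_prefixlen[network.version]:
            rejected.append((entry, f"broader than /{min_prefixlen[network.version]}, "
                                    "needs explicit approval"))
            continue
        accepted[network.version].add(network)

    addresses = {}
    for version, label in ((4, "IPV4"), (6, "IPV6")):
        # Merge subsumed and adjacent blocks so the set stays small and
        # a /32 inside an already-listed /24 is not counted twice.
        networks = list(ipaddress.collapse_addresses(accepted[version]))
        if len(networks) > MAX_ADDRESSES_PER_IP_SET:
            raise ValueError(f"{label}: {len(networks)} entries exceed the "
                             f"{MAX_ADDRESSES_PER_IP_SET} per-IP-set quota; split the set")
        addresses[label] = [n.with_prefixlen for n in networks]
    return addresses, rejected


def block_ip_set_rule(ip_set_arn, priority, name=None, forwarded_ip_header=None):
    """Build one WAFv2 rule that blocks requests whose source IP is in the set.

    forwarded_ip_header: set to "X-Forwarded-For" when the protected resource
    sits behind a proxy or third-party CDN, so WAF matches the client address
    taken from that header rather than the proxy's connection IP.
    FallbackBehavior NO_MATCH lets a request with a missing or malformed
    header fall through to later rules instead of being blocked.
    """
    name = name or f"block-ip-set-{priority}"
    reference = {"ARN": ip_set_arn}
    if forwarded_ip_header:
        reference["IPSetForwardedIPConfig"] = {
            "HeaderName": forwarded_ip_header,
            "FallbackBehavior": "NO_MATCH",
            # FIRST is the leftmost address; it is client-controlled unless your
            # own edge rewrites the header, so pick the position your proxy
            # chain actually guarantees.
            "Position": "FIRST",
        }
    return {
        "Name": name,
        "Priority": priority,
        "Action": {"Block": {}},
        "Statement": {"IPSetReferenceStatement": reference},
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": name,
        },
    }


if __name__ == "__main__":
    # Constructed sample using documentation ranges: a comment line, a bare
    # host, a misaligned CIDR, a duplicate, an IPv6 block, a /0, an overly
    # broad block and junk.
    sample = [
        "# abusive scanners",
        "192.0.2.0/24",
        "203.0.113.5",
        "203.0.113.77/24",
        "192.0.2.0/24",
        "2001:db8::/32",
        "0.0.0.0/0",
        "10.0.0.0/2",
        "not-an-ip",
    ]
    addresses, rejected = normalize_blocklist(sample)
    print(addresses)
    for entry, reason in rejected:
        print(f"rejected {entry!r}: {reason}")
    # Placeholder ARN; in Pulumi you would pass blockedIps.arn instead.
    print(block_ip_set_rule("arn:aws:wafv2:placeholder", 1))
```

The IPv4 list that comes out (192.0.2.0/24 and 203.0.113.0/24, with the /32 absorbed into its /24) is what you hand to the IPv4 IP set; the IPv6 list goes into a second IP set with ipAddressVersion IPV6 and its own rule at a different priority.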
