Blocking an IP Address
- EC2 directly: NACL deny rule (best option at subnet level) or security group deny (SG is allow-only, so configure to not allow that IP) + optional firewall software on EC2.
- With ALB: NACL on the subnet (ALB connection terminates at ALB, so you need NACL, not EC2 SG). WAF on ALB for sophisticated filtering.
- With NLB: NLB passes through, so EC2 sees real client IP. Use NACL.
- With CloudFront + ALB: Use CloudFront Geo Restriction or WAF (IP filtering) at CloudFront. NACL is less useful (only blocks CloudFront edge IP, not client IP).
