VISI

Blocking an IP Address

  • EC2 directly: NACL deny rule (best option at subnet level) or security group deny (SG is allow-only, so configure to not allow that IP) + optional firewall software on EC2.
  • With ALB: NACL on the subnet (ALB connection terminates at ALB, so you need NACL, not EC2 SG). WAF on ALB for sophisticated filtering.
  • With NLB: NLB passes through, so EC2 sees real client IP. Use NACL.
  • With CloudFront + ALB: Use CloudFront Geo Restriction or WAF (IP filtering) at CloudFront. NACL is less useful (only blocks CloudFront edge IP, not client IP).

References

Study tools

Mark this unit complete when you finish it.