Amazon Web Services Question posted in
The official Amazon Web Services documentation can be found here.

Amazon web services – AWS WAF with ALB: In Geo matching rule how to exclude internal IP's

their is an ALB associated with WAF. This ALB will be called by both public and other internal IPs.

I have enabled GEO Matching rule to allow only ["US"] calls. but the internal private IP don’t get labelled with any country. and it is getting blocked.

how to exclude internal IPs.

Tags:

2

Answers


  1. Chosen as BEST ANSWER
    0

    Let me update how I have solved it. please note the AWS Console UI doesn't support nested conditions. So I have created a rule as below.

    requirement: Internal IP's wont have geo locations, So allow Internal IP only or allow external IP only from "US" geo location.

    Rule:

    {
  "Name": "Allow_Geo_Match_or_Internal_IP",
  "Priority": 2,
  "Statement": {
    "NotStatement": {
      "Statement": {
        "OrStatement": {
          "Statements": [
            {
              "IPSetReferenceStatement": {
                "ARN": "<<IP-SET-ARN>>"
              }
            },
            {
              "GeoMatchStatement": {
                "CountryCodes": ["US"]
              }
            }
          ]
        }
      }
    }
  },
  "Action": {
    "Block": {}
  }
}

  2. 0

    You could create an IP set for your internal IP addresses and create a rule to allow it:

    1. AWS WAF > IP sets
    2. Click button Create IP set in the upper right corner
    3. IP set name: Allowed internal IPs
    4. Region – choose the region of your WAF
    5. IP addresses – add CIDR range for your internal IP range (for
      example 10.0.0.0/16). If you need more ranges or addresses, just
      separate them by new line
    6. In your Web ACL > Add rule > Add my own rule
    7. If a request matches a statement > Inspect -> Originates from an IP address in -> IP set – select previously created IP set
    8. Action -> Allow
    9. Save
    10. On next window you will be able to set a priority for rules. Put your new rule on priority that’s before the one that’s checking countries
    Login or Signup to reply.
Please signup or login to give your own answer.

Back To Top
Search