Apache 2.4 config to allow ELB health check

I have an EC2 instance behind an AWS Application Load Balancer, running Apache 2.4.

The health check is configured to do a GET on /health/

I have virtual hosts configured, and two vhost entries - one with the servername, and one to handle incoming requests directly to the IP address. aaa_first should be loaded first, and therefore be the default.

However, when I go directly to the public IP of the instance, I get the default apache welcome page, and the health check gets a 403:

"GET /health/ HTTP/1.1" 403 199 "-" "ELB-HealthChecker/2.0"

aaa_first.conf contains:

<VirtualHost *:80>
  ServerName aaa

  <Location /var/www/html>
     Require all denied
  </Location>

  <Location /var/www/html/health>
     Require ip 10.151.0.0/20
     Require all denied
  </Location>
  CustomLog logs/0000_access.log combined-elb-host
</VirtualHost>

default.conf contains:

<VirtualHost *:80>
  ServerName host.example.com

  DocumentRoot /var/www/html
  DirectoryIndex index.html

  ErrorLog logs/error.log
  CustomLog logs/access.log combined-elb-host

  <Directory "/var/www/html">
    AllowOverride All
    Require all granted
  </Directory>
</VirtualHost>

What do I need to ensure that requests to the IP are blocked, except for the health checks coming from the ELB?


Change <Location /var/www/html/health> to <Location /health>. Location matches against URLs, not filesystem paths. From the docs:

The <Location> directive limits the scope of the enclosed directives by URL ... <Location> sections operate completely outside the filesystem. This has several consequences. Most importantly, <Location> directives should not be used to control access to filesystem locations.
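For reference, here is what the catch-all vhost from the question looks like once both <Location> blocks key on URL paths instead of filesystem paths. This is an added example, not the poster's file or the answer's; it assumes the ALB's subnets are within 10.151.0.0/20 (the range given in the question) and that the health check target is GET /health/.

```apacheconf
# aaa_first.conf (added example, not the original poster's config)
# Assumptions: ALB subnets lie within 10.151.0.0/20; health check hits GET /health/
<VirtualHost *:80>
  # Loaded first, so this vhost serves any request whose Host header matches
  # no other ServerName, including requests made directly to the instance IP.
  ServerName aaa

  DocumentRoot /var/www/html

  # Deny everything by default. "/" is a URL prefix, so it covers every path.
  <Location "/">
    Require all denied
  </Location>

  # A later <Location> replaces the Require rules of an earlier one for the
  # URLs it covers (default AuthMerging Off), so this re-opens only /health
  # and anything beneath it (/health/ included) to the ALB subnet.
  <Location "/health">
    Require ip 10.151.0.0/20
  </Location>

  CustomLog logs/0000_access.log combined-elb-host
</VirtualHost>
```

After saving, run `apachectl configtest` and reload. Note that authorization only decides whether the request may proceed; something still has to answer GET /health/ with a 200 (for example an index.html under /var/www/html/health/), otherwise the health checker will see a 404 instead of a 403 and the target will still be marked unhealthy.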