Deny IP address on AWS ELB
I have, more or less, the following configuration on AWS:
Elastic load balancer with 3 machines on 3 different availability zones. My security group allows 0.0.0.0/0:80 as it's my Rails application (nginx, unicorn).
I was wondering if there's any way to deny access to my app from a specific public IP address? I've been reading AWS documentation, but as SGs are "deny all" there's no way to deny just one specific IP address.
Any ideas? iptables on the 3 machines behind load balancer?
Thanks!
A straightforward solution is to use a VPC Network ACL Inbound Rule. This only works if your ELB is in a VPC, but if you've created it in the last few years it should be in the default one.
To ban 1.2.3.4 for example, do the following:
- Login to AWS.
- Navigate to VPC.
- Choose Network ACLs from the left hand menu.
- Choose the ACL associated with the VPC your ELB is in.
- Choose the Inbound Rules tab.
- Choose Edit and add a new rule with the following attributes:
  - Rule #: 50 (any number as long as it's less than the rule that ALLOWs from ALL)
  - Type: ALL Traffic
  - Protocol: ALL
  - Port Range: ALL
  - Source: 1.2.3.4/32
  - Allow / Deny: DENY
There's a bunch more information about Network ACLs here: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_ACLs.html
If you only need to blacklist a few IPs you could probably use nginx_http_access_module on your web server.
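One caveat with that approach: behind an ELB the address nginx sees in $remote_addr is the load balancer node's, not the client's, so a bare `deny 1.2.3.4` never matches. The configuration below is an added example (mine, not from either answer) that pairs ngx_http_access_module with ngx_http_realip_module so the deny is applied to the real client address. It assumes a Classic ELB HTTP listener (which appends the client address to X-Forwarded-For), nginx built with the realip module (the official packages include it), and 10.0.0.0/16 as a placeholder for your VPC CIDR.

```nginx
# Added example, not part of either answer above.
http {
    # ngx_http_realip_module: replace $remote_addr (the ELB node's private
    # address) with the client address taken from X-Forwarded-For.
    # Only addresses matching set_real_ip_from are trusted as proxies. With
    # real_ip_recursive on, nginx walks the header from the right and stops
    # at the first address that is NOT a trusted proxy, so a client cannot
    # bypass the deny by prepending a fake address to the header itself.
    set_real_ip_from  10.0.0.0/16;      # placeholder: your VPC CIDR (ELB nodes live here)
    real_ip_header    X-Forwarded-For;
    real_ip_recursive on;

    upstream unicorn {
        server unix:/tmp/unicorn.sock;  # placeholder: your Unicorn socket
    }

    server {
        listen 80;

        location / {
            # ngx_http_access_module: rules are checked in order, first match wins.
            deny  1.2.3.4;          # the single address to block
            deny  203.0.113.0/24;   # a whole range can be blocked the same way
            allow all;              # everything else, including ELB health checks

            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_pass http://unicorn;
        }
    }
}
```

Run `nginx -t` after editing, then confirm in the access log that $remote_addr now shows public client addresses rather than the ELB's private ones; if it still shows the ELB, the listener is TCP rather than HTTP and no X-Forwarded-For is being added.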