Working around an AWS network ACL rule limit

At a maximum, a VPC network ACL can have 40 rules applied.

I have a list of over 50 IP addresses that I need to explicitly block access to in our systems, over any port and any protocol. This is an ideal purpose for an ACL, but the limit is hindering me completing this task.

Of course, I can do this in IPTables on each host, but I want to block any and all traffic to all components in the VPC (to ELBs, for example). Furthermore, it's far more ideal to manage these rules in one place rather than on each and every host.

I am hoping there is some way, which I am not aware of, of doing this at the system/platform level. Security groups are explicit allow, with no deny action, so they won't do the trick.


Here’s a left-field idea: you could “null-route” the 50 blocked IPs by adding a “broken” route to the VPC route table for each IP.

This wouldn’t prevent the traffic from the IPs hitting your infrastructure (only the NACLs and the SGs will prevent that), but it’ll prevent the return traffic from ever making it “back home”.
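As an added example (not part of the answer above), here is a POSIX shell script that turns a blocklist file into the per-IP /32 routes the answer describes, printing the `aws ec2 create-route` commands for review rather than running them. The route table ID, the dead-end target and the route quota are placeholders/assumptions, not values from the question.

```shell
#!/bin/sh
# Added example: plan one /32 "null route" per blocked IP, as the answer
# suggests. Commands are printed, not executed, so the plan can be reviewed.
ROUTE_TABLE="${ROUTE_TABLE:-rtb-PLACEHOLDER}"      # placeholder route table
# Dead-end target (assumption): a dedicated ENI with nothing behind it, so
# the route is left in "blackhole" state rather than forwarding anywhere.
DEAD_END="${DEAD_END:-eni-PLACEHOLDER}"
# Default VPC quota is 50 non-propagated routes per route table (adjustable);
# a list of "over 50" addresses would need a quota increase first.
ROUTE_QUOTA="${ROUTE_QUOTA:-50}"

# Return 0 if $1 is a dotted-quad IPv4 address with each octet in 0-255.
is_ipv4() {
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  oldifs=$IFS; IFS=.
  set -- $1
  IFS=$oldifs
  for o in "$1" "$2" "$3" "$4"; do
    [ "$o" -le 255 ] || return 1
  done
  return 0
}

# Read IPs from $1 (one per line, '#' comments allowed), dedupe, validate,
# and print one create-route command per /32. Returns 1 if any line is
# invalid or the plan would exceed the route-table quota.
plan_null_routes() {
  file="$1"
  rc=0; n=0
  for ip in $(grep -v '^#' "$file" | sed 's/[[:space:]]//g' | grep -v '^$' | sort -u); do
    if ! is_ipv4 "$ip"; then
      echo "skipping invalid address: $ip" >&2
      rc=1; continue
    fi
    n=$((n + 1))
    echo "aws ec2 create-route --route-table-id $ROUTE_TABLE" \
         "--destination-cidr-block $ip/32 --network-interface-id $DEAD_END"
  done
  if [ "$n" -gt "$ROUTE_QUOTA" ]; then
    echo "plan needs $n routes; quota is $ROUTE_QUOTA, request an increase first" >&2
    rc=1
  fi
  return $rc
}
```

Pipe the output to `sh` only after checking it; remember the answer's caveat that this only drops the return path, so inbound packets still reach the hosts and this complements rather than replaces NACL/SG filtering.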