To troubleshoot the issue with AWS WAF (Web Application Firewall) IP blocking not working, follow these steps:
1. **Verify IP Set Configuration**: Ensure that the IP set you created contains the correct IP addresses and that they are in the correct format (CIDR notation if necessary).
2. **Check Web ACL Configuration**: Verify that your Web ACL is correctly configured and associated with the resources you want to protect (e.g., CloudFront distribution, API Gateway, or ALB).
3. **Ensure Web ACL Association**: Make sure the Web ACL is associated with the correct AWS resource (e.g., CloudFront distribution, API Gateway, or ALB). If the ACL is not associated, the rules will not be applied.
4. **Rule Priority**: Ensure the rule you created has the correct priority. AWS WAF evaluates rules based on their priority, from lowest to highest. If there is an allow rule with a higher priority, it might override your block rule.
5. **Rule Action**: Confirm that the rule action is set to "Block."
6. **CloudFront IP Header**: If you are using CloudFront, ensure you are inspecting the correct header for the client IP address. CloudFront adds the client IP in the X-Forwarded-For header.
7. **Logging and Metrics**: Enable AWS WAF logging and inspect the logs to see if your requests are being matched against the rules. This can help you determine why the requests are not being blocked.
8. **Example Configuration**

#### IP Set
```yaml
Resources:
  MyIPSet:
    Type: "AWS::WAFv2::IPSet"
    Properties:
      Name: "BlockedIPs"
      Scope: "REGIONAL" # Use "CLOUDFRONT" for CloudFront
      IPAddressVersion: "IPV4"
      Addresses:
        - "203.0.113.0/24" # Replace with your IP addresses
```
#### Web ACL
```yaml
Resources:
  MyWebACL:
    Type: "AWS::WAFv2::WebACL"
    Properties:
      DefaultAction:
        Allow: {}
      Scope: "REGIONAL" # Use "CLOUDFRONT" for CloudFront
      Rules:
        - Name: "BlockIPs"
          Priority: 1
          Action:
            Block: {}
          Statement:
            IPSetReferenceStatement:
              Arn: !GetAtt MyIPSet.Arn
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: "BlockIPsMetric"
      VisibilityConfig:
        SampledRequestsEnabled: true
        CloudWatchMetricsEnabled: true
        MetricName: "WebACLMetric"
```
#### Associate Web ACL with ALB (for example)
```yaml
Parameters:
  MyLoadBalancerArn:
    Type: String # ARN of the ALB to protect

Resources:
  MyWebACLAssociation:
    Type: "AWS::WAFv2::WebACLAssociation"
    Properties:
      ResourceArn: !Ref MyLoadBalancerArn # Replace with your ALB ARN
      WebACLArn: !GetAtt MyWebACL.Arn # Ref on a WebACL returns its physical ID, not the ARN
```
Troubleshooting Tips:
- **IP Address Format**: Ensure that the IP addresses in your IP set are correctly formatted. For single IPs, use `/32` for IPv4 (e.g., `203.0.113.1/32`).
- **Scope**: Ensure the scope of your IP set and Web ACL matches the resource. Use `REGIONAL` for ALB, API Gateway, or AppSync, and `CLOUDFRONT` for CloudFront distributions.
- **Check Metrics and Logs**: Check AWS WAF logs and CloudWatch metrics to see if the rule is being evaluated and if requests from your IP address are being blocked.
- **Test with Other IPs**: Add other IPs to the IP set and test if they are being blocked. This can help determine if the issue is specific to your IP or a broader configuration issue.
- **Propagation Time**: Allow some time for the WAF configuration changes to propagate, especially if you are testing immediately after making changes.
If you've gone through these steps and the issue persists, consider reaching out to AWS Support for further assistance. They can provide more detailed insights based on your specific configuration and logs.
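Added example, not part of the answer above and not AWS code: an offline check for steps 1, 4 and 5 of the answer. It replays the Web ACL's rule order over a constructed copy of what `aws wafv2 get-web-acl` and `aws wafv2 get-ip-set` return (ARNs are placeholders) to show which rule a given client IP hits, including an allow rule with a lower priority number shadowing the block rule, and it flags IP set entries that are not canonical CIDR blocks. Only `IPSetReferenceStatement` rules are modelled; the association check itself is a separate call (`aws wafv2 get-web-acl-for-resource --resource-arn <ALB ARN>`) that this script does not make.

```python
import ipaddress

# Constructed sample mirroring the answer's CloudFormation: a trimmed
# `aws wafv2 get-web-acl` result. The "AllowOffice" rule with a lower
# priority number (evaluated first) is included to show rule shadowing.
WEB_ACL = {
    "DefaultAction": {"Allow": {}},
    "Rules": [
        {"Name": "AllowOffice", "Priority": 0, "Action": {"Allow": {}},
         "Statement": {"IPSetReferenceStatement": {"ARN": "arn:example:OfficeIPs"}}},
        {"Name": "BlockIPs", "Priority": 1, "Action": {"Block": {}},
         "Statement": {"IPSetReferenceStatement": {"ARN": "arn:example:BlockedIPs"}}},
    ],
}
# Constructed `aws wafv2 get-ip-set` Addresses, keyed by placeholder IP set ARN.
IP_SETS = {
    "arn:example:BlockedIPs": ["203.0.113.0/24"],
    "arn:example:OfficeIPs": ["203.0.113.10/32"],
}


def malformed_entries(addresses):
    """Return IP set entries that are not canonical CIDR blocks
    (no prefix length, or host bits set such as 203.0.113.1/24)."""
    bad = []
    for entry in addresses:
        try:
            if "/" not in entry:
                raise ValueError("missing prefix length")
            ipaddress.ip_network(entry, strict=True)
        except ValueError:
            bad.append(entry)
    return bad


def ip_in_set(client_ip, addresses):
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(a, strict=False) for a in addresses)


def evaluate(client_ip, web_acl=WEB_ACL, ip_sets=IP_SETS):
    """Walk IP-set rules in priority order (lowest number first) and return
    (action, rule_name) for the first match, else the Web ACL default action."""
    for rule in sorted(web_acl["Rules"], key=lambda r: r["Priority"]):
        stmt = rule["Statement"].get("IPSetReferenceStatement")
        if stmt and ip_in_set(client_ip, ip_sets[stmt["ARN"]]):
            return next(iter(rule["Action"])), rule["Name"]
    return next(iter(web_acl["DefaultAction"])), "DefaultAction"
```

Run `evaluate("203.0.113.10")` to see the office address allowed by the earlier rule even though it sits inside the blocked /24; swap the two priorities and the same address is blocked.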
Thank you Oleksii, your comment reminded me why it's always good to recheck everything. Our resource association was missing, we had to re-create the load balancer a long time ago (moving it into terraform) and this broke the link so it was never working on this ALB! Re-adding it solved the issue.