How do I restrict traffic to and from Amazon VPC resources?


I want to restrict incoming and outgoing traffic from my Amazon Virtual Private Cloud (Amazon VPC) resources.

Short description

To restrict inbound and outbound traffic from Amazon VPC resources, use one of the following methods:


Use security groups to restrict traffic at the instance or network interface level

Security groups permit only the specified traffic that you configure in the security group rules. For more information, see Work with security groups.

Use network ACLs to restrict traffic to subnets

Network ACL rules can restrict traffic based on protocol, source and destination IP addresses, and source and destination ports. Each rule in a network ACL is configured with a rule number. Rules are evaluated in order, starting from the lowest numbered rule, and the first rule that matches the traffic is applied. For more information, see Work with network ACLs.
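The two evaluation models described above differ in a way that matters when you debug a dropped connection: a security group is allow-only and any matching rule permits the traffic, whereas a network ACL is walked from the lowest rule number upward and the first match (allow or deny) decides. The following added example, which is not code from AWS or from this article, models both against constructed rule sets and packets; the CIDRs, ports and rule numbers are made up for illustration, and only the inbound direction is shown (a network ACL evaluates its outbound rules separately, because it is stateless).

```python
"""Evaluate a packet against security-group rules (stateful, allow-only,
any-rule match) and network ACL rules (stateless, numbered, first match wins).
Constructed example: the rule sets and packets are made up for illustration."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str        # source IP address
    dst_port: int   # destination port
    proto: str      # "tcp" or "udp"


def _matches(rule, pkt):
    """Shared match test used by both models: protocol, CIDR and port range."""
    if rule["proto"] not in ("all", pkt.proto):
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule["cidr"]):
        return False
    lo, hi = rule["ports"]
    return lo <= pkt.dst_port <= hi


def security_group_allows(rules, pkt):
    """Security groups contain only allow rules: any matching rule permits the
    packet, anything else is implicitly denied, and rule order is irrelevant."""
    return any(_matches(r, pkt) for r in rules)


def network_acl_decision(rules, pkt):
    """Network ACL rules are evaluated from the lowest rule number upward and
    the first match decides. The implicit '*' rule denies unmatched traffic."""
    for rule in sorted(rules, key=lambda r: r["number"]):
        if _matches(rule, pkt):
            return rule["action"], rule["number"]
    return "deny", "*"


# Constructed inbound security-group rules: HTTPS from one public range,
# SSH only from private address space.
SG_RULES = [
    {"proto": "tcp", "cidr": "203.0.113.0/24", "ports": (443, 443)},
    {"proto": "tcp", "cidr": "10.0.0.0/8", "ports": (22, 22)},
]

# Constructed inbound network ACL. Rule 90 is a deny that sits *below* the
# broad allow in rule 100, so it shadows it for that one subnet. Rule 200
# admits ephemeral ports, which a stateless ACL needs for return traffic.
NACL_RULES = [
    {"number": 100, "action": "allow", "proto": "tcp", "cidr": "0.0.0.0/0", "ports": (443, 443)},
    {"number": 90, "action": "deny", "proto": "tcp", "cidr": "198.51.100.0/24", "ports": (0, 65535)},
    {"number": 200, "action": "allow", "proto": "tcp", "cidr": "0.0.0.0/0", "ports": (1024, 65535)},
]


if __name__ == "__main__":
    for pkt in (Packet("203.0.113.5", 443, "tcp"), Packet("198.51.100.9", 443, "tcp"),
                Packet("203.0.113.5", 80, "tcp")):
        print(pkt, "SG:", security_group_allows(SG_RULES, pkt),
              "NACL:", network_acl_decision(NACL_RULES, pkt))
```

Running the script shows why a host in 198.51.100.0/24 cannot reach port 443 even though rule 100 allows it from anywhere: the lower-numbered deny wins. If rule 90 were renumbered to 110 the same packet would be allowed, which is the ordering behaviour the article describes.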

Use AWS WAF to restrict incoming Layer 7 HTTPS traffic

When you configure AWS WAF with an IP set match rule statement, AWS WAF compares the source IP address of each web request against the IP addresses in the set. Use this statement to allow requests only from known IP addresses, or to block known malicious IP addresses and mitigate DDoS attacks.

You can also add AWS Managed Rules rule groups to AWS WAF to protect your application from vulnerabilities. For more information, see How to customize behavior of AWS Managed Rules for AWS WAF.

For information on web ACLs, see Working with web ACLs.

Use Network Firewall to restrict traffic to Amazon VPC resources

Network Firewall can filter traffic within an Amazon VPC and between Amazon VPCs, including incoming and outgoing traffic. For more information, see Step 3: Create a firewall.

To allow or block access to specific domains, use a stateful domain list rule group. You can also deploy Network Firewall in individual Amazon VPCs to inspect traffic to and from Amazon VPC resources. For more information, see Deployment models for AWS Network Firewall.

For information on the Network Firewall flexible rules engine, see the AWS Blogs posts on that topic.

Use Route 53 DNS Firewall to filter DNS traffic from your Amazon VPC resources

To filter DNS traffic from your Amazon VPC resources to the resolver, create a Route 53 DNS Firewall rule group. Make sure that you associate the rule group with the Amazon VPC. For more information, see Getting started with Route 53 Resolver DNS Firewall.
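Both the Network Firewall stateful domain list rule group described above and a Route 53 DNS Firewall rule group come down to the same operation: take a queried name, walk a set of priority-ordered rules, and apply the action of the first rule whose domain list matches. The added example below, which is not code from AWS or from this article, models that evaluation. The rule names, priorities and domains are constructed, the action names follow DNS Firewall's ALLOW/BLOCK/ALERT, and the wildcard convention (a `*.example` entry matches subdomains but not the apex name, so the apex must be listed separately) is an assumption stated here.

```python
"""Evaluate a DNS query name against priority-ordered domain-list rules.
Constructed example: rule names, priorities and domains are made up; the
wildcard semantics (`*.x` matches subdomains of x, not x itself) are an
assumption for this illustration."""


def domain_in_list(qname, domain_list):
    """True if qname matches any entry. Entries are exact names or `*.suffix`
    wildcards. Names are normalised to lower case without a trailing dot."""
    name = qname.lower().rstrip(".")
    for entry in domain_list:
        entry = entry.lower().rstrip(".")
        if entry.startswith("*."):
            # "*.bad.example" -> suffix ".bad.example"; endswith() cannot match
            # the apex "bad.example" itself, which is the assumed semantics.
            if name.endswith(entry[1:]):
                return True
        elif name == entry:
            return True
    return False


def evaluate_query(rules, qname, default="ALLOW"):
    """Rules are checked from the lowest priority number upward and the first
    matching rule decides. Unmatched queries fall through to `default`."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if domain_in_list(qname, rule["domains"]):
            return rule["action"], rule["name"]
    return default, None


# Constructed rule group: an allow list for corporate names at the lowest
# priority so it wins, a block list, and an alert-only list for monitoring.
RULES = [
    {"name": "allow-corp", "priority": 10, "action": "ALLOW",
     "domains": ["*.corp.example", "corp.example"]},
    {"name": "block-known-bad", "priority": 20, "action": "BLOCK",
     "domains": ["*.bad.example"]},
    {"name": "alert-dyndns", "priority": 30, "action": "ALERT",
     "domains": ["*.dyn.example"]},
]


if __name__ == "__main__":
    for q in ("api.corp.example.", "c2.bad.example", "bad.example", "host.dyn.example"):
        print(q, "->", evaluate_query(RULES, q))
```

Note the `bad.example` case: with only a `*.bad.example` entry the apex name is not blocked, which is the kind of gap to check for when you build a domain list.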

Use VPC endpoint policies to restrict access to Amazon VPC endpoints

You can use an endpoint policy to define which AWS principals have access to the associated service through the Amazon VPC endpoint. Endpoint policies also define what actions the AWS principals are allowed to perform. The default endpoint policy grants full access to the endpoint.
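Because the default endpoint policy is a single statement that allows every principal to perform every action on every resource, a useful review step is to scan endpoint policies for statements of that shape. The following added example, which is not code from AWS or from this article, embeds the documented default policy beside a constructed restrictive policy and reports any unconditioned Allow statement whose Principal, Action and Resource are all wildcards. The account ID, role name, bucket name and statement ID in the restrictive policy are made up.

```python
"""Flag VPC endpoint policy statements that grant full access.
Constructed example: the restrictive policy's account ID, role, bucket and Sid
are made up. DEFAULT_ENDPOINT_POLICY is the documented default that applies
when an endpoint is created without a policy."""
import json

DEFAULT_ENDPOINT_POLICY = {
    "Statement": [
        {"Action": "*", "Effect": "Allow", "Resource": "*", "Principal": "*"}
    ]
}

# Constructed: an S3 endpoint policy limited to one role and one bucket.
RESTRICTED_ENDPOINT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowOnlyAppRoleToOneBucket",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-role"},
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::example-app-bucket/*",
        }
    ],
}


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_wildcard(value):
    # Only the bare "*" is treated as full access; "s3:*" is broad but
    # service-scoped and is left for a separate, stricter check.
    return "*" in _as_list(value)


def _principal_is_anyone(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(_is_wildcard(v) for v in principal.values())
    return False


def full_access_statements(policy):
    """Return the Sid (or positional label) of each Allow statement that has
    no Condition and wildcards for Principal, Action and Resource.
    NotPrincipal/NotAction forms are not analysed here."""
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow" or "Condition" in st:
            continue
        if (_principal_is_anyone(st.get("Principal"))
                and _is_wildcard(st.get("Action", []))
                and _is_wildcard(st.get("Resource", []))):
            findings.append(st.get("Sid", f"statement[{i}]"))
    return findings


def check_policy_json(policy_json):
    """Convenience wrapper for a policy document fetched as a JSON string."""
    return full_access_statements(json.loads(policy_json))


if __name__ == "__main__":
    print("default:", full_access_statements(DEFAULT_ENDPOINT_POLICY))
    print("restricted:", full_access_statements(RESTRICTED_ENDPOINT_POLICY))
```

A policy that keeps `Principal: "*"` but adds a Condition (for example one that restricts the caller to your organization) is not reported, since the condition narrows the grant; the check is deliberately limited to the unconditioned default shape.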

Related information

How can I allow or block specific IPs on my EC2 instance?

How to get started with Amazon Route 53 Resolver DNS Firewall

Secure your Amazon VPC DNS resolution with Amazon Route 53 Resolver DNS Firewall

AWS Official. Updated 5 months ago.