I want to restrict incoming and outgoing traffic from my Amazon Virtual Private Cloud (Amazon VPC) resources.
Resolution
Use security groups to restrict traffic at the EC2 instance or network interface level
You can use security groups to restrict traffic at the Amazon Elastic Compute Cloud (Amazon EC2) instance or network interface level. Security groups are stateful and contain only allow rules: traffic that matches no rule is dropped, and return traffic for an allowed connection is admitted without a separate rule. Configure your Amazon VPC's security group rules to permit only the traffic that your workload requires, in both directions.
Use network ACLs to restrict traffic at the subnet level
Create a network access control list (network ACL) to restrict traffic at the subnet boundary based on protocol, source and destination IP addresses, and source and destination ports. Network ACLs are stateless, so return traffic must be allowed explicitly in the opposite direction, typically on the ephemeral port range.
Note: Each rule in a network ACL contains a rule number. Amazon VPC evaluates your rules in order from the lowest numbered rule and applies the first rule that matches. Traffic that matches no rule is denied by the final * rule.
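The two controls above in Terraform, as an added example that is not from this article or from AWS: a security group that admits only HTTPS from a trusted range, beside a network ACL on the same subnet that shows rule ordering and the explicit return-traffic rules that stateless filtering needs. The CIDRs, names and variable values are placeholders.

```hcl
# Added example, not from the AWS article. The CIDR 203.0.113.0/24 stands in for
# your office or VPN egress range; the variables are placeholders you supply.
variable "vpc_id"    { type = string }
variable "subnet_id" { type = string }

locals {
  trusted_cidr = "203.0.113.0/24"
}

# Security groups are stateful and allow-only: anything not matched by a rule is
# dropped, and replies to an allowed connection are admitted automatically.
resource "aws_security_group" "web" {
  name        = "web-restricted"
  description = "HTTPS in from trusted range; HTTPS out only"
  vpc_id      = var.vpc_id
}

resource "aws_vpc_security_group_ingress_rule" "https_in" {
  security_group_id = aws_security_group.web.id
  description       = "HTTPS from the trusted range only"
  cidr_ipv4         = local.trusted_cidr
  ip_protocol       = "tcp"
  from_port         = 443
  to_port           = 443
}

# Terraform removes the allow-all egress rule that AWS adds to a new group, so
# without an explicit egress rule the instance has no outbound access at all.
resource "aws_vpc_security_group_egress_rule" "https_out" {
  security_group_id = aws_security_group.web.id
  description       = "Outbound HTTPS for package updates and APIs"
  cidr_ipv4         = "0.0.0.0/0"
  ip_protocol       = "tcp"
  from_port         = 443
  to_port           = 443
}

# Network ACLs are stateless and evaluated from the lowest rule number; the first
# match wins and the implicit final rule (*) denies everything else.
resource "aws_network_acl" "web" {
  vpc_id     = var.vpc_id
  subnet_ids = [var.subnet_id]

  # Rule 90 runs before rule 100, so this single-host deny wins even though the
  # broader allow for the same range follows it.
  ingress {
    rule_no    = 90
    protocol   = "tcp"
    action     = "deny"
    cidr_block = "203.0.113.250/32" # placeholder: one blocked host in the trusted range
    from_port  = 443
    to_port    = 443
  }
  ingress {
    rule_no    = 100
    protocol   = "tcp"
    action     = "allow"
    cidr_block = local.trusted_cidr
    from_port  = 443
    to_port    = 443
  }
  # Replies to the instance's own outbound HTTPS connections arrive on ephemeral
  # ports; a stateful security group would admit these, a network ACL will not.
  ingress {
    rule_no    = 110
    protocol   = "tcp"
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = 1024
    to_port    = 65535
  }

  egress {
    rule_no    = 100
    protocol   = "tcp"
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = 443
    to_port    = 443
  }
  # Responses to the trusted clients go back to their ephemeral source ports.
  egress {
    rule_no    = 110
    protocol   = "tcp"
    action     = "allow"
    cidr_block = local.trusted_cidr
    from_port  = 1024
    to_port    = 65535
  }
}
```

If you remove ingress rule 110, outbound HTTPS from the instance still leaves the subnet but every reply is dropped by the network ACL, which is the most common symptom of forgetting that network ACLs are stateless.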
Use AWS WAF to restrict incoming traffic
You can use AWS WAF to restrict incoming layer 7 HTTP and HTTPS traffic for resources such as Application Load Balancers, Amazon CloudFront distributions, and Amazon API Gateway APIs. Configure AWS WAF with an IP set match rule statement to restrict incoming HTTP and HTTPS traffic by source address.
Note: When you configure an IP set match rule statement, AWS WAF checks the IP address of each web request against the IP addresses and CIDR ranges in the referenced IP set. Whether a match allows or blocks the request depends on the rule action and on the web ACL's default action: an allow rule with a default action of block permits only known IP addresses, and a block rule with a default action of allow blocks known malicious IP addresses. Either pattern reduces the traffic that reaches your application, including layer 7 distributed denial of service (DDoS) traffic from listed sources.
Use AWS Managed Rules for AWS WAF or custom rules to protect your application. For more information, see How to customize behavior of AWS Managed Rules for AWS WAF. For information on web ACLs, see Working with web ACLs.
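An allowlist web ACL that combines the IP set match statement with an AWS Managed Rules group, as an added example that is not from this article or from AWS. The IP set is consulted by an allow rule and the default action is block, so any source outside the set is rejected; the managed rule group is ordered first so that it still inspects requests from trusted sources. The CIDR, names and the load balancer ARN variable are placeholders.

```hcl
# Added example, not from the AWS article. Placeholder values throughout.
variable "alb_arn" { type = string }

resource "aws_wafv2_ip_set" "trusted" {
  name               = "trusted-sources"
  scope              = "REGIONAL" # use CLOUDFRONT (in us-east-1) for a CloudFront distribution
  ip_address_version = "IPV4"
  addresses          = ["203.0.113.0/24"]
}

resource "aws_wafv2_web_acl" "app" {
  name  = "app-allowlist"
  scope = "REGIONAL"

  # Default block turns the IP set into an allowlist. Default allow with a
  # block-action rule would make the same IP set a blocklist instead.
  default_action {
    block {}
  }

  # Priority 0: managed rules run first. A match blocks the request regardless
  # of its source; a non-match falls through to the next rule.
  rule {
    name     = "aws-common-rules"
    priority = 0
    override_action {
      none {}
    }
    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "aws-common-rules"
      sampled_requests_enabled   = true
    }
  }

  # Priority 1: allow is terminating, so it must come after anything that
  # should still be able to block a trusted source.
  rule {
    name     = "allow-trusted-sources"
    priority = 1
    action {
      allow {}
    }
    statement {
      ip_set_reference_statement {
        arn = aws_wafv2_ip_set.trusted.arn
        # When a proxy or CDN sits in front of the load balancer, the client
        # address is only in X-Forwarded-For; enable this so WAF matches on it.
        # ip_set_forwarded_ip_config {
        #   fallback_behavior = "NO_MATCH"
        #   header_name       = "X-Forwarded-For"
        #   position          = "FIRST"
        # }
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "allow-trusted-sources"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "app-allowlist"
    sampled_requests_enabled   = true
  }
}

# A web ACL does nothing until it is associated with the protected resource.
resource "aws_wafv2_web_acl_association" "alb" {
  resource_arn = var.alb_arn
  web_acl_arn  = aws_wafv2_web_acl.app.arn
}
```

Leave the forwarded-IP configuration commented out unless a trusted proxy really does set the header: with it enabled, a client can place any address in X-Forwarded-For, and a fallback of NO_MATCH is what keeps a malformed header from being treated as trusted.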
Use Network Firewall to restrict traffic to Amazon VPC resources
Create an AWS Network Firewall firewall that drops unnecessary traffic to and from your Amazon VPC resources. Network Firewall inspects only the traffic that your route tables send through its firewall endpoints, so update the route tables for the subnets that you want to protect.
Use a stateful domain list rule group to allow or block access to specific domains. Domain list rules match the HTTP Host header and the TLS Server Name Indication (SNI), so they don't constrain traffic on other protocols; add further stateful rules for those. You can also deploy Network Firewall in an individual VPC to inspect traffic to and from AWS resources. For more information, see Deployment models for AWS Network Firewall.
For information on the Network Firewall flexible rules engine, see Hands-on walkthrough of the AWS Network Firewall flexible rules engine.
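The domain allowlist described above as a complete Network Firewall deployment, added here as an example that is not from this article or from AWS: a stateful domain list rule group, the firewall policy that references it, and a firewall placed in a dedicated firewall subnet. The domain, names and variable values are placeholders.

```hcl
# Added example, not from the AWS article. Placeholder values throughout.
variable "vpc_id"             { type = string }
variable "firewall_subnet_id" { type = string } # a dedicated subnet for the firewall endpoint

resource "aws_networkfirewall_rule_group" "allowed_domains" {
  name     = "allowed-egress-domains"
  type     = "STATEFUL"
  capacity = 100

  rule_group {
    rules_source {
      rules_source_list {
        # ALLOWLIST drops HTTP/TLS flows whose Host or SNI is not on the list.
        # DENYLIST would instead drop only the listed domains.
        generated_rules_type = "ALLOWLIST"
        target_types         = ["HTTP_HOST", "TLS_SNI"]
        # A leading dot matches the domain and all of its subdomains;
        # "example.com" without the dot would match only the exact name.
        targets = [".example.com"]
      }
    }
  }
}

resource "aws_networkfirewall_firewall_policy" "egress" {
  name = "egress-policy"

  firewall_policy {
    # The stateless engine hands every packet (and fragment) to the stateful
    # engine, where the domain list rule group is evaluated.
    stateless_default_actions          = ["aws:forward_to_sfe"]
    stateless_fragment_default_actions = ["aws:forward_to_sfe"]

    stateful_rule_group_reference {
      resource_arn = aws_networkfirewall_rule_group.allowed_domains.arn
    }
  }
}

resource "aws_networkfirewall_firewall" "egress" {
  name                = "egress-firewall"
  vpc_id              = var.vpc_id
  firewall_policy_arn = aws_networkfirewall_firewall_policy.egress.arn

  subnet_mapping {
    subnet_id = var.firewall_subnet_id
  }
}
```

Two caveats a practitioner will hit. First, nothing is inspected until the route tables of the protected subnets point at the firewall endpoint (its ID is exported in the firewall's firewall_status attribute) and the firewall subnet's own route table points onward to the internet gateway or NAT gateway. Second, the domain list only governs HTTP and TLS: a flow on any other port matches no rule in this policy and is allowed by the stateful engine's default behaviour, so pair the list with rules that drop the protocols you don't want, or restrict them with security groups and network ACLs.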
Use Route 53 DNS Firewall to filter DNS traffic from your Amazon VPC resources
Create a Route 53 Resolver DNS Firewall rule group that filters the DNS queries that your Amazon VPC resources send to the Route 53 Resolver. Make sure that you associate the rule group with the Amazon VPC; a rule group that isn't associated with a VPC has no effect. DNS Firewall doesn't see queries that a resource sends directly to an external DNS server, so restrict that traffic with security groups, network ACLs, or Network Firewall. For more information, see Getting started with Route 53 Resolver DNS Firewall.
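The rule group and VPC association described above, as an added example that is not from this article or from AWS: a constructed domain list, a rule that answers NXDOMAIN for queries matching it, and the association that makes the rule group take effect in one VPC. Domain names and the VPC ID variable are placeholders.

```hcl
# Added example, not from the AWS article. Placeholder values throughout.
variable "vpc_id" { type = string }

resource "aws_route53_resolver_firewall_domain_list" "blocked" {
  name = "blocked-domains"
  # Constructed list: the exact name plus a wildcard for its subdomains.
  domains = ["malicious.example.", "*.malicious.example."]
}

resource "aws_route53_resolver_firewall_rule_group" "egress_dns" {
  name = "egress-dns-filter"
}

resource "aws_route53_resolver_firewall_rule" "block_listed" {
  name                    = "block-listed-domains"
  firewall_rule_group_id  = aws_route53_resolver_firewall_rule_group.egress_dns.id
  firewall_domain_list_id = aws_route53_resolver_firewall_domain_list.blocked.id
  priority                = 100   # lower priority values are evaluated first within the group
  action                  = "BLOCK"
  block_response          = "NXDOMAIN" # NODATA, or OVERRIDE to return a sinkhole record, are the alternatives
}

# Nothing is filtered until the rule group is associated with the VPC.
resource "aws_route53_resolver_firewall_rule_group_association" "vpc" {
  name                   = "egress-dns-filter"
  firewall_rule_group_id = aws_route53_resolver_firewall_rule_group.egress_dns.id
  priority               = 101 # association priority must be between 101 and 9900
  vpc_id                 = var.vpc_id
  mutation_protection    = "ENABLED" # blocks deletion or modification of the association while set
}
```

Before switching a new list to BLOCK, run the same rule with action ALERT for a while and review the Resolver query logs: an ALERT rule logs matches without changing answers, which shows which workloads depend on the names you are about to deny.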
Use VPC endpoint policies to restrict access to Amazon VPC endpoints
Update your Amazon VPC's endpoint policy to define which principals can access the service that's associated with the endpoint, which actions they can perform, and which resources they can reach through the endpoint. An endpoint policy doesn't override identity-based or resource-based policies; a request must be allowed by every applicable policy.
Note: The default endpoint policy grants full access to the service through the endpoint. Replace it with a policy that allows only the principals, actions, and resources that you require.
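An S3 gateway endpoint whose policy replaces the default full-access policy, as an added example that is not from this article or from AWS. It allows only principals from your own AWS Organization to read, write and list a single bucket through the endpoint, which stops a compromised instance from pushing data to an attacker-owned bucket over the same private path. The Organization ID, bucket name and variable values are placeholders.

```hcl
# Added example, not from the AWS article. Placeholder values throughout.
variable "vpc_id"         { type = string }
variable "route_table_id" { type = string }
variable "region"         { type = string }

resource "aws_vpc_endpoint" "s3" {
  vpc_id            = var.vpc_id
  service_name      = "com.amazonaws.${var.region}.s3"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = [var.route_table_id]

  # Omitting `policy` leaves the default "Principal *, Action *, Resource *"
  # policy in place. This one narrows all three.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = "OrgPrincipalsToAppBucketOnly"
        Effect    = "Allow"
        Principal = "*"
        Action    = ["s3:GetObject", "s3:PutObject", "s3:ListBucket"]
        Resource = [
          "arn:aws:s3:::app-data-bucket",   # placeholder bucket name
          "arn:aws:s3:::app-data-bucket/*",
        ]
        Condition = {
          # Only identities that belong to this Organization may use the
          # endpoint, even though the Principal element is a wildcard.
          StringEquals = {
            "aws:PrincipalOrgID" = "o-exampleorgid" # placeholder Organization ID
          }
        }
      }
    ]
  })
}
```

The endpoint policy is one of three gates: the caller's IAM policy and the bucket policy must also allow the request. Keeping the wildcard Principal with the aws:PrincipalOrgID condition is the usual pattern, because listing individual role ARNs in an endpoint policy becomes unmaintainable quickly, while the condition still excludes every principal from outside the Organization.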
Use VPC BPA to restrict public internet access to VPCs and subnets
To prevent public internet access to the VPC resources in an AWS Region of your account, configure the following VPC Block Public Access (BPA) features:
- Activate block-bidirectional mode to block all traffic to and from internet gateways and egress-only internet gateways in the Region, except for VPCs and subnets that you exclude.
- Activate block-ingress mode to block all inbound internet traffic to the VPCs in the Region, except for VPCs and subnets that you exclude. Outbound connections through NAT gateways and egress-only internet gateways, and their return traffic, are still allowed.
- Create exclusions that exempt individual VPCs or subnets from VPC BPA.
Note: VPC BPA applies only to traffic through internet gateways and egress-only internet gateways. Traffic over VPC peering connections, transit gateways, AWS Direct Connect, and VPN connections isn't affected.
For more information, see Work with BPA.
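The BPA setting and one exclusion in Terraform, as an added example that is not from this article or from AWS: block-bidirectional mode for the Region the provider is configured for, with a single VPC that hosts public load balancers exempted. The resource names are those of the Terraform AWS provider and are assumed to be available in recent provider versions (check the provider documentation); the VPC ID variable is a placeholder.

```hcl
# Added example, not from the AWS article. Placeholder values throughout.
variable "public_vpc_id" { type = string } # the one VPC that may keep internet access

# Region-wide setting for this account. "block-ingress" keeps outbound access
# through NAT and egress-only internet gateways; "off" disables BPA.
resource "aws_vpc_block_public_access_options" "region" {
  internet_gateway_block_mode = "block-bidirectional"
}

# Exclusions are the only way a VPC or subnet keeps internet gateway traffic
# while BPA is on. "allow-egress" would exempt outbound connections only.
resource "aws_vpc_block_public_access_exclusion" "public_vpc" {
  vpc_id                          = var.public_vpc_id
  internet_gateway_exclusion_mode = "allow-bidirectional"

  depends_on = [aws_vpc_block_public_access_options.region]
}
```

Treat every exclusion as a finding to review: each one reopens the internet gateway path that BPA closed, so keep the list short, tag the exclusions with an owner, and alert on their creation from CloudTrail.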
Related information
How can I allow or block specific IPs on my EC2 instance?
How to get started with Amazon Route 53 Resolver DNS Firewall
Secure your Amazon VPC DNS resolution with Amazon Route 53 Resolver DNS Firewall