
AWS Network Firewall can it reference an external block list

0

Hello,

I'm trying to research whether the AWS Network Firewall and the AWS WAF can reference an external block list. I've found articles that talked about how both applications have endpoints and APIs to reference (HTTP requests), but not one article talking about whether it's possible for the AWS Network Firewall and the AWS WAF to reference an external dynamic list where they would block the IPs on that list.

Any help would be appreciated.

2 Answers
1
Accepted Answer

Yes, both AWS Network Firewall and AWS WAF offer functionality to reference external block lists of IP addresses for blocking traffic. You can leverage these capabilities to enhance your security posture by blocking known malicious IP addresses and mitigating threats to your applications and network infrastructure. You can refer to this AWS documentation for more in-depth information on this: https://aws.amazon.com/waf/faqs/

Hope it clarifies, and if it does I would appreciate the answer being accepted so that the community can benefit from the clarity, thanks ;)

EXPERT
answered 2 years ago
EXPERT
reviewed 2 years ago
1

Neither AWS Network Firewall nor AWS WAF natively supports consuming an external IP block list directly from a customer-managed source such as an S3 text file. However, both services provide APIs that allow you to programmatically update rule group configurations with the IP addresses you want to allow or block.

A common approach is to automate this with the following pattern:

  1. Amazon EventBridge — A scheduled rule triggers on a defined interval (e.g., every 15 minutes or hourly)
  2. AWS Lambda — The EventBridge rule invokes a Lambda function that:
    • Downloads the current IP list from S3 (or any external source)
    • Transforms the list into the correct format for the target service
    • Calls the appropriate API to apply the updates

For AWS WAF, you can use IP Sets which provide a dedicated resource for managing lists of IP addresses. The Lambda function would call UpdateIPSet to apply the changes. Additionally, AWS provides the AWS WAF Security Automations solution template which includes pre-built automation for IP list management and other common WAF use cases.

For AWS Network Firewall, the IP addresses would be managed through IP Set References in a Suricata-compatible rule group or via rule variables, updated through the UpdateRuleGroup API. Example automation patterns are available in the AWS Network Firewall Automation Examples repository on GitHub.

This pattern gives you full control over the update frequency and transformation logic while keeping the IP list management in your hands.

AWS
answered 13 days ago
AWS
EXPERT
reviewed 10 days ago
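The EventBridge-plus-Lambda pattern described in the second answer, written out as an added example for the AWS WAF side (this is illustrative code, not code from the answer, the AWS WAF Security Automations solution, or any AWS repository). It assumes a block list kept as a plain-text S3 object, one IP or CIDR per line with `#` comments, and hypothetical IP set names and environment variables. The parsing step is where the caveats live: WAFv2 rejects `/0`, holds IPv4 and IPv6 in separate IP sets, and has a default quota of 10,000 addresses per set; `UpdateIPSet` is a full replacement rather than a merge and must carry the `LockToken` from the most recent `GetIPSet`, so a concurrent edit fails loudly instead of being silently overwritten. The feed below is constructed for the example.

```python
"""
Added example (not from the AWS re:Post answer): a Lambda-style updater that
pulls a block list from S3, normalises and sanity-checks it, and replaces the
contents of an AWS WAFv2 IP set with UpdateIPSet.  The AWS clients are passed
in, so the parsing and guard logic can be exercised offline.
"""
import ipaddress
import os

# Hypothetical resource names; set these to your own IP set.
IPSET_NAME = os.environ.get("IPSET_NAME", "external-blocklist-v4")
IPSET_ID = os.environ.get("IPSET_ID", "00000000-0000-0000-0000-000000000000")
SCOPE = os.environ.get("SCOPE", "REGIONAL")  # CLOUDFRONT-scoped sets live in us-east-1
WAF_IPSET_MAX = 10000  # WAFv2 default quota: addresses per IP set

# Constructed sample feed (RFC 5737/3849 documentation ranges, not a real threat list).
SAMPLE_FEED = """\
# constructed block list
198.51.100.23
198.51.100.23        # duplicate
203.0.113.0/24
192.0.2.77/32
2001:db8::/32
0.0.0.0/0            # poisoned entry: would block everything
not-an-ip
"""


def parse_blocklist(text, min_prefix_v4=8, min_prefix_v6=32):
    """Turn a raw feed into {"IPV4": [...], "IPV6": [...], "rejected": [...]}.

    Bare IPs become /32 or /128, host bits are masked off, duplicates collapse,
    blank lines and '#' comments are ignored.  Anything unparsable, /0, or
    broader than the minimum prefix is rejected rather than passed to WAF, so
    a poisoned feed cannot push 0.0.0.0/0 (or the whole call) into the set.
    IPv4 and IPv6 are split because a WAFv2 IP set holds only one version.
    """
    v4, v6, rejected = set(), set(), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            rejected.append(line)
            continue
        floor = min_prefix_v4 if net.version == 4 else min_prefix_v6
        if net.prefixlen == 0 or net.prefixlen < floor:
            rejected.append(line)
            continue
        (v4 if net.version == 4 else v6).add(net)
    return {
        "IPV4": [str(n) for n in sorted(v4)],
        "IPV6": [str(n) for n in sorted(v6)],
        "rejected": rejected,
    }


def replace_ipset_addresses(wafv2, name, ipset_id, scope, addresses):
    """Replace the whole address list of a WAFv2 IP set; return True if written.

    UpdateIPSet overwrites Addresses entirely and requires the LockToken from
    the latest GetIPSet (optimistic locking).  A stale token raises
    WAFOptimisticLockException on the real API instead of clobbering a
    concurrent change.  Unchanged lists are skipped to avoid needless writes.
    """
    if len(addresses) > WAF_IPSET_MAX:
        raise ValueError(f"{len(addresses)} addresses exceeds IP set quota {WAF_IPSET_MAX}")
    current = wafv2.get_ip_set(Name=name, Scope=scope, Id=ipset_id)
    if sorted(current["IPSet"]["Addresses"]) == sorted(addresses):
        return False
    wafv2.update_ip_set(
        Name=name, Scope=scope, Id=ipset_id,
        Addresses=addresses, LockToken=current["LockToken"],
    )
    return True


def lambda_handler(event, context):
    """Entry point for the EventBridge schedule (hypothetical env var names)."""
    import boto3  # present in the Lambda runtime; imported here so parsing stays offline-testable
    s3 = boto3.client("s3")
    wafv2 = boto3.client("wafv2")
    obj = s3.get_object(Bucket=os.environ["BLOCKLIST_BUCKET"], Key=os.environ["BLOCKLIST_KEY"])
    parsed = parse_blocklist(obj["Body"].read().decode("utf-8"))
    changed = replace_ipset_addresses(wafv2, IPSET_NAME, IPSET_ID, SCOPE, parsed["IPV4"])
    # Surface rejected lines in the log so a corrupted feed is noticed, not silently trimmed.
    return {"updated": changed, "count": len(parsed["IPV4"]), "rejected": parsed["rejected"]}
```

The Lambda role needs only `wafv2:GetIPSet` and `wafv2:UpdateIPSet` on the one IP set ARN plus `s3:GetObject` on the list object. The AWS Network Firewall side follows the same shape: `DescribeRuleGroup` returns an `UpdateToken` that `UpdateRuleGroup` must echo back, and the addresses go into the rule group's `RuleVariables.IPSets` rather than into a WAF IP set.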
