Hello.
My question is: if I rate limit only the IP address, does it also affect the requests sent from instance A, not just external requests? For example, if instance A is sending more than 100 requests within 5 minutes, will its requests be blocked?
If no measures are taken, all IP addresses will be subject to inspection, so even if the request is from instance A, if it matches the rules, it will be blocked.
Is the IP address of Instance A a static IP address?
If your EC2 instance uses a static IP address, you should create an IP set in AWS WAF and configure it to allow connections from the EC2 instance's IP address.
https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-type-ipset-match.html
I think the following stackoverflow answers will be helpful.
https://stackoverflow.com/questions/74469658/how-to-exclude-certain-ip-for-aws-waf-rate-limit
Hi, Riku. Yes, instance A has a static public IP address. But some instances do not have a static IP. What should I do for those instances?
Another related question is: does a rate-based rule work the same for both public and private IPs? If requests coming from a private IP exceed the threshold, will they get blocked? Thank you.
If you do not have a static IP address, you can make the IP address static by attaching an Elastic IP address or by moving the EC2 instance to a private subnet and communicating via NAT Gateway.
I haven't tried it with a private IP address, but I suspect it might be possible. The source only needs to be a private IP address, so in this case AWS WAF needs to be attached to a private ALB. In other words, I think it can be used when you want to control communication within a VPC or from on-premises with a VPN connection. However, since rate-based rules check based on the source IP address, in the case of AWS WAF attached to a public ALB, the source IP address is always a public IP address, so restrictions using private IP addresses are not possible. https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-type-rate-based-aggregation-options.html
I set up AWS WAF on a private ALB in my AWS account and tried accessing it from EC2 in the VPC. As a result, I was able to confirm that rate-based rules work even with private IP addresses. However, as explained in the comment above, this setting can only be used with private ALBs. If it is a public ALB, it cannot be controlled using a private IP address.
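The two points above, excluding a known instance address via an IP set (first answer) and the fact that a rate-based rule keys on whatever source address the ALB sees, public or private (this answer), can be put together in code. The following is an added example, not code from this thread or from AWS: it builds the wafv2 rule definition that a rate-based rule with an IP-set scope-down takes, and runs a deliberately simplified sliding-window model of that rule over constructed traffic so the effect of the exclusion is visible. The IP set ARN, the addresses and the request pattern are constructed placeholders; real AWS WAF evaluates counts periodically rather than on every request, so the model shows the logic, not exact timing.

```python
"""Added example (not from the re:Post thread or AWS): a wafv2 rate-based rule
that excludes an IP set, and a simplified model of how it counts requests.
All ARNs, addresses and traffic below are constructed placeholders."""
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network


def rate_rule_excluding_ipset(ipset_arn: str, limit: int = 100,
                              window_sec: int = 300) -> dict:
    """Return a Rule object in the shape wafv2 create-web-acl / update-web-acl
    accepts: block any source IP that exceeds `limit` requests per `window_sec`,
    except addresses in the referenced IP set. The NotStatement wrapped around
    the IPSetReferenceStatement is the scope-down that keeps the allow-listed
    instance (e.g. instance A's Elastic IP as a /32) out of the count."""
    return {
        "Name": "rate-limit-excluding-ipset",
        "Priority": 1,
        "Action": {"Block": {}},
        "Statement": {
            "RateBasedStatement": {
                "Limit": limit,
                "EvaluationWindowSec": window_sec,   # 60, 120, 300 or 600
                "AggregateKeyType": "IP",
                "ScopeDownStatement": {
                    "NotStatement": {
                        "Statement": {
                            "IPSetReferenceStatement": {"ARN": ipset_arn}
                        }
                    }
                },
            }
        },
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": "rate-limit-excluding-ipset",
        },
    }


class RateRuleModel:
    """Illustrative model of the rule above: a sliding window of request
    timestamps per source address. The key is just the address string the
    load balancer saw, so a private address on a private ALB is counted
    exactly like a public one on a public ALB."""

    def __init__(self, limit=100, window_sec=300, excluded_cidrs=()):
        self.limit = limit
        self.window = window_sec
        self.excluded = [ip_network(c) for c in excluded_cidrs]
        self.hits = defaultdict(deque)

    def is_excluded(self, src_ip: str) -> bool:
        addr = ip_address(src_ip)
        return any(addr in net for net in self.excluded)

    def evaluate(self, src_ip: str, ts: float) -> str:
        """Return 'ALLOW' or 'BLOCK' for one request arriving at `ts` seconds."""
        if self.is_excluded(src_ip):
            return "ALLOW"   # scope-down: never counted, so never blocked
        q = self.hits[src_ip]
        q.append(ts)
        while q and q[0] <= ts - self.window:   # drop hits outside the window
            q.popleft()
        return "BLOCK" if len(q) > self.limit else "ALLOW"


def run_scenario(excluded_cidrs=()) -> dict:
    """Constructed traffic: instance A (203.0.113.10) and a private-subnet
    client (10.0.1.25) each send 101 requests within 101 seconds; an external
    client sends 5. Returns {source: number of blocked requests}."""
    model = RateRuleModel(limit=100, window_sec=300, excluded_cidrs=excluded_cidrs)
    blocked = defaultdict(int)
    for i in range(101):
        for src in ("203.0.113.10", "10.0.1.25"):
            if model.evaluate(src, float(i)) == "BLOCK":
                blocked[src] += 1
    for i in range(5):
        if model.evaluate("198.51.100.7", float(i)) == "BLOCK":
            blocked["198.51.100.7"] += 1
    return dict(blocked)


if __name__ == "__main__":
    print("no exclusion:", run_scenario())
    print("instance A excluded:", run_scenario(["203.0.113.10/32"]))
```

Without an exclusion both the instance and the private-subnet client are blocked on their 101st request, exactly as the first answer warns; once instance A's address is in the IP set referenced by the scope-down, only the private client is blocked. The IP set itself is created separately (for example with `aws wafv2 create-ip-set` in the same scope as the web ACL) and its ARN is what goes into `IPSetReferenceStatement`; the instance's Elastic IP should be entered as a /32 so that only that host is exempted.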
I see. Thanks a lot for your helpful and insightful answers. :)