WAF IP Blocking not working


Hello,

I am trying to set up WAF IP blocking but just cannot seem to get it working at all. I have added my own IP and I can still access all our services just fine, from DBs to ECS to EC2 servers, etc.

I have created an IP Set and added various IPs including my own.

On ACL I have added the following rule:

The 1st one is set up as

  • Regular Rule: Inspect "Originates from an IP address in", then I selected my IP set. I have tried both "Source IP Address" and "IP address in header"; neither works. Then action "Block".

No matter what kind of options I select, it seems my IP isn't being blocked. What else should I look for?

asked a month ago, 490 views
1 Answer
1
Accepted Answer

To troubleshoot the issue with AWS WAF (Web Application Firewall) IP blocking not working, follow these steps:

1. **Verify IP Set Configuration**: Ensure that the IP set you created contains the correct IP addresses and that they are in the correct format (CIDR notation if necessary).

2. **Check Web ACL Configuration**: Verify that your Web ACL is correctly configured and associated with the resources you want to protect (e.g., CloudFront distribution, API Gateway, or ALB).

3. **Ensure Web ACL Association**: Make sure the Web ACL is associated with the correct AWS resource (e.g., CloudFront distribution, API Gateway, or ALB). If the ACL is not associated, the rules will not be applied.

4. **Rule Priority**: Ensure the rule you created has the correct priority. AWS WAF evaluates rules based on their priority, from lowest to highest. If there is an allow rule with a higher priority, it might override your block rule.

5. **Rule Action**: Confirm that the rule action is set to "Block."

6. **CloudFront IP Header**: If you are using CloudFront, ensure you are inspecting the correct header for the client IP address. CloudFront adds the client IP in the X-Forwarded-For header.

7. **Logging and Metrics**: Enable AWS WAF logging and inspect the logs to see if your requests are being matched against the rules. This can help you determine why the requests are not being blocked.

8. **Example Configuration**

#### IP Set
```yaml
Resources:
  MyIPSet:
    Type: "AWS::WAFv2::IPSet"
    Properties:
      Name: "BlockedIPs"
      Scope: "REGIONAL"  # Use "CLOUDFRONT" for CloudFront
      IPAddressVersion: "IPV4"
      Addresses:
        - "203.0.113.0/24"  # Replace with your IP addresses
```

#### Web ACL
```yaml
Resources:
  MyWebACL:
    Type: "AWS::WAFv2::WebACL"
    Properties:
      DefaultAction:
        Allow: {}
      Scope: "REGIONAL"  # Use "CLOUDFRONT" for CloudFront
      Rules:
        - Name: "BlockIPs"
          Priority: 1
          Action:
            Block: {}
          Statement:
            IPSetReferenceStatement:
              Arn: !GetAtt MyIPSet.Arn
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: "BlockIPsMetric"
      VisibilityConfig:
        SampledRequestsEnabled: true
        CloudWatchMetricsEnabled: true
        MetricName: "WebACLMetric"
```

#### Associate Web ACL with ALB (for example)
```yaml
Resources:
  MyWebACLAssociation:
    Type: "AWS::WAFv2::WebACLAssociation"
    Properties:
      ResourceArn: !Ref MyLoadBalancerArn  # Replace with your ALB ARN (here a template Parameter)
      WebACLArn: !GetAtt MyWebACL.Arn      # The association needs the web ACL's ARN
```

Troubleshooting Tips:

  1. IP Address Format: Ensure that the IP addresses in your IP set are correctly formatted. For single IPs, use /32 for IPv4 (e.g., 203.0.113.1/32).

  2. Scope: Ensure the scope of your IP set and Web ACL matches the resource. Use REGIONAL for ALB, API Gateway, or AppSync, and CLOUDFRONT for CloudFront distributions.

  3. Check Metrics and Logs: Check AWS WAF logs and CloudWatch metrics to see if the rule is being evaluated and if requests from your IP address are being blocked.

  4. Test with Other IPs: Add other IPs to the IP set and test if they are being blocked. This can help determine if the issue is specific to your IP or a broader configuration issue.

  5. Propagation Time: Allow some time for the WAF configuration changes to propagate, especially if you are testing immediately after making changes.

If you've gone through these steps and the issue persists, consider reaching out to AWS Support for further assistance. They can provide more detailed insights based on your specific configuration and logs.

EXPERT
answered a month ago
  • Thank you Oleksii, your comment reminded me why it's always good to recheck everything. Our resource association was missing, we had to re-create the load balancer a long time ago (moving it into terraform) and this broke the link so it was never working on this ALB! Re-adding it solved the issue.
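The three failure modes the answer lists (no Web ACL association, the client IP not covered by the IP set, an Allow rule winning on priority) can be checked offline against the response shapes boto3's `wafv2` client returns from `get_web_acl_for_resource` and `get_ip_set`. This is an added example, not code from the answer or from AWS; the ARNs, rule names and addresses below are constructed sample data.

```python
"""Offline diagnosis of why a WAF IP-block rule is not taking effect.
Inputs mirror boto3 wafv2 response dicts; the sample values are constructed."""
import ipaddress


def ip_in_set(client_ip, addresses):
    """True if client_ip falls inside any CIDR of an IP set (e.g. '203.0.113.1/32')."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(cidr, strict=False) for cidr in addresses)


def first_matching_rule(rules, client_ip, ip_sets):
    """Walk rules the way WAF does, lowest Priority number first, and return the
    first rule whose IPSetReferenceStatement covers client_ip (None if none does)."""
    for rule in sorted(rules, key=lambda r: r["Priority"]):
        stmt = rule.get("Statement", {}).get("IPSetReferenceStatement")
        if stmt and ip_in_set(client_ip, ip_sets.get(stmt["ARN"], [])):
            return rule
    return None


def diagnose(assoc_response, client_ip, ip_sets):
    """assoc_response: dict returned by get_web_acl_for_resource(ResourceArn=alb_arn);
    the 'WebACL' key is absent when nothing is attached to the resource.
    ip_sets: mapping of IP-set ARN -> list of CIDRs (from get_ip_set)."""
    acl = assoc_response.get("WebACL")
    if acl is None:
        return "NO_ASSOCIATION"  # the root cause in this thread
    rule = first_matching_rule(acl.get("Rules", []), client_ip, ip_sets)
    if rule is None:
        return "IP_NOT_IN_SET"
    if "Block" in rule["Action"]:
        return f"BLOCKED_BY:{rule['Name']}"
    return f"ALLOWED_BY_HIGHER_PRIORITY:{rule['Name']}"


# Constructed sample data (hypothetical account id and IP-set id).
IPSET_ARN = "arn:aws:wafv2:us-east-1:123456789012:regional/ipset/BlockedIPs/EXAMPLE-ID"
SAMPLE_IP_SETS = {IPSET_ARN: ["203.0.113.0/24", "198.51.100.7/32"]}
BLOCK_RULE = {"Name": "BlockIPs", "Priority": 1, "Action": {"Block": {}},
              "Statement": {"IPSetReferenceStatement": {"ARN": IPSET_ARN}}}
ALLOW_RULE = {"Name": "AllowOffice", "Priority": 0, "Action": {"Allow": {}},
              "Statement": {"IPSetReferenceStatement": {"ARN": IPSET_ARN}}}
ATTACHED = {"WebACL": {"Name": "MyWebACL", "Rules": [BLOCK_RULE]}}
SHADOWED = {"WebACL": {"Name": "MyWebACL", "Rules": [BLOCK_RULE, ALLOW_RULE]}}
DETACHED = {}  # nothing associated with the ALB

if __name__ == "__main__":
    for label, resp in [("attached", ATTACHED), ("shadowed", SHADOWED), ("detached", DETACHED)]:
        print(label, diagnose(resp, "203.0.113.1", SAMPLE_IP_SETS))
```

Feed `diagnose` the live dicts from boto3 to get the same verdict for a real ALB; a `NO_ASSOCIATION` result is exactly the broken link the re-created load balancer left behind.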
