IP Whitelisting Using AWS WAF

IP Whitelisting using AWS WAF with an example scenario.

IP whitelisting with your VPN address is one of the most important solutions for critical admin pages/panels and for internal, testing or development applications. We do not want our admin panels open to the world. We do not want our testing platform publicly accessible. These exposures increase the attack surface of your cloud environment. Attackers love admin pages and default passwords, brute forcing text boxes, and finding exploits in them. So, if you have built applications, you must think: “How should I access my admin panels privately?” and “How can I protect my testing environments from attackers?”

There are lots of newer solutions, such as AWS Verified Access, that cover different cases and scenarios. But, as you know, IP whitelisting is a traditional solution, and many customers and developers still use it. We won’t abandon it suddenly. That’s why I want to explain IP whitelisting using AWS WAF with an example scenario.

Our scenario:

I have an application with an admin panel. This is my main page:

Main Page (with Nginx)

And this is my admin panel (with /admin URL):

My Admin Panel

We want to IP whitelist our /admin path with our VPN address. Let’s start together!


Note: I don’t use any domain configuration or SSL settings for this demo. If you’re following this guide to do all security configurations, please ensure that you’re attaching a certificate to your custom domain with AWS ACM and use AWS WAF rules wherever possible.

Note: Please ensure that the correct AWS region is chosen for your AWS WAF settings.

Step 1: Create an IP set for your Corporate VPN Address

Select Create IP set:

Creating IP Set

Add your IP addresses for whitelisting with the correct format.

Creating IP Set

Step 2: Create a Rule Group

Add your rule group details:

Describe Your Rule Group

Add your rules:

Add Rules and Set Capacity

For our rule, we need to select the regular rule type. We do not need rate-based control for this case.

AWS WAF Rule Builder

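This step is important. We have two conditions here: IP and path for whitelisting. The rule should match only when both hold: the request is for the admin path and it does not come from our VPN. In other words, we need to tell AWS WAF: if a request for the “/admin.html” URL path is not coming from our VPN, block the request.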

For the IP side, we need to select the IP set which we’ve created in Step 1.

AWS WAF Rule Setting — Statement 1

For the path side, we can add the “Contains string” match type for admin. You need to think about all possible admin panel paths for your application.

AWS WAF Rule Setting — Statement 2

If a request matches the statements above, block it.

Block Condition for AWS WAF

If you have other rules, you need to set your rule priority.

Setting Your Rule Priority

Step 3: Create a Web ACL

For the last step, we need to create a Web ACL.

Creating AWS WAF Web ACL

We need to associate the Web ACL with our AWS resources. For this scenario, we need to associate it with the AWS ALB.

Associate to AWS Resources

We need to add our rule group to the Web ACL.

Add Your Own Rule Groups to AWS WAF ACL

If a request does not match any rule, the default action should be Allow.

Not Match Any Rules Action

Step 4: Testing

With the VPN, we should see the admin panel:

Testing the Admin Panel

Without VPN, we should not see the admin panel:

Admin Panel 403 Forbidden Error

Also, you can review your sampled requests in the AWS WAF Web ACL console.

AWS WAF Web ACL Sampled Requests
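
The rule from Step 2 and the default action from Step 3, written out in WAFv2 rule JSON form together with a small local model of how it evaluates requests. This is an added example, not code from the original article: the rule name, the ARN placeholder, the 203.0.113.10/32 VPN address and the LOWERCASE text transformation are assumptions.

```python
import ipaddress

# Constructed values: a documentation-range address standing in for the VPN
# egress IP, and a placeholder ARN for the IP set created in Step 1.
VPN_CIDRS = ["203.0.113.10/32"]
IP_SET_ARN = "arn:aws:wafv2:REGION:ACCOUNT_ID:regional/ipset/corporate-vpn/IP_SET_ID"

# Step 2 rule: block when the source IP is NOT in the IP set AND the URI path
# contains "admin".
RULE = {
    "Name": "block-admin-outside-vpn",  # hypothetical rule name
    "Priority": 0,
    "Statement": {"AndStatement": {"Statements": [
        {"NotStatement": {"Statement": {
            "IPSetReferenceStatement": {"ARN": IP_SET_ARN}}}},
        {"ByteMatchStatement": {
            "SearchString": "admin",
            "FieldToMatch": {"UriPath": {}},
            "PositionalConstraint": "CONTAINS",
            # Assumption beyond the article: lowercase the path before matching,
            # because the string match is otherwise case-sensitive.
            "TextTransformations": [{"Priority": 0, "Type": "LOWERCASE"}]}},
    ]}},
    "Action": {"Block": {}},
    "VisibilityConfig": {"SampledRequestsEnabled": True,
                         "CloudWatchMetricsEnabled": True,
                         "MetricName": "block-admin-outside-vpn"},
}

def matches(stmt, ip, path):
    """Evaluate the statement types used above for one request (local model)."""
    if "AndStatement" in stmt:
        return all(matches(s, ip, path) for s in stmt["AndStatement"]["Statements"])
    if "NotStatement" in stmt:
        return not matches(stmt["NotStatement"]["Statement"], ip, path)
    if "IPSetReferenceStatement" in stmt:
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(c) for c in VPN_CIDRS)
    if "ByteMatchStatement" in stmt:
        bm = stmt["ByteMatchStatement"]
        if any(t["Type"] == "LOWERCASE" for t in bm["TextTransformations"]):
            path = path.lower()
        return bm["SearchString"] in path
    raise ValueError("statement type not modelled")

def decide(ip, path, default_action="ALLOW"):
    """Rule action if the rule matches, otherwise the Web ACL default action."""
    return "BLOCK" if matches(RULE["Statement"], ip, path) else default_action
```

Because the match type is Contains, an unrelated path such as /badminton.html is also blocked for clients outside the VPN, so check the string against every path your application serves.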

Thanks for reading! Stay safe in the cloud! 🤞 ⛅️
