How to configure AWS ELB to block certain IP addresses? (known spammers)

Litmus picture Litmus · Nov 21, 2013 · Viewed 37.4k times · Source

I am looking for a way to drop connections from known spam ip addresses on an Amazon's Elastic Load Balancer (ELB)?

I am currently doing this at the web server level (multiple instances, running behind the ELB), but wondering if there is a way to do it at the ELB. This way, I can avoid configuring each web server instance for this.

I typically pull the Drop List from Spamhause.org every day and update my web server configuration

Answer

Evgeny Goldin picture Evgeny Goldin · Nov 21, 2013

I would try using VPC ACLs for that. First of all, ELBs inside VPC can use Security Groups but they only specify a traffic you allow in and out of an ELB. To actually block a traffic coming from a certain IP - an ACL would be the best.

For that to work - a pair of a public (internet-facing) and internal ELBs need to be used with internal ELB protected by subnet ACL DENY rules.