AWS WAF and AWS Shield Advanced
Developer Guide (API Version 2015-08-24)

Working with IP Match Conditions

If you want to allow or block web requests based on the IP addresses that the requests originate from, create one or more IP match conditions. An IP match condition lists up to 10,000 IP addresses or IP address ranges that your requests originate from. Later in the process, when you create a web ACL, you specify whether to allow or block requests from those IP addresses.

Creating an IP Match Condition

If you want to allow some web requests and block others based on the IP addresses that the requests originate from, create an IP match condition for the IP addresses that you want to allow and another IP match condition for the IP addresses that you want to block.

Note

When you add an IP match condition to a rule, you also can configure AWS WAF to allow or block web requests that do not originate from the IP addresses that you specify in the condition.

To create an IP match condition

  1. Sign in to the AWS Management Console and open the AWS WAF console at https://console.aws.amazon.com/waf/.

  2. In the navigation pane, choose IP addresses.

  3. Choose Create condition.

  4. Type a name in the Name field.

    The name can contain only the characters A-Z, a-z, and 0-9. You can't change the name of a condition after you create it.

  5. Select the correct IP version and specify an IP address or range of IP addresses by using CIDR notation. Here are some examples:

    • To specify the IPv4 address 192.0.2.44, type 192.0.2.44/32.

    • To specify the IPv6 address 0:0:0:0:0:ffff:c000:22c, type 0:0:0:0:0:ffff:c000:22c/128.

    • To specify the range of IPv4 addresses from 192.0.2.0 to 192.0.2.255, type 192.0.2.0/24.

    • To specify the range of IPv6 addresses from 2620:0:2d0:200:0:0:0:0 to 2620:0:2d0:200:ffff:ffff:ffff:ffff, type 2620:0:2d0:200::/64.

    AWS WAF supports /8, /16, /24, and /32 IPv4 address ranges and /16, /24, /32, /48, /56, /64, and /128 IPv6 address ranges. For more information about CIDR notation, see the Wikipedia entry Classless Inter-Domain Routing.

  6. Choose Add another IP address or range.

  7. If you want to add another IP address or range, repeat steps 5 and 6.

  8. When you're finished adding values, choose Create IP match condition.

Editing IP Match Conditions

You can add an IP address range to an IP match condition or delete a range. To change a range, add a new one and delete the old one.

To edit an IP match condition

  1. Sign in to the AWS Management Console and open the AWS WAF console at https://console.aws.amazon.com/waf/.

  2. In the navigation pane, choose IP addresses.

  3. In the IP match conditions pane, choose the IP match condition that you want to edit.

  4. To add an IP address range:

    a. In the right pane, choose Add IP address or range.

    b. Select the correct IP version and type an IP address range by using CIDR notation. Here are some examples:

      • To specify the IPv4 address 192.0.2.44, type 192.0.2.44/32.

      • To specify the IPv6 address 0:0:0:0:0:ffff:c000:22c, type 0:0:0:0:0:ffff:c000:22c/128.

      • To specify the range of IPv4 addresses from 192.0.2.0 to 192.0.2.255, type 192.0.2.0/24.

      • To specify the range of IPv6 addresses from 2620:0:2d0:200:0:0:0:0 to 2620:0:2d0:200:ffff:ffff:ffff:ffff, type 2620:0:2d0:200::/64.

      AWS WAF supports /8, /16, /24, and /32 IPv4 address ranges and /16, /24, /32, /56, /64, and /128 IPv6 address ranges. For more information about CIDR notation, see the Wikipedia entry Classless Inter-Domain Routing.

    c. To add more IP addresses, choose Add another IP address and type the value.

    d. Choose Add.

  5. To delete an IP address or range:

    a. In the right pane, select the values that you want to delete.

    b. Choose Delete IP address or range.
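The create and edit procedures above both accept only CIDR values with the prefix lengths listed in step 5 (or step 4b). The following script is an added example, not code from this guide or from AWS: it checks a list of CIDR strings against those constraints before they are submitted, rejecting values with host bits set, unsupported prefix lengths, or a missing prefix, and emits the accepted ones as INSERT or DELETE entries in the shape of the classic WAF UpdateIPSet `Updates` parameter (the API mapping is this example's choice; the page itself describes the console). The sample input is constructed from the page's examples.

```python
import ipaddress

# Prefix lengths this page lists as accepted by AWS WAF (API 2015-08-24) for each IP version.
SUPPORTED_PREFIXES = {4: {8, 16, 24, 32}, 6: {16, 24, 32, 48, 56, 64, 128}}
MAX_DESCRIPTORS = 10000  # maximum addresses or ranges in one IP match condition


def to_descriptor(cidr):
    """Validate one CIDR string and return it as an IPSetDescriptor-shaped dict.

    Raises ValueError with the reason when AWS WAF would not accept the value.
    """
    if "/" not in cidr:
        raise ValueError(f"{cidr!r}: missing prefix length (single hosts need /32 or /128)")
    # strict=True rejects values whose host bits are set, such as 192.0.2.44/24
    try:
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError as exc:
        raise ValueError(f"{cidr!r}: {exc}") from exc
    if net.prefixlen not in SUPPORTED_PREFIXES[net.version]:
        allowed = sorted(SUPPORTED_PREFIXES[net.version])
        raise ValueError(f"{cidr!r}: /{net.prefixlen} is not supported for IPv{net.version}, use one of {allowed}")
    return {"Type": f"IPV{net.version}", "Value": net.with_prefixlen}


def build_updates(cidrs, action="INSERT"):
    """Turn a list of CIDR strings into UpdateIPSet-style update entries.

    Returns (updates, rejected): updates holds {"Action", "IPSetDescriptor"} entries for every
    valid value; rejected holds (cidr, reason) pairs for the ones the console or API would refuse.
    """
    if action not in ("INSERT", "DELETE"):
        raise ValueError(f"action must be INSERT or DELETE, got {action!r}")
    updates, rejected = [], []
    for cidr in cidrs:
        try:
            updates.append({"Action": action, "IPSetDescriptor": to_descriptor(cidr.strip())})
        except ValueError as exc:
            rejected.append((cidr, str(exc)))
    if len(updates) > MAX_DESCRIPTORS:
        raise ValueError(f"{len(updates)} values exceed the {MAX_DESCRIPTORS} per-condition limit")
    return updates, rejected


if __name__ == "__main__":
    # Constructed sample input: the page's own examples plus three values AWS WAF would reject.
    sample = ["192.0.2.44/32", "2620:0:2d0:200::/64", "192.0.2.44/24", "192.0.0.0/20", "10.0.0.1"]
    ok, bad = build_updates(sample)
    for entry in ok:
        print("accepted:", entry["IPSetDescriptor"])
    for cidr, reason in bad:
        print("rejected:", reason)
```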

Deleting IP Match Conditions

If you want to delete an IP match condition, you must first delete all IP addresses and ranges in the condition and remove the condition from all the rules that are using it, as described in the following procedure.

To delete an IP match condition

  1. Sign in to the AWS Management Console and open the AWS WAF console at https://console.aws.amazon.com/waf/.

  2. In the navigation pane, choose IP addresses.

  3. In the IP match conditions pane, choose the IP match condition that you want to delete.

  4. In the right pane, choose the Rules tab.

    If the list of rules using this IP match condition is empty, go to step 6. If the list contains any rules, make note of the rules, and continue with step 5.

  5. To remove the IP match condition from the rules that are using it, perform the following steps:

    a. In the navigation pane, choose Rules.

    b. Choose the name of a rule that is using the IP match condition that you want to delete.

    c. In the right pane, select the IP match condition that you want to remove from the rule, and choose Remove selected condition.

    d. Repeat steps b and c for all the remaining rules that are using the IP match condition that you want to delete.

    e. In the navigation pane, choose IP match conditions.

    f. In the IP match conditions pane, choose the IP match condition that you want to delete.

  6. Choose Delete to delete the selected condition.