Tags: amazon-web-services, terraform, terraform-provider-aws, web-application-firewall

How to create a wildcard to deny all requests from all ips in AWS WAF


I have a microservice in an ECS instance in AWS behind a WAF, and I want to create these rules:

  1. Allow specific IPs (done)
  2. Allow all connections from inside the VPN (done)
  3. Deny all the other requests.

The first two IP sets are created, but I can't make the last one work. I tried creating the IP set with 0.0.0.0/0 and other combinations without success.

This is my code. I removed IP sets 1 and 2 (which are working); this is IP set 3:

resource "aws_wafv2_ip_set" "ipset" {
  name = "${var.app_name}-${var.environment_name}-whitelist-ips"

  scope              = "REGIONAL"
  ip_address_version = "IPV4"

  addresses = ["0.0.0.0/0"]
}

module "alb_wafv2" {
  source = "trussworks/wafv2/aws"
  version = "~> 2.0"

  name = "${var.app_name}-${var.environment_name}"
  scope = "REGIONAL"
  alb_arn = aws_lb.app_lb.arn
  associate_alb = true

  ip_sets_rule = [
    {
      name       = "${var.app_name}-${var.environment_name}-ip-blacklist"
      action     = "deny"
      priority   = 1
      ip_set_arn = aws_wafv2_ip_set.ipset.arn
    }
  ]
}

{
  RespMetadata: {
    StatusCode: 400,
    RequestID: "c98b2d3a-ebd0-44e0-a80a-702bc698598b"
  },
  Field: "IP_ADDRESS",
  Message_: "Error reason: The parameter contains formatting that is not valid., field: IP_ADDRESS, parameter: 0.0.0.0/0",
  Parameter: "0.0.0.0/0",
  Reason: "The parameter contains formatting that is not valid."
}

I tried to create an IP set from the AWS Console and got the same error.

So I have two questions: first, how can I do this? And second, is this the best approach?

Thanks in advance


Solution

  • You don't need to block 0.0.0.0/0. After you have created the two IP rules, look for "Default web ACL action for requests that don't match any rules" in the WAF console and set the action to Block.
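The same thing expressed in Terraform, as an added example that is not the poster's code and does not use the trussworks module: a REGIONAL web ACL with two Allow rules backed by IP sets and a default action of Block, so rule 3 from the question is the ACL's default rather than a third IP set. The /0 error is expected; AWS WAF IP sets accept any IPv4 or IPv6 CIDR except /0, which is why 0.0.0.0/0 is rejected both in Terraform and in the console. The resource names `office` and `vpn`, the address ranges and the `aws_lb.app_lb` reference are assumptions; substitute the real values.

```hcl
# Added example, not code from the original post or the trussworks module.
# Assumes var.app_name, var.environment_name and aws_lb.app_lb exist as in
# the question. The IP set names and addresses below are placeholders.

resource "aws_wafv2_ip_set" "office" {
  name               = "${var.app_name}-${var.environment_name}-office-ips"
  scope              = "REGIONAL"
  ip_address_version = "IPV4"
  # Any CIDR except /0 is accepted; these ranges are documentation addresses.
  addresses = ["203.0.113.0/24"]
}

resource "aws_wafv2_ip_set" "vpn" {
  name               = "${var.app_name}-${var.environment_name}-vpn-egress"
  scope              = "REGIONAL"
  ip_address_version = "IPV4"
  # Public egress address(es) of the VPN concentrator as seen by the ALB.
  addresses = ["198.51.100.10/32"]
}

resource "aws_wafv2_web_acl" "app" {
  name  = "${var.app_name}-${var.environment_name}"
  scope = "REGIONAL"

  # Rule 3 from the question: every request that no Allow rule matched is blocked.
  default_action {
    block {}
  }

  rule {
    name     = "allow-office-ips"
    priority = 1
    action {
      allow {}
    }
    statement {
      ip_set_reference_statement {
        arn = aws_wafv2_ip_set.office.arn
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "allow-office-ips"
      sampled_requests_enabled   = true
    }
  }

  rule {
    name     = "allow-vpn"
    priority = 2
    action {
      allow {}
    }
    statement {
      ip_set_reference_statement {
        arn = aws_wafv2_ip_set.vpn.arn
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "allow-vpn"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "${var.app_name}-${var.environment_name}"
    sampled_requests_enabled   = true
  }
}

# Attach the ACL to the ALB that fronts the ECS service.
resource "aws_wafv2_web_acl_association" "alb" {
  resource_arn = aws_lb.app_lb.arn
  web_acl_arn  = aws_wafv2_web_acl.app.arn
}
```

An Allow action is terminating, so a request from a listed address stops at rule 1 or 2; anything else falls through to `default_action` and gets a 403 from the ALB. Verify it after apply by requesting the ALB from an address outside both sets and expecting 403, then from a VPN client and expecting the application response; the sampled requests under each rule's metric show which rule (or the default action) handled a given request. Two caveats a practitioner should check: the IP sets match the connection source address the ALB sees, so if VPN traffic reaches the ALB through a proxy the match has to be switched to the forwarded header with `ip_set_forwarded_ip_config`, and the `addresses` lists must stay non-empty, otherwise the rule never matches and the default Block locks everyone out.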