
AWS WAF with ALB: In Geo matching rule how to exclude internal IP's


There is an ALB associated with a WAF. This ALB will be called by both public and other internal IPs.

I have enabled a Geo Matching rule to allow only ["US"] calls, but the internal private IPs don't get labelled with any country, and they are getting blocked.

How do I exclude internal IPs?


Solution

  • You could create an IP set for your internal IP addresses and create a rule to allow it:

    1. AWS WAF > IP sets
    2. Click the Create IP set button in the upper right corner
    3. IP set name: Allowed internal IPs
    4. Region: choose the region of your WAF
    5. IP addresses: add the CIDR range for your internal IP range (for example 10.0.0.0/16). If you need more ranges or addresses, just separate them by new lines
    6. In your Web ACL > Add rule > Add my own rule
    7. If a request matches a statement > Inspect > Originates from an IP address in > IP set: select the previously created IP set
    8. Action > Allow
    9. Save
    10. On the next window you will be able to set a priority for the rules. Put your new rule at a priority that comes before the one that's checking countries
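To show why the fix works, here is an added local simulation of WAFv2 rule evaluation (example code, not the answer's own steps and not the AWS SDK). It assumes the geo rule is an Allow rule for ["US"] with the Web ACL default action set to Block, uses the 10.0.0.0/16 range from the answer, and uses a placeholder IP set ARN.

```python
import ipaddress

# Constructed example values: the ARN is a placeholder, not a real resource.
INTERNAL_IP_SET = {"Name": "Allowed internal IPs", "Addresses": ["10.0.0.0/16"]}
IP_SET_ARN = "arn:aws:wafv2:REGION:ACCOUNT:regional/ipset/PLACEHOLDER"

# Rules in AWS WAFv2 JSON shape. A lower Priority value is evaluated first,
# and the first rule with a terminating action (Allow/Block) decides.
RULES = [
    {"Name": "allow-internal-ips", "Priority": 0,
     "Statement": {"IPSetReferenceStatement": {"ARN": IP_SET_ARN}},
     "Action": {"Allow": {}}},
    {"Name": "allow-us-only", "Priority": 1,
     "Statement": {"GeoMatchStatement": {"CountryCodes": ["US"]}},
     "Action": {"Allow": {}}},
]
DEFAULT_ACTION = "Block"  # requests matching no rule fall through to this


def ip_in_set(src_ip, ip_set):
    """True when src_ip falls inside any CIDR of the IP set."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in ipaddress.ip_network(cidr) for cidr in ip_set["Addresses"])


def statement_matches(stmt, src_ip, country):
    """Evaluate one WAFv2 statement; country is None for unlabelled (private) IPs."""
    if "IPSetReferenceStatement" in stmt:
        return ip_in_set(src_ip, INTERNAL_IP_SET)
    if "GeoMatchStatement" in stmt:
        # Private source IPs carry no country label, so a geo rule never matches them.
        return country is not None and country in stmt["GeoMatchStatement"]["CountryCodes"]
    if "NotStatement" in stmt:
        return not statement_matches(stmt["NotStatement"]["Statement"], src_ip, country)
    raise ValueError("unsupported statement type")


def evaluate(src_ip, country, rules=RULES, default_action=DEFAULT_ACTION):
    """Return the terminating action for a request, honouring rule priority order."""
    for rule in sorted(rules, key=lambda r: r["Priority"]):
        if statement_matches(rule["Statement"], src_ip, country):
            return next(iter(rule["Action"]))  # "Allow" or "Block"
    return default_action


def ip_set_rule_first(rules):
    """Check the IP set allow rule has a lower priority number than the geo rule."""
    prio = {next(iter(r["Statement"])): r["Priority"] for r in rules}
    return prio["IPSetReferenceStatement"] < prio["GeoMatchStatement"]
```

Running `evaluate("10.0.1.5", None)` against only the geo rule reproduces the block described in the question; with the IP set rule in place the same request is allowed.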