
CloudMates Blog

How to block traffic to a specific destination prefix in AWS VPC using security groups and allow the

You may have an AWS VPC environment where you want to allow all traffic except traffic to specific destinations, whether for security or compliance reasons. Using the natively available features you could use either of the following methods.

Network ACL: Network ACLs support both allow and deny rules. So if you want to block traffic to a specific destination, you can add a deny rule for that destination and then a rule that allows traffic to the rest of the internet, using 0.0.0.0/0 as the destination and allow as the action. The deny rule must carry the lower rule number, because NACL rules are evaluated in ascending order and the first match wins.

Route Table: You can add a route for the destination whose traffic you want to drop and point it at a target that no longer exists. For example, if the target for that prefix is a network interface or another resource that has since been deleted, the route shows up as a blackhole route and packets to that destination are dropped.

The above are the native VPC solutions. However, since security groups only have allow rules and deny everything else implicitly, we can also use a workaround: treat the entire internet as the destination and split it into multiple smaller prefixes that leave out the one we want to block. For example, if you want to allow traffic to the internet (0.0.0.0/0) but drop traffic to the destination 192.168.1.0/24, you can divide the internet into the smaller prefixes listed below. Note that the list does not contain 192.168.1.0/24, the destination I want to deny.

0.0.0.0/1          0.0.0.0 - 127.255.255.255
128.0.0.0/2        128.0.0.0 - 191.255.255.255
192.0.0.0/9        192.0.0.0 - 192.127.255.255
192.128.0.0/11     192.128.0.0 - 192.159.255.255
192.160.0.0/13     192.160.0.0 - 192.167.255.255
192.168.0.0/24     192.168.0.0 - 192.168.0.255
192.168.2.0/23     192.168.2.0 - 192.168.3.255
192.168.4.0/22     192.168.4.0 - 192.168.7.255
192.168.8.0/21     192.168.8.0 - 192.168.15.255
192.168.16.0/20    192.168.16.0 - 192.168.31.255
192.168.32.0/19    192.168.32.0 - 192.168.63.255
192.168.64.0/18    192.168.64.0 - 192.168.127.255
192.168.128.0/17   192.168.128.0 - 192.168.255.255
192.169.0.0/16     192.169.0.0 - 192.169.255.255
192.170.0.0/15     192.170.0.0 - 192.171.255.255
192.172.0.0/14     192.172.0.0 - 192.175.255.255
192.176.0.0/12     192.176.0.0 - 192.191.255.255
192.192.0.0/10     192.192.0.0 - 192.255.255.255
193.0.0.0/8        193.0.0.0 - 193.255.255.255
194.0.0.0/7        194.0.0.0 - 195.255.255.255
196.0.0.0/6        196.0.0.0 - 199.255.255.255
200.0.0.0/5        200.0.0.0 - 207.255.255.255
208.0.0.0/4        208.0.0.0 - 223.255.255.255
224.0.0.0/3        224.0.0.0 - 255.255.255.255

The end result will be a security group with one allow rule per prefix, which looks something like this:

Deny traffic to a specific subnet/prefix using a security group
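The split above can be generated and checked mechanically instead of by hand. This is an added example, not code from the original post: it uses Python's standard ipaddress module to carve any number of denied prefixes out of 0.0.0.0/0 (generalising the single /24 case above), verifies that the result covers everything except the denied prefixes, and shapes it as the IpPermissions payload for aws ec2 authorize-security-group-egress. The function names and the rule description string are my own choices.

```python
import ipaddress

FULL = ipaddress.ip_network("0.0.0.0/0")

def allow_all_except(denied):
    """Split 0.0.0.0/0 into the smallest set of CIDR blocks that together
    cover every address NOT inside any prefix in `denied`.
    address_exclude carves one prefix out of one block; looping over
    `denied` generalises the post's single /24 to several blocked prefixes."""
    remaining = [FULL]
    for d in denied:
        d = ipaddress.ip_network(str(d))
        carved = []
        for net in remaining:
            if d.subnet_of(net):
                carved.extend(net.address_exclude(d))  # punch the hole out of this block
            elif net.subnet_of(d):
                continue                               # block lies entirely inside the deny
            else:
                carved.append(net)                     # untouched (CIDRs never partially overlap)
        remaining = carved
    return sorted(remaining)

def covers_everything_but(allowed, denied):
    """Check the result before pasting it into a security group: allowed blocks
    must be pairwise disjoint, must not touch any denied address, and
    allowed + denied must collapse back to exactly 0.0.0.0/0."""
    allowed = sorted(ipaddress.ip_network(str(a)) for a in allowed)
    denied = [ipaddress.ip_network(str(d)) for d in denied]
    for prev, cur in zip(allowed, allowed[1:]):
        if prev.overlaps(cur):
            return False
    if any(a.overlaps(d) for a in allowed for d in denied):
        return False
    return list(ipaddress.collapse_addresses(allowed + denied)) == [FULL]

def egress_permissions(allowed):
    """Shape the blocks as the IpPermissions list taken by
    `aws ec2 authorize-security-group-egress --ip-permissions` (all protocols)."""
    return [{"IpProtocol": "-1",
             "IpRanges": [{"CidrIp": str(net), "Description": "allow-all-except"}]}
            for net in allowed]

if __name__ == "__main__":
    blocks = allow_all_except(["192.168.1.0/24"])   # the post's example
    assert covers_everything_but(blocks, ["192.168.1.0/24"])
    for b in blocks:
        print(f"{str(b):20} {b[0]} - {b[-1]}")         # prefix plus first/last address
    print(len(blocks), "rules")                        # 24 for a single /24
```

Before adding these rules, revoke the default allow-all egress rule (0.0.0.0/0) from the security group, otherwise the split is redundant. Also keep an eye on the count: security groups default to a quota of 60 rules per direction, and each extra denied prefix adds more blocks to the split.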
