At a maximum, a VPC network ACL can have 40 rules applied.

I have a list of over 50 IP addresses that I need to explicitly block access to in our systems, over any port and any protocol. This is an ideal purpose for an ACL, but the limit is hindering me completing this task.

Of course, I can do this in IPTables on each host, but I want to block any and all traffic to all components in the VPC (to ELB’s for example). Furthermore it’s far more ideal to manage these rules in one place rather than on each and every host.

I am hoping there is some way I am not understanding doing this at the system/platform level. Security groups are explicit allow, with no deny action, so they won’t do the trick.

Here’s a left-field idea.. you could “null-route” the 50 blocked IPs, by adding an “broken” route to the VPC route table for each IP.

This wouldn’t prevent the traffic from the IPs hitting your infrastructure (only the NACLs and the SGs will prevent that), but it’ll prevent the return traffic from every making it “back home”..

There’s no way to increase the limit on NACLs, and a high number of NACL rules impacts network performance.

You may have an architectural issue above all.

  1. Do your instances have to be in public subnets?
  2. Have you set up NAT gateways to limit inbound traffic?
  3. For those instances that must be in public subnets do you have minimal inbound security group rules?
  4. Are you using AWS WAF IP match conditions to block unwanted traffic to CloudFront and your load Balancers?

If you’re hitting the NACL rule limit it’s most likely because you’re not taking the AWS recommended approach to VPC architecture and use of services like WAF (and Shield for DDoS) to block unwanted traffic and overt attacks.

If your concern is DDoS attacks: How to Help Protect Dynamic Web Applications Against DDoS Attacks by Using Amazon CloudFront and Amazon Route 53

This isn’t exactly what you asked for, but may do the job well enough.

Set up CloudFront in front of your infrastructure. Use IP Match Conditions to effectively block traffic. CloudFront works with both static and dynamic content, and can accelerate dynamic content as it uses the AWS backbone rather than the public internet. Here’s what the docs say

If you want to allow some web requests and block others based on the
IP addresses that the requests originate from, create an IP match
condition for the IP addresses that you want to allow and another IP
match condition for the IP addresses that you want to block.

When using CloudFront you should block direct access to any public resources using security groups. The AWS Update Security Groups lambda will keep your security groups up to date to allow CloudFront traffic in but reject other traffic. If you redirect http to https using CloudFront you can tweak the scripts a bit to prevent http hitting your infrastructure. You can also whitelist any IPs that need direct admin access.

Alternately, you could use a third party CDN such as CloudFlare. CloudFlare have an effective firewall, but for the number of rules you want it’s $200 per month. That may well be cheaper than CloudFront, AWS bandwidth is fairly expensive. The free plan only gives you 5 firewall rules.