Ends in

Cyber Week Sale Extension - Final Call to Grab Discounts for the Year!

Whitelisting Access to Application Load Balancer Through The Use of AWS WAF

Load balancing an application is a common approach to distributing traffic among multiple servers. It has a breadth of benefits that can optimize performance, including availability and responsiveness, as it spreads the workload from one server to another, preventing server overload.

AWS has a wide variety of load balancer types. But one of the most commonly used for web servers is the Application Load Balancer (ALB), as it functions at the application layer, the seventh layer of the Open Systems Interconnection (OSI) model.

After setting up an ALB, it is also essential to consider security as it’s one of the AWS 6 pillars of a well-architected framework. As a rule of thumb, applications in the cloud must not be exposed to the public internet unless intended for public use. Thus, the concept of whitelisting.

Whitelisting is a cybersecurity strategy to define a set of IP addresses that will be allowed to access the applications while denying others. In ALB, restricting access can be done thru a security group. But what if someone accidentally misconfigured the security group and unintentionally opened it to the public internet? Having an extra layer of security can be beneficial and can be done by leveraging the direct integration of ALB to the AWS Web Application Firewall (WAF).

So for this article, we will create a custom AWS WAF rule for an ALB-supported application that blocks access when the IP is not in the list of allowed public IP addresses.


  1. Create an IP set that will hold all allowed public IPs to access the ALB

  2. Tutorials dojo strip
  3. Provision of the WebACL that will contain the custom rule that blocks all IPs outside the IP set

  4. Associate the WebACL to the target ALB thru direct integration

  5. Test if the solution is working




Creating IP Set that will contain all allowed IP Addresses

1. Go to WAF & Shield

2. Click IP sets

3. Choose the region where the ALB is located (i.e., Singapore) > Create IP set.

4. Enter desired IP set name (i.e WhitelistedIPs) > Choose region where ALB is located (i.e. Singapore) > Enter the allowed public IPs > Create IP set



Provisioning the Custom WebACL rule that will only allow IPs contained in the previously created IP Set

1. Still in WAF & Shield > Click Web ACLs

2. Choose the region where the ALB is located (i.e., Singapore) > Create web ACL

3. Enter Name (i.e. WhitelistCustomRule) > Input desired CloudWatch metric name (WhitelistCustomRule) > Choose Regional resources > Click Next

4. Click Add rules > Add my own rules and rule groups.

5. Choose Rule builder > Enter desired Name for the rule (i.e. whitelist-ip-set) > In Type, choose Regular rule > Scroll down

6. Choose If a request doesn’t match the statement (NOT) > Under Inspect, choose Originates from an IP address in > Choose the previously created IP set (i.e., WhitelistedIPs) that contains the allowed public IPs > Source IP address > In Action, choose Block > Add rule.

7. Click Next

8. Under Set rule priority, click Next.

9. Click Next

10. Under Review and create web ACL, scroll down and click Create web ACL

Associating the Custom WebACL rule in the Application Load Balancer

1. Still in WAF & Shield > Web ACLs > Click the previously created WebACL

2. Choose Associated AWS resources > Add AWS resources.

3. Click Application Load Balancer > Choose the target ALB name (make sure that the WebACL and ALB reside in the same region) > Click Add to finish associating the ALB.

Testing if the whitelisting works

1. The traffic is allowed when the IP is within the IP set (i.e., WhitelistedIPs).

2. But the traffic is denied when the IP is not in the IP set (i.e., WhitelistedIPs).

3. Even though the security group is exposed to the public internet, traffic is still being denied since WAF provides extra protection.

Defined in the design principles is to apply security at all layers. With this approach, the target Application Load Balancer (ALB) will have two layers of protection that restricts traffic so that despite one defense mechanism being misconfigured, there is an extra shield.


Tutorials Dojo portal

Win Exciting Freebies!

FREE AWS Exam Readiness Digital Courses

Enroll Now – Our Azure Certification Exam Reviewers

azure reviewers tutorials dojo

Enroll Now – Our Google Cloud Certification Exam Reviewers

Tutorials Dojo Exam Study Guide eBooks

tutorials dojo study guide eBook

Subscribe to our YouTube Channel

Tutorials Dojo YouTube Channel

FREE Intro to Cloud Computing for Beginners

FREE AWS, Azure, GCP Practice Test Samplers

Browse Other Courses

Generic Category (English)300x250

Recent Posts

Written by: Amiel Palacol

Amiel Palacol is a bona fide Cloud and DevOps Engineer specializing in CI/CD, release management, cloud migration, and scripting. He has a strong hands-on experience in Amazon Web Services (AWS) mainly in SDLC automation, configuration management, infrastructure as code, monitoring and logging, policies and standards automation, incident and event response, high availability and scalability, fault tolerance and disaster recovery. He has proven competencies gaining 5 AWS certifications and constantly broadening his technical horizons in the cloud. Outside tech, he's just an average joe who likes coffee, games, and music.

AWS, Azure, and GCP Certifications are consistently among the top-paying IT certifications in the world, considering that most companies have now shifted to the cloud. Earn over $150,000 per year with an AWS, Azure, or GCP certification!

Follow us on LinkedIn, YouTube, Facebook, or join our Slack study group. More importantly, answer as many practice exams as you can to help increase your chances of passing your certification exams on your first try!

View Our AWS, Azure, and GCP Exam Reviewers Check out our FREE courses

Our Community

passing rate
Around 95-98% of our students pass the AWS Certification exams after training with our courses.
Over 200k enrollees choose Tutorials Dojo in preparing for their AWS Certification exams.
Our courses are highly rated by our enrollees from all over the world.

What our students say about us?