There is an ALB associated with WAF. This ALB will be called by both public and other internal IPs.
I have enabled a GEO matching rule to allow only ["US"] calls, but the internal private IPs don't get labelled with any country, and they are getting blocked.
How do I exclude internal IPs?
Let me update how I have solved it. Please note the AWS Console UI doesn't support nested conditions, so I have created a rule as below.
Requirement: internal IPs won't have geo locations, so allow internal IPs only, or allow external IPs only from the "US" geo location.
Rule:
{
  "Name": "Allow_Geo_Match_or_Internal_IP",
  "Priority": 2,
  "Statement": {
    "NotStatement": {
      "Statement": {
        "OrStatement": {
          "Statements": [
            {
              "IPSetReferenceStatement": {
                "ARN": "<<IP-SET-ARN>>"
              }
            },
            {
              "GeoMatchStatement": {
                "CountryCodes": ["US"]
              }
            }
          ]
        }
      }
    }
  },
  "Action": {
    "Block": {}
  }
}
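To check the logic of the rule above before deploying it, here is a small local evaluator for the nested statement tree, added as an example and not part of the original post or of AWS WAF itself. The IP set contents behind "<<IP-SET-ARN>>", the sample requests and the helper names are assumptions constructed for illustration; AWS resolves the real IP set and country label itself.

```python
"""Added example: evaluate the NOT(IPSet OR GeoMatch US) -> Block rule locally."""
import ipaddress

# Constructed stand-in for the IP set behind "<<IP-SET-ARN>>": internal ranges.
IP_SETS = {"<<IP-SET-ARN>>": ["10.0.0.0/8", "192.168.0.0/16"]}

# The rule's Statement, copied from the post above.
RULE_STATEMENT = {
    "NotStatement": {"Statement": {"OrStatement": {"Statements": [
        {"IPSetReferenceStatement": {"ARN": "<<IP-SET-ARN>>"}},
        {"GeoMatchStatement": {"CountryCodes": ["US"]}},
    ]}}}
}


def matches(stmt, request):
    """Recursively evaluate a WAF statement tree against a request dict with
    keys 'ip' and 'country'. country is None when WAF cannot label it, which
    is the private-IP case the post describes."""
    kind, body = next(iter(stmt.items()))
    if kind == "NotStatement":
        return not matches(body["Statement"], request)
    if kind == "OrStatement":
        return any(matches(s, request) for s in body["Statements"])
    if kind == "AndStatement":
        return all(matches(s, request) for s in body["Statements"])
    if kind == "IPSetReferenceStatement":
        addr = ipaddress.ip_address(request["ip"])
        return any(addr in ipaddress.ip_network(c) for c in IP_SETS[body["ARN"]])
    if kind == "GeoMatchStatement":
        return request["country"] in body["CountryCodes"]
    raise ValueError(f"unsupported statement type: {kind}")


def decide(request):
    """Return 'BLOCK' when the rule's statement matches (its Action is Block);
    otherwise 'ALLOW', meaning the request falls through to the remaining
    rules and the web ACL's default action."""
    return "BLOCK" if matches(RULE_STATEMENT, request) else "ALLOW"


if __name__ == "__main__":
    # Constructed sample requests: internal (no country), external US, external DE.
    for req in [{"ip": "10.1.2.3", "country": None},
                {"ip": "203.0.113.5", "country": "US"},
                {"ip": "203.0.113.6", "country": "DE"}]:
        print(req, "->", decide(req))
```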