I am looking for a way to drop connections from known spam ip addresses on an Amazon's Elastic Load Balancer (ELB)?
I am currently doing this at the web server level (multiple instances, running behind the ELB), but wondering if there is a way to do it at the ELB. This way, I can avoid configuring each web server instance for this.
I typically pull the Drop List from Spamhause.org every day and update my web server configuration
I would try using VPC ACLs for that. First of all, ELBs inside VPC can use Security Groups but they only specify a traffic you allow in and out of an ELB. To actually block a traffic coming from a certain IP - an ACL would be the best.
For that to work - a pair of a public (internet-facing) and internal ELBs need to be used with internal ELB protected by subnet ACL DENY rules.
You can't do this from an ELB that is not instantiated inside a VPC (at the date of this answer). If inside a VPC, check out the other answers. If not, you can switch to something more controlable, such as HAProxy or place CloudFlare (https://www.cloudflare.com/) in front of your ELB, which is probably a better option.
来源:https://stackoverflow.com/questions/20123308/how-to-configure-aws-elb-to-block-certain-ip-addresses-known-spammers