We're using Geolocation filtering in an ASM profile to allow only a few countries to reach an application. Now a part of the web application is moving to the Amazon cloud. These IP addresses are outside the allowed geolocation range.
My idea is to add (allow but apply WAF ruling) these specific amazon region ip ranges/subnets to the "IP Address Exception in ASM", so I can keep my geolocation filter untouched.
These specific Amazon region IP ranges may (will?) change.
Is there a way to automatically alter the IP addresses / subnets when Amazon changes the region IP ranges?
If you are not using AFM, this is probably fine. If you are, you might need to move some of that geolocation logic earlier, as it's processed before ASM (see here). But to your specific question on automating this, if Amazon has an API where you can get those addresses, you can pull that on a cron frequency, and then use iControl REST to push those to your policies. Example (just put placeholder values on those attributes, you'd need to set appropriately for your environment):
Best wishes for 2022.
We're not using AFM, so that's fine.
The AWS IP ranges, and updates to them, can be downloaded in a JSON file.
I'll try to get it working using iControl REST.
Thank you for the reply.