The deny all and allow some approach

In this approach, all the incoming traffic is denied by default. Only a certain set of IPs are then added to the allow list. This is the most preferred approach and the AWS security groups also follow this approach.

This is an example of the rule that is configured in the AWS security groups:

• In this case, all IPs are denied by default
• Any connection made from anywhere to port 80 is allowed
• Only connection from 172.18.10.0/24 subnet is allowed on port 22