Deny traffic from a Set of IP Addresses

Learn how to specific IP addresses with the Vercel WAF API.
Last updated on December 3, 2024
Security

In the following example, we send a Patch request to the Update Firewall Configuration endpoint of the Vercel REST API security group. This request creates a new rule in your project's WAF configuration.

Both the conditionGroup and action body parameters are required fields

This strategy can help you enhance security and manage traffic across all your project domains at once in the following possible cases:

  • You identified that a specific IP network is associated with DDoS attacks or automated bot traffic.
  • Certain sanctions or data protection laws require that you block traffic from certain IP networks.

To enable this across all your project domains, create an IP Blocking rule using the following code:

app/api/firewall/route.ts
export async function PATCH() {
  let baseUrl = 'https://api.vercel.com/v1/security/firewall/config';
  let teamId = 'team_a5j...';
  let projectId = 'QmTrK...';
 
  const body = JSON.stringify({
    action: 'ip.insert',
    id: null,
    value: {
      action: 'deny',
      hostname: '*',
      ip: '12.34.56.0/24',
      notes: 'deny traffic from 12.34.56.0/24',
    },
  });
 
  let res = await fetch(`${baseUrl}?projectId=${projectId}&teamId=${teamId}`, {
    method: 'PATCH',
    headers: {
      Authorization: `Bearer ${process.env.VERCEL_TOKEN}`,
      'Content-Type': 'application/json',
    },
    body,
  });
 
  if (!res.ok) {
    return Response.json(
      { status: 'Failed to update Firewall' },
      { status: res.status },
    );
  }
 
  return Response.json({ status: 'New rule added to Firewall' });
}