How to block an IP address
Updated on December 17, 2025
Case description
You need to block external IP addresses or subnets so that they cannot access a specific Yandex Cloud resource, e.g., an MDB cluster or a single VM.
Solution
You cannot block a single specific IP address from the Yandex Cloud side. Security groups operate on the principle that whatever is not explicitly allowed is forbidden, because the list of security group rules always implicitly ends with a "prohibit all" rule.
You can allow trusted IP addresses; all others will be considered untrusted. For more details about the security group structure, see this article.
Tip
Alternatively, you can block an unwanted IP address using the UFW firewall or iptables inside your VM.
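The in-VM approach from the tip, as an added example (not Yandex Cloud's own code): a POSIX shell helper that validates IPv4 addresses or CIDR subnets and prints the `iptables` or `ufw` commands that drop them, placed ahead of existing allow rules. The function names and the sample addresses (documentation ranges) are assumptions; IPv6 is not handled.

```shell
#!/bin/sh
# Added example: print in-VM firewall commands that drop traffic from IPv4
# addresses or CIDR subnets. Nothing is executed; output is for review.

# Succeeds if $1 is a.b.c.d or a.b.c.d/N with octets 0-255 and N 0-32.
is_ipv4_cidr() {
    addr=${1%%/*}
    case $1 in
        */*) prefix=${1#*/} ;;
        *)   prefix=32 ;;
    esac
    case $prefix in ''|*[!0-9]*) return 1 ;; esac
    [ "${#prefix}" -le 2 ] && [ "$prefix" -le 32 ] || return 1
    # Only digits and dots, exactly four non-empty fields.
    case $addr in
        *[!0-9.]*|*.*.*.*.*|*..*|.*|*.) return 1 ;;
        *.*.*.*) ;;
        *) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $addr            # split into octets (safe: digits and dots only)
    IFS=$old_ifs
    for octet in "$@"; do
        case $octet in 0?*) return 1 ;; esac   # leading zeros may parse as octal
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# block_cmds BACKEND SOURCE... ; BACKEND is iptables or ufw.
# Both firewalls stop at the first matching rule, so the drop rule is placed
# ahead of existing allow rules instead of being appended after them.
block_cmds() {
    backend=$1; shift
    for src in "$@"; do
        if ! is_ipv4_cidr "$src"; then
            echo "skipping invalid IPv4 address/subnet: $src" >&2
            continue
        fi
        case $backend in
            iptables) echo "iptables -I INPUT 1 -s $src -j DROP" ;;
            ufw)      echo "ufw prepend deny from $src" ;;
            *)        echo "unknown backend: $backend" >&2; return 2 ;;
        esac
    done
}

# Constructed sample input (documentation ranges); the last entry is rejected.
block_cmds iptables 203.0.113.7 198.51.100.0/24 '203.0.113.300'
block_cmds ufw 203.0.113.7
```

The commands are only printed; review them and run them as root inside the VM to apply. Rules added directly with `iptables` do not survive a reboot unless they are saved.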