Hi.

Our experience from last month was quite similar to what others have already described. Based on our tests, all the allocations associated with our ASN were added to "HostingProviderIPList". At first we tried to reach AWS by e-mail, but received no response. Once we opened a ticket (we are both an AWS customer and a Direct Connect Delivery partner) and explained that our address space is not solely used for hosting services, all our networks were whitelisted within a few days. We even had a call with the AWS support team and they seemed to be well aware of false positives in the "HostingProviderIPList". In other words, we were clearly not the first ISP complaining.

The final update to our ticket from the AWS Support Engineering department was the following:

"I would like to inform you that as per the update I got from our internal team, the IP Data which we use for our rules is provided by a third party and changes frequently. Moving ahead I would like to request you to kindly check your setup and see if you can separate the network ranges reserved for any hosting type services in your ASN and provide that to us so that we can check if we can allow the range which is not used for hosting type services."

It's unfortunate that Amazon continues to offer this service despite their underlying IP address data having a low level of granularity, and they are well aware of the problems it causes for address owners.

An AWS Web Application Firewall for testing purposes can be built, for example, like this:

1) created a VPC ("VPC only") with "IPv4 CIDR" 10.0.0.0/24
2) created a subnet 10.0.0.0/28 in one availability zone (for example "eu-north-1a") and a subnet 10.0.0.16/28 in another availability zone (for example "eu-north-1b")
3) launched an Ubuntu EC2 instance ("t3.micro", free tier eligible). Auto-assigned the public IP. Allowed SSH and HTTP traffic from anywhere.
4) created an "Internet gateway" and attached it to the VPC
5) added a default route to the route table and pointed it to the Internet gateway
6) installed (sudo apt update && sudo apt install apache2 -y) a web server in the Ubuntu VM
7) tested with "curl http://51.20.94.186" where 51.20.94.186 is the public IP address automatically assigned to the EC2 instance
8) created a "Target group" for an "Instances" type target which is associated with the VPC created earlier. Protocol:Port configuration has to be HTTP:80.
9) created an Internet-facing "Application Load balancer" and mapped it to the two subnets created previously in two different availability zones. The load balancer has to forward to the target group created in the previous step.
10) created a WAF and associated it with the Application Load Balancer
11) used an AWS managed rule group named "Anonymous IP list" in the WAF. This includes the notorious "HostingProviderIPList" with a default rule action of "Block".
12) "curl http://test-213161342.eu-north-1.elb.amazonaws.com" returns "HTTP/1.1 403" from the networks included in the "HostingProviderIPList". The DNS name is seen on the load balancer details page.

P.S. The previous thread on AWS WAF was https://mailman.nanog.org/pipermail/nanog/2024-February/224931.html

Martin
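
Added example, not part of the original message: a WAF operator who enables the rule group from step 11 can measure what "HostingProviderIPList" actually blocks before leaving it on "Block". The script below reads AWS WAF log records (JSON, one per line) and counts those blocks per client network; the sample records are constructed, and the field names assume the standard AWS WAF log format.

```python
import ipaddress
import json
from collections import Counter

RULE_GROUP = "AWS#AWSManagedRulesAnonymousIpList"  # managed group from step 11
RULE_ID = "HostingProviderIPList"

# Constructed sample records (documentation address ranges, not real traffic),
# reduced to the fields this script reads. The last line is deliberately truncated.
SAMPLE_LOG = """\
{"action":"BLOCK","httpRequest":{"clientIp":"203.0.113.10"},"ruleGroupList":[{"ruleGroupId":"AWS#AWSManagedRulesAnonymousIpList","terminatingRule":{"ruleId":"HostingProviderIPList","action":"BLOCK"}}]}
{"action":"BLOCK","httpRequest":{"clientIp":"203.0.113.77"},"ruleGroupList":[{"ruleGroupId":"AWS#AWSManagedRulesAnonymousIpList","terminatingRule":{"ruleId":"HostingProviderIPList","action":"BLOCK"}}]}
{"action":"BLOCK","httpRequest":{"clientIp":"198.51.100.5"},"ruleGroupList":[{"ruleGroupId":"AWS#AWSManagedRulesAnonymousIpList","terminatingRule":{"ruleId":"AnonymousIPList","action":"BLOCK"}}]}
{"action":"ALLOW","httpRequest":{"clientIp":"192.0.2.1"},"ruleGroupList":[{"ruleGroupId":"AWS#AWSManagedRulesAnonymousIpList","terminatingRule":null}]}
{"action":"BLOCK","httpRequest":{"clientIp":"2001:db8:1::1"},"ruleGroupList":[{"ruleGroupId":"AWS#AWSManagedRulesAnonymousIpList","terminatingRule":{"ruleId":"HostingProviderIPList","action":"BLOCK"}}]}
{"action":"BLOCK","httpRequest":{"clientIp":"203.0.113.
"""


def hosting_list_blocks(lines, v4_prefix=24, v6_prefix=48):
    """Count requests blocked by HostingProviderIPList, grouped by client network."""
    counts = Counter()
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines
        for group in rec.get("ruleGroupList") or []:
            term = group.get("terminatingRule") or {}  # null when nothing terminated
            if (group.get("ruleGroupId") == RULE_GROUP
                    and term.get("ruleId") == RULE_ID
                    and term.get("action") == "BLOCK"):
                ip = ipaddress.ip_address(rec["httpRequest"]["clientIp"])
                prefix = v4_prefix if ip.version == 4 else v6_prefix
                # strict=False masks the host bits to get the covering network
                net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
                counts[str(net)] += 1
    return counts


if __name__ == "__main__":
    for net, n in hosting_list_blocks(SAMPLE_LOG.splitlines()).most_common():
        print(f"{n:5d}  {net}")
```

Networks that show up here with many blocks and known legitimate users are candidates for an allow rule or for switching that one rule's action to "Count".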