diff --git a/waf/main.tf b/waf/main.tf
index 721943f..b6cfa93 100644
--- a/waf/main.tf
+++ b/waf/main.tf
@@ -6,6 +6,15 @@ resource "aws_wafv2_ip_set" "trusted" {
 scope = "REGIONAL"
 }
+resource "aws_wafv2_ip_set" "blocked_ips" {
+ name = "${var.project}-${var.function}-${var.environment}-blockedIps"
+ scope = "REGIONAL"
+ ip_address_version = "IPV4"
+ addresses = length(var.blocked_ips) > 0 ? split(",", var.blocked_ips) : []
+ description = "IP set for blocking malicious IPs"
+}
+
+
 resource "aws_wafv2_rule_group" "rule_group" {
 capacity = 12
 name = "waf-rule-group"
@@ -81,10 +90,31 @@ resource "aws_wafv2_web_acl" "acl" {
 default_action {
 block {}
 }
- rule {
+ dynamic "rule" {
+ for_each = var.blocked_ips == "" ? [] : [1]
+ content {
+ name = "BlockIPsRule"
+ priority = 0
+ action {
+ block {}
+ }
+ statement {
+ ip_set_reference_statement {
+ arn = aws_wafv2_ip_set.blocked_ips.arn
+ }
+ }
+ visibility_config {
+ cloudwatch_metrics_enabled = true
+ metric_name = "BlockIPsRule"
+ sampled_requests_enabled = true
+ }
+ }
+ }
+
+ rule {
 name = "rate-based-rule"
- priority = 0
+ priority = 1
 action {
 block {}
 }
@@ -110,7 +140,7 @@ resource "aws_wafv2_web_acl" "acl" {
 }
 rule {
 name = "acl-rule"
- priority = 1
+ priority = 2
 override_action {
 none {}
 }
diff --git a/waf/outputs.tf b/waf/outputs.tf
index 80d4e6c..dd7c625 100644
--- a/waf/outputs.tf
+++ b/waf/outputs.tf
@@ -5,3 +5,7 @@ output "ip_set_arn" {
 output "rule_group_arn" {
 value = aws_wafv2_rule_group.rule_group.arn
 }
+
+output "blocked_ip_set_arn" {
+ value = var.blocked_ips == "" ? "" : aws_wafv2_ip_set.blocked_ips.arn
+}
diff --git a/waf/variables.tf b/waf/variables.tf
index 2df3490..d66e707 100644
--- a/waf/variables.tf
+++ b/waf/variables.tf
@@ -23,8 +23,13 @@ variable "trusted_ips" {
 default = ""
 }
+variable "blocked_ips" {
+ description = "blocked IP addresses"
+ default = ""
+}
+
 variable "restricted_uri" {
- description = "Resricted URI"
+ description = "Restricted URI"
 default = ""
 }
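Review bot: `addresses = length(var.blocked_ips) > 0 ? split(",", var.blocked_ips) : []` hands the raw comma-split fragments to the IP set, so an input written as `192.0.2.0/24, 198.51.100.7/32` (constructed example) produces an entry with a leading space, and an entry without a CIDR suffix is only rejected by AWS at apply time — `aws_wafv2_ip_set` expects CIDR notation, and this set is pinned to `IPV4`. Trimming and dropping empty fragments makes the parse tolerant and removes the ternary: `addresses = [for ip in split(",", var.blocked_ips) : trimspace(ip) if trimspace(ip) != ""]`. The same input reaches `variable "blocked_ips"` in the waf/variables.tf hunk, which declares neither `type` nor a `validation` block; validating each entry with `can(cidrhost(...))` at plan time is what I would add there (sketch below, Terraform 0.13+ syntax). Separately, the IP set is created unconditionally while the rule that references it is gated on `var.blocked_ips == ""`, so an empty input leaves an empty IP set behind — acceptable, but worth a one-line comment on the resource.
```hcl
variable "blocked_ips" {
  description = "Comma-separated IPv4 CIDR blocks to block (e.g. \"192.0.2.0/24,198.51.100.7/32\"); empty string disables the rule"
  type        = string
  default     = ""

  validation {
    condition     = alltrue([for ip in split(",", var.blocked_ips) : can(cidrhost(trimspace(ip), 0)) if trimspace(ip) != ""])
    error_message = "blocked_ips must be a comma-separated list of IPv4 CIDR blocks."
  }
}
```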
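Review bot: The `ip_set_reference_statement` in the new `BlockIPsRule` matches the IP of the connection that reaches the regional resource; if a CDN or any other proxy sits in front of whatever this ACL is attached to, the evaluated address is the proxy's, so the rule never fires on the client address, and blocking a shared proxy address would be far broader than intended. Where that topology applies, the statement needs an `ip_set_forwarded_ip_config` block naming the header that carries the client address together with a `fallback_behavior`; what the ACL fronts is not visible here, so this is a caveat to record on the rule, e.g. `# Matches the immediate source IP only; add ip_set_forwarded_ip_config if requests arrive via a proxy/CDN`. The `aws_wafv2_web_acl.acl` resource starts before this hunk and continues after it.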
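Review bot: Moving `acl-rule` to `priority = 2` (and `rate-based-rule` to 1 in the previous hunk) collides with any caller that overrides `aws_managed_rules` and still carries the old default priorities 2–7 from waf/variables.tf, because AWS WAF rejects duplicate rule priorities within a web ACL; such a caller's plan/apply breaks after this commit although their inputs did not change. The renumbered defaults (3–8) in the `aws_managed_rules` hunk only help callers who rely on the default. I would at least state the reserved range in that variable's description, e.g. `description = "Managed rule groups; priorities 0-2 are reserved for the module's own rules"`, and ideally add a `validation` rejecting any entry with `priority < 3`.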
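Review bot: `blocked_ip_set_arn` is gated on `var.blocked_ips == ""` while the IP set in waf/main.tf is created unconditionally and its `addresses` expression tests `length(var.blocked_ips) > 0`; two spellings of the same emptiness check in two files will drift. Since the resource always exists, the output can simply be `value = aws_wafv2_ip_set.blocked_ips.arn`; if the empty-string sentinel is deliberate for callers, use the same expression as main.tf and say so in a `description` on the output.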
@@ -49,11 +54,11 @@ variable "aws_managed_rules" {
 metric_name = string
 }))
 default = [
- { name = "AWS-AWSManagedRulesAmazonIpReputationList", priority = 2, managed_rule_group_statement_name = "AWSManagedRulesAmazonIpReputationList", managed_rule_group_statement_vendor_name = "AWS", metric_name = "AWS-AWSManagedRulesAmazonIpReputationList" },
- { name = "AWS-AWSManagedRulesCommonRuleSet", priority = 3, managed_rule_group_statement_name = "AWSManagedRulesCommonRuleSet", managed_rule_group_statement_vendor_name = "AWS", metric_name = "AWS-AWSManagedRulesCommonRuleSet" },
- { name = "AWS-AWSManagedRulesKnownBadInputsRuleSet", priority = 4, managed_rule_group_statement_name = "AWSManagedRulesKnownBadInputsRuleSet", managed_rule_group_statement_vendor_name = "AWS", metric_name = "AWS-AWSManagedRulesKnownBadInputsRuleSet" },
- { name = "AWS-AWSManagedRulesLinuxRuleSet", priority = 5, managed_rule_group_statement_name = "AWSManagedRulesLinuxRuleSet", managed_rule_group_statement_vendor_name = "AWS", metric_name = "AWS-AWSManagedRulesLinuxRuleSet" },
- { name = "AWS-AWSManagedRulesUnixRuleSet", priority = 6, managed_rule_group_statement_name = "AWSManagedRulesUnixRuleSet", managed_rule_group_statement_vendor_name = "AWS", metric_name = "AWS-AWSManagedRulesUnixRuleSet" },
- { name = "AWS-AWSManagedRulesSQLiRuleSet", priority = 7, managed_rule_group_statement_name = "AWSManagedRulesSQLiRuleSet", managed_rule_group_statement_vendor_name = "AWS", metric_name = "AWS-AWSManagedRulesSQLiRuleSet" }
+ { name = "AWS-AWSManagedRulesAmazonIpReputationList", priority = 3, managed_rule_group_statement_name = "AWSManagedRulesAmazonIpReputationList", managed_rule_group_statement_vendor_name = "AWS", metric_name = "AWS-AWSManagedRulesAmazonIpReputationList" },
+ { name = "AWS-AWSManagedRulesCommonRuleSet", priority = 4, managed_rule_group_statement_name = "AWSManagedRulesCommonRuleSet", managed_rule_group_statement_vendor_name = "AWS", metric_name = "AWS-AWSManagedRulesCommonRuleSet" },
+ { name = "AWS-AWSManagedRulesKnownBadInputsRuleSet", priority = 5, managed_rule_group_statement_name = "AWSManagedRulesKnownBadInputsRuleSet", managed_rule_group_statement_vendor_name = "AWS", metric_name = "AWS-AWSManagedRulesKnownBadInputsRuleSet" },
+ { name = "AWS-AWSManagedRulesLinuxRuleSet", priority = 6, managed_rule_group_statement_name = "AWSManagedRulesLinuxRuleSet", managed_rule_group_statement_vendor_name = "AWS", metric_name = "AWS-AWSManagedRulesLinuxRuleSet" },
+ { name = "AWS-AWSManagedRulesUnixRuleSet", priority = 7, managed_rule_group_statement_name = "AWSManagedRulesUnixRuleSet", managed_rule_group_statement_vendor_name = "AWS", metric_name = "AWS-AWSManagedRulesUnixRuleSet" },
+ { name = "AWS-AWSManagedRulesSQLiRuleSet", priority = 8, managed_rule_group_statement_name = "AWSManagedRulesSQLiRuleSet", managed_rule_group_statement_vendor_name = "AWS", metric_name = "AWS-AWSManagedRulesSQLiRuleSet" }
 ]
 }