diff --git a/terraform/20-app/waf.cms.tf b/terraform/20-app/waf.cms.tf
index 2054cea5..62f097a9 100644
--- a/terraform/20-app/waf.cms.tf
+++ b/terraform/20-app/waf.cms.tf
@@ -3,40 +3,42 @@ resource "aws_wafv2_web_acl" "cms_admin" {
 description = "Web ACL for CMS application"
 scope = "REGIONAL"
 
- default_action {
- allow {}
+ lifecycle {
+ create_before_destroy = true
 }
 
- dynamic "rule" {
- for_each = local.waf_cms_admin.rules
-
- content {
- name = rule.value.name
- priority = rule.value.priority
-
- override_action {
- none {}
+ default_action {
+ dynamic "block" {
+ for_each = [""]
+ content {
 }
-
- statement {
- managed_rule_group_statement {
- name = rule.value.name
- vendor_name = "AWS"
- }
+ }
+ dynamic "allow" {
+ for_each = []
+ content {
 }
+ }
+ }
 
- visibility_config {
- metric_name = rule.value.name
- cloudwatch_metrics_enabled = true
- sampled_requests_enabled = true
+ rule {
+ name = "ip-allowlist"
+ priority = 0
+
+ action {
+ allow {}
+ }
+
+ statement {
+ ip_set_reference_statement {
+ arn = aws_wafv2_ip_set.ip_allow_list_regional.arn
 }
 }
- }
 
- visibility_config {
- metric_name = "${local.prefix}-cms"
- cloudwatch_metrics_enabled = true
- sampled_requests_enabled = true
+ visibility_config {
+ cloudwatch_metrics_enabled = true
+ metric_name = "IPAllowListRule"
+ sampled_requests_enabled = true
+ }
 }
 
 rule {
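Review bot: The new `ip-allowlist` rule at priority 0 uses a terminating `allow {}`, so requests from allow-listed addresses skip every later rule, including the AWS managed rule groups this same resource attaches from `local.waf_cms_admin.rules`; if gating admin access by source IP is the only goal that is acceptable but should be stated next to the rule, e.g. `# Terminating allow: allow-listed sources bypass the managed rule groups below`, whereas if those protections should still inspect allow-listed traffic, a priority-0 `block` on a `not_statement` around the `ip_set_reference_statement` combined with `default_action { allow {} }` gives outsiders the same result while the managed rules still run. The `default_action` written as `dynamic "block"` over `[""]` plus `dynamic "allow"` over `[]` evaluates to a plain `block {}`; unless a variable is meant to drive those lists, `default_action { block {} }` states the intent directly and cannot be flipped open by editing a literal. The managed-rule priorities come from `local.waf_cms_admin.rules`, which is outside this diff, so confirm none of them is 0, since WAFv2 rejects duplicate priorities at apply time. The `aws_wafv2_web_acl` resource continues outside the hunk.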
@@ -87,6 +89,38 @@ resource "aws_wafv2_web_acl" "cms_admin" {
 sampled_requests_enabled = true
 }
 }
+
+ dynamic "rule" {
+ for_each = local.waf_cms_admin.rules
+
+ content {
+ name = rule.value.name
+ priority = rule.value.priority
+
+ override_action {
+ none {}
+ }
+
+ statement {
+ managed_rule_group_statement {
+ name = rule.value.name
+ vendor_name = "AWS"
+ }
+ }
+
+ visibility_config {
+ metric_name = rule.value.name
+ cloudwatch_metrics_enabled = true
+ sampled_requests_enabled = true
+ }
+ }
+ }
+
+ visibility_config {
+ metric_name = "${local.prefix}-cms"
+ cloudwatch_metrics_enabled = true
+ sampled_requests_enabled = true
+ }
 }
 
 resource "aws_wafv2_web_acl_association" "cms_admin" {
diff --git a/terraform/20-app/waf.ip-allow-set.tf b/terraform/20-app/waf.ip-allow-set.tf
index d743f30f..788613d1 100644
--- a/terraform/20-app/waf.ip-allow-set.tf
+++ b/terraform/20-app/waf.ip-allow-set.tf
@@ -8,3 +8,13 @@ resource "aws_wafv2_ip_set" "ip_allow_list" {
 formatlist("%s/32", module.vpc.nat_public_ips)
 )
 }
+
+resource "aws_wafv2_ip_set" "ip_allow_list_regional" {
+ name = "${local.prefix}-ip-allow-list-regional"
+ scope = "REGIONAL"
+ ip_address_version = "IPV4"
+ addresses = concat(
+ local.complete_ip_allow_list,
+ formatlist("%s/32", module.vpc.nat_public_ips)
+ )
+}
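Review bot: `ip_allow_list_regional` repeats the `addresses` expression of the existing `ip_allow_list` set verbatim, so the two allow lists will silently diverge the first time only one of them is edited; computing the list once in a local (for example `local.ip_allow_list_addresses = concat(local.complete_ip_allow_list, formatlist("%s/32", module.vpc.nat_public_ips))`) and referencing it from both resources keeps the regional set that now gates CMS admin access identical to the original. That list also includes the VPC NAT public IPs as `/32`s, which means any workload egressing through those NATs passes the new `ip-allowlist` rule in the web ACL; a comment on the `addresses` argument saying whether that is intended would help the next reviewer. The existing `ip_allow_list` resource starts outside the hunk.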