Block inbound port 80, 443 traffic except specific IP addresses

windows-firewall, windows-server-2008-r2

I'm trying to set up a firewall to only permit inbound traffic on ports 80 and 443 from specific IP addresses. I tried creating a rule to block all traffic on TCP, local port 80 and 443, then I added a rule to allow the same from a specific remote IP address. However, I kept getting traffic from any IP address. So I disabled the rule to allow traffic, and I still was getting traffic from any IP address. Then I changed the rule to block all TCP traffic on any port, but I'm still getting traffic.

There are no rules that allow traffic on TCP 80, 443, or Any that aren't limited to a specific program. How can I block incoming traffic on those ports except for specific IP addresses? Is there some way to identify which rule is letting the traffic through? Thanks!

Best Answer

First of all:

  1. If there is no rule for a port/service/application and the firewall is enabled, all traffic for it is blocked!
  2. If there is an enabled allow rule for a port/service/application, matched traffic is allowed.
  3. If there is an enabled block rule for a port/service/application, it takes precedence over allow rules and matched traffic is blocked!

You say that inbound traffic on the ports 80 and 443 is allowed from everywhere. That means there is an active rule that allows that traffic. You want to allow traffic to those ports only from certain IP addresses.

You first need to remove the rule that allows the traffic and then create a rule that only allows traffic from certain IP addresses.

To find out what rule causes your ports 80 and 443 to be reachable, get all active rules first:

$active_rules = Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow

The next step is to search for possible rules that allow inbound traffic on the ports 80 and 443:

# LocalPort is an array (e.g. "80","443"), and a filter of "Any" opens every port, so match that too
$port_filters = $active_rules | Get-NetFirewallPortFilter | Where-Object { (@($_.LocalPort) | Where-Object { $_ -in 'Any', '80', '443' }) }

Then find the associated firewall rules:

$port_filters | Get-NetFirewallRule

It is probably easier to just sort by the LocalPort column in the graphical user interface of the Advanced Firewall Settings. But those commands might help you track down the rule somehow.

Things to remember: Check the three different profiles. If you don't find a port filter, maybe the web application or the web service has an active allow rule.

When you have located and removed (or disabled) the rule in question, create a new allow rule for the ports and the addresses:

New-NetFirewallRule -DisplayName "Allow TCP:80,443 from certain IPs" -Direction Inbound -Action Allow -Protocol TCP -LocalPort 80,443 -RemoteAddress ("8.8.8.8", "8.8.4.4", "…")
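The whole procedure from the answer above (find the rule that exposes the ports, disable it, allow only listed sources, verify) as one script. This is an added example, not code from the answer or from Microsoft; it goes a little beyond the answer's commands in that it also recognises multi-port filters, numeric port ranges, "Any" port filters and program-scoped rules, and it reports each rule's remote scope and profile so you can see why it matched. It assumes the NetSecurity PowerShell module (Windows 8 / Server 2012 or later; the 2008 R2 box in the question only has `netsh advfirewall` for this), an elevated PowerShell session, and placeholder source addresses from the TEST-NET-3 documentation range that you must replace with your real clients. The rule name `Web-Allow-Listed-Sources` and the function names are assumptions.

```powershell
# Added example, not code from the original answer. Finds every enabled inbound
# allow rule that can expose TCP 80 or 443, disables those that accept any
# remote address, then allows the ports only from an allow-list.
# Assumptions: NetSecurity module (Windows 8 / Server 2012 or later; on 2008 R2
# use netsh advfirewall instead), elevated PowerShell, and placeholder addresses
# from TEST-NET-3 that you must replace with your real clients.
$AllowedSources = @('203.0.113.10', '203.0.113.0/24')   # placeholder values
$Ports          = @(80, 443)
$RuleName       = 'Web-Allow-Listed-Sources'             # assumed rule name

# True if a port filter covers $Port: explicit port, numeric range, or 'Any'.
# Keyword ports such as RPC or IPHTTPSIn are skipped rather than cast to int.
function Test-PortFilterCoversPort {
    param($Filter, [int]$Port)
    if ($Filter.Protocol -notin 'TCP', '6', 'Any') { return $false }
    foreach ($p in @($Filter.LocalPort)) {
        if ($p -eq 'Any') { return $true }
        if ($p -match '^(\d+)-(\d+)$' -and $Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
        if ($p -match '^\d+$' -and [int]$p -eq $Port) { return $true }
    }
    return $false
}

# One object per enabled inbound allow rule that reaches 80 or 443, with the
# details that decide whether it is the culprit: program, remote scope, profile.
function Get-WebExposingRule {
    foreach ($rule in Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow) {
        $filter = $rule | Get-NetFirewallPortFilter
        $hits   = $Ports | Where-Object { Test-PortFilterCoversPort -Filter $filter -Port $_ }
        if (-not $hits) { continue }
        [pscustomobject]@{
            Name          = $rule.Name
            DisplayName   = $rule.DisplayName
            Profile       = $rule.Profile
            LocalPort     = @($filter.LocalPort) -join ','
            Program       = ($rule | Get-NetFirewallApplicationFilter).Program
            RemoteAddress = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress) -join ','
        }
    }
}

# 1. Show what currently lets the traffic in (all three profiles are covered,
#    because no -Profile filter is applied to Get-NetFirewallRule).
$exposing = Get-WebExposingRule
$exposing | Format-Table -AutoSize

# 2. Disable (do not delete) every such rule that accepts any remote address,
#    so built-in rules like the IIS ones can be re-enabled later if needed.
$exposing | Where-Object { $_.RemoteAddress -eq 'Any' -and $_.Name -ne $RuleName } |
    ForEach-Object { Disable-NetFirewallRule -Name $_.Name }

# 3. Allow the ports only from the listed sources, on all profiles.
if (-not (Get-NetFirewallRule -Name $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -Name $RuleName -DisplayName 'Allow TCP 80,443 from listed sources' `
        -Direction Inbound -Action Allow -Protocol TCP -LocalPort $Ports `
        -RemoteAddress $AllowedSources -Profile Any | Out-Null
}

# 4. Verify: nothing that reaches 80/443 may still have an open remote scope.
$stillOpen = Get-WebExposingRule | Where-Object { $_.RemoteAddress -eq 'Any' }
if ($stillOpen) {
    Write-Warning 'Rules still open to every remote address:'
    $stillOpen | Format-Table -AutoSize
} else {
    Write-Output "Ports $($Ports -join ',') are now reachable only from: $($AllowedSources -join ', ')"
}
```

Two points worth keeping in mind when you run this. First, the script disables allow rules rather than adding a block rule, for the reason given in point 3 of the answer: a block rule on 80 and 443 would also beat the new allow rule and cut off the listed sources, which is why the question's block-plus-allow attempt could not work. Second, the final check only inspects rule definitions; confirm from a host that is not on the list (for example with `Test-NetConnection -ComputerName <server> -Port 443` from another Windows machine) that the connection now fails, and from a listed host that it still succeeds.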