Support

You can do so directly with Apache (.htaccess), see the Require not host .example.com notation from mod_authz_host.

There are three major reasons for which we did not implement this as an Admin Tools feature. From least to most important:

1. This is not a common enough need to warrant its own feature. Think about getting one question for this every four to five years.
2. It will make your site be perceived as slow because at least the first request will need to wait for the DNS system to complete the whole reverse DNS look-up before deciding whether to process the request. A reverse DNS lookup can take anywhere from 100 to 2000 msec.
3. Using a very heavy hand when blocking hosts like that may be counter-productive. You may think "AWS should never need to access my site directly" and go ahead and block it... thereby blocking search engines from indexing your site, or payments solution providers from letting you know if a transaction went through, and so on and so forth.

Now that you know the risks you can take a fully informed decision on whether to proceed.

Yes, the performance impact is very much a deal-breaker for this kind of thing.

I had not mentioned another option previously. Please keep in mind that this option can be a dangerous overkill for your use case.

You could use CloudFlare in front of your site and have it block entire ASNs (example). CloudFlare can do that as they are a network provider themselves, therefore they get the BGP tables. This allows them to correlate IPs to ASNs virtually instantaneously. That's a deeper level of insight that anyone below the level of an ISP simply does not have access to, period. This is an oversimplifications of what is going on, but it works well enough for the purposes of explaining this feature.

Be very careful if you decide to go the ASN filtering route. I only recommend it when you are under heavy, sustained attack (DoS, DDoS), and only as a temporary measure while the attack is in progress – that's the only context I ever use that feature. I would not recommend this as a general purpose blocking method. It's the networking equivalent of being granted genie wishes: you always get exactly what you asked, never what you actually meant.