
Rookie question, how do you ban an IP range?


In your nginx, server section:

    deny 1.2.3.0/24;

And all 256 IPs from 1.2.3.0 to 1.2.3.255 get banned. You can have multiple "deny" lines, or a file with "deny" and then include it.
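
The "file with deny lines, then include it" approach from the reply above, as an added example that is not part of the original thread: a Python helper (the name `build_deny_lines` is hypothetical) that validates a list of addresses and ranges, normalises entries with host bits set, merges duplicate, nested and adjacent ranges, and emits the `deny` lines. The sample entries are constructed.

```python
import ipaddress


def build_deny_lines(entries):
    """Return (deny_lines, rejected) for an nginx include file.

    entries: iterable of strings, each an IP address or CIDR range.
    Text after '#' is treated as a comment; blank entries are skipped.
    """
    nets = {4: [], 6: []}
    rejected = []
    for raw in entries:
        text = raw.split("#", 1)[0].strip()
        if not text:
            continue
        try:
            # strict=False masks off host bits: 1.2.3.77/24 -> 1.2.3.0/24
            net = ipaddress.ip_network(text, strict=False)
        except ValueError:
            rejected.append(raw)  # never emit an entry that failed to parse
            continue
        nets[net.version].append(net)
    lines = []
    for version in (4, 6):
        # collapse_addresses merges duplicates, nested and adjacent ranges
        for net in ipaddress.collapse_addresses(nets[version]):
            single = net.num_addresses == 1
            lines.append(f"deny {net.network_address if single else net};")
    return lines, rejected


# Constructed sample input: the thread's 1.2.3.0/24 plus documentation ranges
SAMPLE = [
    "1.2.3.0/24",
    "1.2.3.77/24",        # host bits set, same range as the line above
    "1.2.3.128/25",       # already covered by 1.2.3.0/24
    "198.51.100.0/25",
    "198.51.100.128/25",  # adjacent to the previous entry, merges to a /24
    "203.0.113.9",        # single address
    "2001:db8::/32",
    "1.2.3.0/33",         # invalid prefix length, rejected
    "not-an-ip",          # rejected
]

if __name__ == "__main__":
    deny_lines, bad = build_deny_lines(SAMPLE)
    print("\n".join(deny_lines))
    for entry in bad:
        print(f"# rejected: {entry!r}")
```

Write the returned lines to a file referenced by an `include` directive in the server section, and run `nginx -t` before reloading.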

It's better to do it at the firewall.


You can do it in a few places, but I use my network firewall for this (I use pfSense at home, but there are many enterprise-grade brands).

It's common to use the host's firewall as well (nftables, firewalld, or iptables).

You can do it at the webserver too, with access.conf in nginx. Apache uses mod_authz.

I usually do it at the network though so it uses the least amount of resources (no connection ever gets to the webserver). Though if you only have access to your webserver it's faster to ban it there than to send a request to the network team (depending on your org, some orgs might have this automated).