There should be different rules for inbound and outbound. For inbound, it should be enough to add only an allow rule for the customer IPs; all the rest should be blocked by default. For outbound, you need to create 2 rules: one to block all IPs for a specific protocol, and one to allow specific IPs for it. It is also possible to have only one block rule with specified IP ranges that do not include the required IPs.
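For the single-block-rule option, the block ranges have to cover every address except the required ones. The following is an added example, not part of the original text, that computes those ranges with Python's standard `ipaddress` module; the function names and the sample addresses (documentation ranges) are constructed for illustration.

```python
import ipaddress


def block_ranges_excluding(allowed, universe="0.0.0.0/0"):
    """Return CIDR ranges covering `universe` except the `allowed` networks."""
    remaining = [ipaddress.ip_network(universe)]
    for item in allowed:
        keep = ipaddress.ip_network(item, strict=False)
        next_remaining = []
        for net in remaining:
            if keep.subnet_of(net):
                # Split this range into the pieces surrounding the allowed network.
                next_remaining.extend(net.address_exclude(keep))
            elif not net.subnet_of(keep):
                # CIDR blocks either nest or are disjoint; this one is disjoint.
                next_remaining.append(net)
            # Otherwise the range lies entirely inside the allowed network: drop it.
        remaining = next_remaining
    return sorted(remaining)


def is_blocked(ip, ranges):
    """True if `ip` falls inside any of the block ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


# Constructed sample input: one required host and one required subnet.
ALLOWED = ["203.0.113.10/32", "198.51.100.0/24"]

if __name__ == "__main__":
    ranges = block_ranges_excluding(ALLOWED)
    print(f"{len(ranges)} ranges for the block rule:")
    for net in ranges:
        print(net)
    # Sanity checks before the list is pasted into a rule.
    print("required host blocked?", is_blocked("203.0.113.10", ranges))
    print("other host blocked?   ", is_blocked("203.0.113.11", ranges))
```

The resulting list grows with each required address, so check it against the rule size limits of the firewall in use before relying on this option.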