
Application Security - Geo-Blocking

Companies implement geo-blocking policies on web applications for different reasons (e.g. regulatory requirements concerning embargoed countries).

Achraf Souk
Amazon Employee
Published Apr 29, 2025

Overview

Geo-blocking policies are implemented on web applications for different reasons, such as to comply with regulations regarding embargoed countries or to block video streaming in countries where the web application doesn't have streaming rights.

Common use cases

Geo-blocking can be implemented using CloudFront's native geographic restrictions, using edge functions or using AWS WAF. Each method provides a different matching granularity, level of customizable logic and price. The methods can also be combined, keeping in mind the evaluation order: CloudFront evaluates its geographic restrictions first, then AWS WAF evaluates its geo-match rules, and finally edge functions run the geo-blocking logic in their code. Note that CloudFront and AWS WAF determine the location of your users by using a third-party database. The accuracy of the mapping between IP addresses and countries varies by Region.

Figure: Geoblocking using AWS Edge Services

Simple and global geo restrictions in CloudFront

Use CloudFront geographic restrictions to restrict countries at the distribution level, with no additional charges. You can allow or block a specific set of countries, applied to all requests received by your CloudFront distribution. Viewers who are restricted by the configured geographic restrictions receive a 403 Forbidden response from CloudFront. You can use CloudFront's Custom Error Pages to serve a friendly error page.

Advanced geo-blocking logic using CloudFront Functions

Use CloudFront Functions, configured on the viewer request event, to implement advanced geo-blocking logic in JavaScript. CloudFront Functions can be attached to a specific CloudFront cache behavior (e.g. /api/* paths), the logic in the code can be as granular as needed, and it can be combined with other access control logic such as authorization. To implement geo-based logic in CloudFront Functions, you need to allowlist the required CloudFront headers (e.g. CloudFront-Viewer-Country or CloudFront-Viewer-Country-Region) in an origin request policy attached to the same CloudFront cache behavior to which the function is associated.
The sample CloudFront Function below blocks viewers from the Donetsk (14) or Luhansk (9) regions of Ukraine.
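As an added illustration of that logic (example code written for this page, not the author's sample), here is a viewer request CloudFront Function that returns 403 to viewers whose CloudFront-Viewer-Country and CloudFront-Viewer-Country-Region headers resolve to Donetsk or Luhansk. It assumes both headers are allowlisted in the cache behavior's origin request policy as described above, and that the region header carries the zero-padded ISO 3166-2 subdivision code ("09" for Luhansk).

```javascript
var BLOCKED_COUNTRY = 'UA';
// Region numbers as given in the article (Donetsk 14, Luhansk 9). The
// CloudFront-Viewer-Country-Region header carries the ISO 3166-2 subdivision
// code, which is zero-padded ("09" for Luhansk), so leading zeros are stripped.
var BLOCKED_REGIONS = { '14': true, '9': true };

// Header names are lowercase and values are wrapped in { value: '...' } in
// the CloudFront Functions event format.
function headerValue(headers, name) {
  var h = headers[name];
  return h && typeof h.value === 'string' ? h.value.trim() : '';
}

function normalizeRegion(region) {
  return region.replace(/^0+/, '');
}

// True when the viewer's country and region match the blocked set. A missing
// header (headers not allowlisted in the origin request policy) yields '',
// so the request passes: this fails open rather than blocking every viewer.
function isBlocked(headers) {
  var country = headerValue(headers, 'cloudfront-viewer-country').toUpperCase();
  if (country !== BLOCKED_COUNTRY) {
    return false;
  }
  var region = normalizeRegion(headerValue(headers, 'cloudfront-viewer-country-region'));
  return Object.prototype.hasOwnProperty.call(BLOCKED_REGIONS, region);
}

// Viewer request entry point: 403 for blocked viewers, otherwise pass through.
function handler(event) {
  var request = event.request;
  if (isBlocked(request.headers)) {
    return {
      statusCode: 403,
      statusDescription: 'Forbidden',
      headers: { 'cache-control': { value: 'no-store' } }
    };
  }
  return request;
}

// Constructed sample event for a local dry run (not a real CloudFront event).
var sampleEvent = { request: { uri: '/api/items', headers: {
  'cloudfront-viewer-country': { value: 'UA' },
  'cloudfront-viewer-country-region': { value: '09' }
} } };
console.log(JSON.stringify(handler(sampleEvent)));
```

Drop the dry-run lines at the end before deploying; the function should consist of the handler and its helpers only.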

Resources

Any opinions in this post are those of the individual author and may not reflect the opinions of AWS.
