How to block the request from a particular country using WAF

0

I have deployed a microservice application on ECS in the Mumbai region, but my customers are from Sri Lanka. How can I block access to the application from other countries except Sri Lanka? When I set Sri Lanka in the WAF rules, it's blocking all the services, as the inter-service communications originate from Mumbai. How do I handle this?

E.g.: I am requesting the pricing service from SL, and the pricing service will communicate with the location service. The country for the pricing service will be Sri Lanka, but for the location service it's India, as it is called by the pricing service in Mumbai.

Asked 2 months ago · Viewed 173 times
2 Answers
2

You can either use WAF Geo Blocking or CloudFront Geo Blocking if you are using a CDN. In case you don't want to use either of these, you can configure your NACLs to block IP address ranges. There is an additional solution using AWS Network Firewall.

(a) If you are taking the CloudFront approach, then please note that CloudFront determines the location of your users by using a third-party database. The accuracy of the mapping between IP addresses and countries varies by Region. Based on recent tests, the overall accuracy is 99.8%. If CloudFront can’t determine a user’s location, CloudFront serves the content that the user has requested. There are no charges for CloudFront's Geo-Blocking.

(b) If you are using the WAF solution, you will need to consider a whitelisting approach as mentioned in the knowledge base article https://repost.aws/knowledge-center/waf-allow-block-country-geolocation

(c) In the case of NACLs, you will need to customize your solution, and it will take some effort to aggregate different subnet ranges. Please also note the NACL limitations while designing a NACL-based solution: https://docs.aws.amazon.com/vpc/latest/userguide/amazon-vpc-limits.html#vpc-limits-nacls

(d) You can consider AWS Network Firewall with Amazon GuardDuty to implement Geo-Blocking as well: https://aws.amazon.com/blogs/security/automatically-block-suspicious-traffic-with-aws-network-firewall-and-amazon-guardduty/

The blogs and articles below should be of additional help:

https://aws.amazon.com/blogs/security/how-to-use-granular-geographic-match-rules-with-aws-waf/

https://aws.amazon.com/blogs/networking-and-content-delivery/geo-block-content-using-amazon-location-and-edge-services/

https://aws.amazon.com/developer/application-security-performance/articles/geo-blocking/

AWS
Avinash
Answered 2 months ago
Expert
Reviewed 2 months ago
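A sketch of the allow-list approach from (b), extended with an IP-set rule for the inter-service traffic the question describes. This is an added example, not code from the answer or from AWS: the IP set ARN, addresses and rule names are placeholders, and it assumes service-to-service calls reach the WAF from a fixed egress IP such as a NAT gateway address.

```python
import ipaddress

# Assumptions (not from the original post): services call each other through the
# WAF-protected endpoint, so WAF sees a fixed egress IP in Mumbai as the source.
# The ARN is a placeholder; all addresses come from documentation-only ranges.
IPSET_ARN = "arn:aws:wafv2:ap-south-1:111122223333:regional/ipset/PLACEHOLDER/PLACEHOLDER-ID"
IP_SETS = {IPSET_ARN: ["203.0.113.10/32"]}  # constructed contents of that IP set

def _visibility(name):
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True, "MetricName": name}

def build_rules(ipset_arn, allowed_countries):
    """Rules in the WAFv2 API shape; pair them with a web ACL DefaultAction of Block."""
    return [
        {"Name": "allow-service-egress", "Priority": 0,
         "Statement": {"IPSetReferenceStatement": {"ARN": ipset_arn}},
         "Action": {"Allow": {}}, "VisibilityConfig": _visibility("allow-service-egress")},
        {"Name": "allow-customer-countries", "Priority": 1,
         "Statement": {"GeoMatchStatement": {"CountryCodes": list(allowed_countries)}},
         "Action": {"Allow": {}}, "VisibilityConfig": _visibility("allow-customer-countries")},
    ]

def _matches(statement, src_ip, country):
    if "IPSetReferenceStatement" in statement:
        cidrs = IP_SETS[statement["IPSetReferenceStatement"]["ARN"]]
        return any(ipaddress.ip_address(src_ip) in ipaddress.ip_network(c) for c in cidrs)
    if "GeoMatchStatement" in statement:
        return country in statement["GeoMatchStatement"]["CountryCodes"]
    raise ValueError("statement type not modelled in this sketch")

def evaluate(rules, src_ip, country, default_action="Block"):
    """Local model of web ACL evaluation: lowest priority number first, first match wins."""
    for rule in sorted(rules, key=lambda r: r["Priority"]):
        if _matches(rule["Statement"], src_ip, country):
            return next(iter(rule["Action"])), rule["Name"]
    return default_action, "default"

RULES = build_rules(IPSET_ARN, ["LK"])  # LK is the ISO 3166-1 alpha-2 code for Sri Lanka

if __name__ == "__main__":
    # Constructed requests: (source IP, country WAF would resolve for that IP)
    for ip, cc in [("198.51.100.7", "LK"), ("203.0.113.10", "IN"), ("192.0.2.44", "IN")]:
        print(ip, cc, evaluate(RULES, ip, cc))
```

The list returned by `build_rules` has the shape the WAFv2 `CreateWebACL` and `UpdateWebACL` calls take in `Rules`; the evaluator only models the two statement types used here.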
0

I hope the below URL will help you.

How do I allow or block requests from a specific country or geolocation using AWS WAF? https://repost.aws/knowledge-center/waf-allow-block-country-geolocation

AWS
Expert
hyp
Answered 2 months ago
Expert
Reviewed 2 months ago
