
How do I use AWS WAF to allow or block requests from a specific country or geolocation?


I want to use AWS WAF to allow or block requests from a specific country or geolocation.

Short description

To block access to your site from specific countries or allow access only to specific countries, use the geographic match rule statement.

Add a geographic match rule statement to allow web requests from the countries that you want to allow. Then, add a second geographic match rule statement for the countries that you want to block.

Note: If you use Amazon CloudFront geographic restrictions to block a country's access to your content, then CloudFront blocks every request from that country. CloudFront doesn't forward the requests to AWS WAF. To use AWS WAF criteria to allow or block requests based on geography, use an AWS WAF geographic match rule statement instead.

Resolution

Complete the following steps:

  1. Open the AWS WAF console.
  2. For Region, choose the AWS Region where you created your protection pack.
  3. In the navigation pane, choose Resources & protection packs.
  4. On the right side of the protection pack, select the icon next to the Region name to choose the protection pack.
  5. In your selected protection pack, select Rules.
  6. Select View and edit next to Rules to view or modify the rules associated with your protection pack.
  7. In the right pane, under Manage rules, choose Add rules.
  8. Select Geo-based rule.
  9. To set up your rule, configure the following values:
       For Action, choose Allow or Block for custom rules.
       Note: If the default action is Block, then set the rule's action to Allow. If the default action is Allow, then set the rule's action to Block and add a NOT statement that specifies the countries not to block.
       For Name, enter a name for your rule.
       For Statement, choose Originates from a country name.
  10. Choose the country that you want to allow or block.
  11. (Optional) Under Rule configuration, check Source IP address for origin:
       Choose Source IP address or IP address in header to define the request's country of origin.
       Warning: When a request routes through a content delivery network (CDN) or other proxy network, the source IP address identifies the proxy. In this case, the original IP address is sent in a header. Proxies can handle headers inconsistently, and a client can modify them to bypass inspection.
  12. Choose Create Rule.
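As an added example (not part of this article or of any AWS code), the same allow/block logic from step 9 expressed as a rule definition for the wafv2 API, including the forwarded-IP option from step 11. The function name, the fail-closed FallbackBehavior choice, the MetricName and the sample country codes are this example's own assumptions.

```python
import re

ISO_ALPHA2 = re.compile(r"^[A-Z]{2}$")  # AWS WAF expects ISO 3166-1 alpha-2 codes


def build_geo_rule(default_action, country_codes, listed_are="allowed",
                   name="geo-rule", priority=0, forwarded_ip_header=None):
    """Return one rule dict for the Rules list of wafv2 update_web_acl().

    default_action: the web ACL default action, "Allow" or "Block".
    listed_are: "allowed" (only these countries may pass) or "blocked".
    The rule action is the opposite of the default action, and the
    geographic match is wrapped in a NotStatement when the rule action
    does not agree with the meaning of the list (the Note in step 9).
    forwarded_ip_header: read the origin from this header (for example
    X-Forwarded-For) instead of the source IP when traffic comes via a CDN.
    """
    if default_action not in ("Allow", "Block"):
        raise ValueError("default_action must be 'Allow' or 'Block'")
    if listed_are not in ("allowed", "blocked"):
        raise ValueError("listed_are must be 'allowed' or 'blocked'")
    codes = [c.strip().upper() for c in country_codes]
    if not codes or any(not ISO_ALPHA2.match(c) for c in codes):
        raise ValueError(f"country codes must be ISO 3166-1 alpha-2, got {codes}")

    geo = {"CountryCodes": codes}
    if forwarded_ip_header:
        # Fail closed when the header is missing or malformed (assumed policy):
        # treat the request as outside an allow list, or inside a block list.
        fallback = "NO_MATCH" if listed_are == "allowed" else "MATCH"
        geo["ForwardedIPConfig"] = {"HeaderName": forwarded_ip_header,
                                    "FallbackBehavior": fallback}
    statement = {"GeoMatchStatement": geo}

    action = "Allow" if default_action == "Block" else "Block"
    # Allow + allowed list and Block + blocked list match the list directly;
    # the other two combinations must match everything NOT in the list.
    if (action == "Allow") != (listed_are == "allowed"):
        statement = {"NotStatement": {"Statement": statement}}

    return {
        "Name": name,
        "Priority": priority,
        "Statement": statement,
        "Action": {action: {}},
        "VisibilityConfig": {"SampledRequestsEnabled": True,
                             "CloudWatchMetricsEnabled": True,
                             "MetricName": name},
    }
```

The returned dict is the shape the wafv2 `update_web_acl` call takes in its `Rules` list; with `default_action="Allow"` and `listed_are="allowed"` it produces the Block-plus-NOT construction the Note describes.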
3 Comments

Thanks for pointing out the default action of ACL - that was my issue!

replied 3 years ago

I want to block an entire country but allow specific IPs from that country. How do I do that? The scope-down statement doesn't seem to be available using this method to allow an IP list.

replied 2 years ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
EXPERT
replied 2 years ago