How do I use AWS WAF to allow or block requests from a specific country or geolocation?


I want to use AWS WAF to allow or block requests from a specific country or geolocation.

Short description

To block access to your site from specific countries or allow access only to specific countries, use the Geographic match rule statement.

First, add a geographic match rule statement to allow web requests from the countries that you want to allow. Then, add a second geographic match rule statement for the countries that you want to block.

Note: If you use Amazon CloudFront geographic restriction to block a country's access to your content, then any request from that country is blocked. The requests aren't forwarded to AWS WAF. To use AWS WAF criteria to allow or block requests based on geography, use an AWS WAF geographic match rule statement instead.

Resolution

To use AWS WAF to allow or block requests from a specific country or geolocation, complete the following steps:

  1. Open the AWS WAF console.
  2. In the navigation pane, under AWS WAF, choose Web ACLs.
  3. For Region, select the AWS Region where you created your web access control list (web ACL).
    Note: If your web ACL is set up for CloudFront, then select Global.
  4. Select your web ACL.
  5. Under Rules, choose Add Rules, and then choose Add my own rules and rule groups.
  6. For Rule Builder, enter a name for your rule.
  7. For If a request, choose matches the statement.
  8. For Choose an inspection option, choose Originates from a country.
  9. For Choose country codes, choose the country that you want to allow or block.
  10. (Optional) Choose Source IP address or IP address in header to define the request's country of origin.
    Warning: When a request routes through a content delivery network (CDN) or other proxy network, the source IP address identifies the proxy. In this case, the original IP address is sent in a header. Proxies can inconsistently manage headers and modify them to bypass inspection.
  11. For Action, choose either Allow or Block.
    Note: If the default action is Block, then set the rule's action to Allow. Note that with this configuration, AWS WAF doesn't inspect the allowed requests any further. If the default action is Allow, then set the rule's action to Block and add a NOT statement that specifies the countries not to block.
  12. Choose Add Rule.
  13. (Optional) For Set Rule Priority, select your rule, and then set its priority. For more information, see Processing order of rules and rule groups in a web ACL.
  14. Choose Save.
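The rule the console builds in steps 6 through 11 is stored as a JSON rule statement. As an added example (not code from the AWS article), the Python below writes the two rule shapes the steps describe in that layout, a plain geographic match and one wrapped in a NOT statement, and runs a small local evaluator over constructed requests so the default-action interplay from step 11 and the proxy-header caveat from step 10 can be checked. Country codes, the header name and the requests are constructed sample values; the geolocation lookup itself is out of scope, so each request already carries the country resolved for its source IP and, when present, for the proxy header.

```python
# Added example, not AWS code: WAFv2-shaped geo-match rules plus a local
# simulation of web ACL evaluation. Sample countries/requests are constructed.

def geo_rule(name, priority, countries, action, negate=False, header=None):
    """Return a Rule dict in the WAFv2 layout with a GeoMatchStatement.

    negate wraps it in a NotStatement (the 'countries not to block' case).
    header takes the country from that proxy header (ForwardedIPConfig);
    FallbackBehavior MATCH treats a missing or malformed header as a match,
    the safer choice for a blocking rule because a stripped header can't
    turn into a bypass.
    """
    geo = {"CountryCodes": list(countries)}
    if header:
        geo["ForwardedIPConfig"] = {"HeaderName": header, "FallbackBehavior": "MATCH"}
    stmt = {"GeoMatchStatement": geo}
    if negate:
        stmt = {"NotStatement": {"Statement": stmt}}
    return {"Name": name, "Priority": priority, "Statement": stmt,
            "Action": {action: {}},
            "VisibilityConfig": {"SampledRequestsEnabled": True,
                                 "CloudWatchMetricsEnabled": True,
                                 "MetricName": name}}

def _matches(stmt, req):
    """req: {'source_country': 'US', 'forwarded_country': 'DE' or None}."""
    if "NotStatement" in stmt:
        return not _matches(stmt["NotStatement"]["Statement"], req)
    geo = stmt["GeoMatchStatement"]
    country = req.get("source_country")
    if "ForwardedIPConfig" in geo:           # inspect the proxy header instead
        country = req.get("forwarded_country")
        if country is None:                  # header absent: FallbackBehavior
            return geo["ForwardedIPConfig"]["FallbackBehavior"] == "MATCH"
    return country in geo["CountryCodes"]

def evaluate(web_acl, req):
    """Rules run in ascending priority; the first Allow or Block terminates
    evaluation, so later rules never inspect the request. No match: default."""
    for rule in sorted(web_acl["Rules"], key=lambda r: r["Priority"]):
        if _matches(rule["Statement"], req):
            return next(iter(rule["Action"]))
    return next(iter(web_acl["DefaultAction"]))

# Default Block + Allow rule: only US and CA traffic reaches the origin.
ALLOWLIST_ACL = {"DefaultAction": {"Block": {}},
                 "Rules": [geo_rule("AllowUSCA", 0, ["US", "CA"], "Allow")]}
# Default Allow + Block rule with NOT: everything outside US and CA is blocked.
BLOCKLIST_ACL = {"DefaultAction": {"Allow": {}},
                 "Rules": [geo_rule("BlockOutsideUSCA", 0, ["US", "CA"], "Block", negate=True)]}
# Behind a CDN the source IP is the proxy, so match on the forwarded header instead.
PROXY_ACL = {"DefaultAction": {"Allow": {}},
             "Rules": [geo_rule("BlockByXFF", 0, ["DE"], "Block", header="X-Forwarded-For")]}
```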
AWS OFFICIAL, updated 2 days ago
3 Comments

Thanks for pointing out the default action of ACL - that was my issue!

replied a year ago

I want to block an entire country but allow specific IPs from that country. How do I do that? The scope-down statement doesn't seem to be available using this method to allow an IP list.

Jason
replied 23 days ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
MODERATOR
replied 22 days ago