Geographic Restriction with Amazon CloudFront

My colleague Nihar Bihani sent me a guest post to announce a new and often-requested feature for Amazon CloudFront.

— Jeff;

CloudFront just added a geo-restriction feature to make it easier to restrict access to your content based on the geographic location of your viewers.

In early 2012 we published a tutorial that shows how to add geo-restriction logic to your web application using Amazon CloudFronts private content feature in combination with a third party geo-location product. Were making this process easier for you today by adding a feature that does geo-restriction at the edge locations and doesnt require you to use a third-party geo-location product.

Heres how it works. Lets say that youre an online video publisher and have rights to distribute a video to users in a single country. You therefore need a way to prevent users who arent in that country from accessing your video. You can now do this by using Amazon CloudFronts geo-restriction feature and whitelisting the country where youre allowed to distribute your video file. Then, CloudFront edge locations will first check the location of the viewer (based on their IP address) and only serve the video if the viewers IP address maps to the whitelisted country. CloudFront uses a geo-IP database behind the scene to map IP addresses to countries.

Here is another scenario. Say youre a software company and need to restrict the download of your encrypted software product by users in certain territories because of licensing terms or regulations. In this case, you can configure a blacklist of countries using the Amazon CloudFront Management Console (or our API) so CloudFront edge locations dont serve your content to any requests from one of your blacklisted countries.

Weve added a new tab in the CloudFront Management Console called Restrictions where you can first enable or disable Geo Restriction.

Once you enable the feature, you can select whether you want to configure a whitelist or blacklist of countries for your distribution. Then, you can select one or more countries from the list in the left hand box, and move those countries to the right hand box before you click the Yes, Edit button. Thats it! Once this configuration gets deployed to our worldwide edge locations (which takes a few minutes), the CloudFront edge locations will begin blocking users from certain countries based on your configuration.

For users that are blocked, CloudFront will serve an HTTP response of 403 (Forbidden). Learn more about geo-restriction with CloudFront by reading the CloudFront Developer Guide. You also have the ability to configure a custom error page with CloudFront for the 403 response so that you can serve a friendlier message to your users if you want. Learn more about Custom Error Pages.

— Nihar Bihani, Senior Product Manager

PS – In order to help you to understand and use this new feature, we will be hosting a webinar on February 4, 2014. Please sign up to attend Using Amazon CloudFront to Protect Your Content Delivery via Geo-Restriction, Private Content, and Custom SSL Certificates.