AWS News Blog

Guest Post: Geo-Blocking Content With Amazon CloudFront

Today’s guest blogger is Nihar Bihani, a Product Manager on the Amazon CloudFront team.

— Jeff;


After we launched Amazon CloudFront in November 2008, customers began asking for a way to block access to their content being delivered. We heard a variety of reasons why customers wanted to have detailed control over who is able to download their files from Amazon CloudFront. Some of the more common use cases we heard included customers wanting the ability to block content delivered by Amazon CloudFront so they could sell digital goods only to paying customers on their website, deliver training materials only to their employees and offer secure video streaming for their pay-per-view or subscription access model. We listened to their feedback and we launched Amazon CloudFronts private content feature in late 2009 for download content and in early 2010 for streaming content. These features help customers protect their content by restricting access based on date ranges, IP addresses, and IP address ranges.

More recently, we heard Amazon CloudFront customers ask for another method of blocking access to their content based on the geographic location of their viewers. One use case is a video publisher who may only have rights to distribute video to users in a single country and needs a way to prevent users who arent in that country from accessing their video. Another is a software delivery company that needs to limit the downloading of their content to certain territories because of licensing terms that prevent users in certain countries from downloading their software. Well refer to blocking access to certain countries or territories as geo-restriction.

As a result of this customer feedback, we recently published a tutorial that shows how to add geo-restriction logic to your web application using Amazon CloudFronts private content feature in combination with a third party geo-location product. The geo-location product translates your end user’s client IP address into an estimation of the end-users location. The tutorial shows you how to consume this location data and issue an Amazon CloudFront private content URL based on the results. Weve included sample code in Java, .Net, and PHP that work with two different geo-location products.

Here’s how it works:

  1. End user requests a webpage on your site.
  2. Your web server sends the end users IP address to a geo-location service.
  3. Geo-location service returns the geographic location for the end user.
  4. Your web server determines if the end user should have access to your content on Amazon CloudFront. If so, your webserver generates an Amazon CloudFront signed URL.
  5. End user browser requests the content from Amazon CloudFront using the signed URL.

Using Amazon CloudFront and a third-party geo-location service to restrict access to your content from your application also provides you with control over your end user’s experience if they are restricted from access. For end users whose access is blocked, your application can display a meaningful message instead of returning an error code. You can also customize the error message you display for your end users according to their location.

You can find the tutorial here. Please take a look at let us know what you think.

Nihar Bihani
Product Manager – Amazon CloudFront

Jeff Barr

Jeff Barr

Jeff Barr is Chief Evangelist for AWS. He started this blog in 2004 and has been writing posts just about non-stop ever since.