Behnaz shows you how to mitigate DDoS using CloudFront geo restriction


How do I use Amazon CloudFront geo restriction to whitelist or blacklist a country, so that I can allow or restrict access to web content for users in specific locations?

You can use the geo restriction feature, also known as geoblocking, to prevent users in specific geographic locations from accessing content that you're distributing through a CloudFront web distribution.

When a user requests your content, CloudFront typically serves the requested content regardless of where the user is located. If you want to prevent users in specific countries from accessing your content, you can use the CloudFront geo restriction feature to do one of the following:

  • Allow users to access your content only if they're in one of the countries on a whitelist of approved countries.
  • Prevent users from accessing your content if they're in one of the countries on a blacklist of banned countries.

Note: Because CloudFront uses GeoIP, the accuracy may vary. For additional information, see Restricting the Geographic Distribution of Your Content.

To whitelist or blacklist a country using CloudFront geo restriction:

  1. From the CloudFront console, choose the distribution that you want to apply a country restriction to.
  2. Choose the Restriction tab, and then choose Edit.
  3. From Enable-Restriction, choose Yes, and then choose Yes, Edit.
  4. For Restriction Type, choose Whitelist or Blacklist, select your countries, choose Add, and then choose Yes, Edit.

Note: Make sure that the AWS security groups on your CloudFront origin allow HTTP/HTTPS access only from the CloudFront IP ranges, so that the origin can't be reached from outside of CloudFront.
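One way to audit the security group note above, as an added example (not AWS's own code): it flags IPv4 ingress rules on ports 80/443 whose source is not contained in a CloudFront range. The sample data is constructed, in the shape of AWS's published ip-ranges.json and the IpPermissions field of EC2 DescribeSecurityGroups; the function names are hypothetical.

```python
import ipaddress

# Constructed sample shaped like AWS's ip-ranges.json (documentation prefixes, not real CloudFront ranges).
SAMPLE_IP_RANGES = {"prefixes": [
    {"ip_prefix": "198.51.100.0/24", "region": "GLOBAL", "service": "CLOUDFRONT"},
    {"ip_prefix": "203.0.113.0/25", "region": "GLOBAL", "service": "CLOUDFRONT"},
    {"ip_prefix": "192.0.2.0/24", "region": "us-east-1", "service": "EC2"},
]}

# Constructed ingress rules shaped like IpPermissions from EC2 DescribeSecurityGroups.
SAMPLE_PERMISSIONS = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "198.51.100.0/24"}, {"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [{"CidrIp": "203.0.113.64/26"}, {"CidrIp": "192.0.2.0/24"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
]
WEB_PORTS = (80, 443)

def cloudfront_networks(ip_ranges):
    """IPv4 networks that ip-ranges.json tags with service CLOUDFRONT."""
    return [ipaddress.ip_network(p["ip_prefix"])
            for p in ip_ranges["prefixes"] if p["service"] == "CLOUDFRONT"]

def covers_web_port(perm):
    """True if the rule admits TCP 80 or 443 ("-1" means all protocols)."""
    if perm["IpProtocol"] == "-1":
        return True
    return (perm["IpProtocol"] == "tcp" and
            any(perm["FromPort"] <= p <= perm["ToPort"] for p in WEB_PORTS))

def find_bypass_rules(permissions, ip_ranges):
    """Return (FromPort, ToPort, CIDR) for web rules open beyond CloudFront.
    IPv4 only: Ipv6Ranges, prefix lists and group references are not checked."""
    allowed = cloudfront_networks(ip_ranges)
    findings = []
    for perm in permissions:
        if not covers_web_port(perm):
            continue
        for rng in perm.get("IpRanges", []):
            net = ipaddress.ip_network(rng["CidrIp"])
            if not any(net.subnet_of(a) for a in allowed):
                findings.append((perm.get("FromPort"), perm.get("ToPort"), rng["CidrIp"]))
    return findings

if __name__ == "__main__":
    for finding in find_bypass_rules(SAMPLE_PERMISSIONS, SAMPLE_IP_RANGES):
        print("not restricted to CloudFront:", finding)
```

A source CIDR passes only when it lies entirely inside one CloudFront prefix, so a rule that is wider than the published range (the `203.0.113.0/24` all-protocols rule in the sample) is reported as well as `0.0.0.0/0`.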

You can use AWS WAF to monitor and restrict HTTP and HTTPS requests, and to control access to your content. You can also use CloudFront to create custom error messages when a user from a blacklisted country tries to access content. For more information, see Customizing Error Responses.

For information on DDoS protection and on using AWS Shield, see How AWS Shield Works.

Published: 2017-01-27

Updated: 2018-03-06