How do I allow or block requests from a specific country or geolocation using AWS WAF?

Last updated: 2022-07-07

Short description

Use the Geographic match rule statement to block access to your site from specific countries or to allow access only from specific countries.

To allow some web requests based on country of origin, add a geographic match rule statement for the countries that you want to allow. Then, add a second geographic match rule statement for the countries that you want to block.

Note: If you use CloudFront geo restriction to block a country from accessing your content, any request from that country is blocked and isn't forwarded to AWS WAF. If you want to allow or block requests based on geography with other AWS WAF criteria, use an AWS WAF geographic match rule statement instead.

Resolution

To allow or block requests from a specific country or geolocation using AWS WAF, do the following:

  1. Open the AWS WAF console.
  2. In the navigation pane, under AWS WAF, choose Web ACLs.
  3. For Region, select the AWS Region where you created your web ACL.
    Note: Select Global if your web ACL is set up for Amazon CloudFront.
  4. Select your web ACL.
  5. Choose Rules, and then choose Add Rules, Add my own rules and rule groups.
  6. For Rule Builder, enter a name for your rule.
    Note: The name must have one to 128 valid characters, such as A to Z, a to z, 0 to 9, - (hyphen), and _ (underscore).
  7. For If a request, choose matches the statement.
  8. For Choose an inspection option, choose Originates from a country.
  9. For Choose country codes, choose the country that you want the rule to match requests from.
  10. (Optional) Choose Source IP address or IP address in header for use in determining the country of origin.
    Warning: When a request routes through a CDN or other proxy network, the source IP address identifies the proxy. Then, the original IP address is sent in a header. Use caution when using IP address in header, as headers can be handled inconsistently by proxies, and they can be modified to bypass inspection.
  11. For Action, choose either Allow to allow requests or Block to block requests from the country chosen in step 9.
  12. Choose Add Rule.
  13. (Optional) For Set Rule Priority, select your rule and move its priority. The rules are processed in the order that they appear. For more information, see Processing order of rules and rule groups in a web ACL.
  14. Choose Save.
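
The rule that steps 6 to 13 produce can also be written as WAFv2 rule JSON. The following Python is an added example, not part of the original article: `build_geo_rule` is a hypothetical helper that assembles that JSON and enforces the name constraint from step 6. The `FallbackBehavior` choice for a missing or malformed header is an assumption of this example, and `ZZ` is a placeholder country code.

```python
import json
import re

# Rule name constraint from step 6: 1 to 128 of A-Z, a-z, 0-9, hyphen, underscore.
NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,128}$")
COUNTRY_RE = re.compile(r"^[A-Z]{2}$")  # two-letter country codes


def build_geo_rule(name, country_codes, action, priority=0, header_name=None):
    """Return a WAFv2 rule dict equivalent to console steps 6 to 13.

    header_name=None uses the source IP address; passing a header name
    switches to "IP address in header" (step 10).
    """
    if not NAME_RE.match(name):
        raise ValueError("rule name must be 1-128 chars of A-Z a-z 0-9 - _")
    if action not in ("Allow", "Block"):
        raise ValueError("action must be Allow or Block")
    codes = sorted(set(country_codes))
    if not codes or not all(COUNTRY_RE.match(c) for c in codes):
        raise ValueError("country codes must be two uppercase letters")

    geo = {"CountryCodes": codes}
    if header_name:
        # The header is client-influenced (see the warning in step 10), so
        # decide what happens when it is missing or malformed: here a Block
        # rule treats that as a match, an Allow rule treats it as no match.
        geo["ForwardedIPConfig"] = {
            "HeaderName": header_name,
            "FallbackBehavior": "MATCH" if action == "Block" else "NO_MATCH",
        }
    return {
        "Name": name,
        "Priority": priority,
        "Statement": {"GeoMatchStatement": geo},
        "Action": {action: {}},
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": name,
        },
    }


if __name__ == "__main__":
    # Constructed sample values; "ZZ" is a placeholder, not a real selection.
    print(json.dumps(build_geo_rule("block-geo-example", ["ZZ"], "Block",
                                    header_name="X-Forwarded-For"), indent=2))
```

Review the printed JSON and replace the placeholder country code before adding the rule to a web ACL.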
