Block access from specific regions using AWS Cloudfront's geo-restriction feature

My name is Teraoka and I am an infrastructure engineer.
I tried setting up geo-restriction in AWS Cloudfront. The setting itself is simple, but I thought it was practical, so I'll summarize it here.
Amazon CloudFront CDN (Content Delivery and Streaming) | AWS
■What is Cloudfront?
Cloudfront is AWS's CDN (Content Delivery Network) service. Its servers are located around the world in "edge locations".
When a user requests a URL, Cloudfront determines the user's geographic location from their IP address and returns the response from the nearest edge location.
Thanks to this mechanism, simply placing Cloudfront in front of services like EC2 and S3 removes the need to reach servers in distant locations, making it easy to speed up your website.
■What is the geographic restriction function?
I'll try using the "geo-restriction feature" mentioned in the title.
By default, Cloudfront delivers requested content regardless of the user's location.
This is convenient and appreciated, but it can be a problem when there are reasons such as:
- I want to restrict access because I frequently receive attacks from a specific area
- Access is not permitted in some countries due to copyright reasons
In such cases, Cloudfront has a feature that allows or denies access at the country level.
This is the geo-restriction feature.
Let's actually set it up and try it out.
■Let's try it out
I created a Cloudfront distribution in advance to deliver content from S3, following this earlier post:
I tried delivering a static site with AWS S3 | Beyond Co., Ltd.
If you are setting up to distribute content stored in S3,
the Origin item will be the S3 endpoint.
Make a note of the Domain Name item as you will access it later in your browser.
There is a checkbox to the left of the distribution, so check it and click Distribution Settings.

This will take you to the distribution settings screen, so
select the Restrictions tab.
The Geo Restriction item should be disabled.
Enabling this will allow you to use the geo-restriction feature.
Check the checkbox on the left and click Edit.

This will take you to the Geo-Restriction settings screen.

The Enable Geo-Restriction item should be set to No, so
if you select Yes, two new items should appear.
In Restriction Type, select the type of restriction you want to apply.
To briefly summarize each item:
| Item name | Overview |
|---|---|
| Whitelist | Sets the countries you want to allow access from; users can access the content only if they are in one of the countries on the list |
| Blacklist | Sets the countries you want to block access from; users in one of the countries on the list are denied access to the content |
This time, we will use the "Blacklist" to prohibit access from specific regions.
Select Blacklist and select a country in the Countries section.
Let's select Japan to check whether access will be prohibited.
Select JP (Japan) from the list of countries on the left and click the ADD>> button. It should then be added to the list on the right.
In this state, click Yes, Edit to complete the edit.

Cloudfront takes a while to apply the settings, so go back to the distribution list and wait until the Status changes from In Progress to Deployed.

Try accessing the CloudFront endpoint (the Domain Name you noted earlier) from your browser.

Yes, I was blocked by the Cloudfront distribution I created myself.
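The same blacklist can be set through the API instead of the console. The following is an added example, not code from the original post: it builds the `Restrictions` block that the CloudFront `DistributionConfig` expects (the same Whitelist/Blacklist/none choice as in the console), checks a viewer's country code against it, and pushes it with boto3. The boto3 calls are assumed to run with valid credentials and are not exercised here; the distribution id is a placeholder.

```python
"""Build, evaluate and apply a CloudFront GeoRestriction block."""
import re

_ALPHA2 = re.compile(r"^[A-Z]{2}$")  # CloudFront takes ISO 3166-1 alpha-2 codes


def build_geo_restriction(restriction_type, countries=()):
    """Return {"GeoRestriction": {...}} as used in DistributionConfig["Restrictions"].

    Quantity must equal the number of Items, otherwise UpdateDistribution rejects it.
    """
    rtype = restriction_type.lower()
    if rtype not in ("none", "whitelist", "blacklist"):
        raise ValueError(f"unknown RestrictionType: {restriction_type}")
    items = sorted({c.upper() for c in countries})
    bad = [c for c in items if not _ALPHA2.match(c)]
    if bad:
        raise ValueError(f"not ISO 3166-1 alpha-2 codes: {bad}")
    if rtype == "none" and items:
        raise ValueError("RestrictionType 'none' takes no countries")
    if rtype != "none" and not items:
        raise ValueError(f"RestrictionType '{rtype}' needs at least one country")
    geo = {"RestrictionType": rtype, "Quantity": len(items)}
    if items:  # Items is omitted when the type is 'none'
        geo["Items"] = items
    return {"GeoRestriction": geo}


def is_allowed(restrictions, viewer_country):
    """Mirror the edge decision: would CloudFront serve a viewer from this country?"""
    geo = restrictions["GeoRestriction"]
    code = viewer_country.upper()
    listed = code in set(geo.get("Items", []))
    if geo["RestrictionType"] == "whitelist":
        return listed
    if geo["RestrictionType"] == "blacklist":
        return not listed
    return True  # 'none': no restriction


def apply_to_distribution(distribution_id, restrictions):
    """Push the block with boto3 (needs credentials; imported lazily so the rest works offline)."""
    import boto3
    cf = boto3.client("cloudfront")
    current = cf.get_distribution_config(Id=distribution_id)
    config = current["DistributionConfig"]
    config["Restrictions"] = restrictions
    return cf.update_distribution(Id=distribution_id, IfMatch=current["ETag"],
                                  DistributionConfig=config)


if __name__ == "__main__":
    block = build_geo_restriction("Blacklist", ["jp"])  # same choice as in the console
    print(block, is_allowed(block, "JP"), is_allowed(block, "US"))  # False / True
    # apply_to_distribution("EXAMPLE_DISTRIBUTION_ID", block)  # placeholder id
```

Note that the restriction is enforced at the edge only: if the S3 origin is itself publicly reachable, a request sent straight to the bucket is not subject to it.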
What do you think?
You can restrict access with just these steps, and
I think it's a feature worth using, so please give it a try.
Until next time, thank you.