[Osaka/Yokohama/Tokushima] Looking for infrastructure/server side engineers!

[Osaka/Yokohama/Tokushima] Looking for infrastructure/server side engineers!

[Deployed by over 500 companies] AWS construction, operation, maintenance, and monitoring services

[Deployed by over 500 companies] AWS construction, operation, maintenance, and monitoring services

[Successor to CentOS] AlmaLinux OS server construction/migration service

[Successor to CentOS] AlmaLinux OS server construction/migration service

[For WordPress only] Cloud server “Web Speed”

[For WordPress only] Cloud server “Web Speed”

[Cheap] Website security automatic diagnosis “Quick Scanner”

[Cheap] Website security automatic diagnosis “Quick Scanner”

[Reservation system development] EDISONE customization development service

[Reservation system development] EDISONE customization development service

[Registration of 100 URLs is 0 yen] Website monitoring service “Appmill”

[Registration of 100 URLs is 0 yen] Website monitoring service “Appmill”

[Compatible with over 200 countries] Global eSIM “Beyond SIM”

[Compatible with over 200 countries] Global eSIM “Beyond SIM”

[If you are traveling, business trip, or stationed in China] Chinese SIM service “Choco SIM”

[If you are traveling, business trip, or stationed in China] Chinese SIM service “Choco SIM”

[Global exclusive service] Beyond's MSP in North America and China

[Global exclusive service] Beyond's MSP in North America and China

[YouTube] Beyond official channel “Biyomaru Channel”

[YouTube] Beyond official channel “Biyomaru Channel”

Block access from specific regions using AWS Cloudfront's geo-restriction feature

My name is Teraoka and I am an infrastructure engineer.


I tried setting up to block access from a specific region
using AWS Cloudfront The setup itself is simple, but I thought it was practical, so I'll summarize it here.

Amazon CloudFront CDN (content delivery and streaming) | AWS

■What is Cloudfront?

Cloudfront is an AWS CDN (Contents Delivery Network) service that
called "edge locations"
installed around the world to deliver content.
By using this "edge location",
when a user requests a URL, regional information is determined from the IP address and
a response is returned from the server located in the closest location.

you can easily speed up your website by simply installing Cloudfront in front of services such as EC2 or S3,
as there is no need to access a server in a remote location

■What is the geo-restriction function?

I will try using the "geographical restriction function" mentioned in the title.
Cloudfront's default configuration
delivers requested content regardless of the user's location.
I'm glad this is convenient.

  • I want to restrict access because I am frequently attacked from a specific area.
  • Access is not allowed in some countries for copyright reasons.

It becomes a problem when there are reasons such as this.

In such cases, you can use Cloudfront's functionality to allow or prohibit access at the country level.
This is the region restriction feature.
Let's actually set it up and use it.

■Let's try it out


I created a Cloudfront distribution in advance to distribute S3 content

I tried delivering a static site with AWS S3 | Beyond Co., Ltd.

If you are setting up to distribute content installed in S3,
the item "Origin" is the S3 endpoint.
Make a note of the Domain Name item as you will access it later with a browser.
There is a checkbox on the left, so check it and
click Distribution Settings.

2016-09-10_03h06_58

The distribution settings screen will appear, so
select the Restrictions tab.
The item Geo Restriction should be disabled.
By enabling this, you will be able to use the geo-restriction feature.
Check the checkbox on the left and click Edit.

2016-09-10_01h42_05

The Geo-Restriction setting screen will appear.

2016-09-10_03h15_41

The Enable Geo-Restriction item should be No, so
if you select Yes, two new items should be added.
For Restriction Type, select the type of restriction.
A brief summary of each...

Item name overview
Whitelist A "whitelist" allows you to set the countries you want to allow access to, and only allows users to access your content if they are in one of the countries included in the list.
Blacklist A "blacklist" sets the countries you want to block access to, and prohibits users from accessing content if they are from any of the countries included in the list.

This time, I want to prohibit access from a specific area, so I will use a "blacklist."
Select Blacklist and select a country in the Countries field.
Let's select Japan to see if access will be banned.
Select JP (Japan) from the country list on the left and click the ADD>> button.
It should then be added to the right.
In this state, click Yes, Edit to complete editing.

2016-09-10_03h38_59

Cloudfront will take some time for the settings to take effect.
Return to the list of distributions and
wait until the status changes from in progress to deployed.

2016-09-10_03h36_56

Try accessing the cloudfront endpoint from your browser.

2016-09-10_03h40_42

Yes, I was successfully blocked by Cloudfront, which I created myself.

What did you think?
You can restrict access with just these steps, and
I think it's worth using, so please give it a try.
Thank you again for this opportunity.

If you found this article helpful , please give it a like!
0
Loading...
0 votes, average: 0.00 / 10
2,691
X facebook Hatena Bookmark pocket
[2025.6.30 Amazon Linux 2 support ended] Amazon Linux server migration solution

[2025.6.30 Amazon Linux 2 support ended] Amazon Linux server migration solution

The person who wrote this article

About the author

Yuki Teraoka

Joined Beyond in 2016 and is currently in his 6th year as an Infrastructure Engineer
MSP, where he troubleshoots failures while
also designing and building infrastructure using public clouds such as AWS.
Recently, I
have been working with Hashicorp tools such as Terraform and Packer as part of building container infrastructure such as Docker and Kubernetes and automating operations, and I
also play the role of an evangelist who speaks at external study groups and seminars.

・GitHub
https://github.com/nezumisannn

・Presentation history
https://github.com/nezumisannn/my-profile

・Presentation materials (SpeakerDeck)
https://speakerdeck.com/nezumisannn

・Certification:
AWS Certified Solutions Architect - Associate
Google Cloud Professional Cloud Architect