Block access from specific regions using AWS CloudFront's geo-restriction feature
My name is Teraoka and I am an infrastructure engineer.
I tried configuring AWS CloudFront to block access from a specific region.
The setup itself is simple, but I thought it was practical, so I'll summarize it here.
■What is CloudFront?
CloudFront is AWS's CDN (Content Delivery Network) service.
It delivers content from servers called "edge locations" that are installed around the world.
When a user requests a URL, regional information is determined from the IP address and
a response is returned from the server located in the closest location.
Because there is no need to access a server in a remote location,
you can easily speed up your website simply by placing CloudFront in front of services such as EC2 or S3.
■What is the geo-restriction feature?
I will try using the "geo-restriction feature" mentioned in the title.
In its default configuration, CloudFront
delivers requested content regardless of the user's location.
That is convenient, but it becomes a problem when there are reasons such as these:
- I want to restrict access because I am frequently attacked from a specific area.
- Access is not allowed in some countries for copyright reasons.
In such cases, you can use CloudFront's functionality to allow or prohibit access at the country level.
This is the geo-restriction feature.
Let's actually set it up and use it.
■Let's try it out
I created a CloudFront distribution in advance to deliver S3 content
(related article: "I tried delivering a static site with AWS S3 | Beyond Co., Ltd.").
If the distribution is set up to deliver content stored in S3,
the Origin item is the S3 endpoint.
Make a note of the Domain Name item, as you will access it later with a browser.
Check the checkbox to the left of the distribution and
click Distribution Settings.
The distribution settings screen will appear, so
select the Restrictions tab.
The Geo Restriction item should show Disabled.
Enabling it lets you use the geo-restriction feature.
Check the checkbox on the left and click Edit.
The Geo-Restriction setting screen will appear.
The Enable Geo-Restriction item should be set to No;
if you select Yes, two new items are added.
For Restriction Type, select the type of restriction.
A brief summary of each:
Item name | Overview
---|---
Whitelist | A "whitelist" sets the countries you want to allow access from, and only lets users access your content if they are in one of the countries included in the list.
Blacklist | A "blacklist" sets the countries you want to block access from, and prohibits users from accessing content if they are in any of the countries included in the list.
This time, I want to prohibit access from a specific area, so I will use a "blacklist."
Select Blacklist and select a country in the Countries field.
Let's select Japan to see if access will be banned.
Select JP (Japan) from the country list on the left and click the ADD>> button.
It should then be added to the right.
In this state, click Yes, Edit to complete editing.
It takes some time for the settings to take effect in CloudFront.
Return to the list of distributions and
wait until the status changes from In Progress to Deployed.
Try accessing the CloudFront endpoint from your browser.
Yes, I was successfully blocked by CloudFront, which I created myself.
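The same console steps can be scripted, which makes the restriction reviewable and repeatable. This is an added example, not code from the original article: it uses boto3's CloudFront client, and the function names and the distribution ID you pass in are assumptions of the example.

```python
import copy
import re

ISO_ALPHA2 = re.compile(r"^[A-Z]{2}$")


def with_geo_restriction(dist_config, restriction_type, countries):
    """Return a copy of a CloudFront DistributionConfig with GeoRestriction set.

    restriction_type: "blacklist", "whitelist" or "none" (the API's values).
    countries: two-letter country codes such as "JP".
    """
    if restriction_type not in ("blacklist", "whitelist", "none"):
        raise ValueError(f"unknown restriction type: {restriction_type!r}")
    codes = sorted({c.strip().upper() for c in countries})
    bad = [c for c in codes if not ISO_ALPHA2.match(c)]
    if bad:
        raise ValueError(f"not two-letter country codes: {bad}")
    # "none" must come with no countries; a list type must name at least one.
    if (restriction_type == "none") == bool(codes):
        raise ValueError("country list does not fit the restriction type")

    geo = {"RestrictionType": restriction_type, "Quantity": len(codes)}
    if codes:
        geo["Items"] = codes
    updated = copy.deepcopy(dist_config)  # leave the caller's config untouched
    updated.setdefault("Restrictions", {})["GeoRestriction"] = geo
    return updated


def apply_geo_restriction(distribution_id, restriction_type, countries):
    """Read-modify-write on the live distribution (needs boto3 and credentials)."""
    import boto3  # imported here so the pure function above works without it

    cf = boto3.client("cloudfront")
    current = cf.get_distribution_config(Id=distribution_id)
    new_config = with_geo_restriction(
        current["DistributionConfig"], restriction_type, countries
    )
    # IfMatch carries the ETag so a concurrent change is rejected, not overwritten.
    cf.update_distribution(
        Id=distribution_id, IfMatch=current["ETag"], DistributionConfig=new_config
    )
    # Same wait as watching the console status go from In Progress to Deployed.
    cf.get_waiter("distribution_deployed").wait(Id=distribution_id)
    return new_config["Restrictions"]["GeoRestriction"]
```

Calling `apply_geo_restriction(<your distribution ID>, "blacklist", ["JP"])` reproduces the setting made in the console above; passing `"none"` with an empty list removes it again.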
What did you think?
You can restrict access with just these steps, and
I think it's worth using, so please give it a try.
Thank you again for this opportunity.