How do I allow or block requests from a specific country or geolocation using AWS WAF?
Use the Geographic match rule statement to block access to your site from specific countries or to allow access only from specific countries.
To allow some web requests based on country of origin, add a geographic match rule statement for the countries that you want to allow. Then, add a second geographic match rule statement for the countries that you want to block.
Note: If you use CloudFront geographic restriction to block a country from accessing your content, then any request from that country is blocked and isn't forwarded to AWS WAF. If you want to allow or block requests based on geography with other AWS WAF criteria, use an AWS WAF geographic match rule statement instead.
To allow or block requests from a specific country or geolocation using AWS WAF, do the following:
1. Open the AWS WAF console.
2. In the navigation pane, under AWS WAF, choose Web ACLs.
3. For Region, select the AWS Region where you created your web ACL.
Note: Select Global if your web ACL is set up for Amazon CloudFront.
4. Select your web ACL.
5. Choose Rules, and then choose Add Rules, Add my own rules and rule groups.
6. For Rule Builder, enter a name for your rule.
Note: The name must have one to 128 valid characters, such as A to Z, a to z, 0 to 9, - (hyphen), and _ (underscore).
7. For If a request, choose matches the statement.
8. For Choose an inspection option, choose Originates from a country.
9. For Choose country codes, choose the country that you want requests to be inspected for.
10. (Optional) Choose Source IP address or IP address in header for use in determining the country of origin.
Warning: When a request routes through a CDN or other proxy network, the source IP address identifies the proxy. Then, the original IP address is sent in a
header. Use caution when using IP address in header, as headers can be handled inconsistently by proxies, and they can be modified to bypass inspection.
11. For Action, choose either Allow to allow requests or Block to block requests from the country chosen in step 9.
Note: When choosing to block or allow requests, consider the default action set for the web ACL. If the default action is Block, then requests that come from all countries are blocked, except for countries that are explicitly allowed in this step. This is the simplest configuration to manage the geographical requests that are allowed, but this configuration doesn't provide an opportunity to inspect the requests' content.
If the default action is Allow, then you can create a negate (NOT) rule to specify the countries that must not be blocked. The action on this rule must be block. This creates a rule that doesn't block requests from the countries that you want to allow, but also doesn't explicitly allow them. Requests must wait to pass other user-defined rules, such as inspections for malicious content, before being allowed by the default action. This is a more robust configuration.
12. Choose Add Rule.
13. (Optional) For Set Rule Priority, select your rule, and then move its priority. The rules are processed in the order that they appear.
For more information, see Processing order of rules and rule groups in a web ACL.
14. Choose Save.