CloudFront Geographic Restriction

TOC

CloudFront Geographic Restriction

This page is also one of the AWS SAA’s topics on designing secure applications and architectures.

We will review one of CloudFront’s features, geo-restriction.

If you need to prevent users in specific countries from accessing your content, you can use the CloudFront geographic restrictions feature to do one of the following:

・Allow your users to access your content only if they’re in one of the approved countries on your allow list.

・Prevent your users from accessing your content if they’re in one of the banned countries on your block list.

Restricting the geographic distribution of your content

This time, we will set up a geographic restriction using the whitelist method and check the actual behavior.

Environment

Diagram of CloudFront Geographic Restriction

Create three VPCs.
One is a VPC for the web servers that will be geo-restricted by CloudFront.
The VPC will be created in the Tokyo Region (ap-northeast-1).
The origin server for CloudFront is the latest Amazon Linux 2-based EC2 instance.
Apache is installed and configured to run as a web server and return its own instance ID.

The other two are test VPCs.
We will build exactly the same environment in the Tokyo Region and Virginia Region (us-east-1).
Create an EC2 instance for accessing the web server, and access the web server for verification.

CloudFormation template files

The above configuration is built with CloudFormation.
The CloudFormation template is located at the following URL

https://github.com/awstut-an-r/awstut-saa/tree/main/03/001

Explanation of points in template files

Configure whitelist-style geographic restrictions in CloudFront

This section will focus on confirming settings related to geographic restrictions.
For information on how to set up an EC2 instance as an origin server for CloudFront and how to configure the cache, see the following page.

あわせて読みたい
Improved Origin Server Performance with CloudFront Cache 【Configuration using CloudFront cache to reduce number of requests to origin server】 This is one of the topics covered in AWS SAA, which is about designing...
Resources:
  CloudFront:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        DefaultCacheBehavior:
          AllowedMethods:
            - GET
            - HEAD
          CachedMethods:
            - GET
            - HEAD
          Compress: true
          ForwardedValues:
            Cookies:
              Forward: none
            QueryString: false
          TargetOriginId: !Ref InstancePublicDnsName
          ViewerProtocolPolicy: allow-all
          DefaultTTL: !Ref CacheTTL
          MaxTTL: !Ref CacheTTL
          MinTTL: !Ref CacheTTL
        Enabled: true
        Origins:
          - CustomOriginConfig:
              OriginProtocolPolicy: http-only
              HTTPPort: !Ref HTTPPort
            DomainName: !Ref InstancePublicDnsName
            Id: !Ref InstancePublicDnsName
        PriceClass: PriceClass_All
        Restrictions:
          GeoRestriction:
            Locations:
              - !Ref GeoRestrictionLocation
            RestrictionType: whitelist
Code language: YAML (yaml)

The key parameter for setting geographic restrictions is the GeoRestriction property within the Restrictions property.
In the RestrictionType property, you can select the restriction method from either the whitelist method or the blacklist method. In this case, we will use the former, so “whitelist” is specified.
Specify the target country in the Locations property. This time, we will use the whitelist method to restrict access, so only access from the specified country will be allowed. This time, using the built-in function Fn::Ref, specify “JP” to allow access only from Japan.

Architecting

Using CloudFormation, we will build this environment and check the actual behavior.

Create CloudFormation stacks and check resources in stacks

Create a CloudFormation stack.
In this case, we will create 3 VPCs and create a stack for each VPC.
The following is a command to create a stack by referencing a template file placed on an S3 bucket.

$ aws cloudformation create-stack \
--stack-name saa-03-001 \
--template-url https://[s3-bucket-url]/saa-03-001.yaml \
--capabilities CAPABILITY_IAM \
--region ap-northeast-1

$ aws cloudformation create-stack \
--stack-name saa-03-001-test \
--template-url https://[s3-bucket-url]/saa-03-001-test.yaml \
--capabilities CAPABILITY_IAM \
--region ap-northeast-1

$ aws cloudformation create-stack \
--stack-name saa-03-001-test \
--template-url https://[s3-bucket-url]/saa-03-001-test.yaml \
--capabilities CAPABILITY_IAM \
--region us-east-1
Code language: Bash (bash)

For information on how to create stacks and check each stack, please refer to the following page

あわせて読みたい
CloudFormation’s nested stack 【How to build an environment with a nested CloudFormation stack】 Examine nested stacks in CloudFormation. CloudFormation allows you to nest stacks. Nested ...

After checking the resources for each stack, the following is the information on the main resources created in this case.

  • Web server instance ID: i-0ad8cf475359b2566
  • Public DNS for the web server: ec2-18-176-173-96.ap-northeast-1.compute.amazonaws.com
  • Instance ID of test client (Tokyo Region): i-05f2bf8cfdcfcf971
  • Instance ID for test client (Virginia Region): i-07fdf65d6a22d9422

The AWS Management Console also checks the status of the created CloudFront.

Domain name of the CloudFront distribution
CloudFront Origin server
CloudFront Geographic Restriction

The CloudFront distribution has been successfully created.
You can see that the domain name of the created distribution is “d1ck6twa84zr1c.cloudfront.net”.
You can see that an EC2 instance has been set as the origin server.
You can see that only access from Japan is allowed as a geographical restriction.

Operation Verification 1: Accessing from region permitted by geographical restriction

Now that we are ready, we will check the actual behavior.
First, access is attempted from the verification environment on the Tokyo Region side.

Access an instance in the same environment using SSM Session Manager.
Please refer to the following page for details on accessing instances using this service.

あわせて読みたい
Accessing Linux instance via SSM Session Manager 【Configure Linux instances to be accessed via SSM Session Manager】 We will check a configuration in which an EC2 instance is accessed via SSM Session Manag...
% aws ssm start-session \
--target i-05f2bf8cfdcfcf971
--region ap-northeast-1

sh-4.2$ 
Code language: Bash (bash)

The site has been accessed successfully.

Continue to access CloudFront for verification.

sh-4.2$ curl https://d1ck6twa84zr1c.cloudfront.net
instance-id: i-0ad8cf475359b2566
Code language: Bash (bash)

Normal access was achieved.
Thus, access from countries specified in the white list was possible as normal.

Operation Verification 2: Accessing from regions not allowed by geographical restrictions

This time, access is attempted from the verification environment on the Virginia region side.

% aws ssm start-session -\
-target i-07fdf65d6a22d9422 \
--region us-east-1

sh-4.2$ 
Code language: Bash (bash)

Successfully accessed.

Access and verify CloudFront as before.

sh-4.2$ curl https://d1ck6twa84zr1c.cloudfront.net
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<HTML><HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<TITLE>ERROR: The request could not be satisfied</TITLE>
</HEAD><BODY>
<H1>403 ERROR</H1>
<H2>The request could not be satisfied.</H2>
<HR noshade size="1px">
The Amazon CloudFront distribution is configured to block access from your country.
We can't connect to the server for this app or website at this time. There might be too much traffic or a configuration error. Try again later, or contact the app or website owner.
<BR clear="all">
If you provide content to customers through CloudFront, you can find steps to troubleshoot and help prevent this error by reviewing the CloudFront documentation.
<BR clear="all">
<HR noshade size="1px">
<PRE>
Generated by cloudfront (CloudFront)
Request ID: qx0x5Uy6vGqeHrpIyE1pTBV73_twJfRSGOFuZZhKFaK5VzPDzV1LpQ==
</PRE>
<ADDRESS>
</ADDRESS>
</BODY></HTML>sh-4.2$
Code language: Bash (bash)

An error page is displayed and access has failed.
The error message indicates that access from the country where the instance is hosted (the U.S.) is restricted due to CloudFront’s geo-restriction function.
Thus, by using CloudFront’s geo-restriction function, access from a specific country could be restricted.

Summary

We have seen that CloudFront can be used to restrict access to content based on geography.
We confirmed that geographic restrictions can be set using either the whitelist or blacklist method.

TOC