Restricting access to a Web Application based on Geolocation using AWS WAF

Introduction

Securing web applications against unauthorized access is paramount in today’s digital landscape. One effective method to enhance security is restricting access based on geographic location.

This can help organizations comply with regional regulations, protect against malicious traffic from specific areas, and optimize performance by serving content closer to the end-users.

In this blog post, we will explore how to leverage AWS Web Application Firewall (WAF) and Application Load Balancer (ALB) to implement geolocation-based access control for your web application. Whether you aim to block traffic from certain countries or only allow access from specific regions, AWS provides robust tools to enforce these policies seamlessly. Let’s dive into the step-by-step process to secure your application and ensure it operates within the desired geographic boundaries.

Pre-requisite

Before diving into the configuration steps, ensure that you have the following prerequisites in place:

  1. AWS Account: You need an active AWS account with the necessary permissions to create and manage AWS WAF, ALB, and related resources.
  2. Web Application: Your web application should already be deployed and running and accessible through an Application Load Balancer (ALB).
  3. Basic Understanding of AWS Services:
    • AWS WAF: Familiarity with AWS Web Application Firewall (WAF) and its core concepts.
    • ALB: Understanding of Application Load Balancer (ALB) and its configuration.
    • AWS IAM: Basic knowledge of AWS Identity and Access Management (IAM) to manage permissions.

Step-by-Step Guide

Step 1: Access the AWS WAF and Shield Console

  1. Sign in to the AWS Management Console.
  2. In the navigation bar, choose the region where your resources are located.
  3. Navigate to the AWS WAF & Shield console by typing “WAF” in the search bar and selecting “AWS WAF & Shield”.

Step 2: Create a WebACL

  1. In the AWS WAF & Shield console, select “Web ACLs” from the left-hand menu.
  2. Click on the “Create web ACL” button.

Step 3: Configure Basic Settings

  1. Name: Enter a descriptive name for your WebACL.
  2. Amazon CloudWatch metric name: Enter a name for the Amazon CloudWatch metric that AWS WAF will create.
  3. Region: Select the region where you want to create the WebACL.
  4. Resource type: Select “Regional (for resources in one AWS region)”.

Step 4: Add Rules and Rule Groups

  1. Click on “Next”.
  2. In the “Add rules and rule groups” section, click “Add my own rules and rule groups”.
  3. Click “Add rule” and select “Add my own rule and rule group”.

Step 5: Configure the Geolocation Rule

  1. Rule type: Select “Rule builder”.
  2. Rule name: Enter a name for your rule (e.g., “AllowOnlyUS”).
  3. Conditions: Click “Add condition” and select “Geographic match”.
  4. Countries: Choose the countries or regions you want to allow or block.
    • For example, select “United States” if you only want to allow traffic from the US.
  5. Action: Choose the action to perform when a request matches the rule.
    • Select “Allow” if you want to allow traffic from the selected regions.
    • Select “Block” if you want to block traffic from the selected regions.
  6. Click “Save rule”.

Step 6: Set Default Action

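  1. In the “Default web ACL action” section, choose the default action for requests that don’t match any rules.
    • Select “Block” to block all requests by default. This is the setting that makes an “Allow” geolocation rule such as “AllowOnlyUS” restrictive, because requests from every other country fall through to the default action.
    • Select “Allow” to allow all requests by default. Use this when the geolocation rule's action is “Block”.
  2. Click on “Next”.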

Step 7: Review and Create WebACL

  1. Review your WebACL configuration.
  2. Click on “Create web ACL” to finalize the creation of the WebACL.

Your WebACL has been created, and you can associate it with your Application Load Balancer (ALB) to enforce geolocation-based access control.

Step 8: Associate it to ALB

  1. Open the web ACL, go to the “Associated AWS resources” tab, and click on “Add AWS Resource”.
  2. Choose the ALB which is serving the web application.
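The console steps above can also be expressed as code. The following is an added example, not part of the original post: it builds the same web ACL as a WAFv2 `create_web_acl` request and evaluates it locally, showing that an “Allow” geolocation rule only restricts access when the default action is “Block”. The function names, the country codes, and the ALB ARN and region passed to `deploy` are assumptions.

```python
def build_geo_web_acl(name, countries, mode="allow"):
    """Return kwargs for wafv2 create_web_acl that mirror Steps 3-6.

    mode="allow": only `countries` may reach the app (rule Allow, default Block).
    mode="block": `countries` are denied (rule Block, default Allow).
    """
    if mode not in ("allow", "block"):
        raise ValueError("mode must be 'allow' or 'block'")
    codes = sorted({c.upper() for c in countries})
    if not codes or any(len(c) != 2 or not c.isalpha() for c in codes):
        raise ValueError("countries must be two-letter ISO 3166-1 codes")
    rule_action, default = ("Allow", "Block") if mode == "allow" else ("Block", "Allow")

    def visibility(metric):
        return {"SampledRequestsEnabled": True,
                "CloudWatchMetricsEnabled": True, "MetricName": metric}

    return {
        "Name": name,
        "Scope": "REGIONAL",              # Step 3: regional resource type (ALB)
        "DefaultAction": {default: {}},   # Step 6: applies when no rule matches
        "Rules": [{
            "Name": f"{name}-geo",        # Step 5: the geographic match rule
            "Priority": 0,
            "Statement": {"GeoMatchStatement": {"CountryCodes": codes}},
            "Action": {rule_action: {}},
            "VisibilityConfig": visibility(f"{name}-geo"),
        }],
        "VisibilityConfig": visibility(name),
    }


def decide(acl, country):
    """Local model of evaluation: first matching rule by priority, else the default."""
    for rule in sorted(acl["Rules"], key=lambda r: r["Priority"]):
        if country.upper() in rule["Statement"]["GeoMatchStatement"]["CountryCodes"]:
            return next(iter(rule["Action"]))
    return next(iter(acl["DefaultAction"]))


def deploy(acl, alb_arn, region):
    """Create the web ACL and attach it to the ALB (Steps 7-8). Needs boto3 and credentials."""
    import boto3
    waf = boto3.client("wafv2", region_name=region)
    arn = waf.create_web_acl(**acl)["Summary"]["ARN"]
    waf.associate_web_acl(WebACLArn=arn, ResourceArn=alb_arn)
    return arn
```

`decide` is useful as a pre-deployment check: run it against the request dictionary for one allowed and one disallowed country before calling `deploy`.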

Benefits

  • Enhanced Security: Reduces the attack surface by blocking traffic from regions known for malicious activities.
  • Regulatory Compliance: Helps adhere to data sovereignty and privacy laws by restricting access to specific geographic regions.
  • Improved Performance and Latency: Optimizes performance by prioritizing traffic from regions closer to your data centers.
  • Cost Efficiency: Lowers bandwidth and resource usage costs by reducing unnecessary traffic.
  • Customizable and Scalable: Easily update and modify geolocation rules to meet changing business needs with automatic scalability.

Conclusion

Implementing geolocation-based access control using AWS WAF and ALB is a powerful strategy to enhance the security and compliance of your web application. By leveraging AWS’s robust tools, you can easily restrict access to specific geographic regions, ensuring your application is protected and optimized for your target audience. This setup helps adhere to regulatory requirements, improves performance, and reduces costs by filtering out unnecessary traffic. AWS WAF allows you to adapt your access control policies as your business grows and evolves. Start using geolocation-based access control today to take a proactive step towards a more secure and efficient web application environment.

FAQs

1. Can I allow access from multiple countries using AWS WAF?

ANS: – Yes, you can configure AWS WAF to allow access from multiple countries by specifying them in the geolocation rule within your WebACL.

2. How do I test if my geolocation-based access control is working correctly?

ANS: – You can use a VPN or proxy service to simulate requests from different geographic locations and verify if the access control rules are correctly allowing or blocking traffic.
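The same question can be answered from the WAF side by auditing its logs. This is an added example, not part of the original post: it assumes logging is enabled on the web ACL and that the policy is an allow-list of US only, and the log lines are constructed samples in the AWS WAF JSON log format.

```python
import json

# Constructed sample records (one JSON object per line); all values are made up.
SAMPLE_LOGS = """\
{"timestamp": 1718000000000, "action": "ALLOW", "terminatingRuleId": "AllowOnlyUS", "httpRequest": {"clientIp": "198.51.100.7", "country": "US", "uri": "/"}}
{"timestamp": 1718000001000, "action": "BLOCK", "terminatingRuleId": "Default_Action", "httpRequest": {"clientIp": "203.0.113.9", "country": "FR", "uri": "/login"}}
{"timestamp": 1718000002000, "action": "ALLOW", "terminatingRuleId": "Default_Action", "httpRequest": {"clientIp": "203.0.113.44", "country": "DE", "uri": "/admin"}}
not-json debris line
"""


def audit_allow_list(log_text, allowed_countries):
    """Return ALLOW records whose source country is outside the allow-list.

    Each finding names the terminating rule, which shows why the request got
    through (for example a default action that was left at Allow).
    """
    allowed = {c.upper() for c in allowed_countries}
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip lines that are not WAF JSON records
        req = rec.get("httpRequest", {})
        country = req.get("country")
        if rec.get("action") == "ALLOW" and country not in allowed:
            findings.append({
                "line": lineno,
                "clientIp": req.get("clientIp"),
                "country": country,
                "uri": req.get("uri"),
                "terminatingRuleId": rec.get("terminatingRuleId"),
            })
    return findings


if __name__ == "__main__":
    for f in audit_allow_list(SAMPLE_LOGS, ["US"]):
        print(f)
```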

WRITTEN BY Avinash Kumar

Avinash Kumar is a Senior Research Associate at CloudThat, specializing in Cloud Engineering, NodeJS development, and Google Cloud Platform. With his skills, he creates innovative solutions that meet the complex needs of today's digital landscape. He's dedicated to staying at the forefront of emerging cloud technologies.
