Restricting access to a Web Application based on Geolocation using AWS WAF

Introduction

Securing web applications against unauthorized access is paramount in today’s digital landscape. One effective method to enhance security is restricting access based on geographic location.

In this blog post, we will explore how to leverage AWS Web Application Firewall (WAF) and Application Load Balancer (ALB) to implement geolocation-based access control for your web application. Whether you aim to block traffic from certain countries or only allow access from specific regions, AWS provides robust tools to enforce these policies seamlessly. Let’s dive into the step-by-step process to secure your application and ensure it operates within the desired geographic boundaries.

Pre-requisite

Before diving into the configuration steps, ensure that you have the following prerequisites in place:

1. AWS Account: You need an active AWS account with the necessary permissions to create and manage AWS WAF, ALB, and related resources.
2. Web Application: Your web application should already be deployed and running and accessible through an Application Load Balancer (ALB).
3. Basic Understanding of AWS Services:
   • AWS WAF: Familiarity with AWS Web Application Firewall (WAF) and its core concepts.
   • ALB: Understanding of Application Load Balancer (ALB) and its configuration.
   • AWS IAM: Basic knowledge of AWS Identity and Access Management (IAM) to manage permissions.

Step-by-Step Guide

Step 1: Access the AWS WAF and Shield Console

1. Sign in to the AWS Management Console.
2. In the navigation bar, choose the region where your resources are located.
3. Navigate to the AWS WAF & Shield console by typing “WAF” in the search bar and selecting “AWS WAF & Shield”.

Step 2: Create a WebACL

1. In the AWS WAF & Shield console, select “Web ACLs” from the left-hand menu.
2. Click on the “Create web ACL” button.

Step 3: Configure Basic Settings

1. Name: Enter a descriptive name for your WebACL.
2. Amazon CloudWatch metric name: Enter a name for the Amazon CloudWatch metric that AWS WAF will create.
3. Region: Select the region where you want to create the WebACL.

• Resource type: Select “Regional (for resources in one AWS region)”.

Step 4: Add Rules and Rule Groups

1. Click on “Next”.
2. In the “Add rules and rule groups” section, click “Add my own rules and rule groups”.
3. Click “Add rule” and select “Add my own rule and rule group”.

Step 5: Configure the Geolocation Rule

1. Rule type: Select “Rule builder”.
2. Rule name: Enter a name for your rule (e.g., “AllowOnlyUS”).
3. Conditions: Click “Add condition” and select “Geographic match”.
4. Countries: Choose the countries or regions you want to allow or block.
5. For example, select “United States” if you only want to allow traffic from the US.
6. Action: Choose the action to perform when a request matches the rule.
7. Select “Allow” if you want to allow traffic from the selected regions.
8. Select “Block” if you want to block traffic from the selected regions.
9. Click “Save rule”.

Step 6: Set Default Action

1. In the “Default web ACL action” section, choose the default action for requests that don’t match any rules.
2. Select “Block” to block all requests by default.
3. Select “Allow” to allow all requests by default.
4. Click on “Next”.

Step 7: Review and Create WebACL

1. Review your WebACL configuration.

• Click on “Create web ACL” to finalize the creation of the WebACL.

Your WebACL has been created, and you can associate it with your Application Load Balancer (ALB) to enforce geolocation-based access control.

Step 8: Associate it to ALB

1. Go inside the web ACL and associated AWS resources tab and click on “Add AWS Resouce”

2. Choose the ALB which is serving the web application.

Benefits

• Enhanced Security: Reduces the attack surface by blocking traffic from regions known for malicious activities.
• Regulatory Compliance: Helps adhere to data sovereignty and privacy laws by restricting access to specific geographic regions.
• Improved Performance and Latency: Optimizes performance by prioritizing traffic from regions closer to your data centers.
• Cost Efficiency: Lowers bandwidth and resource usage costs by reducing unnecessary traffic.
• Customizable and Scalable: Easily update and modify geolocation rules to meet changing business needs with automatic scalability.

Conclusion

Implementing geolocation-based access control using AWS WAF and ALB is a powerful strategy to enhance the security and compliance of your web application. By leveraging AWS’s robust tools, you can easily restrict access to specific geographic regions, ensuring your application is protected and optimized for your target audience. This setup helps adhere to regulatory requirements, improves performance, and reduces costs by filtering out unnecessary traffic. AWS WAF allows you to adapt your access control policies as your business grows and evolves. Start using geolocation-based access control today to take a proactive step towards a more secure and efficient web application environment.

Drop a query if you have any questions regarding AWS WAF and we will get back to you quickly.

About CloudThat