Monday, June 30, 2025

CloudFront Geo Restriction.

 

CloudFront Geo Restriction (also called Geo Blocking) lets twtech allow or block content delivery to users based on their geographic location.

This feature helps comply with content licensing agreements or limit access from specific regions.

How CloudFront Geo Restriction Works

When a viewer requests content via CloudFront, the service detects the viewer’s country using the IP address. Based on the geo restriction rules twtech has configured, CloudFront either:

·        Allows access, or

·        Blocks access and returns an HTTP 403 Forbidden error

 Use Cases

·        License restrictions: Block streaming content in countries where it’s not licensed.

·        Compliance: Prevent access from sanctioned countries.

·        Security: Restrict regions with high abuse traffic.

·        Marketing: Target content only to specific countries.

 Configuration Options

CloudFront supports two modes of geo restriction:

| Mode | Description |
|------|-------------|
| Allow list | Only specified countries can access your content. Others receive 403 errors. |
| Block list | All countries except those specified can access your content. |

How to Set It Up

Via AWS Console:

1.     Go to CloudFront in the AWS Console.

2.     Select your distribution.

3.     Go to the “Restrictions” tab.

4.     Under Geo restriction, choose:

o   Blacklist (block countries)

o   Whitelist (allow only specific countries)

5.     Select countries from the list.

6.     Save changes.

Via AWS CLI:

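#  bash
# --distribution-config must hold the complete DistributionConfig, and
# --if-match the ETag returned by `aws cloudfront get-distribution-config`.
aws cloudfront update-distribution \
  --id YOUR_DISTRIBUTION_ID \
  --distribution-config file://config.json \
  --if-match E2QWRUHAPOMQZL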

Include this in config.json:

#  json
"Restrictions": {
  "GeoRestriction": {
    "RestrictionType": "blacklist",
    "Quantity": 2,
    "Items": ["CN", "RU"]
  }
}
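`update-distribution` replaces the whole distribution configuration, so config.json has to be the full `DistributionConfig` from `aws cloudfront get-distribution-config` with only the `GeoRestriction` block changed. The Python sketch below is an added example, not part of the original post: it takes that response, validates the country codes, keeps `Quantity` in step with `Items`, and returns the ETag for `--if-match`. The function names, the refusal of an empty allow or block list, and the trimmed sample response are assumptions made for illustration.

```python
import copy
import json
import re
import sys

VALID_TYPES = {"whitelist", "blacklist", "none"}  # API values: allow list, block list, off
ALPHA2 = re.compile(r"[A-Z]{2}")  # shape check only, not a lookup against ISO 3166-1


def build_geo_restriction(restriction_type, countries):
    """Return a GeoRestriction block whose Quantity always matches Items."""
    if restriction_type not in VALID_TYPES:
        raise ValueError(f"unknown RestrictionType: {restriction_type!r}")
    codes = sorted({c.strip().upper() for c in countries})  # normalise and de-duplicate
    bad = [c for c in codes if not ALPHA2.fullmatch(c)]
    if bad:
        raise ValueError(f"not alpha-2 country codes: {bad}")
    if restriction_type == "none":
        if codes:
            raise ValueError("RestrictionType 'none' takes no countries")
        return {"RestrictionType": "none", "Quantity": 0}
    if not codes:  # guard chosen for this example: refuse an empty allow/block list
        raise ValueError(f"{restriction_type} needs at least one country")
    return {"RestrictionType": restriction_type, "Quantity": len(codes), "Items": codes}


def apply_geo_restriction(get_config_response, restriction_type, countries):
    """Take `get-distribution-config` output; return (etag, full updated config)."""
    etag = get_config_response["ETag"]
    config = copy.deepcopy(get_config_response["DistributionConfig"])  # leave input intact
    config.setdefault("Restrictions", {})["GeoRestriction"] = build_geo_restriction(
        restriction_type, countries)
    return etag, config


# Constructed sample, trimmed to a few fields; a real response carries the whole config.
SAMPLE = {
    "ETag": "ETAG-PLACEHOLDER",
    "DistributionConfig": {
        "Comment": "twtech-cloudfront-distribution",
        "PriceClass": "PriceClass_100",
        "Restrictions": {"GeoRestriction": {"RestrictionType": "none", "Quantity": 0}},
    },
}

if __name__ == "__main__":
    etag, config = apply_geo_restriction(SAMPLE, "blacklist", ["cn", "RU"])
    json.dump(config, sys.stdout, indent=2)  # redirect stdout to config.json
    print(f"\n# pass to --if-match: {etag}", file=sys.stderr)
```

Write the returned config to config.json and pass the returned ETag to `--if-match`; every other field of the distribution is carried over unchanged.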

twtech Notes & Best Practices

·        Country code format: Uses ISO 3166-1 alpha-2 codes, e.g., US, IN, CN.

·        Not 100% foolproof: Users can bypass restrictions using VPNs/proxies.

·        Per-request behavior: The restriction is applied before the origin request is made.

 

Project: Hands-on

How twtech enables geo restriction on its CloudFront distribution:

Select the cloudfront distribution to configure and click open: twtech-cloudfront-distribution

Go to security tab for: twtech-cloudfront-distribution

Navigate to CloudFront geographic restrictions and: Edit countries

From: none

To:

Set up countries for: Allow list

NB:

Any country not included in the allow list is automatically moved to the block list and vice versa

Save changes:


twtech insights:


 

The difference between CloudFront price classes 200, 100 and All.

CloudFront Price Classes (100, 200, All) allow you to control costs by choosing which edge locations your content is delivered from. The fewer locations you use, the cheaper it can be — but possibly at the cost of slightly higher latency for some users.

 CloudFront Price Class Comparison

| Price Class | Includes Edge Locations In | Use Case Example |
|-------------|----------------------------|------------------|
| Price Class 100 | North America & Europe only | Cost-sensitive global sites targeting U.S./EU |
| Price Class 200 | North America, Europe, Asia, Middle East, Africa | Broader global audience, balanced cost/performance |
| Price Class All | All edge locations worldwide | Lowest latency & best performance globally |

 

 What It Actually Does

  • Performance vs. Cost Tradeoff:
    • Price Class 100: Uses fewer edge locations → cheaper, but higher latency for users far from NA/EU
    • Price Class All: Uses all edge locations → lowest latency, but higher cost
  • Behind the Scenes:
    CloudFront automatically maps requests to the closest location within your selected price class.

 Cost Difference (Indicative)

Region

Price Class 100

Price Class 200

Price Class All

U.S./EU

Asia

South America

❌ (some)

Australia

❗ You are billed based on which edge locations served your content, not by which class you selected.

✅ When to Use Which

  • Price Class 100:
    Best for cost optimization when twtech users are mainly in North America and Europe.
  • Price Class 200:
    A good middle ground if twtech wants better performance in Asia, Africa, and Middle East without paying for South America/Australia.
  • Price Class All:
    Use when performance is a priority and twtech users are truly global.

How twtech Sets PriceClass: CLI

In the AWS Console or via CloudFormation/CLI when creating or updating a distribution:

#  json

"PriceClass": "PriceClass_100"

Options:

  • PriceClass_100
  • PriceClass_200
  • PriceClass_All

