Monday, June 30, 2025

CloudFront Geo Restriction | Overview & Hands-On.

CloudFront Geo Restriction - Overview.

Scope:

  • Intro,
  • How  CloudFront Geo Restriction Works,
  • Use Cases,
  • Configuration Options,
  • How to Set It Up Via AWS Console,
  • How to Set It Up Via AWS CLI,
  • Best Practices,
  • Insights,
  • Project: Hands-on.

Intro:

  • CloudFront Geo Restriction (also called Geo Blocking) allows twtech to allow or block content delivery to users based on their geographic location.
  • This feature helps comply with content licensing agreements or limit access from specific regions.

How  CloudFront Geo Restriction Works

When a viewer requests content via CloudFront, the service detects the viewer’s country using the IP address. Based on the geo restriction rules twtech has configured, CloudFront either:

  •         Allows access, or
  •         Blocks access and returns an HTTP 403 Forbidden error

 Use Cases

  •         License restrictions: Block streaming content in countries where it’s not licensed.
  •         Compliance: Prevent access from sanctioned countries.
  •         Security: Restrict regions with high abuse traffic.
  •         Marketing: Target content only to specific countries.

 Configuration Options

CloudFront supports two modes of geo restriction:

Mode

Description

Allow list

Only specified countries can access twtech content. Others receive 403 errors.

Block list

All countries except those specified can access twtech content.

How to Set It Up Via AWS Console:

1.     Go to CloudFront in the AWS Console.

2.     Select the distribution.

3.     Go to the Restrictions tab.

4.     Under Geo restriction, choose:

o   Blacklist (block countries)

o   Whitelist (allow only specific countries)

5.     Select countries from the list.

6.     Save changes.

How to Set It Up Via AWS CLI:

#  bash
 aws cloudfront update-distribution \
  --id twtech_DISTRIBUTION_ID \
  --distribution-config file://config.json \
  --if-match E2QWRUHAPOMQZL

# Include this in config.json:

#  json
"Restrictions": {
  "GeoRestriction": {
    "RestrictionType": "blacklist",
    "Quantity": 2,
    "Items": ["CN", "IN"]
  }
}

twtech  Best Practices

  •         Country code format: Uses ISO 3166-1 alpha-2 codes, e.g., US, IN, CN.
  •         Not 100% foolproof: Users can bypass restrictions using VPNs/proxies.
  •         Per-request behavior: The restriction is applied before the origin request is made.

twtech Insights:

The different between cloudfront price classes: 200, 100 & all (other locations not categorized).

  • CloudFront Price Classes (100, 200, All) allow twtech to control costs by choosing which edge locations its content is delivered from. 
  • The fewer locations twtech uses, the cheaper it can be — but possibly at the cost of slightly higher latency for some users.

 CloudFront Price Class Comparison

Price Class

Includes Edge Locations In

Use Case Example

Price Class 100

North America & Europe only

Cost-sensitive global sites targeting U.S./EU

Price Class 200

North America, Europe, Asia, Middle East, Africa

Broader global audience, balanced cost/performance

Price Class All

All edge locations worldwide

Lowest latency & best performance globally

 What It Actually Does

  • Performance vs. Cost Tradeoff:
    • Price Class 100: Uses fewer edge locations → cheaper, but higher latency for users far from NA/EU
    • Price Class All: Uses all edge locations → lowest latency, but higher cost
  • Behind the Scenes:
    CloudFront automatically maps requests to the closest location within your selected price class.

 Cost Difference (Indicative)

Region

Price Class 100

Price Class 200

Price Class All

U.S./EU

Asia

South America

 (some)

Australia

NB:

  •  twtech is billed based on which edge locations served its content, not by which class it selected.

✅ When to Use Which

  • Price Class 100:
    Best for cost optimization when twtech users are mainly in North America and Europe.
  • Price Class 200:
    A good middle ground if twtech want better performance in Asia, Africa, and Middle East without paying for South America/Australia.
  • Price Class All:
    Use when performance is a priority and twtech users are truly global.

How twtech Set PriceClass: CLI

In the AWS Console or via CloudFormation/CLI when creating or updating a distribution:

#  json

"PriceClass": "PriceClass_100"

Options:

  • PriceClass_100
  • PriceClass_200
  • PriceClass_All



Project: Hands-on

  • How twtech enables geo restriction on its cloudfron distribution:
  • Select the cloudfront distribution to configure and click open: twtech-cloudfront-distribution

  • Go to security tab for: twtech-cloudfront-distribution
  • Navigate to cloudfront  geoprahic restrictions and: Edit countries

From: none

To:

  • Setup countries for:  Allow list

NB:

  • Any country not included in the allow list is automatically moved to the block list and vice versa

  • Save changes:




at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Amazon EventBridge | Overview.

Amazon EventBridge - Overview. Scope: Intro, Core Concepts, Key Benefits, Link to official documentation, What EventBridge  Really  Is (Deep...