AWS WAF and AWS Shield Advanced
Developer Guide (API Version 2015-08-24)

Working with Geographic Match Conditions

If you want to allow or block web requests based on the country that the requests originate from, create one or more geo match conditions. A geo match condition lists countries that your requests originate from. Later in the process, when you create a web ACL, you specify whether to allow or block requests from those countries.

You can use geo match conditions with other AWS WAF conditions or rules to build sophisticated filtering. For example, if you want to block certain countries, but still allow specific IP addresses from those countries, you could create a rule containing a geo match condition and an IP match condition. Configure the rule to block requests that originate from those countries and do not match the approved IP addresses. As another example, if you want to prioritize resources for users in a particular country, you could include a geo match condition in two different rate-based rules. Set a higher rate limit for users in the preferred country and set a lower rate limit for all other users.
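The first combination above, modelled locally as an added example (not code from the AWS guide and not an AWS API call): a block rule whose geo match predicate is ANDed with a negated IP match predicate, next to the same rule with the negation left off. The set names, the country code and the addresses are constructed, and the request's country is passed in directly as an assumption, whereas AWS WAF determines it from the request itself.

```python
import ipaddress

# Constructed sample data (not from the guide): one blocked country and an
# approved range taken from the documentation-reserved 203.0.113.0/24 block.
GEO_SETS = {"geo-blocked": {"NL"}}
IP_SETS = {"ip-approved": [ipaddress.ip_network("203.0.113.0/28")]}

# Predicates use the WAF Classic fields Type, DataId and Negated.
# A rule matches only when every predicate is satisfied (logical AND).
BLOCK_RULE = [
    {"Type": "GeoMatch", "DataId": "geo-blocked", "Negated": False},
    {"Type": "IPMatch", "DataId": "ip-approved", "Negated": True},
]
# Same rule with the IP predicate left un-negated, which inverts the intent.
MISCONFIGURED_RULE = [
    {"Type": "GeoMatch", "DataId": "geo-blocked", "Negated": False},
    {"Type": "IPMatch", "DataId": "ip-approved", "Negated": False},
]


def predicate_matches(pred, request):
    """Return True if the request satisfies one predicate."""
    if pred["Type"] == "GeoMatch":
        hit = request["country"] in GEO_SETS[pred["DataId"]]
    elif pred["Type"] == "IPMatch":
        addr = ipaddress.ip_address(request["ip"])
        hit = any(addr in net for net in IP_SETS[pred["DataId"]])
    else:
        raise ValueError(f"unsupported predicate type: {pred['Type']}")
    return hit != pred["Negated"]  # Negated flips the raw match result


def evaluate(request, rule=BLOCK_RULE, default_action="ALLOW"):
    """Apply a BLOCK rule; unmatched requests get the default action."""
    if all(predicate_matches(p, request) for p in rule):
        return "BLOCK"
    return default_action


if __name__ == "__main__":
    samples = [  # constructed requests; country is given, not looked up
        {"country": "NL", "ip": "198.51.100.7"},
        {"country": "NL", "ip": "203.0.113.5"},
        {"country": "US", "ip": "198.51.100.7"},
    ]
    for req in samples:
        print(req, evaluate(req), evaluate(req, MISCONFIGURED_RULE))
```

With the negation missing, the rule blocks only the approved addresses and lets every other request from the listed country through, so the Negated setting on the IP match condition is the part to verify when reviewing such a rule.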

Note

If you are using the CloudFront geo restriction feature to block a country from accessing your content, any request from that country is blocked and is not forwarded to AWS WAF. So if you want to allow or block requests based on geography in conjunction with other AWS WAF conditions, do not use the CloudFront geo restriction feature; use an AWS WAF geo match condition instead.

Creating a Geo Match Condition

If you want to allow some web requests and block others based on the countries that the requests originate from, create a geo match condition for the countries that you want to allow and another geo match condition for the countries that you want to block.

Note

When you add a geo match condition to a rule, you can also configure AWS WAF to allow or block web requests that do not originate from the country that you specify in the condition.

To create a geo match condition

  1. Sign in to the AWS Management Console and open the AWS WAF console at https://console.aws.amazon.com/waf/.

  2. In the navigation pane, choose Geo match.

  3. Choose Create condition.

  4. Type a name in the Name field.

    The name can contain only the characters A-Z, a-z, and 0-9. You can't change the name of a condition after you create it.

  5. Choose a Region.

  6. Choose a Location type and a country. Location type is currently limited to Country.

  7. Choose Add location.

  8. Choose Create.

Editing Geo Match Conditions

You can add countries to or delete countries from your geo match condition.

To edit a geo match condition

  1. Sign in to the AWS Management Console and open the AWS WAF console at https://console.aws.amazon.com/waf/.

  2. In the navigation pane, choose Geo match.

  3. In the Geo match conditions pane, choose the geo match condition that you want to edit.

  4. To add a country:

    1. In the right pane, choose Add filter.

    2. Choose a Location type and a country. Location type is currently limited to Country.

    3. Choose Add.

  5. To delete a country:

    1. In the right pane, select the values that you want to delete.

    2. Choose Delete filter.

Deleting Geo Match Conditions

If you want to delete a geo match condition, you must first remove all countries in the condition and remove the condition from all the rules that are using it, as described in the following procedure.

To delete a geo match condition

  1. Sign in to the AWS Management Console and open the AWS WAF console at https://console.aws.amazon.com/waf/.

  2. Remove the geo match condition from the rules that are using it:

    1. In the navigation pane, choose Rules.

    2. Choose the name of a rule that is using the geo match condition that you want to delete.

    3. In the right pane, choose Edit rule.

    4. Choose the X next to the condition you want to delete.

    5. Choose Update.

    6. Repeat for all the remaining rules that are using the geo match condition that you want to delete.

  3. Remove the filters from the condition you want to delete:

    1. In the navigation pane, choose Geo match.

    2. Choose the name of the geo match condition that you want to delete.

    3. In the right pane, choose the check box next to Filter in order to select all of the filters.

    4. Choose Delete filter.

  4. In the navigation pane, choose Geo match.

  5. In the Geo match conditions pane, choose the geo match condition that you want to delete.

  6. Choose Delete to delete the selected condition.