Can AWS block access from embargoed countries?
If you front your website with CloudFront, you could utilize their geo restriction feature. You could also use Route 53's geo DNS feature to null route the traffic.
http://aws.amazon.com/about-aws/whats-new/2013/12/18/amazon-cloudfront-adds-geo-restriction-feature/
http://aws.amazon.com/blogs/aws/route-53-domain-reg-geo-route-price-drop/
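As an added example (not part of the original answer), the two options above expressed as the request structures the AWS APIs take: a Route 53 `ChangeBatch` with one geolocation record per blocked country plus the default record, and the `GeoRestriction` block of a CloudFront distribution config. The sink address, host name, origin address and the country codes `AA`/`ZZ` are constructed placeholders; the real list comes from your compliance team.

```python
import re

# Assumption: a documentation-range address (RFC 5737) standing in for the
# null-route target; the page does not say what the sink should be.
SINK_IP = "192.0.2.1"

def normalize_codes(countries):
    """Upper-case, de-duplicate and validate two-letter country codes."""
    codes = sorted({c.strip().upper() for c in countries})
    bad = [c for c in codes if not re.fullmatch(r"[A-Z]{2}", c)]
    if bad or not codes:
        raise ValueError(f"expected two-letter country codes, got {bad or 'nothing'}")
    return codes

def route53_geo_change_batch(name, real_ip, countries, ttl=300):
    """Build the ChangeBatch argument for Route 53 ChangeResourceRecordSets."""
    def record(set_id, country, ip):
        return {"Action": "UPSERT", "ResourceRecordSet": {
            "Name": name, "Type": "A", "TTL": ttl,
            "SetIdentifier": set_id,  # required on geolocation records
            "GeoLocation": {"CountryCode": country},
            "ResourceRecords": [{"Value": ip}]}}
    changes = [record(f"block-{c}", c, SINK_IP) for c in normalize_codes(countries)]
    # Default ("*") record: answers every query that matches no country above.
    # Without it, unmatched locations get no answer at all.
    changes.append(record("default", "*", real_ip))
    return {"Comment": "geo DNS block list", "Changes": changes}

def cloudfront_geo_restriction(countries):
    """Build the Restrictions element of a CloudFront DistributionConfig."""
    codes = normalize_codes(countries)
    return {"GeoRestriction": {"RestrictionType": "blacklist",
                               "Quantity": len(codes), "Items": codes}}

if __name__ == "__main__":
    import json
    blocked = ["AA", "ZZ"]  # constructed placeholder codes, not a real list
    print(json.dumps(route53_geo_change_batch(
        "shop.example.com.", "198.51.100.10", blocked), indent=2))
    print(json.dumps(cloudfront_geo_restriction(blocked), indent=2))
```

Geo DNS decides only which address a name resolves to, based on where the DNS query appears to come from, so a client that already knows the origin address is not stopped; CloudFront geo restriction is applied to the HTTP request itself.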
DrStrangepork
Updated on September 18, 2022
Comments
-
DrStrangepork almost 2 years
My company blocks US-embargoed countries from accessing several e-commerce sites that we manage. I have to investigate whether we can move our current blocking solution to AWS as well. If AWS does not offer a means by which to block these countries, there are some of our sites that, due to subsequent technical issues, can never move to AWS, so I need to know the technical offerings of AWS in order to provide guidance on what sites we can migrate to it and which we cannot. I know we could do this on the instance/iptables level, but because that would require modifying literally every front-end server, we are looking to do this blocking on the AWS service level only. Thanks!
-
DrStrangepork over 10 years
Understood. We are looking to do this blocking on the AWS level, not on the instance/iptables level.
-
DrStrangepork over 10 years
This question is NOT off-topic. I explicitly stated I don't want to get into a political debate about embargoed countries. I am looking for a technical analysis of AWS offerings that could be used to block embargoed countries. I know VPC can't do it. I know ELB can't do it. Are there other options?
-
LinuxDevOps over 10 years
Without a big analysis, I'd say you can restrict using IP origin with the following AWS services: EC2 & load balancers (using security groups), CloudFront and S3. (BTW I don't think the question is off-topic, just too broad)
-
DrStrangepork over 10 years
I have an answer from AWS Support, so I'd like to answer this question.
-
Michael Hampton over 10 years
Go right ahead. The question is certainly reasonable enough, even if the reason you have to do this is something that many people may disagree with. Compliance with relevant laws or regulations is part of our jobs.
-
DrStrangepork almost 10 years
While the CloudFront option would have addressed the root issue, the answer I was looking for and needed to implement is the Route 53 Geo Routing (Geo DNS) option (the second link above). This was unavailable at the time of my post, but since it now exists, this is the answer.