Restricting access to a Web Application based on Geolocation using AWS WAF

Introduction

Securing web applications against unauthorized access is paramount in today’s digital landscape. One effective method to enhance security is restricting access based on geographic location.

In this blog post, we will explore how to leverage AWS Web Application Firewall (WAF) and Application Load Balancer (ALB) to implement geolocation-based access control for your web application. Whether you aim to block traffic from certain countries or only allow access from specific regions, AWS provides robust tools to enforce these policies seamlessly. Let’s dive into the step-by-step process to secure your application and ensure it operates within the desired geographic boundaries.

Pre-requisite

Before diving into the configuration steps, ensure that you have the following prerequisites in place:

1. AWS Account: You need an active AWS account with the necessary permissions to create and manage AWS WAF, ALB, and related resources.
2. Web Application: Your web application should already be deployed and running and accessible through an Application Load Balancer (ALB).
3. Basic Understanding of AWS Services:
   • AWS WAF: Familiarity with AWS Web Application Firewall (WAF) and its core concepts.
   • ALB: Understanding of Application Load Balancer (ALB) and its configuration.
   • AWS IAM: Basic knowledge of AWS Identity and Access Management (IAM) to manage permissions.

Step-by-Step Guide

Step 1: Access the AWS WAF and Shield Console

1. Sign in to the AWS Management Console.
2. In the navigation bar, choose the region where your resources are located.
3. Navigate to the AWS WAF & Shield console by typing “WAF” in the search bar and selecting “AWS WAF & Shield”.

Step 2: Create a WebACL

1. In the AWS WAF & Shield console, select “Web ACLs” from the left-hand menu.
2. Click on the “Create web ACL” button.

Step 3: Configure Basic Settings

1. Name: Enter a descriptive name for your WebACL.
2. Amazon CloudWatch metric name: Enter a name for the Amazon CloudWatch metric that AWS WAF will create.
3. Region: Select the region where you want to create the WebACL.

• Resource type: Select “Regional (for resources in one AWS region)”.

Step 4: Add Rules and Rule Groups

1. Click on “Next”.
2. In the “Add rules and rule groups” section, click “Add my own rules and rule groups”.
3. Click “Add rule” and select “Add my own rule and rule group”.

Step 5: Configure the Geolocation Rule

1. Rule type: Select “Rule builder”.
2. Rule name: Enter a name for your rule (e.g., “AllowOnlyUS”).
3. Conditions: Click “Add condition” and select “Geographic match”.
4. Countries: Choose the countries or regions you want to allow or block.
5. For example, select “United States” if you only want to allow traffic from the US.
6. Action: Choose the action to perform when a request matches the rule.
7. Select “Allow” if you want to allow traffic from the selected regions.
8. Select “Block” if you want to block traffic from the selected regions.
9. Click “Save rule”.

Step 6: Set Default Action

1. In the “Default web ACL action” section, choose the default action for requests that don’t match any rules.
2. Select “Block” to block all requests by default.
3. Select “Allow” to allow all requests by default.
4. Click on “Next”.

Step 7: Review and Create WebACL

1. Review your WebACL configuration.

• Click on “Create web ACL” to finalize the creation of the WebACL.

Your WebACL has been created, and you can associate it with your Application Load Balancer (ALB) to enforce geolocation-based access control.

Step 8: Associate it to ALB

1. Go inside the web ACL and associated AWS resources tab and click on “Add AWS Resouce”

2. Choose the ALB which is serving the web application.

Benefits

• Enhanced Security: Reduces the attack surface by blocking traffic from regions known for malicious activities.
• Regulatory Compliance: Helps adhere to data sovereignty and privacy laws by restricting access to specific geographic regions.
• Improved Performance and Latency: Optimizes performance by prioritizing traffic from regions closer to your data centers.
• Cost Efficiency: Lowers bandwidth and resource usage costs by reducing unnecessary traffic.
• Customizable and Scalable: Easily update and modify geolocation rules to meet changing business needs with automatic scalability.

Conclusion

Implementing geolocation-based access control using AWS WAF and ALB is a powerful strategy to enhance the security and compliance of your web application. By leveraging AWS’s robust tools, you can easily restrict access to specific geographic regions, ensuring your application is protected and optimized for your target audience. This setup helps adhere to regulatory requirements, improves performance, and reduces costs by filtering out unnecessary traffic. AWS WAF allows you to adapt your access control policies as your business grows and evolves. Start using geolocation-based access control today to take a proactive step towards a more secure and efficient web application environment.

Drop a query if you have any questions regarding AWS WAF and we will get back to you quickly.

About CloudThat

CloudThat is a leading provider of Cloud Training and Consulting services with a global presence in India, the USA, Asia, Europe, and Africa. Specializing in AWS, Microsoft Azure, GCP, VMware, Databricks, and more, the company serves mid-market and enterprise clients, offering comprehensive expertise in Cloud Migration, Data Platforms, DevOps, IoT, AI/ML, and more.

CloudThat is the first Indian Company to win the prestigious Microsoft Partner 2024 Award and is recognized as a top-tier partner with AWS and Microsoft, including the prestigious ‘Think Big’ partner award from AWS and the Microsoft Superstars FY 2023 award in Asia & India. Having trained 650k+ professionals in 500+ cloud certifications and completed 300+ consulting projects globally, CloudThat is an official AWS Advanced Consulting Partner, Microsoft Gold Partner, AWS Training Partner, AWS Migration Partner, AWS Data and Analytics Partner, AWS DevOps Competency Partner, AWS GenAI Competency Partner, Amazon QuickSight Service Delivery Partner, Amazon EKS Service Delivery Partner, AWS Microsoft Workload Partners, Amazon EC2 Service Delivery Partner, Amazon ECS Service Delivery Partner, AWS Glue Service Delivery Partner, Amazon Redshift Service Delivery Partner, AWS Control Tower Service Delivery Partner, AWS WAF Service Delivery Partner and many more.

To get started, go through our Consultancy page and Managed Services Package, CloudThat’s offerings.