AWS Cloudfront 黑名单，通过 VPN 访问

Question

I'm setting up AWS Cloudfront Management. I'm blacklisting several countries of the world (eg: China). If someone from China uses a VPN via another country, can they still get access? Does the blacklist protect against access via VPN?

Answer 1

From the AWS documentation :

CloudFront determines the location of your users by using a third-party GeoIP database. The accuracy of the mapping between IP addresses and countries varies by Region. Based on recent tests, the overall accuracy is 99.8%. If CloudFront can't determine a user's location, CloudFront serves the content that the user has requested.

When users access your service through a VPN, their real IPs are hidden, and what you see is the IP of the server. Hence the geo-restriction will be mostly ineffective.

You can mitigate the use of VPNs to some extent by limiting the number of discrete sessions sharing a single IP. This can (for example) be achieved with Lambda@Edge and DynamoDB .

Answer 2

To complement @aymericbeaumet answer. You could also setup WAF in front of CloudFront.

In WAF you could use AWS Managed Rules rule group called AWSManagedRulesAnonymousIpList :

This rule group contains rules to block requests from services that allow the obfuscation of viewer identity. These include requests from VPNs , proxies, Tor nodes, and hosting providers. This rule group is useful if you want to filter out viewers that might be trying to hide their identity from your application. Blocking the IP addresses of these services can help mitigate bots and evasion of geographic restrictions.