Amazon CloudFront improves the performance, reliability, and availability of your websites and applications by distributing your web content, such as images, video, and audio, to a worldwide network of edge locations. When an end user requests your content, CloudFront serves your content to the user from the edge location that has the lowest latency for that user at that moment.
If you have geographic restrictions on where your content can be distributed, you can use CloudFront with a third-party geolocation service to control distribution of your content according to the location of a request. This is known as geoblocking or geotargeting. For example, if a request comes from a country where, for copyright reasons, you are not authorized to distribute your content, you can block the request and direct the requester to a message that explains the situation.
Here's how it works:
1. An end user who is viewing your website requests a web page or a file that is georestricted.
2. Your web application gets the end user's IP address from the request and sends the IP address to a geolocation service. You will need an account with one of these services.
3. The geolocation service determines the geographic location of the end user's IP address and returns the result to your web application.
4. Your web application compares the end user's location with a list of locations where the file can (or can't) be distributed:
   - If the end user is allowed to access the web page or file, your application creates a CloudFront signed URL and returns it to the end user.
   - If the end user is not allowed to access the web page or file, your web application returns the URL of a "you are not authorized" message to the end user.
5. If the end user is allowed to access the web page or file, the end user's browser automatically uses the signed URL to request the file from CloudFront.
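
The decision flow above, as an added Node.js example (not AWS's sample code, which is Java, .NET, and PHP). It goes one step beyond the text by signing a custom policy that ties the URL to the IP address that was geolocated, so the URL cannot be reused from another address. The geolocation table, allow list, URLs, key-pair ID, and throwaway key are constructed placeholders.

```javascript
const nodeCrypto = require('node:crypto');

// Constructed stand-in for the geolocation service call; documentation-range IPs.
const GEO_TABLE = new Map([['203.0.113.10', 'US'], ['198.51.100.7', 'ZZ']]);
const lookupCountry = (ip) => GEO_TABLE.get(ip) || null;
const ALLOWED_COUNTRIES = new Set(['US', 'CA']);                     // assumed allow list
const BLOCKED_PAGE = 'https://www.example.com/not-authorized.html'; // assumed URL

// CloudFront's URL-safe base64: '+' -> '-', '=' -> '_', '/' -> '~'.
const cfBase64 = (buf) =>
  buf.toString('base64').replace(/\+/g, '-').replace(/=/g, '_').replace(/\//g, '~');

// Build a signed URL from a custom policy that expires and is limited to
// the single IPv4 address that was geolocated.
function signUrl(resource, ip, expiresEpoch, keyPairId, privateKey) {
  const policy = JSON.stringify({
    Statement: [{
      Resource: resource,
      Condition: {
        DateLessThan: { 'AWS:EpochTime': expiresEpoch },
        IpAddress: { 'AWS:SourceIp': `${ip}/32` },
      },
    }],
  });
  const signature = nodeCrypto.createSign('RSA-SHA1').update(policy).sign(privateKey);
  const sep = resource.includes('?') ? '&' : '?';
  return `${resource}${sep}Policy=${cfBase64(Buffer.from(policy))}` +
    `&Signature=${cfBase64(signature)}&Key-Pair-Id=${keyPairId}`;
}

// Geolocate, compare with the allow list, then sign or block.
// clientIp must be the peer address seen by your server or a trusted proxy,
// not a header that the requester can set.
function resolveRequest(clientIp, resource, signer, now = Date.now()) {
  const country = lookupCountry(clientIp);
  if (!country || !ALLOWED_COUNTRIES.has(country)) {
    return { allowed: false, url: BLOCKED_PAGE }; // unknown location fails closed
  }
  const expires = Math.floor(now / 1000) + 300;   // 5-minute lifetime
  const { keyPairId, privateKey } = signer;
  return { allowed: true, url: signUrl(resource, clientIp, expires, keyPairId, privateKey) };
}

// Throwaway key and placeholder IDs so the example runs offline.
const { privateKey, publicKey } = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const demoSigner = { keyPairId: 'EXAMPLE-KEY-PAIR-ID', privateKey };
const demoFile = 'https://d111111abcdef8.cloudfront.net/video.mp4'; // placeholder domain
console.log(resolveRequest('203.0.113.10', demoFile, demoSigner));
console.log(resolveRequest('198.51.100.7', demoFile, demoSigner));
```

In a real deployment the private key is the one registered with CloudFront for signing, and a short expiry keeps a leaked URL from staying valid for long.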

Using CloudFront and a third-party geolocation service to restrict access to your content from your application layer gives you full control over your end user's experience. For end users whose access is blocked, your application can display a meaningful message instead of returning an error code. You can also customize the error message you display for your end users according to their location.
The following task list guides you through the process of implementing geoblocking functionality in your applications to restrict access to the content in your CloudFront distribution according to the end user's location.
Task list for restricting access to files in a CloudFront distribution based on geographic location
1. Get an account with a geolocation service.
   This section provides sample code for Digital Element and for MaxMind, but any geolocation service is supported.
2. If you don't already have an AWS account, create one. For more information, see Creating an Amazon Web Services Account.
3. Upload your content to an Amazon Simple Storage Service (S3) bucket. For more information, see the Amazon S3 documentation.
4. Configure Amazon CloudFront and Amazon S3 to serve private content. For more information, see Private Content Process Overview.
5. Write your web application to do the following:
   a. Send the IP address for each end-user request to the geolocation service.
   b. Evaluate the return value from the geolocation service (commonly a country code) to determine whether the end user is in a location to which you want CloudFront to distribute your content.
   c. Either generate a signed URL for your CloudFront content, or block access to the content.
   Java, .NET, and PHP sample code is provided below for Digital Element and for MaxMind. See the applicable topic:
   If you're using another geolocation service, refer to their documentation.
Amazon Web Services provides SDKs for Java, .NET, and PHP. For more information, see the applicable page on the Amazon Web Services website: