My company blocks US-embargoed countries from accessing several e-commerce sites that we manage. I have to investigate whether we can move our current blocking solution to AWS as well. If AWS does not offer a means by which to block these countries, there are some of our sites that, due to subsequent technical issues, can never move to AWS, so I need to know the technical offerings of AWS in order to provide guidance on what sites we can migrate to it and which we cannot. I know we could do this on the instance/iptables level, but because that would require modifying literally every front-end server, we are looking to do this blocking on the AWS service level only. Thanks!
Viewed 9,088 times
8
-
AWS is an ecosystem of many services (any specific in mind?), you can block traffic from specific countries in EC2 Linux instances using `iptables` firewall and blocking per IP source (approximately since it's not exact/complete) – LinuxDevOps Mar 28 '14 at 15:41
-
Understood. We are looking to do this blocking on the AWS level, not on the instance/iptables level. – DrStrangepork Mar 28 '14 at 16:05
-
3 This question is NOT off-topic. I explicitly stated I don't want to get into a political debate about embargoed countries. I am looking for a technical analysis of AWS offerings that could be used to block embargoed countries. I know VPC can't do it. I know ELB can't do it. Are there other options? – DrStrangepork Mar 28 '14 at 16:29
-
Without a big analysis, I'd say you can restrict using IP origin with the following AWS services: EC2 & load balancers (using security groups), CloudFront and S3. (BTW I don't think the question is off-topic, just too broad) – LinuxDevOps Mar 28 '14 at 17:05
-
Security groups can do this. However, this only applies to EC2 and you'd be stuck trying to block things manually. Talk to Amazon. – Nathan C Mar 28 '14 at 22:35
-
I have an answer from AWS Support, so I'd like to answer this question. – DrStrangepork Apr 01 '14 at 19:52
-
2 Go right ahead. The question is certainly reasonable enough, even if the reason you have to do this is something that many people may disagree with. Compliance with relevant laws or regulations is part of our jobs. – Michael Hampton Apr 03 '14 at 01:05
1 Answer
5
If you front your website with CloudFront, you could utilize its geo restriction feature. You could also use Route 53's geo DNS feature to null-route the traffic.
http://aws.amazon.com/about-aws/whats-new/2013/12/18/amazon-cloudfront-adds-geo-restriction-feature/
http://aws.amazon.com/blogs/aws/route-53-domain-reg-geo-route-price-drop/

imperalix
- 346
- 2
- 4
-
While the CloudFront option would have addressed the root issue, the answer I was looking for and needed to implement is the Route 53 Geo Routing (Geo DNS) option (the second link above). This was unavailable at the time of my post, but since it now exists, this is the answer. – DrStrangepork Sep 12 '14 at 13:59
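The answer names two mechanisms but shows neither payload. Below is an added example, not code from the original thread or from AWS, that builds the two request bodies you would hand to `aws cloudfront update-distribution` (the `Restrictions` stanza of a `DistributionConfig`) and to `aws route53 change-resource-record-sets` (a `ChangeBatch` of geolocation records), and sanity-checks the Route 53 batch for the mistakes that make geo routing silently fail. It makes no AWS calls. The hosted zone id, load balancer DNS name, sinkhole address and the two-letter codes in `BLOCKED_COUNTRIES` are placeholders, not a list of embargoed countries.

```python
"""Payload builders for CloudFront geo restriction and Route 53 geolocation
routing. Added example: builds and checks request bodies only, no AWS calls.
All ids, names, addresses and country codes below are placeholders."""
import json
import re

COUNTRY_CODE = re.compile(r"^[A-Z]{2}$")  # ISO 3166-1 alpha-2, as both APIs expect

# Constructed sample input. "XA"/"XB" are user-assigned ISO codes used as
# stand-ins; substitute the codes your compliance list actually names.
BLOCKED_COUNTRIES = ["XB", "XA", "XA"]

# RFC 5737 documentation address: unroutable, so answering with it "null
# routes" the client. Any sinkhole address you control works as well.
SINKHOLE_IP = "192.0.2.1"


def cloudfront_geo_restriction(countries):
    """Return the Restrictions stanza of a CloudFront DistributionConfig.

    A blacklist makes the edge answer HTTP 403 to requests from the listed
    countries; everything else passes. Malformed codes raise so a typo cannot
    silently turn into "nothing blocked"."""
    codes = sorted(set(countries))
    bad = [c for c in codes if not COUNTRY_CODE.match(c)]
    if bad:
        raise ValueError(f"not ISO 3166-1 alpha-2: {bad}")
    return {"GeoRestriction": {"RestrictionType": "blacklist",
                               "Quantity": len(codes), "Items": codes}}


def route53_geo_change_batch(record_name, countries, alias_zone_id, alias_dns):
    """Return a Route 53 ChangeBatch implementing geolocation routing.

    One A record per blocked country answers with the sinkhole address. The
    default record (CountryCode "*") is an alias to the real load balancer;
    alias_zone_id is the ELB's hosted zone id, not your own zone's."""
    changes = []
    for code in sorted(set(countries)):
        changes.append({"Action": "UPSERT", "ResourceRecordSet": {
            "Name": record_name, "Type": "A",
            "SetIdentifier": f"block-{code}",
            "GeoLocation": {"CountryCode": code},
            "TTL": 60,
            "ResourceRecords": [{"Value": SINKHOLE_IP}]}})
    changes.append({"Action": "UPSERT", "ResourceRecordSet": {
        "Name": record_name, "Type": "A",
        "SetIdentifier": "default",
        "GeoLocation": {"CountryCode": "*"},
        "AliasTarget": {"HostedZoneId": alias_zone_id, "DNSName": alias_dns,
                        "EvaluateTargetHealth": False}}})
    return {"Comment": "geolocation null-route for blocked countries",
            "Changes": changes}


def check_change_batch(batch):
    """Return a list of problems with a geolocation ChangeBatch (empty = OK).

    Without a default "*" record Route 53 gives clients from every unmatched
    location no answer at all, which takes the whole site down for them;
    missing or duplicate SetIdentifiers are rejected by the API."""
    problems, seen, has_default = [], set(), False
    for change in batch["Changes"]:
        rrset = change["ResourceRecordSet"]
        ident = rrset.get("SetIdentifier")
        if not ident:
            problems.append(f"{rrset['Name']}: geolocation record without SetIdentifier")
        elif ident in seen:
            problems.append(f"duplicate SetIdentifier {ident}")
        seen.add(ident)
        code = rrset.get("GeoLocation", {}).get("CountryCode")
        if code == "*":
            has_default = True
        elif code is None or not COUNTRY_CODE.match(code):
            problems.append(f"{ident}: bad CountryCode {code!r}")
    if not has_default:
        problems.append("no default (CountryCode '*') record: unmatched clients get no answer")
    return problems


if __name__ == "__main__":
    batch = route53_geo_change_batch("www.example.com.", BLOCKED_COUNTRIES,
                                     "Z000000000000",  # placeholder ELB zone id
                                     "example-lb.us-east-1.elb.amazonaws.com.")
    print(json.dumps(cloudfront_geo_restriction(BLOCKED_COUNTRIES), indent=2))
    print(json.dumps(batch, indent=2))
    print("problems:", check_change_batch(batch))
```

Two caveats a practitioner should weigh before choosing between them. Route 53 geolocation decides on the location of the resolver (or the EDNS client subnet it forwards), so a client using a resolver outside its country, or one that already knows the load balancer's address, is not blocked; it is a DNS-level steer, not an enforcement point. CloudFront geo restriction is enforced per request at the edge, but only for traffic that actually comes through CloudFront, so the origin must accept connections only from CloudFront (for example via the CloudFront security-group prefix list or a secret header checked at the origin) or the restriction can be bypassed by going to the origin directly. Both depend on GeoIP data, so neither is exact.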