Help Center/ Web Application Firewall/ User Guide/ Configuring Protection Policies/ Configuring Protection Rules/ Configuring Geolocation Access Control Rules to Block or Allow Requests from Specific Locations
Updated on 2025-08-19 GMT+08:00

Configuring Geolocation Access Control Rules to Block or Allow Requests from Specific Locations

If you need to control access from IP addresses in a specific region, you can configure a geolocation access control rule. WAF blocks or allows access from IP addresses in a specific region. A geolocation access control rule allows you to allow or block requests from IP addresses from specified countries or regions.

To allow only the IP addresses in a certain region to access the protected website, configure a rule by referring to Configuration Example: Allowing Only IP Addresses from a Specified Location.

Prerequisites

Constraints

  • This function is not supported in the standard edition.
  • If you are using dedicated WAF instances, upgrade them to the latest version and add IPv6 addresses for IP Address Range, or the settings cannot work.
  • When you add a website through Cloud Mode - Load balancer and set Frontend Protocol of the listener of your ELB load balancer to TCP, UDP, or QUIC, this type of rule does not take effect.
  • One region can be configured in only one geolocation access control rule. For example, if you have blocked requests from Shanghai with a geolocation access control rule, then Shanghai cannot be added to other geolocation access control rules.
  • It takes several minutes for a new rule to take effect. After the rule takes effect, protection events triggered by the rule will be displayed on the Events page.

Configuring a Geolocation Access Control Rule

  1. Log in to the WAF console.
  2. Click in the upper left corner and select a region or project.
  3. (Optional) If you have enabled the enterprise project function, in the upper part of the navigation pane on the left, select your enterprise project from the Filter by enterprise project drop-down list. Then, WAF will display the related security data in the enterprise project on the page.
  4. In the navigation pane on the left, click Policies.
  5. Click the name of the target policy to go to the protection rule configuration page.

    Before configuring protection rules, ensure that the target protection policy has been applied to a domain name. A protection policy can be applied to multiple protected domain names, but a protected domain name can have only one protection policy.

  6. Click the Geolocation Access Control configuration area and ensure that the geolocation access control protection is enabled.

    : enabled.

  7. In the upper left corner above the Geolocation Access Control list, click Add Rule.
  8. In the dialog box displayed, add a geolocation access control rule.

    Table 1 Rule parameters

    Parameter

    Description

    Example Value

    Rule Name

    Name of the geolocation control rule.

    -

    Rule Description (Optional)

    A brief description of the rule.

    waf

    Geolocation

    Geographical location of IP addresses that can access your website. Locations are classified into China and Outside China.

    A geographical location cannot be added to multiple protection policies.

    China: Shanghai

    IP Address Range

    IP address range for the rule. You can select IPv4, IPv6, or Any (IPv4 and IPv6).

    NOTE:

    If you are using dedicated WAF instances, upgrade them to the latest version and add IPv6 addresses for IP Address Range, or the settings cannot work.

    IPv4

    Protective Action

    Protective action for the rule when a request matches the rule.
    • Block: The IP addresses from the specified geographical locations will be blocked, and a block response page will be returned to the client that initiates the request.

      By default, WAF uses a unified block response page. You can also customize this page.

    • Allow: The IP addresses from the specified geographical locations will be allowed to access the website domain name.
    • Log: The IP addresses from the specified geographical locations will not be blocked, but their accesses will be logged.

    Block

  9. Click OK. You can then view the added rule in the list of the geolocation access control rules.

    After completing the preceding configurations, you can:

    • Check the rule status: In the protection rule list, check the rule you added. Rule Status is Enabled by default.
    • Disable the rule: If you do not want the rule to take effect, click Disable in the Operation column of the rule.
    • Delete or modify the rule: Click Delete or Modify in the Operation column of the rule.
    • Verify the protection effect:
      1. Clear the browser cache. Then, use an IP address from Shanghai to access the http://www.example.com page. If WAF blocks the access request from the IP address and returns the block page, the rule works.
      2. On the Events page, check the protection logs.

Configuration Example: Allowing Only IP Addresses from a Specified Location

If you want to allow only IP addresses from Shanghai to access the domain name, configure a rule as follows:

If IP addresses from Shanghai are allowed to access the domain name, requests from these IP addresses will bypass all access control rules with priorities lower than geolocation access control rules and be forwarded to the origin server. To prevent this issue, you are advised to block all requests from regions other than Shanghai. For the check sequence of protection rules, see Table 1.

  1. Add a geolocation access control rule, select all geographical locations except Shanghai, and set Protective Action to Block.
  2. Enable geolocation access control.

    Figure 1 Geolocation Access Control configuration area

  3. Configure a precise protection rule to block all requests.

    Figure 2 Blocking all access requests

    For details, see Configuring Custom Precise Protection Rules.

  4. Clear the browser cache and access http://www.example.com.

    When an access request from IP addresses outside Shanghai accesses the page, WAF blocks the access request.

    Figure 3 Block page

  5. Go to the WAF console. In the navigation pane on the left, choose Events. View the event on the Events page. You will see that all requests not from Shanghai have been blocked.

Configuration Example: Blocking IP Addresses from a Specified Location

If you want to block all IP addresses from Beijing, configure a rule as follows:

  1. Add a geolocation access control rule: Select Beijing for Geolocation and Block for Protective Action.
  2. Enable geolocation access control.

    Figure 4 Geolocation Access Control configuration area

  3. Clear the browser cache and access http://www.example.com.

    When an access request from IP addresses inside Beijing accesses the page, WAF blocks the access request.

    Figure 5 Block page

  4. Go to the WAF console. In the navigation pane on the left, choose Events. View the event on the Events page.

    Figure 6 Viewing events - blocking access requests from IP addresses in a region