Policies

Geo-location filtering Policy

Block requests based on geo-location parameters: country, region code, and ASN

Configuration

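The example below shows how to configure the policy in the 'policies.json' document. It lists every available option to show the schema; for a real deployment, see the caution under "Using the Policy" about setting both an allow list and a block list for the same location type.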

{
  "name": "my-geo-filter-inbound-policy",
  "policyType": "geo-filter-inbound",
  "handler": {
    "export": "GeoFilterInboundPolicy",
    "module": "$import(@zuplo/runtime)",
    "options": {
      "allow": {
        "asns": "395747, 28304",
        "countries": "US, CA",
        "regionCodes": "TX, WA"
      },
      "block": {
        "asns": "395747, 28304",
        "countries": "US, CA",
        "regionCodes": "TX, WA"
      },
      "ignoreUnknown": true
    }
  }
}

Policy Options

The options for this policy are specified below. All properties are optional unless specifically marked as required.

  • block <object> -
    • countries <string> -
      comma separated string of country codes to block (e.g. "US, CA").
    • regionCodes <string> -
      comma separated string of region codes to block (e.g. "TX, WA").
    • asns <string> -
      comma separated string of ASNs to block (e.g. "395747, 28304").
  • allow <object> -
    • countries <string> -
      comma separated string of country codes to allow (e.g. "US, CA").
    • regionCodes <string> -
      comma separated string of region codes to allow (e.g. "TX, WA").
    • asns <string> -
      comma separated string of ASNs to allow (e.g. "395747, 28304").
  • ignoreUnknown <boolean> -
    Specifies whether unknown geo-location parameters should be ignored (allowed through).
    Defaults to true.

Using the Policy

Geo-location Filter Policy

Specify an allow list or block list of:

  • Countries - Country of the incoming request. The two-letter country code in the request, for example, "US".
  • regionCodes - If known, the ISO 3166-2 code for the first-level region associated with the IP address of the incoming request, for example, "TX".
  • ASNs - ASN of the incoming request, for example, 395747.

Caution

Specifying both an allow list and a block list for the same location type (e.g. country) may have no effect or may block all requests.

{ "allow" : { "countries" : "US" }, "block" : { "countries" : "MC" } }

With this configuration the policy only allows requests from US, so any request from MC is already blocked and the block entry has no effect.
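A way to catch the situations the caution describes before deploying, as an added example that is not part of the Zuplo documentation or runtime. The names `parseList` and `lintGeoFilterOptions` are hypothetical, and the case-insensitive comparison and the rule that a value present on both lists is rejected are assumptions, since the page does not state the policy's precedence.

```javascript
// Added example (not Zuplo code): lint the "options" of a geo-filter-inbound policy.
const LOCATION_TYPES = ["countries", "regionCodes", "asns"];

// "US, CA" -> Set {"US", "CA"}; missing or empty options give an empty set.
// Upper-casing the values is an assumption made for comparison only.
function parseList(value) {
  if (typeof value !== "string") return new Set();
  const items = value.split(",").map((s) => s.trim().toUpperCase());
  return new Set(items.filter((s) => s !== ""));
}

// Returns findings of the form { kind, type, detail }.
function lintGeoFilterOptions(options) {
  const findings = [];
  const allow = options.allow || {};
  const block = options.block || {};
  let hasAllowList = false;

  for (const type of LOCATION_TYPES) {
    const allowed = parseList(allow[type]);
    const blocked = parseList(block[type]);
    if (allowed.size > 0) hasAllowList = true;
    if (allowed.size === 0 || blocked.size === 0) continue;

    const overlap = [...allowed].filter((v) => blocked.has(v));
    if (overlap.length === allowed.size) {
      // Assumption: a value on both lists is rejected, so nothing can pass.
      findings.push({ kind: "conflict", type, detail: overlap.join(", ") });
    } else if (overlap.length > 0) {
      findings.push({ kind: "partial-overlap", type, detail: overlap.join(", ") });
    } else {
      // The allow list already excludes everything on the block list.
      findings.push({ kind: "redundant-block", type, detail: [...blocked].join(", ") });
    }
  }

  // ignoreUnknown defaults to true: requests with unknown geo-location pass through.
  if (hasAllowList && options.ignoreUnknown !== false) {
    findings.push({ kind: "unknown-allowed", type: "all", detail: "ignoreUnknown is true" });
  }
  return findings;
}

// Constructed input: the allow/block pair from the caution above.
const sample = { allow: { countries: "US" }, block: { countries: "MC" } };
console.log(lintGeoFilterOptions(sample));
```

Running it over the `options` object of each geo-filter policy in 'policies.json' flags block lists that do nothing, lists that cancel each other out, and allow lists that still admit requests with unknown geo-location.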

Read more about how policies work
