AWS::WAFRegional::GeoMatchSet
Note
Amazon WAF Classic support will end on September 30, 2025.
This is Amazon WAF Classic documentation. For more information, see Amazon WAF Classic in the developer guide.
For the latest version of Amazon WAF , use the Amazon WAFV2 API and see the Amazon WAF Developer Guide. With the latest version, Amazon WAF has a single set of endpoints for regional and global use.
Contains one or more countries that Amazon WAF will search for.
Syntax
To declare this entity in your Amazon CloudFormation template, use the following syntax:
JSON
{ "Type" : "AWS::WAFRegional::GeoMatchSet", "Properties" : { "GeoMatchConstraints" :
[ GeoMatchConstraint, ... ]
, "Name" :String
} }
YAML
Type: AWS::WAFRegional::GeoMatchSet Properties: GeoMatchConstraints:
- GeoMatchConstraint
Name:String
Properties
GeoMatchConstraints
-
An array of
GeoMatchConstraint
objects, which contain the country that you want Amazon WAF to search for.Required: No
Type: Array of GeoMatchConstraint
Update requires: No interruption
Name
-
A friendly name or description of the AWS::WAFRegional::GeoMatchSet. You can't change the name of an
GeoMatchSet
after you create it.Required: Yes
Type: String
Pattern:
.*\S.*
Minimum:
1
Maximum:
128
Update requires: Replacement
Return values
Ref
When you pass the logical ID of this resource to the intrinsic Ref
function, Ref
returns the resource physical ID, such as 1234a1a-a1b1-12a1-abcd-a123b123456.
For more information about using the Ref
function, see Ref
.
Fn::GetAtt
Examples
Define Geographic Constraints
The following example defines a set of GeoMatchConstraints for a web access control list (ACL) rule.
JSON
"MyGeoConstraints": { "Type": "AWS::WAFRegional::GeoMatchSet", "Properties": { "Name": "GeoMatchSet for restricted countries", "GeoMatchConstraints": [ { "Type" : "Country", "Value" : "AE" }, { "Type" : "Country", "Value" : "ZW" } ] } }
YAML
MyGeoConstraints: Type: "AWS::WAFRegional::GeoMatchSet" Properties: Name: "GeoMatchSet for restricted countries" GeoMatchConstraints: - Type: "Country" Value: "AE" - Type: "Country" Value: "AE"
Associate a GeoMatchSet with a Web ACL Rule
The following example associates the MyGeoConstraints
with a web
ACL rule.
JSON
"MyGeoMatchRule" : { "Type": "AWS::WAFRegional::Rule", "Properties": { "Name": "MyGeoMatchRule", "MetricName" : "MyGeoMatchRule", "Predicates": [ { "DataId" : { "Ref" : "MyGeoConstraints" }, "Negated" : false, "Type" : "GeoMatch" } ] } }
YAML
MyGeoMatchRule: Type: "AWS::WAFRegional::Rule" Properties: Name: "MyGeoMatchRule" MetricName: "MyGeoMatchRule" Predicates: - DataId: Ref: "MyGeoConstraints" Negated: false Type: "GeoMatch"
Create a Web ACL
The following example associates the MyGeoMatchRule
rule with a web ACL.
The web ACL allows requests that originate from all countries except for those
that are defined in the MyGeoMatchRule
.
JSON
"MyWebACL": { "Type": "AWS::WAFRegional::WebACL", "Properties": { "Name": "WebACL to block restricted countries", "DefaultAction": { "Type": "ALLOW" }, "MetricName" : "MyWebACL", "Rules": [ { "Action" : { "Type" : "BLOCK" }, "Priority" : 1, "RuleId" : { "Ref" : "MyGeoMatchRule" } } ] } }
YAML
MyWebACL: Type: "AWS::WAFRegional::WebACL" Properties: Name: "WebACL to block restricted countries" DefaultAction: Type: "ALLOW" MetricName: "MyWebACL" Rules: - Action: Type: "BLOCK" Priority: 1 RuleId: Ref: "MyGeoMatchRule"