Blocking Geographic Regions by Name?

New user here – I’ve written code that interfaces with with CF for an Enterprise environment, but all the core CF setup stuff was handled by the Networking & InfoSec Teams. Anyways, I was impressed with what I saw (particularly for DDoS protection) and made a note to explore using CF for any future sites I assist with–so here I am :slight_smile:

I have a colleague who is preparing to launch a free service that is a combination of social networking/dating site/forum…I think the site would benefit from CF services.

The problem: With the advent of GDPR, CCPA, and numerous other ever-expanding privacy legislation throughout the world’s legal jurisdictions, it’s become necessary to block users attempting to connect from those geographic regions.

I know CF offers the ability to block access from specific addresses/subnet ranges, but is there also support for blocking geographic regions by name? (E.g. Germany, France, California, Virginia, etc.)?

Yes, this approach sucks–especially for users that fall within the banned regions, but apparently it’s the cost effective route for individuals/small business who can’t afford a full-time legal team to validate they comply with every visitor’s legal jurisdiction requirements.

Yes, Cloudflare firewall rules are a perfect fit for this.


You can do by country, and by ISO 3166-2 codes. Countries is easy, but you will need to get the ISO-3166-2 codes in order to do states.

ISO list:


Excellent, thank you for the responses.

Looking at the CF plans, it looks like they all include the web application firewall and the number of supported rules are controlled by the level at which you subscribe? So with a Professional Subscription that allows 20 WAF rules, that means I could block a combination of 20 countries and/or cities using ISO 3166-2?

Thinking further, I surely can’t be the first customer who has this need. Is there a way to add a single WAF rule that encapsulates all regions that have active privacy legislation?

You can add as many as you want in a single rule.

Well maybe there’s a theoretical limit of expressions or a character limit, but you won’t reach it with 20.

1 Like

I am not familiar with this :point_up:, except if not using Business or Enterprise plan :thinking: Therefore, haven’t blocked a city yet so cannot tell if it’s possible.

Maybe something with Workers, if not already stated.

1 Like

It’s complicated, I know that this is a big deal for enterprise customers (why use a global service if you are going to worry about geo fencing your service? anyways…). Normally smaller customers don’t worry as much.

No, one firewall rule can block many different countries. I reckon the free plan would work just fine in this case.

1 Like

Oh, wow that is fantastic news.
Is the primary advantage of purchasing additional (e.g. rules) to allow the user to have them labeled one to one in the UI? Or is there another feature that each rule enables?

I am not familiar with this :point_up:, except if not using Business or Enterprise plan :thinking: Therefore, haven’t blocked a city yet so cannot tell if it’s possible.

Maybe something with Workers, if not already stated.

Apologies, I mistyped – I am only interested in blocking countries and specific states at this time (not cities)

Yes, this issue is for an individual (or small business once he gets his LLC stuff finished)
His software takes security, privacy, management, etc. very seriously but he just doesn’t have the resources to monitor and enforce every piece of legislation throughout the world. In order to help demonstrate he is not targeting these regions, it was suggested he block them.

Personally, I prefer the traditional method where users are responsible for the services which they choose to use and hosts are responsible for following the laws in the geographic region in which they operate…meaning if a host doesn’t advertise compliance with a particular privacy legislation, then it shouldn’t be their responsibility to support it – especially for individual/small business ventures.

I was able to take a look at the WAF options CF offers and I now I understand that a boolean expression can be specified, allowing multiple [e.g. country block] checks within a single rule.

The field appears to be what I want for blocking specific countries.

Morever the ip.geoip.is_in_european_union is exactly what I was looking for to block multiple countries with one check.

It would be very nice if CF would add pre-defined fields for blocking privacy legislation controlled regions. Eg:
ip.geoip.is_restricted_by_government_data_legislation (this field would trigger for all restricted regions)
…(fields for all the other privacy legislation directives)…

I think that ip.geoip.subdivision_2_iso_code is what I need to block specific [e.g. US states]

…but one problem I see is that the CF documentation states that:

  • Access to ip.geoip.is_in_european_union, ip.geoip.subdivision_1_iso_code, and ip.geoip.subdivision_2_iso_code fields requires a Cloudflare Business or Enterprise plan.
  • Access to http.request.cookies field requires a Cloudflare Pro, Business, or Enterprise plan.

Why is CF restricting these fields to business/enterprise users? Most enterprise customers have professional legal teams that will attempt to comply with the various legislations (because they want to sell products to these users/have a presence in those legal jurisdictions so that they have to comply already)

I’d like to see all the geoip fields available to everyone, but if that isn’t possible, please consider making them available to the paid Pro subscription level as well.

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.