Geo Restriction

You can control which countries can or cannot access your CloudFront distribution.

Allowlist — only users from approved countries can access your content. Everyone else is blocked.

Blocklist — users from banned countries are blocked. Everyone else can access.

Country is detected using a third-party Geo-IP database that maps IP addresses to countries.

Common use case: Copyright laws — some content is only licensed for certain countries, so you block access everywhere else.

Cache Invalidation

The Problem

You update a file in S3 (your origin). But CloudFront edge locations still have the old cached version and will keep serving it until the TTL expires — which could be hours or a full day.

You update index.html in S3
        |
CloudFront edges still serving old index.html
        |
Users see outdated content until TTL expires

The Fix — Cache Invalidation

You can force CloudFront to immediately clear its cache and fetch fresh content from origin — without waiting for TTL.

You trigger invalidation
        |
CloudFront clears cache at ALL edge locations
        |
Next request fetches fresh content from S3
        |
Users get updated content immediately

What to Invalidate

Path           What gets cleared
/*             Everything — full cache wipe
/index.html    Only that specific file
/images/*      All files inside the images folder

Where to do it: CloudFront → your distribution → Invalidations tab → Create invalidation → enter path → submit.
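
The same invalidation can be scripted with the AWS CLI instead of the console. This is an added example, not part of the original notes: it assumes the AWS CLI is installed and configured, and the function names are hypothetical. It rejects malformed paths before submitting and waits for the invalidation to complete.

```bash
# Added example (not from the original page). Assumes the AWS CLI is installed
# and configured; function names are hypothetical.

# Accept a path only if it starts with "/" and has "*" nowhere except as the
# final character (the form CloudFront documents for wildcard invalidations).
valid_invalidation_path() {
  case "$1" in
    /*) ;;               # leading slash present
    *)  return 1 ;;
  esac
  vip_rest=${1%\*}       # drop one trailing "*", if any
  case "$vip_rest" in
    *\**) return 1 ;;    # a "*" remains, so it was not only at the end
  esac
  return 0
}

# invalidate_paths DIST_ID PATH [PATH...]
# Submits one invalidation, blocks until CloudFront reports it completed,
# then prints the invalidation ID.
invalidate_paths() {
  if [ "$#" -lt 2 ]; then
    echo "usage: invalidate_paths DIST_ID PATH [PATH...]" >&2
    return 2
  fi
  ip_dist=$1
  shift
  for ip_path in "$@"; do
    if ! valid_invalidation_path "$ip_path"; then
      echo "rejected invalidation path: $ip_path" >&2
      return 1
    fi
  done
  ip_id=$(aws cloudfront create-invalidation \
            --distribution-id "$ip_dist" \
            --paths "$@" \
            --query 'Invalidation.Id' --output text) || return 1
  aws cloudfront wait invalidation-completed \
    --distribution-id "$ip_dist" --id "$ip_id" || return 1
  printf '%s\n' "$ip_id"
}

# Quote every path. Unquoted, the shell expands /* to the entries of the
# local root directory before the aws command ever sees it.
# invalidate_paths "$DIST_ID" "/index.html" "/images/*"
```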

Key Point

Invalidation clears the cache across all edge locations and Regional Edge Caches at once. The next request to any edge goes back to the origin, fetches the latest version, and caches it again fresh.
