Photo by Oxana Melis on Unsplash

Isolating Cloud Web Services

Passport Check

Article from ADMIN 92/2026

By Sam Klein

Use geofence technology to isolate your web services from the broader public Internet with custom security rules and worker routes.

Have you ever gone online, perhaps while on holiday, and received a notification that your favorite BBC original comedy isn't available in your area? How does the service know what country you're in? You might assume it's information sent by the client in an HTTP header, but in reality, it involves a combination of allocation records, inference, and engineering that allows web applications to assess where an IP address likely originates (Figure 1).

Figure 1: Cloudflare blocks access to the origin server. Users see this when a geofence security rules policy blocks access to a website.

IP address blocks are distributed by regional Internet registries (RIRs): ARIN in North America, RIPE in Europe, and others worldwide. Each registry records who owns a block and for which country it is intended. If an IP address belongs to a block registered to a British Internet service provider (ISP), for example, it is reasonable to infer that the traffic originates from the United Kingdom. Geolocation databases aggregate RIR allocation data, ISP documentation, and historical routing information to estimate a country ISO code (e.g., US ) and often a subdivision code (e.g., WI for Wisconsin; Figure 2).

...

Use Express-Checkout link below to read the full article (PDF).