Country Blocking
Overview
Country blocking enables denial of access to a circuit based on the geographic origin of the request. When a country is blocked, every request whose source IP geolocates to that country is rejected at the Horizon proxy before it reaches the backend service. This feature uses IP geolocation - the process of determining the approximate geographic location of an IP address by consulting databases that map IP address ranges to countries, maintained by organizations like MaxMind, IP2Location, and various Regional Internet Registries (RIRs). Horizon supports blocking for over 190 countries and territories using ISO country codes. Country blocking operates as an independent security layer alongside IP filtering, access policies, and bot detection - a request must pass all configured layers to reach the backend.
Adding Country Blocks
To add a country block, open the circuit's settings panel and navigate to the Country Blocking section. The interface provides a searchable dropdown containing all available countries. As text is entered in the search field, the dropdown filters in real-time, displaying only countries whose names match the input. Select a country to add it to the block list. Blocked countries appear as tags below the search field, each with a remove (X) button. Any number of country blocks can be added. Each block takes effect immediately - requests from the blocked country will be denied as soon as the block is added.
Removing Country Blocks
To remove a country block, click the remove (X) button on the country tag in the settings panel. The country is immediately unblocked, and subsequent requests geolocating to that country will no longer be denied by this rule (though they may still be blocked by other security layers such as IP filtering or the access policy).
How It Works
When a request arrives at a circuit's domain, the Horizon proxy extracts the source IP address from the request and performs a geolocation lookup to determine which country the IP address is associated with. This lookup uses IP geolocation databases that map ranges of IP addresses to their registered countries. If the resolved country matches any country on the circuit's block list, the request is immediately denied and logged as blocked with the country information included. If the resolved country does not match any block, the request proceeds to the next security layer. IP geolocation is generally accurate for identifying the country of an IP address (typically 95-99% accurate at the country level), but it is not infallible. Users who route their traffic through VPN services, proxy servers, or Tor exit nodes may appear to originate from a different country than their actual physical location. Additionally, some IP address ranges - particularly those belonging to satellite internet providers, mobile carriers, and cloud hosting services - may geolocate to unexpected countries.
Use Cases
Country blocking is valuable in several common scenarios. Access to circuits can be restricted so that only users in countries where the organization operates can reach them - for example, if operations are entirely within Australia and Germany, all other countries can be blocked to dramatically reduce exposure to automated attacks and unauthorized access attempts. Country blocking is also useful for compliance with data access regulations that restrict which jurisdictions can access certain systems or data. Additionally, monitoring request logs may reveal high volumes of automated scanning or attack traffic originating from specific countries, and blocking those countries can significantly reduce the noise in logs and the load on backend services.
INFO
Country blocking relies on IP geolocation databases, which are generally accurate at the country level but not infallible. Users behind VPNs, proxy servers, or cloud-hosted infrastructure may appear to originate from a different country than their actual physical location. Country blocking should be viewed as one layer in a defense-in-depth strategy, not as a standalone access control mechanism.