
Geo-blocking Your Keycloak cluster using Skycloak

Introduction

In this article, we discuss how to restrict access to your Keycloak cluster using Geo-blocking.
Skycloak is a fully managed Keycloak platform hosted in the cloud.

Skycloak enables organizations to leverage the powerful capabilities of the open-source Keycloak Identity and Access Management (IAM) solution—without the operational overhead of installing, maintaining, and scaling Keycloak for production-grade environments. All of this is delivered in a secure and cost-effective manner.

To further strengthen security, Skycloak provides several enterprise-grade protection mechanisms, including:

  • Web Application Firewall (WAF)
  • Geo-blocking
  • IP-based access control
  • Rate limiting
  • And more

In this article, we focus specifically on the Geo-blocking feature offered by Skycloak.

Overview

Skycloak provides built-in security controls to protect your Keycloak cluster from unauthorized or unwanted access. It is strongly recommended that administrators enable and configure these security features using the Skycloak Console.

The Geo-blocking feature uses GeoIP-based detection to determine the originating country of each incoming request and applies access control rules accordingly.

Skycloak’s Geo-blocking supports the following modes:

  • Whitelisting
    • Only requests from the selected countries will be allowed. All other countries will be blocked.
  • Blacklisting
    • Requests from the selected countries will be blocked. All other countries will be allowed.

You can choose either approach depending on your security requirements. For example:

  • Blacklisting is convenient when you want to block access from only a few countries.
  • Whitelisting is more suitable when access should be limited strictly to a small set of approved countries.

Skycloak includes an authorization component that evaluates each incoming request and makes an Allow or Deny decision based on the configured Geo-blocking rules.
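
Before enabling a rule, it is worth checking which existing users it would lock out. The following is an added example, not Skycloak's code: it models the Allow/Deny decision for the two modes and replays it over sample login events. The GeoIP table, the events (shaped like Keycloak login events), and the handling of addresses that resolve to no country are assumptions.

```python
import ipaddress
from collections import Counter

# Constructed stand-in for a GeoIP database (documentation prefixes only).
GEOIP = {
    "192.0.2.0/24": "CA",
    "198.51.100.0/24": "DE",
    "203.0.113.0/24": "BR",
}

# Constructed sample, shaped like Keycloak login events.
EVENTS = [
    {"type": "LOGIN", "ipAddress": "192.0.2.10", "details": {"username": "alice"}},
    {"type": "LOGIN", "ipAddress": "198.51.100.7", "details": {"username": "bob"}},
    {"type": "LOGIN", "ipAddress": "203.0.113.5", "details": {"username": "admin"}},
    {"type": "LOGIN_ERROR", "ipAddress": "203.0.113.99", "details": {"username": "admin"}},
    {"type": "LOGIN", "ipAddress": "10.1.2.3", "details": {"username": "carol"}},
]

def country_of(ip):
    """Resolve an IP to a country code, or None when the lookup fails."""
    addr = ipaddress.ip_address(ip)
    for cidr, code in GEOIP.items():
        if addr in ipaddress.ip_network(cidr):
            return code
    return None

def decide(country, mode, selected):
    """Allow/Deny for one request under whitelisting or blacklisting."""
    if mode not in ("whitelist", "blacklist"):
        raise ValueError(f"unknown mode: {mode}")
    if country is None:
        # Assumption: unresolved origins fail closed under whitelisting.
        return "DENY" if mode == "whitelist" else "ALLOW"
    listed = country in selected
    return "ALLOW" if listed == (mode == "whitelist") else "DENY"

def dry_run(events, mode, selected):
    """Count successful logins that the proposed rule would have denied."""
    locked_out = Counter()
    for ev in events:
        if ev["type"] != "LOGIN":  # failed attempts are not lockouts
            continue
        country = country_of(ev["ipAddress"])
        if decide(country, mode, selected) == "DENY":
            locked_out[(ev["details"]["username"], country or "unknown")] += 1
    return dict(locked_out)

if __name__ == "__main__":
    print(dry_run(EVENTS, "whitelist", {"CA", "DE"}))
```

With this sample, whitelisting CA and DE would lock out the administrator logging in from BR, which is the kind of result to catch before saving the configuration.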

The Keycloak System Admin page has more information on security best practices.

Configuration Steps

Navigate to:
Skycloak Console -> Security

On the right-hand panel, you will see a Security Score reflecting the security features currently enabled for your cluster.

Navigate to the Geo-blocking section and perform the following steps:

  • Toggle the Geo-blocking switch to Enabled
  • Select either Whitelisting or Blacklisting
  • Under Selected Countries, choose the required countries from the dropdown
  • Add countries one by one using the “+” button
  • Click Save Configuration at the bottom of the page

Testing the Implementation

Access your Keycloak cluster from a location that is not blocked.

  • You should be able to access Keycloak normally.

Attempt to access the Keycloak cluster from a blocked country.

  • The request will be denied, and you will see a message in the browser similar to:
Access denied from country: <country_name>

This confirms that Geo-blocking rules are correctly enforced.

Summary

In this article, we explored how to secure your Keycloak cluster using the Geo-blocking feature available in Skycloak. By restricting access based on geographic location, organizations can significantly reduce their attack surface and enforce regional access policies with ease.

If you’re new to Skycloak, visit the Skycloak Getting Started Guide to learn more about securing your Keycloak deployments.


© 2026 All Rights Reserved. Made by Yasser