Blocking traffic by country in Cloudflare is a fast way to reduce unwanted visits, tighten access, and lower risk from regions you do not serve.
This guide shows how to do it correctly, what to watch for, and when country blocking is the wrong tool.
Why block country traffic in Cloudflare?
Cloudflare sits in front of your website as a reverse proxy, which means it can inspect requests before they reach your origin server.
That makes it a strong control point for geo-based filtering, especially when you want to reduce exposure to bot traffic, fraud attempts, or regions outside your business footprint.
Common reasons to use geo-blocking include:
- Restricting access to internal tools, private documentation, or member portals
- Reducing automated attacks from specific regions
- Meeting licensing, legal, or distribution requirements
- Limiting spam, scraping, or account abuse
- Lowering noise in analytics and support requests
Before blocking, confirm that you are not excluding legitimate customers, search engines, partners, or remote teams.
Country-level blocking is broad, so it works best when the access policy is clear.
How Cloudflare determines visitor country
Cloudflare uses IP geolocation to map a request to a country.
The country value is derived from the visitor’s IP address and is available in Cloudflare security rules and logs.
This is useful, but it is not perfect: users on VPNs, mobile networks, corporate NATs, or roaming connections may appear to come from a different country.
Because of that, country blocking should be treated as a policy layer, not a guarantee of identity.
If you need stronger access control, pair it with authentication, device checks, allowlists, or Zero Trust policies.
How to block country traffic in Cloudflare using WAF rules
The most direct method is to create a Cloudflare WAF custom rule, sometimes referred to as a firewall rule depending on the interface and plan.
The rule checks the visitor’s country and then either blocks, challenges, or logs the request.
Steps to create a country block rule
- Sign in to the Cloudflare dashboard and select your domain.
- Go to Security and then WAF or Security Rules.
- Create a new custom rule.
- Set the expression using the country field, such as
ip.geoip.country in {