I am setting up AWS CloudFront Management. I am blacklisting several countries of the world (e.g., China). If someone from China uses a VPN via another country, can they still get access? Does the blacklist protect against access via VPN?
From the AWS documentation:
CloudFront determines the location of your users by using a third-party GeoIP database. The accuracy of the mapping between IP addresses and countries varies by Region. Based on recent tests, the overall accuracy is 99.8%. If CloudFront can't determine a user's location, CloudFront serves the content that the user has requested.
When users access your service through a VPN, their real IPs are hidden, and what you see is the IP of the server. Hence the geo-restriction will be mostly ineffective.
You can mitigate the use of VPNs to some extent by limiting the number of discrete sessions sharing a single IP. This can (for example) be achieved with Lambda@Edge and DynamoDB.
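One way the per-IP session limit suggested above could look in a Lambda@Edge viewer-request function, as an added example that is not part of the original answer. The in-memory Map stands in for the DynamoDB table, and the threshold, the time window and the cookie name `sid` are assumptions.

```javascript
// Added example. A Map stands in for the DynamoDB table (assumption).
const MAX_SESSIONS_PER_IP = 3;     // assumed threshold
const WINDOW_MS = 10 * 60 * 1000;  // assumed 10-minute window
const SESSION_COOKIE = 'sid';      // hypothetical cookie name

// True if this session may use this IP; records the session when admitted.
function admitSession(store, ip, sessionId, now) {
  const seen = store.get(ip) || new Map();  // sessionId -> last-seen ms
  for (const [sid, ts] of seen) {
    if (now - ts > WINDOW_MS) seen.delete(sid);  // drop sessions outside the window
  }
  const allowed = seen.has(sessionId) || seen.size < MAX_SESSIONS_PER_IP;
  if (allowed) seen.set(sessionId, now);
  store.set(ip, seen);
  return allowed;
}

// Extract the session cookie from CloudFront's header format.
function sessionIdFrom(request) {
  for (const header of request.headers.cookie || []) {
    for (const part of header.value.split(';')) {
      const [name, ...rest] = part.trim().split('=');
      if (name === SESSION_COOKIE && rest.length) return rest.join('=');
    }
  }
  return null;
}

// Viewer-request logic: return the request to continue, or a 403 response.
function handleViewerRequest(event, store, now = Date.now()) {
  const request = event.Records[0].cf.request;
  const sessionId = sessionIdFrom(request);
  // Requests without a session cookie pass through here (assumption).
  if (sessionId === null || admitSession(store, request.clientIp, sessionId, now)) {
    return request;
  }
  return { status: '403', statusDescription: 'Forbidden',
           body: 'Too many sessions from this address' };
}

// Constructed sample event in the CloudFront viewer-request shape.
function sampleEvent(ip, sid) {
  const headers = sid ? { cookie: [{ key: 'Cookie', value: `theme=dark; sid=${sid}` }] } : {};
  return { Records: [{ cf: { request: { clientIp: ip, uri: '/', method: 'GET', headers } } }] };
}
```

In a deployed function the Map would be replaced by reads and writes to the table, and the threshold needs room for offices and mobile carriers whose users legitimately share one address.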