Geo-Blocking with IP Geolocation

Q: How do I handle VPN users trying to bypass geo-blocks?

The is_vpn, is_proxy, and is_tor flags detect circumvention attempts. For compliance-critical restrictions (licensing, sanctions), block access from anonymized connections to the restricted content. For less critical restrictions, you can challenge VPN users with additional verification or display a notice explaining the geographic limitation. Use the IP lookup tool to test VPN detection accuracy.

Not all content can be served everywhere. Licensing agreements restrict media distribution to specific territories. Regulatory frameworks like GDPR and data sovereignty laws mandate geographic access controls. Sanctions regimes prohibit transactions with certain countries entirely. And security policies may require limiting administrative access to corporate networks within trusted regions. Geo-blocking — the practice of restricting or modifying access based on the user’s geographic location — addresses all of these requirements using IP geolocation as the detection mechanism. When implemented correctly, geo-blocking enforces compliance without degrading the experience for legitimate users in permitted regions.

Scan a list of IPs in seconds

Paste up to 100 IPs and get a full geolocation report with 40+ fields per IP — country, city, ISP, ASN, VPN/Tor/datacenter flags, and threat score. Exports to CSV, JSON, Excel, PDF, XML.

Starting at $1.99 per report No signup required 7-day money-back guarantee

Try Bulk Lookup See sample PDF

The Problem

Geographic access requirements arise from multiple sources, each with different compliance stakes. Content licensing agreements specify exactly which territories have distribution rights — streaming a film in a country where you do not hold the license exposes the distributor to contractual penalties and legal liability. The EU Digital Single Market strategy has addressed some cross-border content access within Europe, but global licensing remains territory-specific and requires enforcement at the point of access.

Regulatory compliance adds another layer. The GDPR’s territorial scope (Article 3) applies to any service processing data of EU residents, but some organizations choose to geo-block EU traffic entirely rather than implement full GDPR compliance — a legitimate business decision when the EU is not a target market. Financial services face even stricter requirements, with regulators mandating that certain products are only offered to residents of jurisdictions where the provider is licensed. Trade sanctions prohibit all commercial interaction with designated countries, and violations carry severe penalties. Without reliable geographic detection, organizations cannot enforce these requirements and expose themselves to regulatory risk.

Digital access control shield representing geographic content restrictions — Credit: via Unsplash

How IP Intelligence Helps

IP geolocation provides the geographic classification needed to enforce access policies at the network level. When a user connects, their IP address is resolved to a country, region, and city. This location data is evaluated against access rules to determine whether the user should receive full access, restricted access, or a block page explaining the restriction.

Country-level blocking — the country_code field determines the user’s country with over 99% accuracy. Maintain allowlists or blocklists of country codes and evaluate each request against them. This is the foundation for licensing enforcement, sanctions compliance, and regulatory restrictions where access decisions are made at the national level.
Region-level controls — some restrictions apply at the state or province level. US gambling regulations vary by state. Canadian content rules differ by province. The region field enables sub-national access controls without blocking an entire country when only certain regions are restricted.
Circumvention detection — users attempting to bypass geo-blocks commonly use VPNs, proxies, and Tor to mask their true location. The is_vpn, is_proxy, and is_tor flags identify these anonymization layers. When circumvention is detected on a geo-restricted resource, the system can block the request or require additional identity verification.
Connection type analysis — the connection_type field distinguishes residential, mobile, business, and hosting connections. For high-value geo-restricted content, requiring a residential or mobile connection (not datacenter or hosting) adds confidence that the request originates from an actual user in the permitted territory rather than a proxy server.
Graduated access policies — not all geo-blocking needs to be binary. Some scenarios call for showing different content versions, applying watermarks, limiting features, or displaying regulatory disclaimers based on the visitor’s location rather than blocking access entirely. IP intelligence provides the location data to implement nuanced policies.

Key API Fields for Geo-Blocking

API Field	Access Control Use	Plan
`country_code`	Primary geo-block decision (allow/deny by country)	Free
`region`	Sub-national restrictions (state/province level)	Free
`is_vpn`	VPN circumvention detection	Pro
`is_proxy`	Proxy-based geo-block bypass detection	Pro
`is_tor`	Tor network bypass detection	Pro
`connection_type`	Residential vs hosting classification	Business
`is_datacenter`	Cloud/hosting origin (possible bypass infrastructure)	Pro
`asn`	Network operator identification for allowlisting	Free
`threat_score`	IP reputation for risk-based decisions	Business
`city`	City-level restrictions for local regulations	Free

Implementation Example

A geo-blocking middleware evaluates each request against access rules before the content is served. Here is a simplified implementation that handles country blocking with circumvention detection:

async function enforceGeoBlock(requestIp, resource) {
  const geo = await ipLookup(requestIp);
  const rules = getAccessRules(resource);

  // Country-level check
  if (rules.blockedCountries.includes(geo.country_code)) {
    return { action: 'block', reason: 'country_restricted', country: geo.country_code };
  }

  if (rules.allowedCountries && !rules.allowedCountries.includes(geo.country_code)) {
    return { action: 'block', reason: 'country_not_allowed', country: geo.country_code };
  }

  // Region-level check (e.g., US state restrictions)
  if (rules.blockedRegions && rules.blockedRegions.includes(geo.region)) {
    return { action: 'block', reason: 'region_restricted', region: geo.region };
  }

  // Circumvention detection
  if (rules.blockCircumvention) {
    if (geo.is_vpn || geo.is_proxy || geo.is_tor) {
      return { action: 'challenge', reason: 'anonymizer_detected',
               type: geo.is_tor ? 'tor' : geo.is_vpn ? 'vpn' : 'proxy' };
    }
    if (geo.connection_type === 'hosting') {
      return { action: 'challenge', reason: 'datacenter_origin' };
    }
  }

  return { action: 'allow', country: geo.country_code, confidence: 'high' };
}

Apply this middleware at the edge (CDN level) or application level depending on your architecture. Edge-level enforcement prevents restricted traffic from reaching your origin servers entirely. Application-level enforcement allows more nuanced policies but passes all traffic through your infrastructure first.

Real-World Geo-Blocking Scenarios

Geographic access control serves distinct requirements across industries:

Streaming and media — content licensing is territory-specific. A streaming service may have rights to a film in North America but not in Europe. IP geolocation enforces these territorial restrictions by checking the viewer’s country before granting access to each title. Netflix’s geo-restriction system is the most widely recognized example, using IP data combined with VPN detection to enforce licensing boundaries worldwide.
Financial services — banks, investment platforms, and insurance providers are licensed to operate in specific jurisdictions. Offering financial products to residents of unlicensed jurisdictions violates regulatory requirements. IP geo-blocking prevents users from accessing product pages, applications, or trading interfaces that are not authorized in their country.
Online gambling and gaming — gambling regulations are jurisdiction-specific and strictly enforced. Many countries and US states prohibit or heavily regulate online gambling. IP geolocation determines whether the visitor is in a permitted jurisdiction before allowing access to gambling interfaces. Circumvention detection is critical here, as penalties for serving gambling content in prohibited jurisdictions are severe.
Trade sanctions compliance — US, EU, and other sanctions regimes prohibit commercial transactions with designated countries (e.g., OFAC’s Specially Designated Nationals list). Organizations must block access from sanctioned territories to their commercial platforms. IP-based country detection is the standard method for enforcing these restrictions at the point of access.
Data sovereignty — some organizations restrict administrative access and sensitive data views to users within the country where the data is stored. Healthcare platforms may limit access to patient data to IPs within the national jurisdiction. Government services may restrict certain functions to domestic IP ranges. The country_code field enforces these data residency requirements at the application layer.

Why My IP Help

99%+ country accuracy — geo-blocking decisions require high-confidence country detection. The API delivers over 99% country-level accuracy, minimizing false blocks of legitimate users while maintaining compliance with territorial restrictions.
Integrated circumvention detection — VPN, proxy, Tor, and datacenter flags are included in every response alongside geolocation data. No need for a separate circumvention detection service. A single API call provides both the location and the confidence level that the location is genuine.
Sub-50ms for edge enforcement — geo-blocking must happen before content delivery begins. API responses in under 50 milliseconds enable real-time access decisions at the application or CDN edge without introducing latency for permitted users.
Frequently updated detection databases — VPN and proxy databases update multiple times daily. As circumvention services add new servers and IP ranges, the detection data keeps pace to maintain the effectiveness of geo-blocking policies over time.

Global network connections illustrating geographic access control across regions — Credit: via Unsplash

Frequently Asked Questions

What is geo-blocking and why is it used?

Geo-blocking restricts or modifies access to online content based on the user’s geographic location, determined by their IP address. It is used to enforce content licensing agreements, comply with regional regulations, implement trade sanctions, restrict financial products to licensed jurisdictions, and limit administrative access to trusted geographic zones. The practice balances business and legal requirements with user access.

How accurate is IP-based geo-blocking?

Country-level IP geolocation accuracy exceeds 99%, which is sufficient for most geo-blocking requirements. Region and city-level accuracy is lower (70-85%), so geo-blocks that operate at sub-national levels should account for potential misclassification near borders. For compliance-critical applications, combine IP geolocation with additional verification methods for edge cases.

How do I handle VPN users trying to bypass geo-blocks?

The is_vpn, is_proxy, and is_tor flags detect circumvention attempts. For compliance-critical restrictions (licensing, sanctions), block access from anonymized connections to the restricted content. For less critical restrictions, you can challenge VPN users with additional verification or display a notice explaining the geographic limitation. Use the IP lookup tool to test VPN detection accuracy.

Is geo-blocking legal?

Geo-blocking legality varies by jurisdiction and context. The EU’s Geo-blocking Regulation prohibits unjustified geo-blocking within the EU for goods and certain services, but allows it for audiovisual content and licensed digital services. Outside the EU, geo-blocking is generally permitted and often legally required (sanctions compliance, financial regulation). Consult legal counsel for your specific jurisdiction and use case.

Should I implement geo-blocking at the CDN edge or application level?

Edge-level enforcement is faster and prevents restricted traffic from reaching your infrastructure, reducing load and potential exposure. Application-level enforcement enables more nuanced policies (partial access, content modification, user-specific overrides). For strict compliance requirements, implement at the edge. For graduated access policies, implement at the application level. Many organizations use both — edge for hard blocks, application for nuanced rules.

How do I handle legitimate users who are incorrectly blocked?

Provide a clear block page explaining the geographic restriction and offering a way to contact support. Include an appeal process for users who believe they are incorrectly blocked (e.g., due to IP geolocation inaccuracy or carrier NAT). Log all block events with the IP, detected country, and timestamp for troubleshooting. Use the IP lookup tool to verify the IP location when investigating user complaints.

Can I use geo-blocking for trade sanctions compliance?

Yes. IP-based geo-blocking is a standard component of sanctions compliance programs. Maintain an up-to-date list of sanctioned countries from your relevant authorities (OFAC, EU, UN) and block all access from those countries. Enable circumvention detection (VPN, proxy, Tor blocking) to prevent sanctions evasion. Document your geo-blocking implementation as part of your compliance program.

How do I geo-restrict specific pages while keeping the rest of the site accessible?

Apply geo-blocking at the route or resource level rather than the domain level. Your geo-blocking middleware checks the access rules for the specific resource being requested. Public pages like the homepage and informational content remain accessible worldwide, while restricted resources (streaming content, financial products, gambling interfaces) enforce geographic restrictions. This provides the best user experience while maintaining compliance.

What is the performance impact of geo-blocking checks?

The My IP Help API responds in under 50 milliseconds. With IP-level caching (cache the geolocation result per IP for the session), subsequent requests from the same IP require no API call at all. The performance impact is negligible for permitted users and adds a minimal delay for blocked users who will receive a block page regardless. Edge-level caching eliminates the API call entirely for repeated requests.

How do I handle geo-blocking for mobile users on carrier networks?

Mobile users connecting through cellular carriers are accurately geolocated at the country level. Carrier NAT may reduce city-level precision, but country-level accuracy remains above 99%, which is sufficient for most geo-blocking decisions. The connection_type field identifies mobile connections, which you can use to apply slightly more lenient rules if your policy allows tolerance for the reduced precision of mobile IP geolocation.

Ready to get started?

Free plan includes 1,000 lookups/month. No credit card required.

Get Free API Key View Documentation