From d05aec312296022d17772a0c8af63592e3374a9c Mon Sep 17 00:00:00 2001 From: "Huabing (Robin) Zhao" Date: Tue, 24 Mar 2026 18:05:40 +0800 Subject: [PATCH 1/2] geoip docs Signed-off-by: Huabing (Robin) Zhao geoip docs Signed-off-by: Huabing (Robin) Zhao --- .../kubernetes/geoip-anonymous-ip-db.yaml | 120 ++++++ .../gateway_api_extensions/security-policy.md | 1 + .../en/latest/tasks/security/_index.md | 1 + .../tasks/security/geoip-authorization.md | 365 ++++++++++++++++++ 4 files changed, 487 insertions(+) create mode 100644 examples/kubernetes/geoip-anonymous-ip-db.yaml create mode 100644 site/content/en/latest/tasks/security/geoip-authorization.md diff --git a/examples/kubernetes/geoip-anonymous-ip-db.yaml b/examples/kubernetes/geoip-anonymous-ip-db.yaml new file mode 100644 index 0000000000..6f9e99fdb9 --- /dev/null +++ b/examples/kubernetes/geoip-anonymous-ip-db.yaml 
@@ -0,0 +1,120 @@ +# Vendored from https://github.com/maxmind/MaxMind-DB/blob/main/test-data/GeoIP2-Anonymous-IP-Test.mmdb +# source: https://github.com/maxmind/MaxMind-DB/blob/main/source-data/GeoIP2-Anonymous-IP-Test.json +# using the official MaxMind public test database. This keeps the example deterministic +# without introducing a custom MMDB generator into the repository. +apiVersion: v1 +kind: ConfigMap +metadata: + name: geoip-anonymous-ip-db + namespace: envoy-gateway-system +binaryData: + GeoIP2-Anonymous-IP-Test.mmdb: |- + AAABAAAB/gAAAgAAAoUAAAMAAAGrAAAEAAAChQAABQAAAoUAAAYAAAKFAAAH + AAAChQAACAAAAXMAAAkAAAKFAAAKAAAChQAACwAAAoUAAAwAAAKFAAANAAAC + hQAADgAAAoUAAA8AAAKFAAAQAAAChQAAEQAAAoUAABIAAAKFAAATAAAChQAA + FAAAAoUAABUAAAKFAAAWAAAChQAAFwAAAoUAABgAAAKFAAAZAAAChQAAGgAA + AoUAABsAAAKFAAAcAAAChQAAHQAAAoUAAB4AAAKFAAAfAAAChQAAIAAAAoUA + ACEAAAKFAAAiAAAChQAAIwAAAoUAACQAAAKFAAAlAAAChQAAJgAAAoUAACcA + AAKFAAAoAAAChQAAKQAAAoUAACoAAAKFAAArAAAChQAALAAAAoUAAC0AAAKF + AAAuAAAChQAALwAAAoUAADAAAAKFAAAxAAAChQAAMgAAAoUAADMAAAKFAAA0 + AAAChQAANQAAAoUAADYAAAKFAAA3AAAChQAAOAAAAoUAADkAAAKFAAA6AAAC + hQAAOwAAAoUAADwAAAKFAAA9AAAChQAAPgAAAoUAAD8AAAKFAABAAAAChQAA + QQAAAoUAAEIAAAKFAABDAAAChQAARAAAAoUAAEUAAAKFAABGAAAChQAARwAA + AoUAAEgAAAKFAABJAAAChQAASgAAAoUAAEsAAAKFAABMAAAChQAATQAAAoUA + AE4AAAKFAABPAAAChQAAUAAAAoUAAFEAAAFkAABSAAAChQAAUwAAAoUAAFQA + AAKFAABVAAAChQAAVgAAAoUAAFcAAAKFAABYAAAChQAAWQAAAoUAAFoAAAKF + AABbAAAChQAAXAAAAoUAAF0AAAKFAABeAAAChQAAXwAAAoUAAGAAAAKFAABh + AAAA4QAAYgAAAKUAAGMAAAKFAABkAAAChQAAZQAAAKIAAGYAAACGAABnAAAC + hQACdQAAAGgAAGkAAAKFAABqAAAAcAAAawAAAoUAAGwAAAKFAABtAAAChQAA + bgAAAoUAAoUAAABvAAKGAAAChQAChQAAAHEAAoUAAAByAAKFAAAAcwAChQAA + AHQAAHUAAAKFAAB2AAAChQAChQAAAHcAAoUAAAB4AAB5AAAChQAChQAAAHoA + AHsAAAKFAAKFAAAAfAAAfQAAAoUAAoUAAAB+AAB/AAAChQAAgAAAAoUAAIEA + AAKFAACCAAAChQAAgwAAAoUAAIQAAAKFAACFAAAChQAChQAAAqkAAoUAAACH + AACIAAAChQAAiQAAAoUAAIoAAAKFAACLAAAChQAAjAAAAoUAAI0AAAKFAACO + AAAChQAAjwAAAoUAAoUAAACQAACRAAAChQAAkgAAAoUAAJMAAAKFAACUAAAC + 
hQAAlQAAAoUAAJYAAAKFAACXAAAChQAAmAAAAoUAAJkAAAKFAACaAAAChQAA + mwAAAoUAAJwAAAKFAACdAAAChQAAngAAAKAAAoYAAACfAALFAAAC4AAAoQAA + AoUAAvcAAAKFAACjAAAChQAChQAAAKQAAnUAAAKFAACmAAAA1gAApwAAAMIA + AKgAAAKFAACpAAAAsAAAqgAAAoUAAoUAAACrAACsAAAChQAArQAAAoUAAK4A + AAKFAACvAAAChQADEwAAAoUAAoUAAACxAAKFAAAAsgAChQAAALMAALQAAAKF + AAKFAAAAtQAAtgAAAoUAALcAAAKFAAC4AAAChQAAuQAAAoUAALoAAAKFAAKF + AAAAuwAChQAAALwAAL0AAAKFAAKFAAAAvgAChQAAAL8AAoUAAADAAAKFAAAA + wQAChQAAAsUAAMMAAAKFAADEAAAChQAAxQAAAoUAAoUAAADGAADHAAAChQAA + yAAAAoUAAMkAAAKFAADKAAAChQAAywAAAoUAAMwAAAKFAAKFAAAAzQAAzgAA + AoUAAM8AAAKFAAKFAAAA0AAA0QAAAoUAANIAAAKFAADTAAAChQAChQAAANQA + ANUAAAKFAAKFAAADHAAA1wAAAN0AANgAAAKFAAKFAAAA2QAA2gAAAoUAANsA + AAKFAADcAAAChQAChQAAAnUAAoUAAADeAAKFAAAA3wAChQAAAOAAAoUAAAJ1 + AADiAAABCgAChQAAAOMAAOQAAAD2AAKFAAAA5QAA5gAAAPAAAOcAAAKFAAKF + AAAA6AAChQAAAOkAAoUAAADqAAKFAAAA6wAChQAAAOwAAoUAAADtAAKFAAAA + 7gAChQAAAO8AAnUAAAKFAADxAAAChQAA8gAAAoUAAPMAAAKFAAD0AAAChQAA + 9QAAAoUAAoUAAAJ1AAKFAAAA9wAA+AAAAoUAAoUAAAD5AAD6AAAChQAA+wAA + AoUAAPwAAAKFAAD9AAAChQAChQAAAP4AAoUAAAD/AAKFAAABAAAChQAAAQEA + AQIAAAKFAAKFAAABAwAChQAAAQQAAoUAAAEFAAEGAAAChQAChQAAAQcAAoUA + AAEIAAEJAAAChQAC4AAAAoUAAQsAAAJ1AAEMAAAChQABDQAAAVEAAQ4AAAE7 + AAEPAAAChQABEAAAAoUAAREAAAE0AAESAAABJgABEwAAAoUAARQAAAKFAAEV + AAAChQABFgAAAoUAARcAAAKFAAEYAAAChQABGQAAAoUAARoAAAKFAAEbAAAC + hQABHAAAAoUAAR0AAAKFAAEeAAAChQABHwAAASUAASAAAAKFAAEhAAAChQAB + IgAAAoUAASMAAAKFAAEkAAAChQACdQAAAoUAAnUAAAKFAAEnAAAChQAChQAA + ASgAAoUAAAEpAAEqAAAChQABKwAAAoUAASwAAAKFAAEtAAAChQAChQAAAS4A + AoUAAAEvAAEwAAAChQABMQAAAoUAATIAAAKFAAKFAAABMwAChQAAAnUAATUA + AAKFAAKFAAABNgABNwAAAoUAAoUAAAE4AAE5AAAChQABOgAAAoUAAnUAAAKF + AAKFAAABPAABPQAAAoUAAT4AAAKFAAE/AAAChQABQAAAAUQAAoUAAAFBAAFC + AAAChQABQwAAAoUAAoUAAAJ1AAKFAAABRQABRgAAAoUAAUcAAAKFAAKFAAAB + SAAChQAAAUkAAUoAAAKFAAKFAAABSwAChQAAAUwAAU0AAAKFAAFOAAAChQAC + hQAAAU8AAVAAAAKFAAJ1AAAChQABUgAAAoUAAoUAAAFTAAKFAAABVAABVQAA + AoUAAVYAAAKFAAFXAAAChQABWAAAAoUAAVkAAAKFAAFaAAAChQABWwAAAoUA + 
AVwAAAKFAAFdAAAChQAChQAAAV4AAoUAAAFfAAKFAAABYAABYQAAAoUAAWIA + AAKFAAFjAAAChQAChQAAAnUAAoUAAAFlAAKFAAABZgAChQAAAWcAAoUAAAFo + AAKFAAABaQAChQAAAWoAAoUAAAFrAAKFAAABbAAChQAAAW0AAoUAAAFuAAKF + AAABbwAChQAAAXAAAoUAAAFxAAKFAAABcgAChQAAAGAAAXQAAAKFAAF1AAAC + hQABdgAAAoUAAXcAAAKFAAF4AAAChQABeQAAAoUAAXoAAAKFAAF7AAAChQAB + fAAAAoUAAX0AAAKFAAF+AAAChQABfwAAAoUAAYAAAAKFAAGBAAAChQABggAA + AoUAAYMAAAKFAAGEAAAChQABhQAAAoUAAYYAAAKFAAGHAAAChQABiAAAAoUA + AYkAAAKFAAGKAAAChQABiwAAAoUAAYwAAAKFAAGNAAAChQABjgAAAoUAAY8A + AAKFAAGQAAAChQABkQAAAoUAAZIAAAKFAAGTAAAChQABlAAAAoUAAZUAAAKF + AAGWAAAChQABlwAAAoUAAZgAAAKFAAGZAAAChQABmgAAAoUAAZsAAAKFAAGc + AAAChQABnQAAAoUAAZ4AAAKFAAGfAAAChQABoAAAAoUAAaEAAAKFAAGiAAAC + hQABowAAAoUAAaQAAAKFAAGlAAAChQABpgAAAoUAAacAAAKFAAGoAAAChQAB + qQAAAoUAAaoAAAKFAAJ1AAAChQABrAAAAoUAAa0AAAKFAAGuAAAChQABrwAA + AoUAAbAAAAKFAAGxAAAChQABsgAAAoUAAbMAAAKFAAG0AAAChQABtQAAAoUA + AbYAAAKFAAG3AAAB/QAChQAAAbgAAbkAAAKFAAG6AAAChQABuwAAAoUAAbwA + AAKFAAG9AAAB8gABvgAAAcgAAb8AAAKFAAHAAAACdQABwQAAAnUAAcIAAAJ1 + AAHDAAACdQABxAAAAnUAAcUAAAJ1AAHGAAACdQABxwAAAnUAAGAAAAJ1AAHJ + AAAChQABygAAAoUAAoUAAAHLAAHMAAAChQABzQAAAoUAAc4AAAKFAAHPAAAC + hQAB0AAAAoUAAdEAAAKFAAHSAAAChQAB0wAAAoUAAdQAAAKFAAHVAAAChQAB + 1gAAAoUAAdcAAAKFAAHYAAAChQAB2QAAAoUAAdoAAAKFAAHbAAAChQAB3AAA + AoUAAoUAAAHdAAKFAAAB3gAChQAAAd8AAeAAAAKFAAKFAAAB4QAB4gAAAoUA + AeMAAAKFAAHkAAAChQAB5QAAAoUAAeYAAAKFAAHnAAAChQAB6AAAAoUAAekA + AAKFAAHqAAAChQAB6wAAAoUAAewAAAKFAAHtAAAChQAB7gAAAoUAAe8AAAKF + AAHwAAAChQAB8QAAAoUAAuAAAAKFAAKFAAAB8wAB9AAAAoUAAoUAAAH1AAKF + AAAB9gAB9wAAAoUAAoUAAAH4AAKFAAAB+QAChQAAAfoAAfsAAAKFAAH8AAAC + hQACdQAAAoUAAGAAAAKFAAH/AAACbQAChQAAAgAAAgEAAAKFAAKFAAACAgAC + AwAAAoUAAoUAAAIEAAKFAAACBQAChQAAAgYAAoUAAAIHAAIIAAAChQACCQAA + AoUAAoUAAAIKAAKFAAACCwACDAAAAoUAAoUAAAINAAIOAAAChQACDwAAAoUA + AhAAAAKFAAKFAAACEQACEgAAAoUAAhMAAAKFAAIUAAAChQACFQAAAoUAAhYA + AAKFAAIXAAAChQACGAAAAoUAAhkAAAKFAAIaAAAChQACGwAAAoUAAhwAAAKF + AAIdAAAChQACHgAAAoUAAh8AAAKFAAIgAAAChQACIQAAAoUAAiIAAAKFAAIj + 
AAAChQACJAAAAoUAAiUAAAKFAAImAAAChQACJwAAAoUAAigAAAKFAAIpAAAC + hQACKgAAAoUAAisAAAKFAAIsAAAChQACLQAAAoUAAi4AAAKFAAIvAAAChQAC + MAAAAoUAAjEAAAKFAAIyAAAChQACMwAAAoUAAjQAAAKFAAI1AAAChQACNgAA + AoUAAjcAAAKFAAI4AAAChQACOQAAAoUAAjoAAAKFAAI7AAAChQACPAAAAoUA + Aj0AAAKFAAI+AAAChQACPwAAAoUAAkAAAAKFAAJBAAAChQACQgAAAoUAAkMA + AAKFAAJEAAAChQACRQAAAoUAAkYAAAKFAAJHAAAChQACSAAAAoUAAkkAAAKF + AAJKAAAChQACSwAAAoUAAkwAAAKFAAJNAAAChQACTgAAAoUAAk8AAAKFAAJQ + AAAChQACUQAAAoUAAlIAAAKFAAJTAAAChQACVAAAAoUAAlUAAAKFAAJWAAAC + hQACVwAAAoUAAlgAAAKFAAJZAAAChQACWgAAAoUAAlsAAAKFAAJcAAAChQAC + XQAAAoUAAl4AAAKFAAJfAAAChQACYAAAAoUAAmEAAAKFAAJiAAAChQACYwAA + AoUAAmQAAAKFAAJlAAAChQACZgAAAoUAAmcAAAKFAAJoAAAChQACaQAAAoUA + AmoAAAKFAAJrAAAChQACbAAAAoUAAuAAAAKFAAKFAAACbgAChQAAAm8AAoUA + AAJwAAKFAAACcQACdQAAAnIAAnMAAAJ1AAKFAAACdAACdQAAAoUAAAAAAAAA + AAAAAAAAAAAA4OJMaXNfYW5vbnltb3VzAQdQaXNfYW5vbnltb3VzX3ZwbgEH + 4yACAQcgEQEHUGlzX3Rvcl9leGl0X25vZGUBB+IgAgEHU2lzX2hvc3Rpbmdf + cHJvdmlkZXIBB+IgAgEHT2lzX3B1YmxpY19wcm94eQEH4iACAQdUaXNfcmVz + aWRlbnRpYWxfcHJveHkBB+IgAgEHIC0BB+YgAgEHIBEBByBFAQcgYAEHIHcB + ByAtAQerze9NYXhNaW5kLmNvbelbYmluYXJ5X2Zvcm1hdF9tYWpvcl92ZXJz + aW9uoQJbYmluYXJ5X2Zvcm1hdF9taW5vcl92ZXJzaW9uoEtidWlsZF9lcG9j + aAQCaYPM+U1kYXRhYmFzZV90eXBlU0dlb0lQMi1Bbm9ueW1vdXMtSVBLZGVz + Y3JpcHRpb27hQmVuXTJHZW9JUDIgQW5vbnltb3VzIElQIFRlc3QgRGF0YWJh + c2UgKGZha2UgR2VvSVAyIGRhdGEsIGZvciBleGFtcGxlIHB1cnBvc2VzIG9u + bHkpSmlwX3ZlcnNpb26hBklsYW5ndWFnZXMBBCB9Sm5vZGVfY291bnTCAnVL + cmVjb3JkX3NpemWhHA== diff --git a/site/content/en/latest/concepts/gateway_api_extensions/security-policy.md b/site/content/en/latest/concepts/gateway_api_extensions/security-policy.md index f7bdb45234..8a2ccd710b 100644 --- a/site/content/en/latest/concepts/gateway_api_extensions/security-policy.md +++ b/site/content/en/latest/concepts/gateway_api_extensions/security-policy.md 
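Review bot: The header comment cites the upstream file at `blob/main`, so the manifest records neither which revision of the test database was embedded nor any way to confirm that the base64 payload matches it. This ConfigMap lands in `envoy-gateway-system` and, per the accompanying task page, is mounted into the proxy and read by Envoy, so the provenance should be checkable. I would pin the reference and add a digest of the decoded file, e.g. `# Vendored from https://github.com/maxmind/MaxMind-DB/blob/<upstream-commit>/test-data/GeoIP2-Anonymous-IP-Test.mmdb` followed by `# sha256 (decoded .mmdb): <sha256-of-decoded-file>`. A one-line comment saying this is MaxMind test data and must not back a production policy would also help readers who copy the example.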
@@ -285,6 +285,7 @@ When policies are merged, secret references inherited from parent policies must - [Basic Authentication](../../tasks/security/basic-auth.md) - [CORS](../../tasks/security/cors.md) - [External Authorization](../../tasks/security/ext-auth.md) +- [GeoIP Authorization](../../tasks/security/geoip-authorization.md) - [IP Allowlist/Denylist](../../tasks/security/restrict-ip-access.md) - [JWT Authentication](../../tasks/security/jwt-authentication.md) - [JWT Claim Based Authorization](../../tasks/security/jwt-claim-authorization.md) diff --git a/site/content/en/latest/tasks/security/_index.md b/site/content/en/latest/tasks/security/_index.md index 271b941345..4269d2c5a4 100644 --- a/site/content/en/latest/tasks/security/_index.md +++ b/site/content/en/latest/tasks/security/_index.md @@ -4,4 +4,5 @@ weight: 2 description: This section includes Security tasks. --- +- [GeoIP Authorization](geoip-authorization/) - [HTTP Header and Method Based Authentication](http-header-method-auth/) diff --git a/site/content/en/latest/tasks/security/geoip-authorization.md b/site/content/en/latest/tasks/security/geoip-authorization.md new file mode 100644 index 0000000000..c99e1d67a5 --- /dev/null +++ b/site/content/en/latest/tasks/security/geoip-authorization.md 
@@ -0,0 +1,365 @@ +--- +title: "GeoIP Authorization" +--- + +This task provides instructions for configuring GeoIP-based authorization with Envoy Gateway. + +GeoIP authorization uses geolocation data derived from the client IP address to determine whether a request should be +allowed or denied before it is forwarded to the backend service. + +Envoy Gateway introduces a new CRD called [SecurityPolicy][] that allows the user to configure GeoIP-based authorization. +This instantiated resource can be linked to a [Gateway][], [HTTPRoute][], or [GRPCRoute][] resource. + +GeoIP authorization is configured through `SecurityPolicy.spec.authorization.rules[].principal.clientIPGeoLocations`. + +GeoIP authorization requires: + +- GeoIP provider configuration on [EnvoyProxy][] +- client IP detection on [ClientTrafficPolicy][] +- a [SecurityPolicy][] attached to a [Gateway][], [HTTPRoute][] or [GRPCRoute][] + +## Prerequisites + +{{< boilerplate prerequisites >}} + +## Configuration + +### Prepare the GeoIP database + +Envoy reads GeoIP data from a local MaxMind `.mmdb` database file mounted into the proxy container. + +This task uses a public MaxMind anonymous-IP test database. Apply the example manifest before continuing: + +```shell +kubectl apply -f https://raw.githubusercontent.com/envoyproxy/gateway/latest/examples/kubernetes/geoip-anonymous-ip-db.yaml +``` + +To keep this guide readable, the full base64-encoded `ConfigMap` is not repeated here. + +For production deployments, mount your own supported MaxMind database and update the file path in the `EnvoyProxy` resource accordingly. + +### Configure the Gateway and EnvoyProxy + +The following resources create a dedicated `Gateway`, mount the anonymous-IP database into the Envoy proxy, and configure `EnvoyProxy.spec.geoIP.provider.maxMind.anonymousIpDbSource` to read it. 
+ +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +### Create the route and SecurityPolicy + +The following resources create an `HTTPRoute` for `/geo-anonymous` and attach a `SecurityPolicy` that denies requests identified as anonymous networks while allowing other traffic. + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +Verify the `SecurityPolicy` configuration: + +```shell +kubectl get securitypolicy/authorization-geoip-anonymous -o yaml +``` + +### Enable client IP detection + +GeoIP authorization depends on Envoy Gateway correctly detecting the client IP address. Without `ClientTrafficPolicy.spec.clientIPDetection`, the `clientIPGeoLocations` match will not work as intended. + +The following `ClientTrafficPolicy` tells Envoy Gateway to use the `X-Forwarded-For` header and trust one upstream hop: + +{{< tabpane text=true >}} +{{% tab header="Apply from stdin" %}} + +```shell +cat <}} + +Verify the `ClientTrafficPolicy` configuration: + +```shell +kubectl get clienttrafficpolicy/enable-client-ip-detection-geoip -o yaml +``` + +## Testing + +Ensure the `GATEWAY_HOST` environment variable from the [Quickstart](../../quickstart) is set. If not, follow the Quickstart instructions to set the variable. + +```shell +echo $GATEWAY_HOST +``` + +Send a request with a regular client IP that is not flagged as anonymous by the test database: + +```shell +curl -v -H "Host: www.example.com" -H "X-Forwarded-For: 8.8.8.8" "http://${GATEWAY_HOST}/geo-anonymous" +``` + +The request should be allowed and return `200 OK`. + +Send a request with an IP that the anonymous-IP test database marks as anonymous: + +```shell +curl -v -H "Host: www.example.com" -H "X-Forwarded-For: 6.1.0.3" "http://${GATEWAY_HOST}/geo-anonymous" +``` + +The request should be denied and return `403 Forbidden`. 
+ +## Clean-Up + +Remove the resources created in this task: + +```shell +kubectl delete clienttrafficpolicy/enable-client-ip-detection-geoip +kubectl delete securitypolicy/authorization-geoip-anonymous +kubectl delete httproute/http-with-authorization-geoip-anonymous +kubectl delete gateway/geoip-authz-gateway +kubectl delete envoyproxy/geoip-authz-proxy +``` + +If you applied the test GeoIP database `ConfigMap`, remove it as well: + +```shell +kubectl delete configmap/geoip-anonymous-ip-db +``` + +## Next Steps + +Checkout the following related guides: + +- [IP Allowlist/Denylist](restrict-ip-access/) +- [SecurityPolicy API Reference](../../api/extension_types#securitypolicy) +- [ClientTrafficPolicy API Reference](../../api/extension_types#clienttrafficpolicy) + +[SecurityPolicy]: ../../api/extension_types#securitypolicy +[EnvoyProxy]: ../../api/extension_types#envoyproxy +[ClientTrafficPolicy]: ../../api/extension_types#clienttrafficpolicy +[Gateway]: https://gateway-api.sigs.k8s.io/api-types/gateway +[HTTPRoute]: https://gateway-api.sigs.k8s.io/api-types/httproute +[GRPCRoute]: https://gateway-api.sigs.k8s.io/api-types/grpcroute From 7a986fe2faa903a8ccd9d6185d32446edfa428d0 Mon Sep 17 00:00:00 2001 From: "Huabing (Robin) Zhao" Date: Sat, 28 Mar 2026 16:55:14 +0800 Subject: [PATCH 2/2] Apply suggestion from @rudrakhp Co-authored-by: Rudrakh Panigrahi Signed-off-by: Huabing (Robin) Zhao --- site/content/en/latest/tasks/security/geoip-authorization.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/site/content/en/latest/tasks/security/geoip-authorization.md b/site/content/en/latest/tasks/security/geoip-authorization.md index c99e1d67a5..f8976ac7c7 100644 --- a/site/content/en/latest/tasks/security/geoip-authorization.md +++ b/site/content/en/latest/tasks/security/geoip-authorization.md 
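Review bot: The "Enable client IP detection" section should say when trusting `X-Forwarded-For` with one hop is safe, because the Testing section shows the caller itself supplying the address that the GeoIP rule evaluates. If no load balancer or proxy you control sits in front of the Gateway and sets that header, the deny rule for anonymous networks presumably rests on a client-chosen value and is not an effective control. I would add after the sentence introducing the policy: `Only trust X-Forwarded-For when exactly one proxy you operate sits in front of Envoy and sets this header; set the trusted hop count to match your real topology, otherwise the client decides which address GeoIP authorization evaluates.` The ClientTrafficPolicy manifest body is not visible in this hunk, so the hop setting is taken from the prose around it.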
@@ -31,7 +31,7 @@ Envoy reads GeoIP data from a local MaxMind `.mmdb` database file mounted into t This task uses a public MaxMind anonymous-IP test database. Apply the example manifest before continuing: ```shell -kubectl apply -f https://raw.githubusercontent.com/envoyproxy/gateway/latest/examples/kubernetes/geoip-anonymous-ip-db.yaml +kubectl apply -f https://raw.githubusercontent.com/envoyproxy/gateway/{{< yaml-version >}}/examples/kubernetes/geoip-anonymous-ip-db.yaml ``` To keep this guide readable, the full base64-encoded `ConfigMap` is not repeated here.