Menu
AWS CloudFormation
User Guide (API Version 2010-05-15)

AWS::WAFRegional::IPSet

The AWS::WAFRegional::IPSet resource creates an AWS WAF Regional IPSet that specifies which web requests to permit or block based on the IP addresses from which the requests originate. For more information, see CreateIPSet in the AWS WAF Regional API Reference.

Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON

Copy
{ "Type" : "AWS::WAFRegional::IPSet", "Properties" : { "IPSetDescriptors" : [ IPSet descriptor, ... ], "Name" : String } }

YAML

Copy
Type: "AWS::WAFRegional::IPSet" Properties: IPSetDescriptors: - IPSet descriptor Name: String

Properties

IPSetDescriptors

The IP address type and IP address range (in CIDR notation) from which web requests originate. If you associate the IPSet with a web ACL that is associated with a Amazon CloudFront (CloudFront) distribution, this descriptor is the value of one of the following fields in the CloudFront access logs:

c-ip

If the viewer did not use an HTTP proxy or a load balancer to send the request

x-forwarded-for

If the viewer did use an HTTP proxy or a load balancer to send the request

Required: No

Type: List of AWS WAF Regional IPSet IPSetDescriptors

Update requires: No interruption

Name

A friendly name or description of the IPSet.

Required: Yes

Type: String

Update requires: Replacement

Return Values

Ref

When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource physical ID, such as 1234a1a-a1b1-12a1-abcd-a123b123456.

For more information about using the Ref function, see Ref.

Examples

Define IP Addresses

The following example defines a set of IP addresses for a web access control list (ACL) rule.

JSON

Copy
"MyIPSetBlacklist": { "Type": "AWS::WAFRegional::IPSet", "Properties": { "Name": "IPSet for blacklisted IP addresses", "IPSetDescriptors": [ { "Type" : "IPV4", "Value" : "192.0.2.44/32" }, { "Type" : "IPV4", "Value" : "192.0.7.0/24" } ] } }

YAML

Copy
MyIPSetBlacklist: Type: "AWS::WAFRegional::IPSet" Properties: Name: "IPSet for blacklisted IP addresses" IPSetDescriptors: - Type: "IPV4" Value: "192.0.2.44/32" - Type: "IPV4" Value: "192.0.7.0/24"

Associate an IPSet with a Web ACL Rule

The following example associates the MyIPSetBlacklist IP Set with a web ACL rule.

JSON

Copy
"MyIPSetRule" : { "Type": "AWS::WAFRegional::Rule", "Properties": { "Name": "MyIPSetRule", "MetricName" : "MyIPSetRule", "Predicates": [ { "DataId" : { "Ref" : "MyIPSetBlacklist" }, "Negated" : false, "Type" : "IPMatch" } ] } }

YAML

Copy
MyIPSetRule: Type: "AWS::WAFRegional::Rule" Properties: Name: "MyIPSetRule" MetricName: "MyIPSetRule" Predicates: - DataId: Ref: "MyIPSetBlacklist" Negated: false Type: "IPMatch"

Create a Web ACL

The following example associates the MyIPSetRule rule with a web ACL. The web ACL allows requests that originate from all IP addresses except for addresses that are defined in the MyIPSetRule.

JSON

Copy
"MyWebACL": { "Type": "AWS::WAFRegional::WebACL", "Properties": { "Name": "WebACL to block blacklisted IP addresses", "DefaultAction": { "Type": "ALLOW" }, "MetricName" : "MyWebACL", "Rules": [ { "Action" : { "Type" : "BLOCK" }, "Priority" : 1, "RuleId" : { "Ref" : "MyIPSetRule" } } ] } }

YAML

Copy
MyWebACL: Type: "AWS::WAFRegional::WebACL" Properties: Name: "WebACL to block blacklisted IP addresses" DefaultAction: Type: "ALLOW" MetricName: "MyWebACL" Rules: - Action: Type: "BLOCK" Priority: 1 RuleId: Ref: "MyIPSetRule"