AWS CloudFormation
User Guide (API Version 2010-05-15)


The AWS::WAF::IPSet resource creates an AWS WAF IPSet that specifies which web requests to permit or block based on the IP addresses from which the requests originate. For more information, see CreateIPSet in the AWS WAF API Reference.


To declare this entity in your AWS CloudFormation template, use the following syntax:


JSON

{
  "Type" : "AWS::WAF::IPSet",
  "Properties" : {
    "IPSetDescriptors" : [ IPSet descriptor, ... ],
    "Name" : String
  }
}


YAML

Type: "AWS::WAF::IPSet"
Properties:
  IPSetDescriptors:
    - IPSet descriptor
  Name: String


Properties

IPSetDescriptors

The IP address type and IP address range (in CIDR notation) from which web requests originate. If you associate the IPSet with a web ACL that is associated with an Amazon CloudFront (CloudFront) distribution, and the viewer did not send the request through an HTTP proxy or a load balancer, the address matched by this descriptor is the value of the c-ip field in the CloudFront access logs.

Required: No

Type: List of AWS WAF IPSet IPSetDescriptors

Update requires: No interruption

Name

A friendly name or description of the IPSet.

Required: Yes

Type: String

Update requires: Replacement

Return Values


When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource physical ID, such as 1234a1a-a1b1-12a1-abcd-a123b123456.

For more information about using the Ref function, see Ref.


Define IP Addresses

The following example defines a set of IP addresses for a web access control list (ACL) rule.


JSON

"MyIPSetBlacklist": {
  "Type": "AWS::WAF::IPSet",
  "Properties": {
    "Name": "IPSet for blacklisted IP addresses",
    "IPSetDescriptors": [
      { "Type" : "IPV4", "Value" : "" },
      { "Type" : "IPV4", "Value" : "" }
    ]
  }
}


YAML

MyIPSetBlacklist:
  Type: "AWS::WAF::IPSet"
  Properties:
    Name: "IPSet for blacklisted IP addresses"
    IPSetDescriptors:
      - Type: "IPV4"
        Value: ""
      - Type: "IPV4"
        Value: ""

Associate an IPSet with a Web ACL Rule

The following example associates the MyIPSetBlacklist IPSet with a web ACL rule by using it as an IPMatch predicate.


JSON

"MyIPSetRule" : {
  "Type": "AWS::WAF::Rule",
  "Properties": {
    "Name": "MyIPSetRule",
    "MetricName" : "MyIPSetRule",
    "Predicates": [
      {
        "DataId" : { "Ref" : "MyIPSetBlacklist" },
        "Negated" : false,
        "Type" : "IPMatch"
      }
    ]
  }
}


YAML

MyIPSetRule:
  Type: "AWS::WAF::Rule"
  Properties:
    Name: "MyIPSetRule"
    MetricName: "MyIPSetRule"
    Predicates:
      - DataId:
          Ref: "MyIPSetBlacklist"
        Negated: false
        Type: "IPMatch"

Create a Web ACL

The following example associates the MyIPSetRule rule with a web ACL. The web ACL's default action is ALLOW, so requests from all IP addresses are allowed except those matched by MyIPSetRule, which are blocked.


JSON

"MyWebACL": {
  "Type": "AWS::WAF::WebACL",
  "Properties": {
    "Name": "WebACL to block blacklisted IP addresses",
    "DefaultAction": { "Type": "ALLOW" },
    "MetricName" : "MyWebACL",
    "Rules": [
      {
        "Action" : { "Type" : "BLOCK" },
        "Priority" : 1,
        "RuleId" : { "Ref" : "MyIPSetRule" }
      }
    ]
  }
}


YAML

MyWebACL:
  Type: "AWS::WAF::WebACL"
  Properties:
    Name: "WebACL to block blacklisted IP addresses"
    DefaultAction:
      Type: "ALLOW"
    MetricName: "MyWebACL"
    Rules:
      - Action:
          Type: "BLOCK"
        Priority: 1
        RuleId:
          Ref: "MyIPSetRule"
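The three resources above (IPSet, Rule, WebACL) only make sense together, so the following added Python example, which is not part of the AWS documentation, assembles them into one template, checks each IPSetDescriptor before deployment, and simulates the web ACL decision for a client address (the c-ip that CloudFront logs, as described under IPSetDescriptors). The CIDR values are constructed from documentation ranges because the page's example leaves the Value fields empty; the set of supported prefix lengths is taken from the AWS WAF API Reference for UpdateIPSet rather than from this page, and the evaluation logic is a simplification that handles only IPMatch predicates.

```python
"""Added example (not AWS documentation code): build the IPSet/Rule/WebACL
template from this page, validate IPSetDescriptors, and simulate the ACL."""
import ipaddress
import json

# Prefix lengths AWS WAF Classic accepts for IPSetDescriptor values. Taken
# from the AWS WAF API Reference (UpdateIPSet), not from this page.
SUPPORTED_PREFIXES = {"IPV4": {8, 16, 24, 32}, "IPV6": {24, 32, 48, 56, 64, 128}}

# Constructed sample descriptors using RFC 5737 / RFC 3849 documentation
# ranges; the page's own example leaves every Value empty.
BLACKLIST = [
    {"Type": "IPV4", "Value": "192.0.2.44/32"},
    {"Type": "IPV4", "Value": "198.51.100.0/24"},
    {"Type": "IPV6", "Value": "2001:db8::/32"},
]


def build_template(descriptors):
    """Return the three resources from the page's examples as one template."""
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Resources": {
            "MyIPSetBlacklist": {
                "Type": "AWS::WAF::IPSet",
                "Properties": {
                    "Name": "IPSet for blacklisted IP addresses",
                    "IPSetDescriptors": descriptors,
                },
            },
            "MyIPSetRule": {
                "Type": "AWS::WAF::Rule",
                "Properties": {
                    "Name": "MyIPSetRule",
                    "MetricName": "MyIPSetRule",
                    "Predicates": [
                        {"DataId": {"Ref": "MyIPSetBlacklist"},
                         "Negated": False, "Type": "IPMatch"}
                    ],
                },
            },
            "MyWebACL": {
                "Type": "AWS::WAF::WebACL",
                "Properties": {
                    "Name": "WebACL to block blacklisted IP addresses",
                    "DefaultAction": {"Type": "ALLOW"},
                    "MetricName": "MyWebACL",
                    "Rules": [
                        {"Action": {"Type": "BLOCK"}, "Priority": 1,
                         "RuleId": {"Ref": "MyIPSetRule"}}
                    ],
                },
            },
        },
    }


def validate_descriptors(descriptors):
    """Return a list of problems; an empty list means every descriptor is usable.
    strict=True rejects values with host bits set (e.g. 198.51.100.5/24)."""
    problems = []
    for i, d in enumerate(descriptors):
        kind = d.get("Type")
        if kind not in SUPPORTED_PREFIXES:
            problems.append(f"descriptor {i}: Type must be IPV4 or IPV6")
            continue
        try:
            net = ipaddress.ip_network(d.get("Value", ""), strict=True)
        except ValueError as exc:
            problems.append(f"descriptor {i}: bad CIDR {d.get('Value')!r}: {exc}")
            continue
        if (net.version == 4) != (kind == "IPV4"):
            problems.append(f"descriptor {i}: Type {kind} does not match {net}")
        elif net.prefixlen not in SUPPORTED_PREFIXES[kind]:
            problems.append(f"descriptor {i}: /{net.prefixlen} unsupported for {kind}")
    return problems


def web_acl_decision(template, client_ip):
    """Simplified ACL evaluation: walk rules by Priority, follow the Ref links
    to the rule and its IPSet, and return the action taken for client_ip."""
    res = template["Resources"]
    acl = res["MyWebACL"]["Properties"]
    ip = ipaddress.ip_address(client_ip)
    for rule_ref in sorted(acl["Rules"], key=lambda r: r["Priority"]):
        rule = res[rule_ref["RuleId"]["Ref"]]["Properties"]
        matched = True
        for pred in rule["Predicates"]:
            if pred["Type"] != "IPMatch":
                raise NotImplementedError(pred["Type"])
            ipset = res[pred["DataId"]["Ref"]]["Properties"]
            nets = [ipaddress.ip_network(d["Value"]) for d in ipset["IPSetDescriptors"]]
            in_set = any(ip in n for n in nets if n.version == ip.version)
            # Negated=True inverts the predicate: it matches when ip is NOT in the set.
            if in_set == pred["Negated"]:
                matched = False
                break
        if matched:
            return rule_ref["Action"]["Type"]
    return acl["DefaultAction"]["Type"]


if __name__ == "__main__":
    tpl = build_template(BLACKLIST)
    print(json.dumps(tpl, indent=2))
    print("problems:", validate_descriptors(BLACKLIST))
    for c_ip in ("192.0.2.44", "198.51.100.7", "203.0.113.5", "2001:db8::1"):
        print(c_ip, "->", web_acl_decision(tpl, c_ip))
```

Running the script prints the assembled template, an empty problem list for the constructed descriptors, BLOCK for the three addresses inside the set and ALLOW for 203.0.113.5, which matches the behaviour the Create a Web ACL section describes. Feeding the page's own empty Value strings to validate_descriptors reports them as bad CIDRs, which is the check worth running in CI before a stack update, since an invalid descriptor fails the deployment rather than silently allowing traffic.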