AWS CloudFormation
User Guide (API Version 2010-05-15)


The AWS::WAFRegional::IPSet resource creates an AWS WAF Regional IPSet: a named list of IP address ranges, in CIDR notation, that a rule can match web requests against. A web ACL that uses such a rule permits or blocks requests based on the IP address from which they originate. The Regional variant is the one you associate with an Application Load Balancer or an Amazon API Gateway stage. For more information, see CreateIPSet in the AWS WAF Regional API Reference.

Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON

    {
      "Type" : "AWS::WAFRegional::IPSet",
      "Properties" : {
        "IPSetDescriptors" : [ IPSet descriptor, ... ],
        "Name" : String
      }
    }

YAML

    Type: "AWS::WAFRegional::IPSet"
    Properties:
      IPSetDescriptors:
        - IPSet descriptor
      Name: String

Properties

IPSetDescriptors

The IP address type (IPV4 or IPV6) and IP address range, in CIDR notation, from which web requests originate. AWS WAF accepts IPv4 ranges of /8 or /16 through /32, and IPv6 ranges of /24, /32, /48, /56, /64 or /128; a single address is written with its full prefix length, for example 192.0.2.44/32. If you associate the IPSet with a web ACL that is associated with an Amazon CloudFront (CloudFront) distribution, this descriptor is the value of one of the following fields in the CloudFront access logs:

  c-ip, if the viewer did not use an HTTP proxy or a load balancer to send the request

  x-forwarded-for, if the viewer did use an HTTP proxy or a load balancer to send the request

Required: No

Type: List of AWS WAF Regional IPSet IPSetDescriptors

Update requires: No interruption
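
The following validator is an added example, not part of the CloudFormation documentation or of any AWS tooling. It checks a list of IPSetDescriptors against the constraints described above before a template is deployed: the Value must be a CIDR with an explicit prefix length, the prefix length must be one AWS WAF accepts for that address family, and the Type must agree with the address family. It also flags a Value whose host bits are set (192.0.2.5/24 rather than 192.0.2.0/24), since that almost always means the author intended the whole network; treating that as a problem is this example's own policy, not a documented API rule. The sample descriptors at the bottom are constructed for illustration and use documentation address ranges.

```python
import ipaddress

# Prefix lengths AWS WAF Classic accepts in an IPSetDescriptor Value
# (from the CreateIPSet/UpdateIPSet API reference).
ALLOWED_PREFIXES = {
    "IPV4": {8, *range(16, 33)},          # /8, or /16 through /32
    "IPV6": {24, 32, 48, 56, 64, 128},
}


def validate_descriptor(descriptor):
    """Return a list of problems with one IPSetDescriptor; an empty list means it is acceptable."""
    kind = descriptor.get("Type")
    value = descriptor.get("Value", "")
    if kind not in ALLOWED_PREFIXES:
        return [f"Type must be IPV4 or IPV6, got {kind!r}"]
    if not value:
        # The template examples on this page leave Value as "" on purpose; a deployable
        # template must carry a CIDR here.
        return ["Value is empty; supply a CIDR range such as 192.0.2.0/24"]
    if "/" not in value:
        return [f"{value!r} has no prefix length; write a single host as /32 (IPv4) or /128 (IPv6)"]
    try:
        iface = ipaddress.ip_interface(value)
    except ValueError as exc:
        return [f"{value!r} is not a valid CIDR: {exc}"]

    problems = []
    network = iface.network
    if network.version != (4 if kind == "IPV4" else 6):
        problems.append(f"{value!r} is an IPv{network.version} range but Type is {kind}")
    if network.prefixlen not in ALLOWED_PREFIXES[kind]:
        problems.append(f"/{network.prefixlen} is not an accepted prefix length for {kind}")
    if iface.ip != network.network_address:
        # Host bits set: the author probably meant the whole network, so say which one.
        problems.append(f"{value!r} has host bits set; use the network address {network}")
    return problems


def validate_ipset(descriptors):
    """Map each offending descriptor's index to its problems; {} means the whole list is clean."""
    report = {}
    for index, descriptor in enumerate(descriptors):
        problems = validate_descriptor(descriptor)
        if problems:
            report[index] = problems
    return report


if __name__ == "__main__":
    # Constructed sample: the two placeholder descriptors from the template on this
    # page plus a few filled-in ones using documentation address ranges.
    sample = [
        {"Type": "IPV4", "Value": ""},
        {"Type": "IPV4", "Value": ""},
        {"Type": "IPV4", "Value": "192.0.2.0/24"},
        {"Type": "IPV4", "Value": "198.51.100.7"},
        {"Type": "IPV4", "Value": "10.0.0.0/12"},
        {"Type": "IPV6", "Value": "2001:db8::/32"},
    ]
    for index, problems in validate_ipset(sample).items():
        print(f"descriptor {index}: " + "; ".join(problems))
```

Run it against the IPSetDescriptors list of a template before calling CreateStack; a stack that fails validation at deploy time leaves you without a blocklist while you debug, whereas this check fails fast and names the offending entry.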

Name

A friendly name or description of the IPSet.

Required: Yes

Type: String

Update requires: Replacement

Return Values


When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource physical ID, such as 1234a1a-a1b1-12a1-abcd-a123b123456.

For more information about using the Ref function, see Ref.

Examples

Define IP Addresses

The following example defines a set of IP addresses for a web access control list (ACL) rule. The Value fields are left empty here; in a deployable template each one holds a CIDR range of the address family named in Type.

JSON

    "MyIPSetBlacklist": {
      "Type": "AWS::WAFRegional::IPSet",
      "Properties": {
        "Name": "IPSet for blacklisted IP addresses",
        "IPSetDescriptors": [
          { "Type" : "IPV4", "Value" : "" },
          { "Type" : "IPV4", "Value" : "" }
        ]
      }
    }

YAML

    MyIPSetBlacklist:
      Type: "AWS::WAFRegional::IPSet"
      Properties:
        Name: "IPSet for blacklisted IP addresses"
        IPSetDescriptors:
          - Type: "IPV4"
            Value: ""
          - Type: "IPV4"
            Value: ""

Associate an IPSet with a Web ACL Rule

The following example associates the MyIPSetBlacklist IPSet with a web ACL rule through an IPMatch predicate. With Negated set to false, the rule matches requests whose source address is in the set; setting it to true would match every request whose source address is not in the set.

JSON

    "MyIPSetRule" : {
      "Type": "AWS::WAFRegional::Rule",
      "Properties": {
        "Name": "MyIPSetRule",
        "MetricName" : "MyIPSetRule",
        "Predicates": [
          {
            "DataId" : { "Ref" : "MyIPSetBlacklist" },
            "Negated" : false,
            "Type" : "IPMatch"
          }
        ]
      }
    }

YAML

    MyIPSetRule:
      Type: "AWS::WAFRegional::Rule"
      Properties:
        Name: "MyIPSetRule"
        MetricName: "MyIPSetRule"
        Predicates:
          - DataId:
              Ref: "MyIPSetBlacklist"
            Negated: false
            Type: "IPMatch"

Create a Web ACL

The following example adds the MyIPSetRule rule to a web ACL. The web ACL's default action allows requests from all IP addresses; requests that match MyIPSetRule, that is, requests from addresses listed in MyIPSetBlacklist, are blocked. The web ACL takes effect only once it is associated with a resource, for example through an AWS::WAFRegional::WebACLAssociation with an Application Load Balancer. Note that IPMatch compares the address the request arrived from at that resource: if a CDN or reverse proxy sits in front of the load balancer, every request carries the proxy's address and the blocklist never sees the original client.

JSON

    "MyWebACL": {
      "Type": "AWS::WAFRegional::WebACL",
      "Properties": {
        "Name": "WebACL to block blacklisted IP addresses",
        "DefaultAction": { "Type": "ALLOW" },
        "MetricName" : "MyWebACL",
        "Rules": [
          {
            "Action" : { "Type" : "BLOCK" },
            "Priority" : 1,
            "RuleId" : { "Ref" : "MyIPSetRule" }
          }
        ]
      }
    }

YAML

    MyWebACL:
      Type: "AWS::WAFRegional::WebACL"
      Properties:
        Name: "WebACL to block blacklisted IP addresses"
        DefaultAction:
          Type: "ALLOW"
        MetricName: "MyWebACL"
        Rules:
          - Action:
              Type: "BLOCK"
            Priority: 1
            RuleId:
              Ref: "MyIPSetRule"
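
The following model is an added example and is not part of the CloudFormation documentation or of AWS WAF itself; it shows how the three resources above (IPSet, Rule, WebACL) compose when a request is evaluated. The dictionaries mirror the page's template with constructed CIDRs from the documentation address ranges, plus a hypothetical TrustedIPSet, NotTrustedRule and ALLOWLIST_WEB_ACL that the page does not define, added to show what Negated: true and a COUNT action do. The evaluation order implemented here is the one AWS WAF Classic documents: rules are tried in ascending Priority, a rule matches only when all of its predicates match, ALLOW and BLOCK end evaluation, COUNT records the hit and continues, and DefaultAction applies when no rule decides.

```python
import ipaddress

# Constructed data mirroring the three resources declared on this page. The CIDRs are
# documentation ranges (RFC 5737 / RFC 3849), not real blocklist entries. TrustedIPSet,
# NotTrustedRule and ALLOWLIST_WEB_ACL are hypothetical additions for illustration.
IP_SETS = {
    "MyIPSetBlacklist": [
        {"Type": "IPV4", "Value": "192.0.2.0/24"},
        {"Type": "IPV4", "Value": "198.51.100.7/32"},
    ],
    "TrustedIPSet": [
        {"Type": "IPV4", "Value": "203.0.113.0/24"},
        {"Type": "IPV6", "Value": "2001:db8::/32"},
    ],
}

RULES = {
    "MyIPSetRule": {
        "Predicates": [{"DataId": "MyIPSetBlacklist", "Negated": False, "Type": "IPMatch"}],
    },
    # Matches when the client is NOT in TrustedIPSet.
    "NotTrustedRule": {
        "Predicates": [{"DataId": "TrustedIPSet", "Negated": True, "Type": "IPMatch"}],
    },
}

# The web ACL from this page: allow everything, block the blocklist.
MY_WEB_ACL = {
    "DefaultAction": {"Type": "ALLOW"},
    "Rules": [{"Action": {"Type": "BLOCK"}, "Priority": 1, "RuleId": "MyIPSetRule"}],
}

# Hypothetical stricter ACL: count blocklist hits, then block anything not from trusted ranges.
ALLOWLIST_WEB_ACL = {
    "DefaultAction": {"Type": "ALLOW"},
    "Rules": [
        {"Action": {"Type": "COUNT"}, "Priority": 1, "RuleId": "MyIPSetRule"},
        {"Action": {"Type": "BLOCK"}, "Priority": 2, "RuleId": "NotTrustedRule"},
    ],
}


def ip_in_set(client_ip, descriptors):
    """True if client_ip falls inside any descriptor of the matching address family."""
    addr = ipaddress.ip_address(client_ip)
    family = "IPV4" if addr.version == 4 else "IPV6"
    return any(addr in ipaddress.ip_network(d["Value"])
               for d in descriptors if d["Type"] == family)


def predicate_matches(predicate, client_ip, ip_sets):
    """An IPMatch predicate matches when the client is in the set; Negated inverts that."""
    if predicate["Type"] != "IPMatch":
        raise NotImplementedError(f"only IPMatch predicates are modelled here, not {predicate['Type']}")
    in_set = ip_in_set(client_ip, ip_sets[predicate["DataId"]])
    return in_set != predicate["Negated"]


def evaluate_web_acl(web_acl, rules, ip_sets, client_ip):
    """Return (final_action, counted_rule_ids) for one client IP.

    Rules are tried in ascending Priority; a rule matches only if all its predicates
    match. ALLOW/BLOCK end evaluation; COUNT records the hit and continues; if no rule
    decides, DefaultAction applies.
    """
    counted = []
    for entry in sorted(web_acl["Rules"], key=lambda r: r["Priority"]):
        rule = rules[entry["RuleId"]]
        if all(predicate_matches(p, client_ip, ip_sets) for p in rule["Predicates"]):
            action = entry["Action"]["Type"]
            if action == "COUNT":
                counted.append(entry["RuleId"])
                continue
            return action, counted
    return web_acl["DefaultAction"]["Type"], counted


if __name__ == "__main__":
    for ip in ("192.0.2.44", "198.51.100.7", "198.51.100.8", "203.0.113.9", "2001:db8::1"):
        print(ip, evaluate_web_acl(MY_WEB_ACL, RULES, IP_SETS, ip),
              evaluate_web_acl(ALLOWLIST_WEB_ACL, RULES, IP_SETS, ip))
```

Two points the model makes visible: an IPv4-only IPSet says nothing about IPv6 clients, so 2001:db8::1 sails past MyIPSetBlacklist under the default ALLOW, and a COUNT rule placed ahead of a BLOCK rule is the usual way to measure a new blocklist's hit rate before it starts rejecting traffic.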