AWS CloudFormation
User Guide (Version )


Contains one or more IP addresses or blocks of IP addresses specified in Classless Inter-Domain Routing (CIDR) notation. AWS WAF supports IPv4 address ranges: /8 and any range between /16 through /32. AWS WAF supports IPv6 address ranges: /24, /32, /48, /56, /64, and /128.

To specify an individual IP address, you specify the four-part IP address followed by a /32, for example, To block a range of IP addresses, you can specify /8 or any range between /16 through /32 (for IPv4) or /24, /32, /48, /56, /64, or /128 (for IPv6). For more information about CIDR notation, see the Wikipedia entry Classless Inter-Domain Routing.


To declare this entity in your AWS CloudFormation template, use the following syntax:


{ "Type" : "AWS::WAFRegional::IPSet", "Properties" : { "IPSetDescriptors" : [ IPSetDescriptor, ... ], "Name" : String } }


Type: AWS::WAFRegional::IPSet Properties: IPSetDescriptors: - IPSetDescriptor Name: String



The IP address type (IPV4 or IPV6) and the IP address range (in CIDR notation) that web requests originate from. If the WebACL is associated with a CloudFront distribution and the viewer did not use an HTTP proxy or a load balancer to send the request, this is the value of the c-ip field in the CloudFront access logs.

Required: No

Type: List of IPSetDescriptor

Update requires: No interruption


A friendly name or description of the IPSet. You can't change the name of an IPSet after you create it.

Required: Yes

Type: String

Minimum: 1

Maximum: 128

Update requires: Replacement

Return Values


When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the resource physical ID, such as 1234a1a-a1b1-12a1-abcd-a123b123456.

For more information about using the Ref function, see Ref.


Define IP Addresses

The following example defines a set of IP addresses for a web access control list (ACL) rule.


"MyIPSetBlacklist": { "Type": "AWS::WAFRegional::IPSet", "Properties": { "Name": "IPSet for blacklisted IP adresses", "IPSetDescriptors": [ { "Type" : "IPV4", "Value" : "" }, { "Type" : "IPV4", "Value" : "" } ] } }


MyIPSetBlacklist: Type: "AWS::WAFRegional::IPSet" Properties: Name: "IPSet for blacklisted IP adresses" IPSetDescriptors: - Type: "IPV4" Value: "" - Type: "IPV4" Value: ""

Associate an IPSet with a Web ACL Rule

The following example associates the MyIPSetBlacklist IP Set with a web ACL rule.


"MyIPSetRule" : { "Type": "AWS::WAFRegional::Rule", "Properties": { "Name": "MyIPSetRule", "MetricName" : "MyIPSetRule", "Predicates": [ { "DataId" : { "Ref" : "MyIPSetBlacklist" }, "Negated" : false, "Type" : "IPMatch" } ] } }


MyIPSetRule: Type: "AWS::WAFRegional::Rule" Properties: Name: "MyIPSetRule" MetricName: "MyIPSetRule" Predicates: - DataId: Ref: "MyIPSetBlacklist" Negated: false Type: "IPMatch"

Create a Web ACL

The following example associates the MyIPSetRule rule with a web ACL. The web ACL allows requests that originate from all IP addresses except for addresses that are defined in the MyIPSetRule.


"MyWebACL": { "Type": "AWS::WAFRegional::WebACL", "Properties": { "Name": "WebACL to block blacklisted IP addresses", "DefaultAction": { "Type": "ALLOW" }, "MetricName" : "MyWebACL", "Rules": [ { "Action" : { "Type" : "BLOCK" }, "Priority" : 1, "RuleId" : { "Ref" : "MyIPSetRule" } } ] } }


MyWebACL: Type: "AWS::WAFRegional::WebACL" Properties: Name: "WebACL to block blacklisted IP addresses" DefaultAction: Type: "ALLOW" MetricName: "MyWebACL" Rules: - Action: Type: "BLOCK" Priority: 1 RuleId: Ref: "MyIPSetRule"