Optimize AWS infrastructure management with prefix lists - Amazon Virtual Private Cloud

Optimize AWS infrastructure management with prefix lists

You can reference a prefix list in the following AWS resources.

VPC security groups

You can specify a prefix list as the source for an inbound rule, or as the destination for an outbound rule. For more information, see Security groups.

Important

You can't modify an existing rule to use a prefix list. You have to create a new rule to use a prefix list.

To reference a prefix list in a security group rule using the console
  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Security Groups.

  3. Select the security group to update.

  4. Choose Actions, Edit inbound rules or Actions, Edit outbound rules.

  5. Choose Add rule. For Type, select the traffic type. For Source (inbound rules) or Destination (outbound rules), choose Custom. Then, in the next field, under Prefix lists, choose the ID of the prefix list.

  6. Choose Save rules.

To reference a prefix list in a security group rule using the AWS CLI

Use the authorize-security-group-ingress and authorize-security-group-egress commands. For the --ip-permissions parameter, specify the ID of the prefix list using PrefixListIds.

Subnet route tables

You can specify a prefix list as the destination for route table entry. You cannot reference a prefix list in a gateway route table. For more information about route tables, see Configure route tables.

To reference a prefix list in a route table using the console
  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Route Tables, and select the route table.

  3. Choose Actions, Edit routes.

  4. To add a route, choose Add route.

  5. For Destination enter the ID of a prefix list.

  6. For Target, choose a target.

  7. Choose Save changes.

To reference a prefix list in a route table using the AWS CLI

Use the create-route (AWS CLI) command. Use the --destination-prefix-list-id parameter to specify the ID of a prefix list.

Transit gateway route tables

You can specify a prefix list as the destination for a route. For more information, see Prefix list references in Amazon VPC Transit Gateways.

AWS Network Firewall rule groups

An AWS Network Firewall rule group is a reusable set of criteria for inspecting and handling network traffic. If you create Suricata-compatible stateful rule groups in AWS Network Firewall, you can reference a prefix list from the rule group. For more information, see Referencing Amazon VPC prefix lists and Creating a stateful rule group in the AWS Network Firewall Developer Guide.

Amazon Managed Grafana network access control

You can specify one or more prefix lists as an inbound rule for requests to Amazon Managed Grafana workspaces. For more information about Grafana workspace network access control, including how to reference prefix lists, see Managing network access in the Amazon Managed Grafana User Guide.

AWS Outposts rack local gateways

Each AWS Outposts rack provides a local gateway that allows you to connect your Outpost resources with your on-premises networks. You can group CIDRs that you frequently use in a prefix list and reference this list as a route target in your local gateway route table. For more information, see Manage local gateway route table routes in the AWS Outposts User Guide for racks.