Prefix lists - Amazon Virtual Private Cloud

Prefix lists

A prefix list is a set of one or more CIDR blocks. There are two types of prefix lists:

  • AWS-managed prefix list — Represents the IP address ranges for an AWS service. You can reference an AWS-managed prefix list in your VPC security group rules and in subnet route table entries. For example, you can reference an AWS-managed prefix list in an outbound VPC security group rule when connecting to an AWS service through a gateway VPC endpoint. You cannot create, modify, share, or delete an AWS-managed prefix list.

  • Customer-managed prefix list — A set of IPv4 or IPv6 CIDR blocks that you define and manage. You can reference the prefix list in your VPC security group rules, subnet route table entries, and transit gateway route table entries. This enables you to manage the IP addresses that you frequently use for these resources in a single group, instead of repeatedly referencing the same IP addresses in each resource. You can share your prefix list with other AWS accounts, enabling those accounts to reference the prefix list in their own resources.

The following topics describe how to create and work with customer-managed prefix lists.

Prefix list concepts and rules

A prefix list consists of entries. Each entry consists of a CIDR block and, optionally, a description for the CIDR block.

The following rules apply to customer-managed prefix lists:

  • When you create a prefix list, you must specify the maximum number of entries that the prefix list can support. You cannot modify the maximum number of entries later.

  • When you reference a prefix list in a resource, the maximum number of entries for the prefix list counts as the same number of rules or entries for the resource, regardless of how many entries the list currently holds. For example, if you create a prefix list with a maximum of 20 entries and you reference that prefix list in a security group rule, this counts as 20 rules for the security group.

  • You can modify a prefix list by adding or removing entries, or by changing its name.

  • A prefix list supports a single type of IP addressing only (IPv4 or IPv6). You cannot combine IPv4 and IPv6 CIDR blocks in a single prefix list.

  • There are quotas related to prefix lists. For more information, see Amazon VPC quotas.

  • When you reference a prefix list in a route table, route priority rules apply. For more information, see Route priority for prefix lists.

  • A prefix list only applies to the Region where you created it. For example, if you create a list in us-east-1, it is not available in eu-west-1.

The following rules apply to AWS-managed prefix lists:

  • You cannot create, modify, share, or delete an AWS-managed prefix list.

  • When you reference an AWS-managed prefix list in a resource, it counts as a single rule or entry for the resource.

  • You cannot view the version number of an AWS-managed prefix list.
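The rules above can be checked locally before any API call. The following shell functions are an added example for this page, not AWS code or part of the AWS CLI: family_of, check_entries and the arguments they take are assumptions made here. check_entries rejects a mixed IPv4/IPv6 entry set and an entry set larger than the chosen maximum, and it reports the quota effect described above (a reference is charged at the list's maximum, not its current size).

```shell
#!/bin/sh
# Pre-flight checks for a customer-managed prefix list (added example, not AWS code).
# Enforces, offline, the rules stated on this page: one address family per list,
# no more entries than max-entries, and a reference costs max-entries rules.

# family_of CIDR -> prints IPv4 or IPv6; returns 1 if the string is not CIDR-shaped.
family_of() {
    case "$1" in
        */*) ;;                      # a prefix length is required
        *) return 1 ;;
    esac
    case "$1" in
        *:*) echo IPv6 ;;            # any colon means IPv6 notation
        *.*.*.*) echo IPv4 ;;        # dotted quad plus prefix length
        *) return 1 ;;
    esac
}

# check_entries FAMILY MAX_ENTRIES CIDR... -> returns 0 when every CIDR belongs to
# FAMILY and the count fits in MAX_ENTRIES; prints the reason and returns 1 otherwise.
check_entries() {
    family=$1; max=$2; shift 2
    n=$#
    if [ "$n" -gt "$max" ]; then
        echo "too many entries: $n given, max-entries is $max (it cannot be raised later)"
        return 1
    fi
    for cidr in "$@"; do
        f=$(family_of "$cidr") || { echo "not a CIDR block: $cidr"; return 1; }
        if [ "$f" != "$family" ]; then
            echo "address family mismatch: $cidr is $f but the list is $family"
            return 1
        fi
    done
    # The quota point from the rules above: the reference is charged at max-entries.
    echo "ok: $n of $max $family entries used; a reference counts as $max rules in a security group, not $n"
}

# Example: check_entries IPv4 20 10.0.0.0/8 192.168.0.0/16
```

Run the check with the same address family and maximum you intend to pass to create-managed-prefix-list; because the maximum is fixed at creation, pick it with room to grow and keep in mind that every security group referencing the list pays that maximum against its rule quota.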

Prefix list versions

A prefix list can have multiple versions. Each time you add or remove entries for a prefix list, we create a new version of the prefix list. The resources that reference the prefix list always use the current (latest) version. You can restore the entries from a previous version of a prefix list to a new version.

Working with prefix lists

The following topics describe how to create and work with customer-managed prefix lists. You can work with prefix lists using the Amazon VPC console or the AWS CLI.

Creating a prefix list

When you create a new prefix list, you must specify the maximum number of entries that the prefix list can support. Ensure that you specify a maximum number of entries that will meet your needs, because you cannot change this number later.

To create a prefix list using the console

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Managed Prefix Lists.

  3. Choose Create prefix list.

  4. For Prefix list name, enter a name for the prefix list.

  5. For Max entries, enter the maximum number of entries for the prefix list.

  6. For Address family, choose whether the prefix list supports IPv4 or IPv6 entries.

  7. For Prefix list entries, choose Add new entry, and enter the CIDR block and a description for the entry. Repeat this step for each entry.

  8. (Optional) For Tags, add tags to the prefix list to help you identify it later.

  9. Choose Create prefix list.

To create a prefix list using the AWS CLI

Use the create-managed-prefix-list command.

Viewing prefix lists

You can view your prefix lists, prefix lists that are shared with you, and AWS-managed prefix lists using the Amazon VPC console or the AWS CLI.

To view prefix lists using the console

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Managed Prefix Lists.

  3. The Owner ID column shows the AWS account ID of the prefix list owner. For AWS-managed prefix lists, the Owner ID is AWS.

To view prefix lists using the AWS CLI

Use the describe-managed-prefix-lists command.

Viewing the entries for a prefix list

You can view the entries for a prefix list using the Amazon VPC console or the AWS CLI.

To view the entries for a prefix list using the console

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Managed Prefix Lists.

  3. Select the prefix list.

  4. In the lower pane, choose Entries to view the entries for the prefix list.

To view the entries for a prefix list using the AWS CLI

Use the get-managed-prefix-list-entries command.

Viewing associations (references) for your prefix list

You can view the IDs and owners of the resources that are associated with your prefix list. Associated resources are resources that reference your prefix list in their entries or rules.

You cannot view associated resources for an AWS-managed prefix list.

To view prefix list associations using the console

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Managed Prefix Lists.

  3. Select the prefix list.

  4. In the lower pane, choose Associations to view the resources that are referencing the prefix list.

To view prefix list associations using the AWS CLI

Use the get-managed-prefix-list-associations command.

Modifying a prefix list (adding and removing entries)

You can modify the name of your prefix list, and you can add or remove entries.

You cannot modify an AWS-managed prefix list.

To modify a prefix list using the console

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Managed Prefix Lists.

  3. Select the prefix list, and choose Actions, Modify prefix list.

  4. For Prefix list name, enter a new name for the prefix list.

  5. For Prefix list entries, choose Remove to remove an existing entry. To add a new entry, choose Add new entry and enter the CIDR block and a description for the entry.

  6. Choose Save prefix list.

To modify a prefix list using the AWS CLI

Use the modify-managed-prefix-list command.

Restoring a previous version of a prefix list

You can restore the entries from a previous version of your prefix list to a new version.

To restore a previous version of a prefix list using the console

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Managed Prefix Lists.

  3. Select the prefix list, and choose Actions, Restore prefix list.

  4. In the drop-down list, choose the prefix list version.

  5. Choose Restore prefix list.

To restore a previous version of a prefix list using the AWS CLI

Use the restore-managed-prefix-list-version command.

Deleting a prefix list

To delete a prefix list, you must first remove any references to it in your resources (such as in your route tables). If you've shared the prefix list using AWS RAM, any references in consumer-owned resources must first be removed. To view the references to your prefix list, see Viewing associations (references) for your prefix list.

You cannot delete an AWS-managed prefix list.

To delete a prefix list using the console

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Managed Prefix Lists.

  3. Select the prefix list, and choose Actions, Delete prefix list.

  4. In the confirmation dialog box, enter delete, and choose Delete.

To delete a prefix list using the AWS CLI

Use the delete-managed-prefix-list command.
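The CLI procedures in this section (create, describe, get entries, get associations, modify, restore and delete) are collected below into one script as an added example; it is not AWS code, and the pl_* function names and the AWS variable are conventions chosen here. Every ID is a placeholder. Two details the console hides are worth seeing in the calls: modify-managed-prefix-list and restore-managed-prefix-list-version take --current-version, so a concurrent edit by someone else makes the call fail instead of silently overwriting their change, and the delete wrapper looks up the associations first because the API rejects a delete while any resource, including one in an account the list is shared with, still references the list.

```shell
#!/bin/sh
# Customer-managed prefix list lifecycle with the AWS CLI (added example, not AWS code).
# Region and credentials come from your CLI configuration. Set AWS=echo to print each
# command instead of running it. All pl-* IDs in comments are placeholders.
AWS=${AWS:-aws}   # expanded unquoted below on purpose so AWS="aws --profile ops" works too

# pl_create NAME FAMILY MAX_ENTRIES [CIDR[=DESCRIPTION]...] -> prints the new pl- ID.
# max-entries cannot be raised later, so size it for growth. Descriptions must not
# contain commas: the CLI shorthand syntax uses commas as field separators.
pl_create() {
    name=$1; family=$2; max=$3; shift 3
    i=0; n=$#
    while [ "$i" -lt "$n" ]; do              # rewrite each CIDR[=DESC] into Cidr=...,Description=...
        e=$1; shift
        cidr=${e%%=*}; desc=${e#*=}
        if [ "$desc" = "$e" ]; then desc=$cidr; fi   # no description given: reuse the CIDR
        set -- "$@" "Cidr=$cidr,Description=$desc"
        i=$((i + 1))
    done
    if [ "$#" -gt 0 ]; then set -- --entries "$@"; fi   # --entries only when there are entries
    $AWS ec2 create-managed-prefix-list --prefix-list-name "$name" \
        --address-family "$family" --max-entries "$max" "$@" \
        --query 'PrefixList.PrefixListId' --output text
}

# pl_version ID -> current version number, needed by the edit calls below
pl_version() {
    $AWS ec2 describe-managed-prefix-lists --prefix-list-ids "$1" \
        --query 'PrefixLists[0].Version' --output text
}

# pl_entries ID -> one "CIDR<TAB>description" line per entry of the current version
pl_entries() {
    $AWS ec2 get-managed-prefix-list-entries --prefix-list-id "$1" \
        --query 'Entries[].[Cidr,Description]' --output text
}

# pl_associations ID -> "resource-id<TAB>owner-account" for every resource referencing the list
pl_associations() {
    $AWS ec2 get-managed-prefix-list-associations --prefix-list-id "$1" \
        --query 'PrefixListAssociations[].[ResourceId,ResourceOwner]' --output text
}

# pl_add ID CIDR DESCRIPTION and pl_remove ID CIDR -> print the new version number.
# --current-version makes the call fail if the list changed since pl_version ran.
pl_add() {
    v=$(pl_version "$1")
    $AWS ec2 modify-managed-prefix-list --prefix-list-id "$1" --current-version "$v" \
        --add-entries "Cidr=$2,Description=$3" --query 'PrefixList.Version' --output text
}
pl_remove() {
    v=$(pl_version "$1")
    $AWS ec2 modify-managed-prefix-list --prefix-list-id "$1" --current-version "$v" \
        --remove-entries "Cidr=$2" --query 'PrefixList.Version' --output text
}

# pl_restore ID PREVIOUS_VERSION -> copies that version's entries into a new version
pl_restore() {
    v=$(pl_version "$1")
    $AWS ec2 restore-managed-prefix-list-version --prefix-list-id "$1" \
        --previous-version "$2" --current-version "$v" \
        --query 'PrefixList.Version' --output text
}

# pl_delete ID -> refuses while any resource (in this or a consumer account) still
# references the list, since the API would reject the delete anyway.
pl_delete() {
    refs=$(pl_associations "$1")
    if [ -n "$refs" ]; then
        printf 'refusing to delete %s; still referenced by:\n%s\n' "$1" "$refs" >&2
        return 1
    fi
    $AWS ec2 delete-managed-prefix-list --prefix-list-id "$1" \
        --query 'PrefixList.State' --output text
}

# Example session (placeholders):
#   id=$(pl_create corp-ranges IPv4 20 10.0.0.0/8=corp 192.168.0.0/16=labs)
#   pl_add "$id" 172.16.0.0/12 branch; pl_entries "$id"; pl_restore "$id" 1; pl_delete "$id"
```

The wrappers print only the field a script needs (the list ID, the new version, the delete state) through --query so they compose in pipelines; drop --query to see the full response.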

Referencing prefix lists in your AWS resources

You can reference a prefix list in the following AWS resources.

Subnet route tables

You can specify a prefix list as the destination for a route table entry. You cannot reference a prefix list in a gateway route table. For more information about route tables, see Route tables.

To reference a prefix list in a route table using the console

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Route Tables, and select the route table.

  3. Choose Actions, Edit routes.

  4. To add a route, choose Add route. For Destination, enter the ID of a prefix list.

  5. For Target, choose a target.

  6. Choose Save routes.

To reference a prefix list in a route table using the AWS CLI

Use the create-route command. Use the --destination-prefix-list-id parameter to specify the ID of a prefix list.

VPC security groups

You can specify a prefix list as the source for an inbound rule, or as the destination for an outbound rule. For more information about security groups, see Security groups for your VPC.

To reference a prefix list in a security group rule using the console

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Security Groups.

  3. Select the security group to update.

  4. Choose Actions, Edit inbound rules or Actions, Edit outbound rules.

  5. Choose Add rule. For Type, select the traffic type. For Source (inbound rules) or Destination (outbound rules), choose the ID of the prefix list.

  6. Choose Save rules.

To reference a prefix list in a security group rule using the AWS CLI

Use the authorize-security-group-ingress and authorize-security-group-egress commands. For the --ip-permissions parameter, specify the ID of the prefix list using PrefixListIds.
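The two CLI references above, a route whose destination is a prefix list and a security group rule whose source or destination is a prefix list, are shown together below as an added example; it is not AWS code, and route_to_prefix_list, sg_allow and the AWS variable are names chosen here. The security group wrapper builds --ip-permissions as JSON rather than shorthand so that a description containing commas cannot break the call, and it omits FromPort/ToPort when the protocol is -1 (all traffic), where the API does not accept ports. All IDs are placeholders.

```shell
#!/bin/sh
# Referencing a prefix list from a route table and a security group with the AWS CLI
# (added example, not AWS code). Set AWS=echo to print the commands instead of running them.
AWS=${AWS:-aws}   # expanded unquoted on purpose so AWS="aws --profile ops" also works

# route_to_prefix_list ROUTE_TABLE_ID PREFIX_LIST_ID TARGET_FLAG TARGET_ID
# TARGET_FLAG is the create-route option naming the target kind, e.g. --gateway-id,
# --transit-gateway-id or --nat-gateway-id. Not valid for gateway route tables.
route_to_prefix_list() {
    $AWS ec2 create-route --route-table-id "$1" \
        --destination-prefix-list-id "$2" "$3" "$4"
}

# sg_allow DIRECTION GROUP_ID PROTOCOL PORT PREFIX_LIST_ID DESCRIPTION
# DIRECTION is ingress (the prefix list is the source) or egress (it is the destination).
# PROTOCOL is tcp, udp, icmp or -1; PORT is ignored for -1.
sg_allow() {
    dir=$1; sg=$2; proto=$3; port=$4; pl=$5; desc=$6
    case "$dir" in
        ingress|egress) ;;
        *) echo "direction must be ingress or egress, got: $dir" >&2; return 1 ;;
    esac
    if [ "$proto" = "-1" ]; then
        ports=""                                   # all traffic: no port range allowed
    else
        ports="\"FromPort\":$port,\"ToPort\":$port,"
    fi
    # JSON form of --ip-permissions; PrefixListIds carries the list instead of IpRanges.
    perms=$(printf '[{"IpProtocol":"%s",%s"PrefixListIds":[{"PrefixListId":"%s","Description":"%s"}]}]' \
        "$proto" "$ports" "$pl" "$desc")
    $AWS ec2 authorize-security-group-"$dir" --group-id "$sg" --ip-permissions "$perms"
}

# Examples (placeholders):
#   route_to_prefix_list rtb-0123456789abcdef0 pl-0123456789abcdef0 --transit-gateway-id tgw-0123456789abcdef0
#   sg_allow ingress sg-0123456789abcdef0 tcp 443 pl-0123456789abcdef0 "corp ranges, https"
```

Remember the quota rule from the concepts section when using sg_allow: each rule that references the list is charged at the list's maximum entry count, so a list created with max-entries 20 and referenced in three rules of one security group consumes 60 of that group's rule quota.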

Transit gateway route tables

You can specify a prefix list as the destination for a route. For more information, see Prefix list references in Amazon VPC Transit Gateways.

Identity and access management for prefix lists

By default, IAM users do not have permission to create, view, modify, or delete prefix lists. You can create an IAM policy that allows users to work with prefix lists.

To see a list of Amazon VPC actions and the resources and condition keys that you can use in an IAM policy, see Actions, Resources, and Condition Keys for Amazon EC2 in the IAM User Guide.

The following example policy allows users to view and work with prefix list pl-123456abcde123456 only. Users cannot create or delete prefix lists.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeManagedPrefixLists",
                "ec2:ModifyManagedPrefixList",
                "ec2:GetManagedPrefixListEntries",
                "ec2:RestoreManagedPrefixListVersion",
                "ec2:GetManagedPrefixListAssociations"
            ],
            "Resource": "arn:aws:ec2:region:account:prefix-list/pl-123456abcde123456"
        }
    ]
}

For more information about working with IAM in Amazon VPC, see Identity and access management for Amazon VPC.