IP set match rule statement - AWS WAF, AWS Firewall Manager, and AWS Shield Advanced

IP set match rule statement

The IP set match statement inspects the IP address of a web request against a set of IP addresses and address ranges. Use this to allow or block web requests based on the IP addresses that the requests originate from. By default, AWS WAF uses the IP address from the web request origin, but you can configure the rule to use an HTTP header like X-Forwarded-For instead.

AWS WAF supports all IPv4 and IPv6 CIDR ranges except for /0. For more information about CIDR notation, see the Wikipedia entry Classless Inter-Domain Routing. An IP set can hold up to 10,000 IP addresses or IP address ranges to check.


Each IP set match rule references an IP set, which you create and maintain independent of your rules. You can use a single IP set in multiple rules, and when you update the referenced set, AWS WAF automatically updates all rules that reference it.

For information about creating and managing an IP set, see Creating and managing an IP set.

When you add or update the rules in your rule group or web ACL, choose the option IP set and select the name of the IP set that you want to use.

Nestable – You can nest this statement type.

WCUs – 1 WCU for most. If you configure the statement to use forwarded IP addresses and specify a position of ANY, increase the WCU usage by 4.

This statement uses the following settings:

  • IP set specification – Choose the IP set that you want to use from the list or create a new one.

  • (Optional) Forwarded IP configuration – An alternate forwarded IP header name to use in place of the request origin. You specify whether to match against the first, last, or any address in the header. You also specify a fallback behavior to apply to a web request with a malformed IP address in the specified header. The fallback behavior sets the matching result for the request, to match or no match. For more information, see Forwarded IP address.

Where to find this rule statement
  • Rule builder on the console – For Request option, choose Originates from an IP address in.

  • Add my own rules and rule groups page on the console – Choose the IP set option.

  • APIIPSetReferenceStatement