πŸš€ DevOps & SRE Certification Program πŸ“… Starting: 1st of Every Month 🀝 +91 8409492687 πŸ” Contact@DevOpsSchool.com

Upgrade & Secure Your Future with DevOps, SRE, DevSecOps, MLOps!

We spend hours on Instagram and YouTube and waste money on coffee and fast food, but won’t spend 30 minutes a day learning skills to boost our careers.
Master in DevOps, SRE, DevSecOps & MLOps!

Learn from Guru Rajesh Kumar and double your salary in just one year.


Get Started Now!

Uncategorised

AWS Tutorials: What is a Prefix List in AWS?

April 4, 2025 Leave a Comment

Here’s a complete guide to Prefix List and PREFIX_LIST_ID – particularly useful in AWS networking contexts such as Route Tables, Security Groups, and Network ACLs.

πŸ”° What is a Prefix List in AWS?

A Prefix List in AWS is a set of CIDR blocks grouped under a logical name, managed by AWS or the user, and assigned a unique ID. It simplifies the management of IP-based rules across multiple AWS services.

βœ… Key Use Cases

Use CaseDescription
βœ… Route TablesUse a Prefix List to define destination CIDR blocks
βœ… Security GroupsAllow or restrict traffic from a known set of IP ranges
βœ… Network ACLsApply consistent rules across VPCs using prefix lists
βœ… Simplified ManagementUpdate a prefix list once to affect all dependent resources

πŸ“¦ Types of Prefix Lists

TypeDescriptionExample
AWS-ManagedCreated and maintained by AWS for common servicescom.amazonaws.region.s3
Customer-ManagedCreated by the user with specific CIDRspl-0123456789abcdef0

πŸ” AWS-Managed Prefix List Examples

ServicePrefix List NameDescription
S3com.amazonaws.<region>.s3Access to S3 public endpoints
DynamoDBcom.amazonaws.<region>.dynamodbUsed for DynamoDB access
CloudFrontcom.amazonaws.global.cloudfront.origin-facingCloudFront IPs to allow through firewalls

πŸ”’ PREFIX_LIST_ID

  • A PREFIX_LIST_ID is a unique identifier for a Prefix List in AWS.
  • Format: pl-xxxxxxxxxxxxxxxxx
  • Used in Route Tables, Security Groups, and NACLs as a substitute for raw CIDRs.

βœ… Example:

If your S3 Prefix List ID is pl-1234abcd, you can use it in a route table like:

{
  "DestinationPrefixListId": "pl-1234abcd",
  "Target": "igw-0abc123de456"
}

πŸ› οΈ How to Create a Customer-Managed Prefix List

πŸ”§ Via Console

  1. Go to VPC Dashboard β†’ Prefix Lists
  2. Click Create Prefix List
  3. Enter name, maximum number of entries, and add CIDRs
  4. Create and note the PREFIX_LIST_ID

🧩 Via AWS CLI

aws ec2 create-managed-prefix-list \
  --prefix-list-name my-app-cidrs \
  --max-entries 5 \
  --address-family IPv4 \
  --entries Cidr=192.168.1.0/24,Description="App subnet"

πŸ“ How to Use PREFIX_LIST_ID in Terraform

resource "aws_route" "example" {
  route_table_id         = aws_route_table.example.id
  destination_prefix_list_id = "pl-1234abcd"
  gateway_id             = aws_internet_gateway.example.id
}

Or dynamically:

data "aws_prefix_list" "s3" {
  name = "com.amazonaws.us-east-1.s3"
}

resource "aws_security_group_rule" "allow_s3" {
  type                     = "egress"
  security_group_id        = aws_security_group.example.id
  from_port                = 443
  to_port                  = 443
  protocol                 = "tcp"
  prefix_list_ids          = [data.aws_prefix_list.s3.id]
}

πŸ“Œ Benefits of Using Prefix Lists

FeatureBenefit
ConsistencyNo need to update CIDRs manually in multiple places
SimplificationReplace long IP lists with a single identifier
ScalabilityOne change affects all related security or routing rules
SecurityEasier to audit and manage trusted IPs

πŸ”„ Updating a Prefix List

  • AWS-Managed: Automatically updated by AWS
  • Customer-Managed:
    • Use CLI or Console to add/remove CIDRs
    • Affects all associated route/security rules immediately

🧠 Best Practices

  • Use AWS-managed prefix lists for trusted AWS services.
  • Use customer-managed prefix lists to organize:
    • Office IPs
    • Partner networks
    • Application subnets
  • Tag your prefix lists for visibility and tracking.

❓ Common Questions

πŸ” How to find a prefix list ID?

aws ec2 describe-managed-prefix-lists

πŸ” Are prefix lists secure?

Yes. They’re only a way to manage IP lists, and your actual resource access is controlled by security groups, NACLs, or route tables.

🌍 Are prefix lists region-specific?

Yes, prefix lists are region-specific, especially AWS-managed ones like S3 or DynamoDB.

How to Configure the EKS nodes' security group to receive traffic from the VPC Lattice network.

$ PREFIX_LIST_ID=$(aws ec2 describe-managed-prefix-lists --query "PrefixLists[?PrefixListName=="\'com.amazonaws.$AWS_REGION.vpc-lattice\'"].PrefixListId" | jq -r '.[]')

$ echo $PREFIX_LIST_ID

$ aws ec2 authorize-security-group-ingress --group-id $CLUSTER_SG --ip-permissions "PrefixListIds=[{PrefixListId=${PREFIX_LIST_ID}}],IpProtocol=-1"

$ PREFIX_LIST_ID_IPV6=$(aws ec2 describe-managed-prefix-lists --query "PrefixLists[?PrefixListName=="\'com.amazonaws.$AWS_REGION.ipv6.vpc-lattice\'"].PrefixListId" | jq -r '.[]')

$ echo $PREFIX_LIST_ID_IPV6

$ aws ec2 authorize-security-group-ingress --group-id $CLUSTER_SG --ip-permissions "PrefixListIds=[{PrefixListId=${PREFIX_LIST_ID_IPV6}}],IpProtocol=-1"

Subscribe
Notify of
guest


0 Comments
Newest
Oldest Most Voted
Inline Feedbacks
View all comments

Certification Courses

DevOpsSchool has introduced a series of professional certification courses designed to enhance your skills and expertise in cutting-edge technologies and methodologies. Whether you are aiming to excel in development, security, or operations, these certifications provide a comprehensive learning experience. Explore the following programs:

DevOps Certification, SRE Certification, and DevSecOps Certification by DevOpsSchool

Explore our DevOps Certification, SRE Certification, and DevSecOps Certification programs at DevOpsSchool. Gain the expertise needed to excel in your career with hands-on training and globally recognized certifications.

0
Would love your thoughts, please comment.x
()
x