Here’s a complete guide to Prefix List and PREFIX_LIST_ID โ particularly useful in AWS networking contexts such as Route Tables, Security Groups, and Network ACLs.
๐ฐ What is a Prefix List in AWS?
A Prefix List in AWS is a set of CIDR blocks grouped under a logical name, managed by AWS or the user, and assigned a unique ID. It simplifies the management of IP-based rules across multiple AWS services.
โ Key Use Cases
| Use Case | Description |
|---|---|
| โ Route Tables | Use a Prefix List to define destination CIDR blocks |
| โ Security Groups | Allow or restrict traffic from a known set of IP ranges |
| โ Network ACLs | Apply consistent rules across VPCs using prefix lists |
| โ Simplified Management | Update a prefix list once to affect all dependent resources |
๐ฆ Types of Prefix Lists
| Type | Description | Example |
|---|---|---|
| AWS-Managed | Created and maintained by AWS for common services | com.amazonaws.region.s3 |
| Customer-Managed | Created by the user with specific CIDRs | pl-0123456789abcdef0 |
๐ AWS-Managed Prefix List Examples
| Service | Prefix List Name | Description |
|---|---|---|
| S3 | com.amazonaws.<region>.s3 | Access to S3 public endpoints |
| DynamoDB | com.amazonaws.<region>.dynamodb | Used for DynamoDB access |
| CloudFront | com.amazonaws.global.cloudfront.origin-facing | CloudFront IPs to allow through firewalls |
๐ข PREFIX_LIST_ID
- A
PREFIX_LIST_IDis a unique identifier for a Prefix List in AWS. - Format:
pl-xxxxxxxxxxxxxxxxx - Used in Route Tables, Security Groups, and NACLs as a substitute for raw CIDRs.
โ Example:
If your S3 Prefix List ID is
pl-1234abcd, you can use it in a route table like:{ "DestinationPrefixListId": "pl-1234abcd", "Target": "igw-0abc123de456" }Code language: JSON / JSON with Comments (json)
๐ ๏ธ How to Create a Customer-Managed Prefix List
๐ง Via Console
- Go to VPC Dashboard โ Prefix Lists
- Click Create Prefix List
- Enter name, maximum number of entries, and add CIDRs
- Create and note the
PREFIX_LIST_ID
๐งฉ Via AWS CLI
aws ec2 create-managed-prefix-list \
--prefix-list-name my-app-cidrs \
--max-entries 5 \
--address-family IPv4 \
--entries Cidr=192.168.1.0/24,Description="App subnet"
Code language: PHP (php)๐ How to Use PREFIX_LIST_ID in Terraform
resource "aws_route" "example" {
route_table_id = aws_route_table.example.id
destination_prefix_list_id = "pl-1234abcd"
gateway_id = aws_internet_gateway.example.id
}
Code language: JavaScript (javascript)Or dynamically:
data "aws_prefix_list" "s3" {
name = "com.amazonaws.us-east-1.s3"
}
resource "aws_security_group_rule" "allow_s3" {
type = "egress"
security_group_id = aws_security_group.example.id
from_port = 443
to_port = 443
protocol = "tcp"
prefix_list_ids = [data.aws_prefix_list.s3.id]
}
Code language: JavaScript (javascript)๐ Benefits of Using Prefix Lists
| Feature | Benefit |
|---|---|
| Consistency | No need to update CIDRs manually in multiple places |
| Simplification | Replace long IP lists with a single identifier |
| Scalability | One change affects all related security or routing rules |
| Security | Easier to audit and manage trusted IPs |
๐ Updating a Prefix List
- AWS-Managed: Automatically updated by AWS
- Customer-Managed:
- Use CLI or Console to add/remove CIDRs
- Affects all associated route/security rules immediately
๐ง Best Practices
- Use AWS-managed prefix lists for trusted AWS services.
- Use customer-managed prefix lists to organize:
- Office IPs
- Partner networks
- Application subnets
- Tag your prefix lists for visibility and tracking.
โ Common Questions
๐ How to find a prefix list ID?
aws ec2 describe-managed-prefix-lists
๐ Are prefix lists secure?
Yes. They’re only a way to manage IP lists, and your actual resource access is controlled by security groups, NACLs, or route tables.
๐ Are prefix lists region-specific?
Yes, prefix lists are region-specific, especially AWS-managed ones like S3 or DynamoDB.
How to Configure the EKS nodes' security group to receive traffic from the VPC Lattice network.
$ PREFIX_LIST_ID=$(aws ec2 describe-managed-prefix-lists --query "PrefixLists[?PrefixListName=="\'com.amazonaws.$AWS_REGION.vpc-lattice\'"].PrefixListId" | jq -r '.[]')
$ echo $PREFIX_LIST_ID
$ aws ec2 authorize-security-group-ingress --group-id $CLUSTER_SG --ip-permissions "PrefixListIds=[{PrefixListId=${PREFIX_LIST_ID}}],IpProtocol=-1"
$ PREFIX_LIST_ID_IPV6=$(aws ec2 describe-managed-prefix-lists --query "PrefixLists[?PrefixListName=="\'com.amazonaws.$AWS_REGION.ipv6.vpc-lattice\'"].PrefixListId" | jq -r '.[]')
$ echo $PREFIX_LIST_ID_IPV6
$ aws ec2 authorize-security-group-ingress --group-id $CLUSTER_SG --ip-permissions "PrefixListIds=[{PrefixListId=${PREFIX_LIST_ID_IPV6}}],IpProtocol=-1"Code language: PHP (php)
Iโm a DevOps/SRE/DevSecOps/Cloud Expert passionate about sharing knowledge and experiences. I have worked at Cotocus. I share tech blog at DevOps School, travel stories at Holiday Landmark, stock market tips at Stocks Mantra, health and fitness guidance at My Medic Plus, product reviews at TrueReviewNow , and SEO strategies at Wizbrand.
Do you want to learn Quantum Computing?
Please find my social handles as below;
Rajesh Kumar Personal Website
Rajesh Kumar at YOUTUBE
Rajesh Kumar at INSTAGRAM
Rajesh Kumar at X
Rajesh Kumar at FACEBOOK
Rajesh Kumar at LINKEDIN
Rajesh Kumar at WIZBRAND
Find Trusted Cardiac Hospitals
Compare heart hospitals by city and services โ all in one place.
Explore Hospitals