{"id":48977,"date":"2025-04-04T01:32:27","date_gmt":"2025-04-04T01:32:27","guid":{"rendered":"https:\/\/www.devopsschool.com\/blog\/?p=48977"},"modified":"2025-04-04T01:32:27","modified_gmt":"2025-04-04T01:32:27","slug":"aws-tutorials-what-is-a-prefix-list-in-aws","status":"publish","type":"post","link":"https:\/\/www.devopsschool.com\/blog\/aws-tutorials-what-is-a-prefix-list-in-aws\/","title":{"rendered":"AWS Tutorials: What is a Prefix List in AWS?"},"content":{"rendered":"\n<p>Here&#8217;s a <strong>complete guide to Prefix List and <code>PREFIX_LIST_ID<\/code><\/strong> \u2013 particularly useful in <strong>AWS networking<\/strong> contexts such as <strong>Route Tables, Security Groups, and Network ACLs<\/strong>.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">\ud83d\udd30 What is a Prefix List in AWS?<\/h1>\n\n\n\n<p>A <strong>Prefix List<\/strong> in AWS is a <strong>set of CIDR blocks grouped under a logical name<\/strong>, managed by AWS or the user, and assigned a unique ID. 
It simplifies the management of <strong>IP-based rules<\/strong> across multiple AWS services.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">\u2705 Key Use Cases<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Use Case<\/th><th>Description<\/th><\/tr><\/thead><tbody><tr><td>\u2705 Route Tables<\/td><td>Use a Prefix List to define destination CIDR blocks<\/td><\/tr><tr><td>\u2705 Security Groups<\/td><td>Allow or restrict traffic from a known set of IP ranges<\/td><\/tr><tr><td>\u2705 Network ACLs<\/td><td>Apply consistent rules across VPCs using prefix lists<\/td><\/tr><tr><td>\u2705 Simplified Management<\/td><td>Update a prefix list once to affect all dependent resources<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">\ud83d\udce6 Types of Prefix Lists<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Type<\/th><th>Description<\/th><th>Example<\/th><\/tr><\/thead><tbody><tr><td><strong>AWS-Managed<\/strong><\/td><td>Created and maintained by AWS for common services<\/td><td><code>com.amazonaws.region.s3<\/code><\/td><\/tr><tr><td><strong>Customer-Managed<\/strong><\/td><td>Created by the user with specific CIDRs<\/td><td><code>pl-0123456789abcdef0<\/code><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">\ud83d\udd10 AWS-Managed Prefix List Examples<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Service<\/th><th>Prefix List Name<\/th><th>Description<\/th><\/tr><\/thead><tbody><tr><td>S3<\/td><td><code>com.amazonaws.&lt;region&gt;.s3<\/code><\/td><td>Access to S3 public 
endpoints<\/td><\/tr><tr><td>DynamoDB<\/td><td><code>com.amazonaws.&lt;region&gt;.dynamodb<\/code><\/td><td>Used for DynamoDB access<\/td><\/tr><tr><td>CloudFront<\/td><td><code>com.amazonaws.global.cloudfront.origin-facing<\/code><\/td><td>CloudFront IPs to allow through firewalls<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">\ud83d\udd22 PREFIX_LIST_ID<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A <code>PREFIX_LIST_ID<\/code> is a <strong>unique identifier<\/strong> for a Prefix List in AWS.<\/li>\n\n\n\n<li>Format: <code>pl-xxxxxxxxxxxxxxxxx<\/code><\/li>\n\n\n\n<li>Used in Route Tables, Security Groups, and NACLs as a substitute for raw CIDRs.<\/li>\n<\/ul>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\u2705 Example:<\/p>\n\n\n\n<p>If your S3 Prefix List ID is <code>pl-1234abcd<\/code>, you can use it in a route table like:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-1\" data-shcb-language-name=\"JSON \/ JSON with Comments\" data-shcb-language-slug=\"json\"><span><code class=\"hljs language-json\">{\n  <span class=\"hljs-attr\">\"DestinationPrefixListId\"<\/span>: <span class=\"hljs-string\">\"pl-1234abcd\"<\/span>,\n  <span class=\"hljs-attr\">\"Target\"<\/span>: <span class=\"hljs-string\">\"igw-0abc123de456\"<\/span>\n}\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-1\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JSON \/ JSON with Comments<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">json<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre><\/blockquote>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">\ud83d\udee0\ufe0f How to Create a Customer-Managed Prefix List<\/h2>\n\n\n\n<h3 
class=\"wp-block-heading\">\ud83d\udd27 Via Console<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Go to <strong>VPC Dashboard \u2192 Prefix Lists<\/strong><\/li>\n\n\n\n<li>Click <strong>Create Prefix List<\/strong><\/li>\n\n\n\n<li>Enter name, maximum number of entries, and add CIDRs<\/li>\n\n\n\n<li>Create and note the <code>PREFIX_LIST_ID<\/code><\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\">\ud83e\udde9 Via AWS CLI<\/h3>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-2\" data-shcb-language-name=\"PHP\" data-shcb-language-slug=\"php\"><span><code class=\"hljs language-php\">aws ec2 create-managed-prefix-<span class=\"hljs-keyword\">list<\/span> \\\n  --prefix-<span class=\"hljs-keyword\">list<\/span>-name my-app-cidrs \\\n  --max-entries <span class=\"hljs-number\">5<\/span> \\\n  --address-family IPv4 \\\n  --entries Cidr=<span class=\"hljs-number\">192.168<\/span><span class=\"hljs-number\">.1<\/span><span class=\"hljs-number\">.0<\/span>\/<span class=\"hljs-number\">24<\/span>,Description=<span class=\"hljs-string\">\"App subnet\"<\/span>\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-2\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">PHP<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">php<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">\ud83d\udcdd How to Use PREFIX_LIST_ID in Terraform<\/h2>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-3\" data-shcb-language-name=\"JavaScript\" data-shcb-language-slug=\"javascript\"><span><code class=\"hljs language-javascript\">resource <span class=\"hljs-string\">\"aws_route\"<\/span> <span class=\"hljs-string\">\"example\"<\/span> {\n  route_table_id         = aws_route_table.example.id\n  destination_prefix_list_id = <span 
class=\"hljs-string\">\"pl-1234abcd\"<\/span>\n  gateway_id             = aws_internet_gateway.example.id\n}\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-3\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JavaScript<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p>Or dynamically:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-4\" data-shcb-language-name=\"JavaScript\" data-shcb-language-slug=\"javascript\"><span><code class=\"hljs language-javascript\">data <span class=\"hljs-string\">\"aws_prefix_list\"<\/span> <span class=\"hljs-string\">\"s3\"<\/span> {\n  name = <span class=\"hljs-string\">\"com.amazonaws.us-east-1.s3\"<\/span>\n}\n\nresource <span class=\"hljs-string\">\"aws_security_group_rule\"<\/span> <span class=\"hljs-string\">\"allow_s3\"<\/span> {\n  type                     = <span class=\"hljs-string\">\"egress\"<\/span>\n  security_group_id        = aws_security_group.example.id\n  from_port                = <span class=\"hljs-number\">443<\/span>\n  to_port                  = <span class=\"hljs-number\">443<\/span>\n  protocol                 = <span class=\"hljs-string\">\"tcp\"<\/span>\n  prefix_list_ids          = &#91;data.aws_prefix_list.s3.id]\n}\n<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-4\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">JavaScript<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">javascript<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">\ud83d\udccc Benefits of Using Prefix Lists<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table 
class=\"has-fixed-layout\"><thead><tr><th>Feature<\/th><th>Benefit<\/th><\/tr><\/thead><tbody><tr><td><strong>Consistency<\/strong><\/td><td>No need to update CIDRs manually in multiple places<\/td><\/tr><tr><td><strong>Simplification<\/strong><\/td><td>Replace long IP lists with a single identifier<\/td><\/tr><tr><td><strong>Scalability<\/strong><\/td><td>One change affects all related security or routing rules<\/td><\/tr><tr><td><strong>Security<\/strong><\/td><td>Easier to audit and manage trusted IPs<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">\ud83d\udd04 Updating a Prefix List<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>AWS-Managed<\/strong>: Automatically updated by AWS<\/li>\n\n\n\n<li><strong>Customer-Managed<\/strong>:\n<ul class=\"wp-block-list\">\n<li>Use CLI or Console to <strong>add\/remove<\/strong> CIDRs<\/li>\n\n\n\n<li>Affects all associated route\/security rules immediately<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">\ud83e\udde0 Best Practices<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use <strong>AWS-managed prefix lists<\/strong> for trusted AWS services.<\/li>\n\n\n\n<li>Use <strong>customer-managed prefix lists<\/strong> to organize:\n<ul class=\"wp-block-list\">\n<li>Office IPs<\/li>\n\n\n\n<li>Partner networks<\/li>\n\n\n\n<li>Application subnets<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Tag<\/strong> your prefix lists for visibility and tracking.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">\u2753 Common Questions<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">\ud83d\udd0d How to find a prefix list ID?<\/h3>\n\n\n<pre class=\"wp-block-code\"><span><code class=\"hljs\">aws ec2 describe-managed-prefix-lists\n<\/code><\/span><\/pre>\n\n\n<h3 
class=\"wp-block-heading\">\ud83d\udd10 Are prefix lists secure?<\/h3>\n\n\n\n<p>Yes. A prefix list is only a way to manage IP lists; it grants no access by itself, and actual resource access is controlled by the security groups, NACLs, or route tables that reference it.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">\ud83c\udf0d Are prefix lists region-specific?<\/h3>\n\n\n\n<p>Yes, prefix lists are <strong>region-specific<\/strong>, especially AWS-managed ones like S3 or DynamoDB.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p>How to configure the EKS nodes&#8217; security group to receive traffic from the VPC Lattice network: with <code>AWS_REGION<\/code> and <code>CLUSTER_SG<\/code> already set, look up the AWS-managed VPC Lattice prefix lists (IPv4 and IPv6) and authorize ingress from each. <code>IpProtocol=-1<\/code> in these rules allows all protocols and ports from those prefix lists.<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-5\" data-shcb-language-name=\"PHP\" data-shcb-language-slug=\"php\"><span><code class=\"hljs language-php\">$ PREFIX_LIST_ID=$(aws ec2 describe-managed-prefix-lists --query \"PrefixLists&#91;?PrefixListName=='com.amazonaws.$AWS_REGION.vpc-lattice'].PrefixListId\" | jq -r '.&#91;]')\n\n$ echo \"$PREFIX_LIST_ID\"\n\n$ aws ec2 authorize-security-group-ingress --group-id \"$CLUSTER_SG\" --ip-permissions \"PrefixListIds=&#91;{PrefixListId=${PREFIX_LIST_ID}}],IpProtocol=-1\"\n\n$ PREFIX_LIST_ID_IPV6=$(aws ec2 describe-managed-prefix-lists --query \"PrefixLists&#91;?PrefixListName=='com.amazonaws.$AWS_REGION.ipv6.vpc-lattice'].PrefixListId\" | jq -r '.&#91;]')\n\n$ echo \"$PREFIX_LIST_ID_IPV6\"\n\n$ aws ec2 authorize-security-group-ingress --group-id \"$CLUSTER_SG\" --ip-permissions \"PrefixListIds=&#91;{PrefixListId=${PREFIX_LIST_ID_IPV6}}],IpProtocol=-1\"<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-5\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">PHP<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">php<\/span><span 
class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Here&#8217;s a complete guide to Prefix List and PREFIX_LIST_ID \u2013 particularly useful in AWS networking contexts such as Route Tables, Security Groups, and Network ACLs. \ud83d\udd30 What is a Prefix&#8230; <\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"_joinchat":[],"footnotes":""},"categories":[2],"tags":[],"class_list":["post-48977","post","type-post","status-publish","format-standard","hentry","category-uncategorised"],"_links":{"self":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/48977","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/comments?post=48977"}],"version-history":[{"count":1,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/48977\/revisions"}],"predecessor-version":[{"id":48978,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/posts\/48977\/revisions\/48978"}],"wp:attachment":[{"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/media?parent=48977"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/categories?post=48977"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devopsschool.com\/blog\/wp-json\/wp\/v2\/tags?post=48977"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}