

# Consolidate and manage network CIDR blocks with managed prefix lists

A managed prefix list is a set of one or more CIDR blocks. You can use prefix lists to make it easier to configure and maintain your security groups and route tables. You can create a prefix list from the IP addresses that you frequently use, and reference them as a set in security group rules and routes instead of referencing them individually. For example, you can consolidate security group rules with different CIDR blocks but the same port and protocol into a single rule that uses a prefix list. If you scale your network and need to allow traffic from another CIDR block, you can update the relevant prefix list and all security groups that use the prefix list are updated. You can also use managed prefix lists with other AWS accounts using Resource Access Manager (RAM).

There are two types of prefix lists:
+ **Customer-managed prefix lists** — Sets of IP address ranges that you define and manage. You can share your prefix list with other AWS accounts, enabling those accounts to reference the prefix list in their own resources.
+ **AWS-managed prefix lists** — Sets of IP address ranges for AWS services. You cannot create, modify, share, or delete an AWS-managed prefix list.

**Topics**
+ [Prefix lists concepts and rules](#managed-prefix-lists-concepts)
+ [Identity and access management for prefix lists](#managed-prefix-lists-iam)
+ [Customer-managed prefix lists](working-with-managed-prefix-lists.md)
+ [AWS-managed prefix lists](working-with-aws-managed-prefix-lists.md)
+ [Optimize AWS infrastructure management with prefix lists](managed-prefix-lists-referencing.md)

## Prefix lists concepts and rules


A prefix list consists of *entries*. Each entry consists of a CIDR block and, optionally, a description for the CIDR block.

**Customer-managed prefix lists**

The following rules apply to customer-managed prefix lists:
+ A prefix list supports a single type of IP addressing only (IPv4 or IPv6). You cannot combine IPv4 and IPv6 CIDR blocks in a single prefix list.
+ A prefix list applies only to the Region where you created it.
+ When you create a prefix list, you must specify the maximum number of entries that the prefix list can support.
+ When you reference a prefix list in a resource, the maximum number of entries for the prefix list (not the number of entries currently in it) counts against the quota for the number of entries for the resource. For example, if you create a prefix list with 20 maximum entries and you reference that prefix list in a security group rule, this counts as 20 security group rules.
+ When you reference a prefix list in a route table, route priority rules apply. For more information, see [Route priority for prefix lists](route-tables-priority.md#route-priority-managed-prefix-list).
+ You can modify a prefix list. When you add or remove entries, we create a new version of the prefix list. Resources that reference the prefix list always use the current (latest) version. You can restore the entries from a previous version of the prefix list, which also creates a new version.
+ There are quotas related to prefix lists. For more information, see [Customer-managed prefix lists](amazon-vpc-limits.md#vpc-quotas-managed-prefix-lists).
+ Customer-managed prefix lists are available in all commercial [AWS Regions](https://aws.amazon.com//about-aws/global-infrastructure/regions_az/) (including GovCloud (US) and China Regions).

**AWS-managed prefix lists**

The following rules apply to AWS-managed prefix lists:
+ You cannot create, modify, share, or delete an AWS-managed prefix list.
+ Different AWS-managed prefix lists have a different weight when you use them. For more information, see [AWS-managed prefix list weight](working-with-aws-managed-prefix-lists.md#aws-managed-prefix-list-weights).
+ You cannot view the version number of an AWS-managed prefix list.

## Identity and access management for prefix lists


By default, users do not have permission to create, view, modify, or delete prefix lists. To grant it, create an IAM policy and attach it to the roles or users that need to work with prefix lists.

To see a list of Amazon VPC actions and the resources and condition keys that you can use in an IAM policy, see [Actions, resources, and condition keys for Amazon EC2](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonec2.html) in the *Service Authorization Reference*.

The following example policy allows users to view and work with prefix list `pl-123456abcde123456` only. Users cannot create or delete prefix lists. The mutating actions are pinned to that one prefix list ARN; anyone who can modify a prefix list can change what every security group rule and route that references it allows, so scope `ec2:ModifyManagedPrefixList` and `ec2:RestoreManagedPrefixListVersion` as tightly as you can. `ec2:DescribeManagedPrefixLists` is granted on `"*"` because, like the other EC2 Describe actions, it is not scoped to individual resources.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:GetManagedPrefixListAssociations",
                "ec2:GetManagedPrefixListEntries",
                "ec2:ModifyManagedPrefixList",
                "ec2:RestoreManagedPrefixListVersion"
            ],
            "Resource": "arn:aws:ec2:us-east-1:123456789012:prefix-list/pl-123456abcde123456"
        },
        {
            "Effect": "Allow",
            "Action": "ec2:DescribeManagedPrefixLists",
            "Resource": "*"
        }
    ]
}
```

For more information about working with IAM in Amazon VPC, see [Identity and access management for Amazon VPC](security-iam.md).
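Because a prefix list fans out into every security group and route that references it, the statement to watch for in a policy review is one that allows the mutating prefix-list actions on a wildcard resource. The following lint is an added example written for this page, not code from AWS; it treats IAM `Action` and `Resource` elements as case-insensitive globs (the documented matching rule) and flags `ec2:ModifyManagedPrefixList`, `ec2:RestoreManagedPrefixListVersion` and `ec2:DeleteManagedPrefixList` wherever they are granted on a resource that can match more than one prefix list. The scoped policy embedded below is the one from this page; the broad policy is a constructed counter-example. It is a heuristic: `NotAction`, `NotResource`, `Deny` statements and `Condition` blocks are ignored.

```python
import fnmatch

# Prefix-list actions that change what every referencing security group rule
# and route allows. A grant of these on a wildcard resource is worth flagging.
SENSITIVE_ACTIONS = (
    "ec2:ModifyManagedPrefixList",
    "ec2:RestoreManagedPrefixListVersion",
    "ec2:DeleteManagedPrefixList",
)


def _as_list(value):
    """IAM accepts either a string or a list for Action and Resource."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def _action_granted(patterns, action):
    """IAM matches action names case-insensitively with * and ? wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def resource_is_unscoped(resource):
    """True if a Resource element can match more than one prefix list, e.g.
    "*", "arn:aws:ec2:us-east-1:123456789012:*" or
    "arn:aws:ec2:us-east-1:123456789012:prefix-list/*"."""
    if resource == "*":
        return True
    parts = resource.split(":", 5)   # arn:partition:service:region:account:resource
    if len(parts) != 6:
        return True                  # not a well-formed ARN; treat as unscoped
    service, resource_part = parts[2], parts[5]
    if not fnmatch.fnmatchcase("ec2", service):
        return False                 # can never match an EC2 prefix list
    rtype, sep, rid = resource_part.partition("/")
    if not sep:
        # No "type/id" split (e.g. "*"): unscoped if it could match a prefix list.
        return fnmatch.fnmatchcase("prefix-list/pl-0", resource_part)
    if not fnmatch.fnmatchcase("prefix-list", rtype):
        return False
    return any(ch in rid for ch in "*?")


def lint_prefix_list_policy(policy):
    """Return sorted (action, resource) pairs for every Allow statement that
    grants a sensitive prefix-list action on an unscoped resource.
    Heuristic only: NotAction, NotResource, Deny and Condition are ignored."""
    findings = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        patterns = _as_list(stmt.get("Action"))
        for action in SENSITIVE_ACTIONS:
            if not _action_granted(patterns, action):
                continue
            for resource in _as_list(stmt.get("Resource")):
                if resource_is_unscoped(resource):
                    findings.add((action, resource))
    return sorted(findings)


# The policy from this page: mutation is pinned to one prefix list ARN.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:GetManagedPrefixListAssociations",
                    "ec2:GetManagedPrefixListEntries",
                    "ec2:ModifyManagedPrefixList",
                    "ec2:RestoreManagedPrefixListVersion"],
         "Resource": "arn:aws:ec2:us-east-1:123456789012:prefix-list/pl-123456abcde123456"},
        {"Effect": "Allow", "Action": "ec2:DescribeManagedPrefixLists", "Resource": "*"},
    ],
}

# Constructed counter-example: a service wildcard on all resources.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}],
}

if __name__ == "__main__":
    print("scoped:", lint_prefix_list_policy(SCOPED_POLICY))
    print("broad: ", lint_prefix_list_policy(BROAD_POLICY))
```

Run it against the policy documents you attach to roles that touch prefix lists; an empty result for a policy means every mutating grant names a specific `prefix-list/pl-…` ARN. The region and account segments are deliberately not checked, because a prefix list ID is unique and a pinned ID is scoped even when those segments are wildcards.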

# Customer-managed prefix lists


Customer-managed prefix lists let you define and maintain your own sets of IP address ranges (prefixes) within AWS. Instead of hardcoding those ranges into each resource, you create one prefix list and reference it wherever it is needed, which keeps the ranges consistent across resources and lets you change them in one place.

You can also share a customer-managed prefix list with other AWS accounts. Consumers can then reference your ranges in their own resources, and because every reference uses the latest version of the list, an update you make propagates to their resources as well as yours.

The sections that follow cover the practical side: creating, managing, and sharing customer-managed prefix lists.

**Note**  
You can automate prefix list management using Amazon VPC IPAM to automatically sync CIDRs based on rules you define. This eliminates manual updates when your infrastructure changes. For more information, see [Automate prefix list updates with IPAM](https://docs.aws.amazon.com/vpc/latest/ipam/automate-prefix-list-updates.html) in the *Amazon VPC IPAM User Guide*.

**Topics**
+ [Work with customer-managed prefix lists](work-with-cust-managed-prefix-lists.md)

# Work with customer-managed prefix lists


This section describes how to work with customer-managed prefix lists.

**Topics**
+ [Create a prefix list](#create-managed-prefix-list)
+ [View prefix lists](#view-managed-prefix-lists)
+ [View the entries for a prefix list](#view-managed-prefix-list-entries)
+ [View associations (references) for your prefix list](#view-managed-prefix-list-associations)
+ [Modify a prefix list](#modify-managed-prefix-list)
+ [Resize a prefix list](#resize-managed-prefix-list)
+ [Restore a previous version of a prefix list](#restore-managed-prefix-list)
+ [Delete a prefix list](#delete-managed-prefix-list)
+ [Share customer-managed prefix lists](sharing-managed-prefix-lists.md)

## Create a prefix list


When you create a prefix list, you must specify the maximum number of entries that the prefix list can support.

**Limitation**  
You can't add a prefix list to a security group rule if the number of rules plus the max entries for the prefix list exceeds the quota for rules per security group for your account.

**To create a prefix list using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Managed Prefix Lists**.

1. Choose **Create prefix list**.

1. For **Prefix list name**, enter a name for the prefix list.

1. For **Max entries**, enter the maximum number of entries for the prefix list.

1. For **Address family**, choose whether the prefix list supports IPv4 or IPv6 entries.

1. For **Prefix list entries**, choose **Add new entry**, and enter the CIDR block and a description for the entry. Repeat this step for each entry.

1. (Optional) For **Tags**, add tags to the prefix list to help you identify it later.

1. Choose **Create prefix list**.

**To create a prefix list using the AWS CLI**  
Use the [create-managed-prefix-list](https://docs.aws.amazon.com/cli/latest/reference/ec2/create-managed-prefix-list.html) command.

## View prefix lists


You can view your prefix lists, prefix lists that are shared with you, and AWS-managed prefix lists.

**To view prefix lists using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Managed Prefix Lists**.

1. The **Owner ID** column shows the AWS account ID of the prefix list owner. For AWS-managed prefix lists, the **Owner ID** is **AWS**.

**To view prefix lists using the AWS CLI**  
Use the [describe-managed-prefix-lists](https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-managed-prefix-lists.html) command.

## View the entries for a prefix list


You can view the entries for your prefix lists, prefix lists that are shared with you, and AWS-managed prefix lists.

**To view the entries for a prefix list using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Managed Prefix Lists**. 

1. Select the checkbox for the prefix list.

1. In the lower pane, choose **Entries** to view the entries for the prefix list.

**To view the entries for a prefix list using the AWS CLI**  
Use the [get-managed-prefix-list-entries](https://docs.aws.amazon.com/cli/latest/reference/ec2/get-managed-prefix-list-entries.html) command.

## View associations (references) for your prefix list


You can view the IDs and owners of the resources that are associated with your prefix list. Associated resources are resources that reference your prefix list in their entries or rules.

**Limitation**  
You cannot view associated resources for an AWS-managed prefix list.

**To view prefix list associations using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Managed Prefix Lists**. 

1. Select the checkbox for the prefix list.

1. In the lower pane, choose **Associations** to view the resources that are referencing the prefix list.

**To view prefix list associations using the AWS CLI**  
Use the [get-managed-prefix-list-associations](https://docs.aws.amazon.com/cli/latest/reference/ec2/get-managed-prefix-list-associations.html) command.

## Modify a prefix list


You can modify the name of your prefix list, and you can add or remove entries. To modify the maximum number of entries, see [Resize a prefix list](#resize-managed-prefix-list).

Updating the entries of a prefix list creates a new version of the prefix list. Updating the name or maximum number of entries for a prefix list does not create a new version of the prefix list.

**Considerations**
+ You cannot modify an AWS-managed prefix list.
+ When you increase the maximum number of entries in a prefix list, the increased maximum size is applied to the quota of entries for the resources that reference the prefix list. If any of these resources can't support the increased maximum size, the modify operation fails and the previous maximum size is restored.

**To modify a prefix list using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Managed Prefix Lists**.

1. Select the checkbox for the prefix list, and choose **Actions**, **Modify prefix list**.

1. For **Prefix list name**, enter a new name for the prefix list.

1. If the managed prefix list has been configured as an IPAM prefix list resolver target, you'll see an **IPAM prefix list resolver sync** option.

   Choose whether to enable or disable synchronization with the IPAM prefix list resolver. When enabled, the prefix list CIDRs are automatically updated based on the associated resolver's CIDR selection rules. When disabled, the prefix list CIDRs are not automatically updated. For more information about this feature, see [Automate prefix list updates with IPAM](https://docs.aws.amazon.com/vpc/latest/ipam/automate-prefix-list-updates.html) in the *Amazon VPC IPAM User Guide*.

1. For **Prefix list entries**, choose **Remove** to remove an existing entry. To add a new entry, choose **Add new entry** and enter the CIDR block and a description for the entry.

1. Choose **Save prefix list**.

**To modify a prefix list using the AWS CLI**  
Use the [modify-managed-prefix-list](https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-managed-prefix-list.html) command.

## Resize a prefix list


You can resize a prefix list and modify the maximum number of entries for the prefix list up to 1000. For more information about customer-managed prefix list quotas, see [Customer-managed prefix lists](amazon-vpc-limits.md#vpc-quotas-managed-prefix-lists).

**To resize a prefix list using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Managed Prefix Lists**.

1. Select the checkbox for the prefix list, and choose **Actions**, **Resize prefix list**.

1. For **New max entries**, enter a value.

1. Choose **Resize**.

**To resize a prefix list using the AWS CLI**  
Use the [modify-managed-prefix-list](https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-managed-prefix-list.html) command.

## Restore a previous version of a prefix list


You can restore the entries from a previous version of your prefix list. This creates a new version of the prefix list.

If you decreased the size of the prefix list, you must ensure that the prefix list is large enough to contain the entries from the previous version.

**To restore a previous version of a prefix list using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Managed Prefix Lists**.

1. Select the checkbox for the prefix list, and choose **Actions**, **Restore prefix list**.

1. For **Select prefix list version**, choose a previous version. The entries for the selected version are displayed in **Prefix list entries**.

1. Choose **Restore prefix list**.

**To restore a previous version of a prefix list using the AWS CLI**  
Use the [restore-managed-prefix-list-version](https://docs.aws.amazon.com/cli/latest/reference/ec2/restore-managed-prefix-list-version.html) command.

## Delete a prefix list


To delete a prefix list, you must first remove any references to it in your resources (such as in your route tables). If you've shared the prefix list using AWS RAM, any references in consumer-owned resources must first be removed.

**Limitation**  
You cannot delete an AWS-managed prefix list.

**To delete a prefix list using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Managed Prefix Lists**.

1. Select the prefix list, and choose **Actions**, **Delete prefix list**.

1. In the confirmation dialog box, enter `delete`, and choose **Delete**.

**To delete a prefix list using the AWS CLI**  
Use the [delete-managed-prefix-list](https://docs.aws.amazon.com/cli/latest/reference/ec2/delete-managed-prefix-list.html) command.

# Share customer-managed prefix lists


With AWS Resource Access Manager (AWS RAM), the owner of a customer-managed prefix list can share the prefix list with the following:
+ Specific AWS accounts inside or outside of its organization in AWS Organizations
+ An organizational unit inside its organization in AWS Organizations
+ An entire organization in AWS Organizations

Consumers with whom a prefix list has been shared can view the prefix list and its entries, and they can reference the prefix list in their AWS resources.

For more information about AWS RAM, see the [AWS RAM User Guide](https://docs.aws.amazon.com/ram/latest/userguide/). For more information about quotas, see [Service quotas](https://docs.aws.amazon.com/general/latest/gr/ram.html#limits_ram) in the AWS RAM User Guide.

**Important**  
There are no additional charges for sharing prefix lists.

**Topics**
+ [Shared prefix list permissions](sharing-perms.md)
+ [Work with shared prefix lists](work-with-shared-prefixes.md)

# Shared prefix list permissions


**Permissions for owners**

Owners are responsible for managing a shared prefix list and its entries. Owners can view the IDs of the AWS resources that reference the prefix list. However, they cannot add or remove references to a prefix list in AWS resources that are owned by consumers. 

Owners cannot delete a prefix list if the prefix list is referenced in a resource that's owned by a consumer.

**Permissions for consumers**

Consumers can view the entries in a shared prefix list, and they can reference a shared prefix list in their AWS resources. However, consumers can't modify, restore, or delete a shared prefix list.

# Work with shared prefix lists


Prefix lists provide a convenient way to manage and reference sets of IP address ranges. In addition to the AWS-managed prefix lists, you can create your own customer-managed prefix lists and share them with other AWS accounts.

Sharing is useful for organizations with complex networking requirements or that need to coordinate IP address usage across multiple workloads and accounts: every consumer references the same list, so there is one place to update the ranges and no drift between per-account copies.

This section describes how to share prefix lists and how to identify and use prefix lists that have been shared with your account.

**Topics**
+ [Share a prefix list](#sharing-share)
+ [Unshare a shared prefix list](#sharing-unshare)
+ [Identify a shared prefix list](#sharing-identify)
+ [Identify references to a shared prefix list](#sharing-identify-references)

## Share a prefix list


To share a prefix list, you must add it to a resource share. If you do not have a resource share, you must first create one using the [AWS RAM console](https://console.aws.amazon.com/ram).

If you are part of an organization in AWS Organizations, and sharing within your organization is enabled, consumers in your organization are automatically granted access to the shared prefix list. Otherwise, consumers receive an invitation to join the resource share and are granted access to the shared prefix list after accepting the invitation.

You can create a resource share and share a prefix list that you own using the AWS RAM console, or the AWS CLI.

**Important**  
To share a prefix list, you must own it. You cannot share a prefix list that has been shared with you. You cannot share an AWS-managed prefix list.
To share a prefix list with your organization or an organizational unit in AWS Organizations, you must enable sharing with AWS Organizations. For more information, see [ Enable sharing with AWS Organizations](https://docs.aws.amazon.com/ram/latest/userguide/getting-started-sharing.html#getting-started-sharing-orgs) in the *AWS RAM User Guide*.

**To create a resource share and share a prefix list using the AWS RAM console**  
Follow the steps in [Create a resource share](https://docs.aws.amazon.com/ram/latest/userguide/getting-started-sharing.html#getting-started-sharing-create) in the *AWS RAM User Guide*. For **Select resource type**, choose **Prefix Lists**, and then select the check box for your prefix list.

**To add a prefix list to an existing resource share using the AWS RAM console**  
To add a managed prefix list that you own to an existing resource share, follow the steps in [Updating a resource share](https://docs.aws.amazon.com/ram/latest/userguide/working-with-sharing.html#working-with-sharing-update) in the *AWS RAM User Guide*. For **Select resource type**, choose **Prefix Lists**, and then select the check box for your prefix list.

**To share a prefix list that you own using the AWS CLI**  
Use the following commands to create and update a resource share:
+ [create-resource-share](https://docs.aws.amazon.com/cli/latest/reference/ram/create-resource-share.html) 
+ [associate-resource-share](https://docs.aws.amazon.com/cli/latest/reference/ram/associate-resource-share.html) 
+ [update-resource-share](https://docs.aws.amazon.com/cli/latest/reference/ram/update-resource-share.html) 

## Unshare a shared prefix list


When you unshare a prefix list, consumers can no longer view the prefix list or its entries in their account, and they cannot add new references to the prefix list in their resources. If the prefix list is already referenced in the consumer's resources, those references continue to function as normal, and you can continue to [view those references](#sharing-identify-references). If you update the prefix list to a new version, the references use the latest version. Unsharing is therefore not a revocation of access that consumers already granted through the list: the only lever the owner keeps over those existing references is the entries themselves, which follow the latest version.

To unshare a shared prefix list that you own, you must remove it from the resource share using AWS RAM.

**To unshare a shared prefix list that you own using the AWS RAM console**  
See [Updating a resource share](https://docs.aws.amazon.com/ram/latest/userguide/working-with-sharing.html#working-with-sharing-update) in the *AWS RAM User Guide*.

**To unshare a shared prefix list that you own using the AWS CLI**  
Use the [disassociate-resource-share](https://docs.aws.amazon.com/cli/latest/reference/ram/disassociate-resource-share.html) command.

## Identify a shared prefix list


Owners and consumers can identify shared prefix lists using the Amazon VPC console and AWS CLI.

**To identify a shared prefix list using the Amazon VPC console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Managed Prefix Lists**.

1. The page displays the prefix lists that you own and the prefix lists that are shared with you. The **Owner ID** column shows the AWS account ID of the prefix list owner.

1. To view the resource share information for a prefix list, select the prefix list and choose **Sharing** in the lower pane.

**To identify a shared prefix list using the AWS CLI**  
Use the [describe-managed-prefix-lists](https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-managed-prefix-lists.html) command. The command returns the prefix lists that you own and the prefix lists that are shared with you. `OwnerId` shows the AWS account ID of the prefix list owner.

## Identify references to a shared prefix list


Owners can identify the consumer-owned resources that are referencing a shared prefix list.

**To identify references to a shared prefix list using the Amazon VPC console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Managed Prefix Lists**.

1. Select the prefix list and choose **Associations** in the lower pane.

1. The IDs of the resources that are referencing the prefix list are listed in the **Resource ID** column. The owners of the resources are listed in the **Resource Owner** column.

**To identify references to a shared prefix list using the AWS CLI**  
Use the [get-managed-prefix-list-associations](https://docs.aws.amazon.com/cli/latest/reference/ec2/get-managed-prefix-list-associations.html) command.

# AWS-managed prefix lists


AWS-managed prefix lists are sets of IP address ranges for AWS services. These prefix lists are maintained by Amazon Web Services and provide a way to reference the IP addresses used by various AWS offerings. This can be particularly useful when configuring security groups or other network-level controls within a VPC.

The prefix lists cover a wide range of AWS services, including S3 and DynamoDB, and many others. By using the managed prefix lists, you can ensure that your network configurations are up-to-date and properly account for the IP addresses used by the AWS services you depend on. This can help simplify networking tasks and reduce the administrative overhead of manually maintaining lists of IP addresses.

In addition to the practical benefits, using the managed prefix lists also aligns with AWS security best practices. By relying on the authoritative IP address information provided by AWS, you can minimize the risk of misconfiguration or unexpected connectivity issues. This can be especially important for mission-critical applications or workloads with strict compliance requirements.

**Topics**
+ [Available AWS-managed prefix lists](#available-aws-managed-prefix-lists)
+ [AWS-managed prefix list weight](#aws-managed-prefix-list-weights)
+ [Use an AWS-managed prefix list](#use-aws-managed-prefix-list)

## Available AWS-managed prefix lists


The following services provide AWS-managed prefix lists.

[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/vpc/latest/userguide/working-with-aws-managed-prefix-lists.html)

**To view the AWS-managed prefix lists using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Managed Prefix Lists**.

1. In the search field, add the **Owner ID: AWS** filter.

**To view the AWS-managed prefix lists using the AWS CLI**  
Use the [describe-managed-prefix-lists](https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-managed-prefix-lists.html) command as follows.

```
aws ec2 describe-managed-prefix-lists --filters Name=owner-id,Values=AWS
```

## AWS-managed prefix list weight


The weight of an AWS-managed prefix list refers to the number of entries that it takes up in a resource.

For example, the weight of the Amazon CloudFront managed prefix list is 55. This affects your Amazon VPC quotas as follows:
+ **Security groups** – The [default quota](amazon-vpc-limits.md#vpc-limits-security-groups) is 60 rules, leaving room for only 5 additional rules in a security group. You can [request a quota increase](https://console.aws.amazon.com/servicequotas/home/services/vpc/quotas/L-0EA8095F) for this quota.
+ **Route tables** – The [default quota](amazon-vpc-limits.md#vpc-limits-route-tables) is 50 routes, so you must [request a quota increase](https://console.aws.amazon.com/servicequotas/home/services/vpc/quotas/L-93826ACB) before you can add the prefix list to a route table.

## Use an AWS-managed prefix list


AWS-managed prefix lists are created and maintained by AWS and can be used by anyone with an AWS account. You cannot create, modify, share, or delete an AWS-managed prefix list.

As with customer-managed prefix lists, you can use AWS-managed prefix lists with AWS resources such as security groups and route tables. For more information, see [Optimize AWS infrastructure management with prefix lists](managed-prefix-lists-referencing.md).

# Optimize AWS infrastructure management with prefix lists


You can reference a prefix list in the following AWS resources.

**Topics**
+ [VPC security groups](#prefix-list-vpc-security-group)
+ [Subnet route tables](#prefix-list-subnet-route-table)
+ [Transit gateway route tables](#prefix-list-tgw-route-table)
+ [AWS Network Firewall rule groups](#prefix-list-nfw-rule-groups)
+ [Amazon Managed Grafana network access control](#prefix-list-grafana)
+ [AWS Outposts rack local gateways](#prefix-list-outpost-racks-lgw)

## VPC security groups


You can specify a prefix list as the source for an inbound rule, or as the destination for an outbound rule. For more information, see [Security groups](vpc-security-groups.md).

**Important**  
You can't modify an existing rule to use a prefix list. You have to create a new rule to use a prefix list.

**To reference a prefix list in a security group rule using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Security Groups**.

1. Select the security group to update.

1. Choose **Actions**, **Edit inbound rules** or **Actions**, **Edit outbound rules**.

1. Choose **Add rule**. For **Type**, select the traffic type. For **Source** (inbound rules) or **Destination** (outbound rules), choose **Custom**. Then, in the next field, under **Prefix lists**, choose the ID of the prefix list. 

1. Choose **Save rules**.

**To reference a prefix list in a security group rule using the AWS CLI**  
Use the [authorize-security-group-ingress](https://docs.aws.amazon.com/cli/latest/reference/ec2/authorize-security-group-ingress.html) and [authorize-security-group-egress](https://docs.aws.amazon.com/cli/latest/reference/ec2/authorize-security-group-egress.html) commands. For the `--ip-permissions` parameter, specify the ID of the prefix list using `PrefixListIds`.
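The following script is an added example written for this page, not code from AWS, and it ties together the consolidation described in the introduction (several rules with the same port and protocol but different CIDR blocks collapse into one prefix-list rule), the counting rule from the concepts section (a reference weighs the list's max entries, and the list must fit under the rules-per-security-group quota), and the `IpPermissions` payloads this section's CLI commands take. The input is a constructed security group in the shape `describe-security-groups` returns; the prefix list IDs and the max-entries value for the list the group already references are hypothetical, and `pl-NEW` stands in for the ID that `create-managed-prefix-list` returns. Because an existing rule cannot be modified to use a prefix list, the planner emits an authorize payload to run first and a revoke payload to run second, and it checks the quota against the peak count while both coexist rather than only the final count.

```python
import ipaddress

# Hypothetical MaxEntries for prefix lists the group already references; in
# practice take these from describe-managed-prefix-lists (MaxEntries) or, for
# AWS-managed lists, from the published weight.
MAX_ENTRIES_BY_PREFIX_LIST = {"pl-0000000000000000a": 20}

# Constructed sample in the IpPermissions shape that describe-security-groups
# returns: four tcp/443 sources (three IPv4, one IPv6) and one tcp/22 rule that
# already references a prefix list.
SAMPLE_PERMISSIONS = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "203.0.113.0/24", "Description": "office-a"},
                  {"CidrIp": "198.51.100.0/24", "Description": "office-b"},
                  {"CidrIp": "192.0.2.0/24", "Description": "partner"}],
     "Ipv6Ranges": [{"CidrIpv6": "2001:db8::/32"}],
     "PrefixListIds": []},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [], "Ipv6Ranges": [],
     "PrefixListIds": [{"PrefixListId": "pl-0000000000000000a"}]},
]


def effective_rule_count(permissions, max_entries_by_pl):
    """Count rules the way the rules-per-security-group quota does: each CIDR,
    security group pair or prefix-list reference is one rule, except that a
    prefix-list reference weighs its MaxEntries, not its current entries."""
    total = 0
    for perm in permissions:
        total += len(perm.get("IpRanges", []))
        total += len(perm.get("Ipv6Ranges", []))
        total += len(perm.get("UserIdGroupPairs", []))
        for ref in perm.get("PrefixListIds", []):
            total += max_entries_by_pl[ref["PrefixListId"]]
    return total


def collect_cidrs(permissions, protocol, from_port, to_port):
    """CIDRs of the rules with this protocol and port range, validated and
    split by address family, because a prefix list holds only one family."""
    v4, v6 = set(), set()
    for perm in permissions:
        key = (perm["IpProtocol"], perm.get("FromPort"), perm.get("ToPort"))
        if key != (protocol, from_port, to_port):
            continue
        for r in perm.get("IpRanges", []):
            v4.add(str(ipaddress.IPv4Network(r["CidrIp"])))      # raises on bad CIDR
        for r in perm.get("Ipv6Ranges", []):
            v6.add(str(ipaddress.IPv6Network(r["CidrIpv6"])))
    return {"IPv4": sorted(v4), "IPv6": sorted(v6)}


def plan_consolidation(permissions, protocol, from_port, to_port, family,
                       quota, headroom, max_entries_by_pl, new_pl_id="pl-NEW"):
    """Plan replacing the per-CIDR rules for one protocol/port/family with a
    single prefix-list rule. Returns the entries for create-managed-prefix-list,
    the payloads for authorize-/revoke-security-group-ingress, and whether the
    group stays under `quota` throughout. `new_pl_id` is a placeholder for the
    ID that create-managed-prefix-list returns."""
    cidrs = collect_cidrs(permissions, protocol, from_port, to_port)[family]
    max_entries = len(cidrs) + headroom        # room to grow without resizing
    before = effective_rule_count(permissions, max_entries_by_pl)
    # An existing rule cannot be changed to use a prefix list, so the new rule
    # is authorized first and the CIDR rules revoked afterwards to avoid a gap
    # in which the sources are denied. Both sets coexist briefly, so the peak
    # count, not only the final count, has to fit under the quota.
    peak = before + max_entries
    after = before - len(cidrs) + max_entries
    range_key, cidr_key = (("IpRanges", "CidrIp") if family == "IPv4"
                           else ("Ipv6Ranges", "CidrIpv6"))
    authorize = [{"IpProtocol": protocol, "FromPort": from_port, "ToPort": to_port,
                  "PrefixListIds": [{"PrefixListId": new_pl_id,
                                     "Description": f"{family} sources, {protocol} {from_port}-{to_port}"}]}]
    revoke = [{"IpProtocol": protocol, "FromPort": from_port, "ToPort": to_port,
               range_key: [{cidr_key: c} for c in cidrs]}]
    return {
        "entries": [{"Cidr": c} for c in cidrs],   # --entries for create-managed-prefix-list
        "max_entries": max_entries,                 # --max-entries
        "rules_before": before,
        "rules_peak": peak,
        "rules_after": after,
        "fits_quota": peak <= quota,
        "authorize_ip_permissions": authorize,      # --ip-permissions, run first
        "revoke_ip_permissions": revoke,            # --ip-permissions, run second
    }


if __name__ == "__main__":
    import json
    plan = plan_consolidation(SAMPLE_PERMISSIONS, "tcp", 443, 443, "IPv4",
                              quota=60, headroom=7,
                              max_entries_by_pl=MAX_ENTRIES_BY_PREFIX_LIST)
    print(json.dumps(plan, indent=2))
```

With the sample group and the default quota of 60 rules, the three IPv4 tcp/443 rules become a 10-entry prefix list (three entries plus seven of headroom); the group goes from 24 effective rules to 31, peaking at 34 during the swap. With a quota of 32 the same plan is rejected even though the final count of 31 would fit, which is exactly the case a naive before/after comparison misses. The `authorize_ip_permissions` and `revoke_ip_permissions` values are the JSON to pass to `--ip-permissions` once `pl-NEW` is replaced with the real ID.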

## Subnet route tables


You can specify a prefix list as the destination for a route table entry. You cannot reference a prefix list in a gateway route table. For more information about route tables, see [Configure route tables](VPC_Route_Tables.md).

**To reference a prefix list in a route table using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Route Tables**, and select the route table.

1. Choose **Actions**, **Edit routes**.

1. To add a route, choose **Add route**.

1. For **Destination** enter the ID of a prefix list. 

1. For **Target**, choose a target.

1. Choose **Save changes**.

**To reference a prefix list in a route table using the AWS CLI**  
Use the [create-route](https://docs.aws.amazon.com/cli/latest/reference/ec2/create-route.html) command. Use the `--destination-prefix-list-id` parameter to specify the ID of a prefix list.

## Transit gateway route tables


You can specify a prefix list as the destination for a route. For more information, see [Prefix list references](https://docs.aws.amazon.com/vpc/latest/tgw/create-prefix-list-reference.html) in *Amazon VPC Transit Gateways*.

## AWS Network Firewall rule groups


An AWS Network Firewall rule group is a reusable set of criteria for inspecting and handling network traffic. If you create Suricata-compatible stateful rule groups in AWS Network Firewall, you can reference a prefix list from the rule group. For more information, see [Referencing Amazon VPC prefix lists](https://docs.aws.amazon.com/network-firewall/latest/developerguide/rule-groups-ip-set-references.html#rule-groups-referencing-prefix-lists) and [Creating a stateful rule group](https://docs.aws.amazon.com/network-firewall/latest/developerguide/rule-group-stateful-creating.html) in the *AWS Network Firewall Developer Guide*.

## Amazon Managed Grafana network access control


You can specify one or more prefix lists as an inbound rule for requests to Amazon Managed Grafana workspaces. For more information about Grafana workspace network access control, including how to reference prefix lists, see [Managing network access](https://docs.aws.amazon.com/grafana/latest/userguide/AMG-configure-nac.html) in the *Amazon Managed Grafana User Guide*.

## AWS Outposts rack local gateways


Each AWS Outposts rack provides a local gateway that connects your Outpost resources with your on-premises networks. You can group the CIDRs that you use frequently in a prefix list and reference that list in a route in your local gateway route table. For more information, see [Manage local gateway route table routes](https://docs.aws.amazon.com/outposts/latest/userguide/routing.html#manage-lgw-routes) in the *AWS Outposts User Guide for racks*.