


# IP sets and regex pattern sets in AWS WAF
<a name="waf-referenced-set-managing"></a>

This section introduces the topics of IP sets and regex pattern sets.

AWS WAF stores some more complex information in sets that you use by referencing them in your rules. Each of these sets has a name and is assigned an Amazon Resource Name (ARN) at creation. You can manage these sets from inside your rule statements and you can access and manage them on their own, through the console navigation pane. 

You can use a managed set in a rule group or protection pack (web ACL).
+ To use an IP set, see [IP set match rule statement](waf-rule-statement-type-ipset-match.md). 
+ To use a regex pattern set, see [Regex pattern set match rule statement](waf-rule-statement-type-regex-pattern-set-match.md). 

**Temporary inconsistencies during updates**  
When you create or change a protection pack (web ACL) or other AWS WAF resources, the changes take a small amount of time to propagate to all areas where the resources are stored. The propagation time can be from a few seconds to a number of minutes. 

The following are examples of the temporary inconsistencies that you might notice during change propagation: 
+ After you create a protection pack (web ACL), if you try to associate it with a resource, you might get an exception indicating that the protection pack (web ACL) is unavailable. 
+ After you add a rule group to a protection pack (web ACL), the new rule group rules might be in effect in one area where the protection pack (web ACL) is used and not in another.
+ After you change a rule action setting, you might see the old action in some places and the new action in others. 
+ After you add an IP address to an IP set that is in use in a blocking rule, the new address might be blocked in one area while still allowed in another.

**Topics**
+ [Creating and managing an IP set in AWS WAF](waf-ip-set-managing.md)
+ [Creating and managing a regex pattern set in AWS WAF](waf-regex-pattern-set-managing.md)

# Creating and managing an IP set in AWS WAF
<a name="waf-ip-set-managing"></a>

An IP set provides a collection of IP addresses and IP address ranges that you want to use together in a rule statement. IP sets are AWS resources. 

To use an IP set in a protection pack (web ACL) or rule group, you first create an AWS resource, `IPSet`, with your address specifications. Then you reference the set when you add an IP set rule statement to a protection pack (web ACL) or rule group. 

## Creating an IP set
<a name="waf-ip-set-creating"></a>

Follow the procedure in this section to create a new IP set.

**Note**  
In addition to the procedure in this section, you have the option to add a new IP set when you add an IP match rule to your protection pack (web ACL) or rule group. Choosing that option requires you to provide the same settings as those required by this procedure. 

**To create an IP set**

1. Sign in to the AWS Management Console and open the AWS WAF console at [https://console.aws.amazon.com/wafv2/homev2](https://console.aws.amazon.com/wafv2/homev2). 

1. In the navigation pane, choose **IP sets** and then **Create IP set**. 

1. Enter a name and description for the IP set. You'll use these to identify the set when you want to use it. 

   **Note**  
   You can't change the name after you create the IP set.

1. For **Region**, choose Global (CloudFront) or choose the Region where you want to store the IP set. You can use regional IP sets only in protection packs (web ACLs) that protect regional resources. To use an IP set in protection packs (web ACLs) that protect Amazon CloudFront distributions, you must use Global (CloudFront). 

1. For **IP version**, select the version you want to use.

1. In the **IP addresses** text box, enter one IP address or IP address range per line, in CIDR notation. AWS WAF supports all IPv4 and IPv6 CIDR ranges except for `/0`. For more information about CIDR notation, see the Wikipedia article [Classless Inter-Domain Routing](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing).

   Here are some examples:
   + To specify the IPv4 address 192.0.2.44, type **192.0.2.44/32**.
   + To specify the IPv6 address 2620:0:2d0:200:0:0:0:0, type **2620:0:2d0:200:0:0:0:0/128**.
   + To specify the range of IPv4 addresses from 192.0.2.0 to 192.0.2.255, type **192.0.2.0/24**.
   + To specify the range of IPv6 addresses from 2620:0:2d0:200:0:0:0:0 to 2620:0:2d0:200:ffff:ffff:ffff:ffff, enter **2620:0:2d0:200::/64**.

1. Review the settings for the IP set, and choose **Create IP set**.
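The following added example (not part of the AWS documentation or tooling) checks a block of IP set entries against the rules in the procedure above before you paste them into the console: one entry per line, CIDR notation, no `/0`, and a single IP version. The function name, the `"IPV4"`/`"IPV6"` labels, and the choice to normalize entries to their network address and drop duplicates are assumptions of this sketch.

```python
import ipaddress

def validate_ip_set_lines(text, ip_version):
    """Return (addresses, errors) for IP set text with one CIDR entry per line.

    ip_version is "IPV4" or "IPV6" (assumed labels for the IP version choice).
    errors is a list of (line_number, entry, reason) tuples.
    """
    want = {"IPV4": 4, "IPV6": 6}[ip_version]
    addresses, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        entry = raw.strip()
        if not entry:
            continue  # ignore blank lines
        if "/" not in entry:
            errors.append((lineno, entry, "missing prefix; use /32 or /128 for one address"))
            continue
        try:
            # strict=False accepts host bits and normalizes to the network address
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError as exc:
            errors.append((lineno, entry, f"not valid CIDR notation: {exc}"))
            continue
        if net.version != want:
            errors.append((lineno, entry, f"IPv{net.version} entry in an {ip_version} set"))
        elif net.prefixlen == 0:
            errors.append((lineno, entry, "/0 ranges are not supported"))
        elif str(net) not in addresses:
            addresses.append(str(net))  # de-duplicate after normalization
    return addresses, errors

# Constructed sample input (documentation address ranges only).
SAMPLE = """192.0.2.44/32
192.0.2.0/24
192.0.2.77/24
198.51.100.7
0.0.0.0/0
2620:0:2d0:200::/64
not-an-ip/24
"""

if __name__ == "__main__":
    ok, bad = validate_ip_set_lines(SAMPLE, "IPV4")
    print("accepted:", ok)
    for lineno, entry, reason in bad:
        print(f"line {lineno}: {entry!r}: {reason}")
```
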

## Deleting an IP set
<a name="waf-ip-set-deleting"></a>

Follow the guidance in this section to delete a referenced set.

**Deleting referenced sets and rule groups**  
When you delete an entity that you can use in a protection pack (web ACL), like an IP set, regex pattern set, or rule group, AWS WAF checks to see if the entity is currently being used in a protection pack (web ACL). If it finds that it is in use, AWS WAF warns you. AWS WAF is almost always able to determine if an entity is being referenced by a protection pack (web ACL). However, in rare cases it might not be able to do so. If you need to be sure that nothing is currently using the entity, check for it in your protection packs (web ACLs) before deleting it. If the entity is a referenced set, also check that no rule groups are using it.

**To delete an IP set**

1. Sign in to the AWS Management Console and open the AWS WAF console at [https://console.aws.amazon.com/wafv2/homev2](https://console.aws.amazon.com/wafv2/homev2). 

1. In the navigation pane, choose **IP sets**.

1. Select the IP set that you want to delete and choose **Delete**.

# Creating and managing a regex pattern set in AWS WAF
<a name="waf-regex-pattern-set-managing"></a>

A regex pattern set provides a collection of regular expressions that you want to use together in a rule statement. Regex pattern sets are AWS resources. 

To use a regex pattern set in a protection pack (web ACL) or rule group, you first create an AWS resource, `RegexPatternSet`, with your regex pattern specifications. Then you reference the set when you add a regex pattern set rule statement to a protection pack (web ACL) or rule group. A regex pattern set must contain at least one regex pattern. 

If your regex pattern set contains more than one regex pattern, when it's used in a rule, the pattern matching is combined with `OR` logic. That is, a web request will match the pattern set rule statement if the request component matches any of the patterns in the set.

AWS WAF supports the pattern syntax used by the PCRE library `libpcre` with some exceptions. The library is documented at [PCRE - Perl Compatible Regular Expressions](http://www.pcre.org/). For information about AWS WAF support, see [Supported regular expression syntax in AWS WAF](waf-regex-pattern-support.md).

## Creating a regex pattern set
<a name="waf-regex-pattern-set-creating"></a>

Follow the procedure in this section to create a new regex pattern set.

**To create a regex pattern set**

1. Sign in to the AWS Management Console and open the AWS WAF console at [https://console.aws.amazon.com/wafv2/homev2](https://console.aws.amazon.com/wafv2/homev2). 

1. In the navigation pane, choose **Regex pattern sets** and then **Create regex pattern set**. 

1. Enter a name and description for the regex pattern set. You'll use these to identify it when you want to use the set. 

   **Note**  
   You can't change the name after you create the regex pattern set.

1. For **Region**, choose Global (CloudFront) or choose the Region where you want to store the regex pattern set. You can use regional regex pattern sets only in protection packs (web ACLs) that protect regional resources. To use a regex pattern set in protection packs (web ACLs) that protect Amazon CloudFront distributions, you must use Global (CloudFront). 

1. In the **Regular expressions** text box, enter one regex pattern per line. 

   For example, the regular expression `I[a@]mAB[a@]dRequest` matches the following strings: `IamABadRequest`, `IamAB@dRequest`, `I@mABadRequest`, and `I@mAB@dRequest`.

   AWS WAF supports the pattern syntax used by the PCRE library `libpcre` with some exceptions. The library is documented at [PCRE - Perl Compatible Regular Expressions](http://www.pcre.org/). For information about AWS WAF support, see [Supported regular expression syntax in AWS WAF](waf-regex-pattern-support.md).

1. Review the settings for the regex pattern set, and choose **Create regex pattern set**.

## Deleting a regex pattern set
<a name="waf-regex-pattern-set-deleting"></a>

Follow the guidance in this section to delete a referenced set.

**Deleting referenced sets and rule groups**  
When you delete an entity that you can use in a protection pack (web ACL), like an IP set, regex pattern set, or rule group, AWS WAF checks to see if the entity is currently being used in a protection pack (web ACL). If it finds that it is in use, AWS WAF warns you. AWS WAF is almost always able to determine if an entity is being referenced by a protection pack (web ACL). However, in rare cases it might not be able to do so. If you need to be sure that nothing is currently using the entity, check for it in your protection packs (web ACLs) before deleting it. If the entity is a referenced set, also check that no rule groups are using it.

**To delete a regex pattern set**

1. Sign in to the AWS Management Console and open the AWS WAF console at [https://console.aws.amazon.com/wafv2/homev2](https://console.aws.amazon.com/wafv2/homev2). 

1. In the navigation pane, choose **Regex pattern sets**.

1. Select the regex pattern set that you want to delete and choose **Delete**.
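The manual check recommended under "Deleting referenced sets and rule groups", for both IP sets and regex pattern sets, can be scripted. The following is an added example, not AWS code: it assumes you have already exported your web ACL and rule group definitions as JSON (for example from the `GetWebACL` and `GetRuleGroup` API operations) and walks every nested statement for a reference to the set's ARN. The function names, ARNs, and rule JSON are constructed for illustration, and the sample statements omit fields not needed for the search.

```python
REFERENCE_KEYS = ("IPSetReferenceStatement", "RegexPatternSetReferenceStatement")

def find_set_references(node, set_arn, path=""):
    """Yield the JSON path of every statement under node that references set_arn."""
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}" if path else key
            if key in REFERENCE_KEYS and isinstance(value, dict) \
                    and value.get("ARN") == set_arn:
                yield here
            else:
                # Descend into nested statements (And/Or/Not, scope-down, ...)
                yield from find_set_references(value, set_arn, here)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from find_set_references(item, set_arn, f"{path}[{i}]")

def users_of_set(resources, set_arn):
    """Map resource name -> reference paths, for resources that use set_arn."""
    found = {}
    for res in resources:
        paths = list(find_set_references(res.get("Rules", []), set_arn, "Rules"))
        if paths:
            found[res["Name"]] = paths
    return found

# Constructed sample ARNs and definitions (placeholder account and IDs).
IP_ARN = "arn:aws:wafv2:us-east-1:111122223333:regional/ipset/example-blocklist/EXAMPLE-ID-1"
RX_ARN = ("arn:aws:wafv2:us-east-1:111122223333:regional/regexpatternset/"
          "example-patterns/EXAMPLE-ID-2")
SAMPLE = [
    {"Name": "example-web-acl", "Rules": [
        {"Name": "not-in-ip-set", "Statement": {"NotStatement": {"Statement": {
            "IPSetReferenceStatement": {"ARN": IP_ARN}}}}},
    ]},
    {"Name": "example-rule-group", "Rules": [
        {"Name": "pattern-and-ip", "Statement": {"AndStatement": {"Statements": [
            {"RegexPatternSetReferenceStatement": {"ARN": RX_ARN}},
            {"IPSetReferenceStatement": {"ARN": IP_ARN}},
        ]}}},
    ]},
    {"Name": "unrelated-web-acl", "Rules": []},
]

if __name__ == "__main__":
    for name, paths in users_of_set(SAMPLE, IP_ARN).items():
        print(name, "->", paths)
```

An empty result for a set's ARN across all exported web ACLs and rule groups means that no exported definition references the set.
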