Reference prefix lists in your Amazon resources - Amazon Virtual Private Cloud
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Reference prefix lists in your Amazon resources

You can reference a prefix list in the following Amazon resources.

VPC security groups

You can specify a prefix list as the source for an inbound rule or as the destination for an outbound rule. A rule that references a prefix list counts against the security group rules quota as the prefix list's maximum number of entries, not the number of entries it currently contains, so size the maximum accordingly. For more information about security groups, see Control traffic to resources using security groups.

To reference a prefix list in a security group rule using the console

  1. Open the Amazon VPC console at https://console.amazonaws.cn/vpc/.

  2. In the navigation pane, choose Security Groups.

  3. Select the security group to update.

  4. Choose Actions, Edit inbound rules or Actions, Edit outbound rules.

  5. Choose Add rule. For Type, select the traffic type. For Source (inbound rules) or Destination (outbound rules), choose the ID of the prefix list.

  6. Choose Save rules.

To reference a prefix list in a security group rule using the Amazon CLI

Use the authorize-security-group-ingress (inbound) and authorize-security-group-egress (outbound) commands. In the --ip-permissions parameter, specify the ID of the prefix list in PrefixListIds rather than a CIDR in IpRanges.
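The following script is an added example and is not part of the Amazon VPC documentation. It builds the --ip-permissions value for a rule whose source is a managed prefix list, rejects IDs that are not prefix list IDs, applies the rule with a --dry-run check first, and then confirms the rule with describe-security-group-rules. The security group and prefix list IDs are constructed placeholders, and the script assumes the Amazon CLI is configured for the target Region; the calls that touch the account only run when APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not from the Amazon VPC documentation. Builds the --ip-permissions
# value that points a security group rule at a managed prefix list, applies it
# with the CLI, and confirms the rule exists. All IDs are constructed placeholders.
set -eu

# Accept only a well-formed managed prefix list ID, so a CIDR or an sg- ID
# pasted by mistake fails here rather than producing a rule you did not intend.
require_prefix_list_id() {
  printf '%s' "$1" | grep -Eq '^pl-[0-9a-f]{8,17}$' || {
    echo "not a managed prefix list ID: $1" >&2
    return 1
  }
}

# Print the JSON for --ip-permissions. The prefix list belongs under
# PrefixListIds, not IpRanges; that is what makes the rule track the list's
# entries instead of freezing a CIDR into the group.
# usage: sg_prefix_list_permission PROTOCOL FROM_PORT TO_PORT PREFIX_LIST_ID DESCRIPTION
sg_prefix_list_permission() {
  require_prefix_list_id "$4" || return 1
  printf '[{"IpProtocol":"%s","FromPort":%s,"ToPort":%s,"PrefixListIds":[{"PrefixListId":"%s","Description":"%s"}]}]' \
    "$1" "$2" "$3" "$4" "$5"
}

# Add an inbound rule (use authorize-security-group-egress for outbound).
# A --dry-run call first: a DryRunOperation error means the request is valid
# and permitted; any other error means stop before touching the group.
authorize_ingress_from_prefix_list() {
  sg_id=$1; perm=$2
  if ! aws ec2 authorize-security-group-ingress --group-id "$sg_id" \
        --ip-permissions "$perm" --dry-run 2>&1 | grep -q DryRunOperation; then
    echo "dry run failed; not applying rule to $sg_id" >&2
    return 1
  fi
  aws ec2 authorize-security-group-ingress --group-id "$sg_id" --ip-permissions "$perm"
}

# List the rules in a group that reference a given prefix list. An empty table
# means the rule was not created, or was created against a CIDR instead.
rules_referencing_prefix_list() {
  aws ec2 describe-security-group-rules \
    --filters "Name=group-id,Values=$1" \
    --query "SecurityGroupRules[?PrefixListId=='$2'].[SecurityGroupRuleId,IsEgress,IpProtocol,FromPort,ToPort]" \
    --output table
}

SG_ID=sg-0123456789abcdef0   # constructed placeholder
PL_ID=pl-0123456789abcdef0   # constructed placeholder
PERM=$(sg_prefix_list_permission tcp 443 443 "$PL_ID" "HTTPS from corporate ranges")
echo "$PERM"
# Set APPLY=1 (with credentials for the target Region) to run against the account.
if [ "${APPLY:-0}" = 1 ]; then
  authorize_ingress_from_prefix_list "$SG_ID" "$PERM"
  rules_referencing_prefix_list "$SG_ID" "$PL_ID"
fi
```

The verification query is worth keeping around after the change: a rule that was accidentally created from a CIDR shows up under CidrIpv4 instead of PrefixListId, and it will not follow later edits to the prefix list.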

Subnet route tables

You can specify a prefix list as the destination for a route table entry. You cannot reference a prefix list in a gateway route table. For more information about route tables, see Configure route tables.

To reference a prefix list in a route table using the console

  1. Open the Amazon VPC console at https://console.amazonaws.cn/vpc/.

  2. In the navigation pane, choose Route Tables, and select the route table.

  3. Choose Actions, Edit routes.

  4. To add a route, choose Add route.

  5. For Destination, enter the ID of a prefix list.

  6. For Target, choose a target.

  7. Choose Save changes.

To reference a prefix list in a route table using the Amazon CLI

Use the create-route command with the --destination-prefix-list-id parameter, in place of --destination-cidr-block, to specify the ID of a prefix list. The replace-route and delete-route commands accept the same parameter to identify an existing prefix list route.
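The following script is an added example and is not part of the Amazon VPC documentation. It validates the prefix list ID and the target parameter, prints the create-route command for review, and then lists the routes in the table whose destination is a prefix list so the result can be checked. The route table, prefix list and transit gateway IDs are constructed placeholders; the script assumes the Amazon CLI is configured for the target Region and only calls the account when APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not from the Amazon VPC documentation. Creates a route whose
# destination is a managed prefix list and then lists the prefix list routes in
# the table to confirm it. All IDs are constructed placeholders.
set -eu

# Accept only a well-formed managed prefix list ID.
require_prefix_list_id() {
  printf '%s' "$1" | grep -Eq '^pl-[0-9a-f]{8,17}$' || {
    echo "not a managed prefix list ID: $1" >&2
    return 1
  }
}

# create-route takes exactly one destination parameter (--destination-cidr-block,
# --destination-ipv6-cidr-block or --destination-prefix-list-id) and exactly one
# target parameter. This checks the inputs and prints the command for review;
# the target parameter names below are the ones create-route accepts.
# usage: route_to_prefix_list ROUTE_TABLE_ID PREFIX_LIST_ID TARGET_PARAM TARGET_ID
route_to_prefix_list() {
  rtb=$1; pl=$2; target_param=$3; target=$4
  require_prefix_list_id "$pl" || return 1
  case $target_param in
    --gateway-id|--nat-gateway-id|--transit-gateway-id|--vpc-peering-connection-id|\
    --network-interface-id|--instance-id|--egress-only-internet-gateway-id|\
    --vpc-endpoint-id|--local-gateway-id|--carrier-gateway-id) ;;
    *) echo "not a create-route target parameter: $target_param" >&2; return 1 ;;
  esac
  printf 'aws ec2 create-route --route-table-id %s --destination-prefix-list-id %s %s %s\n' \
    "$rtb" "$pl" "$target_param" "$target"
}

# Show only the routes whose destination is a prefix list. Such a route appears
# in describe-route-tables with DestinationPrefixListId set instead of
# DestinationCidrBlock.
prefix_list_routes() {
  aws ec2 describe-route-tables --route-table-ids "$1" \
    --query 'RouteTables[0].Routes[?DestinationPrefixListId!=`null`].[DestinationPrefixListId,State,GatewayId,NatGatewayId,TransitGatewayId]' \
    --output table
}

RTB_ID=rtb-0123456789abcdef0   # constructed placeholder (a subnet route table, not a gateway route table)
PL_ID=pl-0123456789abcdef0     # constructed placeholder
TGW_ID=tgw-0123456789abcdef0   # constructed placeholder
CMD=$(route_to_prefix_list "$RTB_ID" "$PL_ID" --transit-gateway-id "$TGW_ID")
echo "$CMD"
# Set APPLY=1 (with credentials for the target Region) to run against the account.
if [ "${APPLY:-0}" = 1 ]; then
  aws ec2 create-route --route-table-id "$RTB_ID" --destination-prefix-list-id "$PL_ID" --transit-gateway-id "$TGW_ID"
  prefix_list_routes "$RTB_ID"
fi
```

A prefix list route with State set to blackhole in the listing means the target no longer exists; the prefix list destination itself is still valid, so fix the target rather than the list.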

Transit gateway route tables

You can specify a prefix list as the destination for a route. For more information, see Prefix list references in Amazon VPC Transit Gateways.

Amazon Network Firewall rule groups

An Amazon Network Firewall rule group is a reusable set of criteria for inspecting and handling network traffic. If you create Suricata-compatible stateful rule groups in Amazon Network Firewall, you can reference a prefix list from the rule group. For more information, see Referencing Amazon VPC prefix lists and Creating a stateful rule group in the Amazon Network Firewall Developer Guide.
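The following script is an added example and is not part of the Network Firewall documentation. It assembles the rule group body for a Suricata-compatible stateful rule group that references a managed prefix list through the rule group's IP set references (the ReferenceSets and IPSetReferences fields of the create-rule-group input, with the IP set addressed in the rules as @NAME), and passes that body to create-rule-group. The prefix list ARN (in the aws-cn partition, as used in the China Regions), the IP set name CORP, the rule group name and the Suricata rules are all constructed for the example; the script assumes the Amazon CLI is configured for the target Region and only creates the rule group when APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not from the Network Firewall documentation. Builds the rule
# group body for a Suricata-compatible stateful rule group that references a
# managed prefix list as an IP set. The ARN, names and rules are constructed.
set -eu

# The reference must be a managed prefix list ARN (aws-cn partition in the China Regions).
require_prefix_list_arn() {
  printf '%s' "$1" | grep -Eq '^arn:aws(-cn|-us-gov)?:ec2:[a-z0-9-]+:[0-9]{12}:prefix-list/pl-[0-9a-f]{8,17}$' || {
    echo "not a managed prefix list ARN: $1" >&2
    return 1
  }
}

# Suricata rules that use the IP set. Rules address the set by its reference
# name with an @ prefix; $HOME_NET is the firewall's home-network variable.
# The \" and \n sequences are JSON escapes, kept literal by the single quotes.
# usage: suricata_rules_for_ipset IPSET_NAME
suricata_rules_for_ipset() {
  printf 'pass tcp @%s any -> $HOME_NET 443 (msg:\\"https from %s prefix list\\"; sid:1000001; rev:1;)\\ndrop tcp any any -> $HOME_NET 443 (msg:\\"https from elsewhere\\"; sid:1000002; rev:1;)' \
    "$1" "$1"
}

# The --rule-group body: ReferenceSets.IPSetReferences binds the name to the
# prefix list ARN, RulesSource.RulesString carries the rules as one string.
# usage: nf_rule_group_with_prefix_list IPSET_NAME PREFIX_LIST_ARN
nf_rule_group_with_prefix_list() {
  require_prefix_list_arn "$2" || return 1
  rules=$(suricata_rules_for_ipset "$1")
  printf '{"ReferenceSets":{"IPSetReferences":{"%s":{"ReferenceArn":"%s"}}},"RulesSource":{"RulesString":"%s"}}' \
    "$1" "$2" "$rules"
}

PL_ARN=arn:aws-cn:ec2:cn-north-1:123456789012:prefix-list/pl-0123456789abcdef0   # constructed placeholder
RULE_GROUP=$(nf_rule_group_with_prefix_list CORP "$PL_ARN")
echo "$RULE_GROUP"
# Set APPLY=1 (with credentials for the target Region) to create the rule group.
if [ "${APPLY:-0}" = 1 ]; then
  aws network-firewall create-rule-group --rule-group-name corp-https \
    --type STATEFUL --capacity 100 --rule-group "$RULE_GROUP"
fi
```

Because the rules refer to the prefix list by name rather than by its current entries, changes to the prefix list take effect in the firewall without editing or republishing the rule group; that is the point of referencing the list instead of pasting its CIDRs into the rules.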