What are AWS VPC Managed Prefix Lists

Manmohan Singh Bohara
3 min readMay 24, 2023
Photo by Markus Spiske on Unsplash

Do you remember, when you want to restrict access to your services/resources to certain IPs (Most of these IPs could be from your office network IPs, datacenter IPs, your overseas office IPs etc), You head to security group and realise that you have to add those IPs one by one and every-time you create another security group, you have to do the same tasks again and again.

Here comes the managed prefix lists to rescue. You can create a prefix list and add all your IPs and then use the prefix list in your security groups or route tables. Now when you want to update your IPs, you just need to update the prefix list.

Note: As it is with every security group rule or route table entry, you should consciously add IPs to the prefix lists. Any IP in the prefix list will have access to associated resources.

Now let’s discuss prefix lists in more detail and see how to create and use them. AWS supports two types of managed prefix lists.

1. AWS managed prefix lists

AWS supports prefix lists for CloudFront, DyanamoDB/S3 Gateway endpoints, Ground Station and VPC Lattice.

E.g. you can add CloudFront prefix list in a security group attached to your Application Load Balancer. This will allow only CloudFront to access your endpoints using Application Load Balancer and you don’t need to maintain IP range for CloudFront services.

AWS managed prefix lists are fully managed by AWS. You can not create, delete or modify these lists.

2. Customer managed prefix lists

You can create your own managed prefix list and add your IPs as shown below.

Once you have created customer managed prefix list, you can add that list in your security group as shown below and you are done.