What are AWS-managed Prefix Lists and How do you Use Them?

AWS (Amazon Web Services) recently announced the availability of AWS-managed Prefix Lists for Amazon CloudFront. As a result, AWS customers can now restrict inbound HTTP/HTTPS traffic to AWS VPCs from IP addresses belonging to CloudFront servers.

In this blog post, we'll learn what managed prefix lists are, how they can help protect your AWS infrastructure, and how they work with CloudFront, Application Load Balancers, and Auto-Scaling groups of Amazon EC2 instances.

If you want to know more, or would rather watch how the CloudFront-managed prefix list is attached to a VPC security group, watch the video below.

What is an AWS-managed Prefix List?

AWS-managed prefix lists are created and maintained by AWS and are available to anyone with an AWS account. A prefix list is a collection of one or more IP CIDR blocks used to simplify the configuration and management of security groups and routing tables.

There are customer-managed prefix lists and AWS-managed prefix lists. This blog post focuses on AWS-managed prefix lists for Amazon CloudFront.

You can find them in the AWS Management Console, under VPC, Managed prefix lists.

AWS-managed lists contain the current IP address ranges of AWS services; you can reference them in security groups or route tables to control which services, and who, can reach your VPC.

The following AWS-managed prefix lists are available:

  • Amazon S3: com.amazonaws.region.s3
  • Amazon DynamoDB: com.amazonaws.region.dynamodb
  • Amazon CloudFront: com.amazonaws.global.cloudfront.origin-facing

AWS managed prefix list with Amazon CloudFront IPs

You can use the AWS-managed prefix list for Amazon CloudFront. AWS keeps the managed prefix list up to date with the IP addresses of CloudFront's edge servers, so you no longer have to maintain a prefix list yourself using a solution such as Automatically update your security groups by using AWS Lambda.

Until recently, when using a load balancer or similar endpoint as the origin for a CloudFront distribution, you had to allow inbound HTTP/HTTPS traffic from anywhere (0.0.0.0/0). Your ALBs and the EC2 instances behind them were therefore reachable by anybody, bypassing CloudFront, and this could be abused in a DDoS attack.

Now you can reference the AWS-managed prefix list for CloudFront in the inbound rules of your VPC security group, so that only CloudFront IP addresses can reach your EC2 instances. Your infrastructure is then reachable only through a CloudFront distribution.

However, keep in mind that anyone can create a CloudFront distribution, so this does not guarantee that every request arriving at your load balancer originates from your own distribution.

How do you use the CloudFront-managed prefix list?

The managed prefix list is available for use via the AWS Console and the AWS SDK. The prefix list can be referenced in your CloudFormation templates in the available regions. There is no additional fee for using the CloudFront-managed prefix lists.

The CloudFront-managed prefix list is unusual in the weight it carries against Amazon VPC quotas:

  • It counts as 55 rules in a security group. The default quota is 60 inbound rules per security group, which leaves room for five additional rules; you can request a quota increase if you need more.
  • It counts as 55 routes in a route table. The default quota is 50 routes per route table, so you must request a quota increase before you can add it.

For example, you can create a security group rule that allows inbound HTTPS access only from the CloudFront-managed prefix list. If you then remove all other inbound rules from the security group, no non-CloudFront traffic can reach the instance.
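The quota arithmetic from the list above and the HTTPS-only rule just described, as an added example that is not code from this post or from AWS: it looks up the region's CloudFront origin-facing prefix list by name, builds an inbound rule for port 443 that references only that list, checks the 55-rule weight against the default quota before applying it, and flags any remaining 0.0.0.0/0 or ::/0 HTTP/HTTPS rules so they can be revoked. The boto3 calls in `main()` are the real EC2 API operations; `pl-0000000000example` and the `BEFORE`/`AFTER` rule sets are constructed placeholders, and `group_rule_weight` assumes any other prefix lists in the group are passed in with their own weights.

```python
"""Added example, not code from the post or from AWS: attach the CloudFront
origin-facing prefix list to a security group the way the post describes,
with the quota arithmetic and an audit for leftover 0.0.0.0/0 web rules.
The pure functions run offline on the constructed sample below; main()
needs boto3 and AWS credentials."""
from __future__ import annotations

CLOUDFRONT_PL_NAME = "com.amazonaws.global.cloudfront.origin-facing"  # named in the post
CLOUDFRONT_PL_WEIGHT = 55      # weight the post gives for security-group rules
SG_DEFAULT_RULE_QUOTA = 60     # default inbound rules per security group (post)
WEB_PORTS = (80, 443)


def cloudfront_ingress_permission(prefix_list_id: str, port: int = 443) -> dict:
    """IpPermissions entry that admits the port only from the prefix list:
    no IpRanges at all, so nothing outside CloudFront's edges matches."""
    return {
        "IpProtocol": "tcp", "FromPort": port, "ToPort": port,
        "PrefixListIds": [{"PrefixListId": prefix_list_id,
                           "Description": "CloudFront origin-facing edges"}],
    }


def group_rule_weight(permissions: list[dict], pl_weights: dict[str, int]) -> int:
    """Count a group's inbound rules the way the quota does: one per CIDR or
    referenced group, and a prefix list weighs its maximum entries (55 for
    the CloudFront list); other lists must be supplied in pl_weights."""
    total = 0
    for p in permissions:
        total += len(p.get("IpRanges", [])) + len(p.get("Ipv6Ranges", []))
        total += len(p.get("UserIdGroupPairs", []))
        for pl in p.get("PrefixListIds", []):
            if pl["PrefixListId"] not in pl_weights:
                raise ValueError(f"weight unknown for {pl['PrefixListId']}")
            total += pl_weights[pl["PrefixListId"]]
    return total


def fits_quota(permissions, pl_weights, quota: int = SG_DEFAULT_RULE_QUOTA) -> bool:
    return group_rule_weight(permissions, pl_weights) <= quota


def _covers_port(p: dict, port: int) -> bool:
    proto = p.get("IpProtocol")
    if proto == "-1":                       # "all traffic" rule
        return True
    return proto == "tcp" and p.get("FromPort", 0) <= port <= p.get("ToPort", 65535)


def open_web_rules(permissions: list[dict]) -> list[str]:
    """Findings for rules that still admit HTTP/HTTPS from any address,
    i.e. the pre-prefix-list state the post warns about."""
    findings = []
    for p in permissions:
        wide = [r["CidrIp"] for r in p.get("IpRanges", []) if r.get("CidrIp") == "0.0.0.0/0"]
        wide += [r["CidrIpv6"] for r in p.get("Ipv6Ranges", []) if r.get("CidrIpv6") == "::/0"]
        for port in WEB_PORTS:
            if wide and _covers_port(p, port):
                findings.append(f"port {port} open to {', '.join(wide)}")
    return findings


# Constructed sample: the "allow from anywhere" group before the change ...
SAMPLE_PL_ID = "pl-0000000000example"   # placeholder; real IDs differ per region
BEFORE = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]
# ... and the single CloudFront-only rule the post recommends afterwards.
AFTER = [cloudfront_ingress_permission(SAMPLE_PL_ID)]


def main(group_id: str, region: str) -> None:
    """Live version: look the list up by name in the region, check the quota,
    add the rule, then revoke the wide-open web rules the audit flags."""
    import boto3  # real dependency, imported here so the offline part has none
    ec2 = boto3.client("ec2", region_name=region)
    lists = ec2.describe_managed_prefix_lists(
        Filters=[{"Name": "prefix-list-name", "Values": [CLOUDFRONT_PL_NAME]}])
    pl_id = lists["PrefixLists"][0]["PrefixListId"]
    rules = ec2.describe_security_groups(GroupIds=[group_id])["SecurityGroups"][0]["IpPermissions"]
    new_rule = cloudfront_ingress_permission(pl_id)
    if not fits_quota(rules + [new_rule], {pl_id: CLOUDFRONT_PL_WEIGHT}):
        raise SystemExit("rule weight would exceed the quota; request an increase first")
    ec2.authorize_security_group_ingress(GroupId=group_id, IpPermissions=[new_rule])
    wide_open = [p for p in rules if open_web_rules([p])]
    if wide_open:
        ec2.revoke_security_group_ingress(GroupId=group_id, IpPermissions=wide_open)
```

Call `main("sg-…", "<region>")` with credentials allowed to modify the group; the quota check is run against the old rules plus the new one, which is the conservative reading of "55 of 60". The new rule is authorised before the wide-open rules are revoked so there is no moment at which nothing is allowed. As the post notes, matching on the prefix list only proves the traffic came through some CloudFront edge, not through your distribution; the usual complement is a secret custom origin header set on the distribution and checked by the load balancer listener.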

If you need the ID of the CloudFront-managed prefix list, note that it is region-specific: open the VPC console, switch to the desired region and look it up under Managed prefix lists.

Conclusion

An AWS-managed prefix list, especially the one for CloudFront, simplifies securing your infrastructure. We believe this feature is useful for many current AWS customers, and our certified AWS Solutions Architects can help you set it up.
