AWS::WAF::IPSet
The AWS::WAF::IPSet resource creates an AWS WAF IPSet that specifies which web requests to permit or block based on the IP addresses from which the requests originate. For more information, see CreateIPSet in the AWS WAF API Reference.
Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
JSON
{
  "Type" : "AWS::WAF::IPSet",
  "Properties" : {
    "IPSetDescriptors" : [ IPSet descriptor, ... ],
    "Name" : String
  }
}
YAML
Type: "AWS::WAF::IPSet"
Properties:
  IPSetDescriptors:
    - IPSet descriptor
  Name: String
Properties
IPSetDescriptors
The IP address type and IP address range (in CIDR notation) from which web requests originate. If you associate the IPSet with a web ACL that is associated with an Amazon CloudFront (CloudFront) distribution and the viewer did not use an HTTP proxy or a load balancer to send the request, this descriptor is the value of the c-ip field in the CloudFront access logs. Requests that do arrive through a proxy or load balancer are matched on that intermediary's source address, not on the original client's.
Required: No
Type: List of AWS WAF IPSet IPSetDescriptors
Update requires: No interruption
Name
A friendly name or description of the IPSet.
Required: Yes
Type: String
Update requires: Replacement
Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource physical ID, such as 1234a1a-a1b1-12a1-abcd-a123b123456.
For more information about using the Ref function, see Ref.
Examples
Define IP Addresses
The following example defines a set of IP addresses for a web access control list (ACL) rule.
JSON
"MyIPSetBlacklist": {
  "Type": "AWS::WAF::IPSet",
  "Properties": {
    "Name": "IPSet for blacklisted IP addresses",
    "IPSetDescriptors": [
      { "Type" : "IPV4", "Value" : "192.0.2.44/32" },
      { "Type" : "IPV4", "Value" : "192.0.7.0/24" }
    ]
  }
}
YAML
MyIPSetBlacklist:
  Type: "AWS::WAF::IPSet"
  Properties:
    Name: "IPSet for blacklisted IP addresses"
    IPSetDescriptors:
      - Type: "IPV4"
        Value: "192.0.2.44/32"
      - Type: "IPV4"
        Value: "192.0.7.0/24"
Associate an IPSet with a Web ACL Rule
The following example associates the MyIPSetBlacklist IP set with a web ACL rule. With Negated set to false, the IPMatch predicate matches requests whose source address is in the set.
JSON
"MyIPSetRule" : {
  "Type": "AWS::WAF::Rule",
  "Properties": {
    "Name": "MyIPSetRule",
    "MetricName" : "MyIPSetRule",
    "Predicates": [
      {
        "DataId" : { "Ref" : "MyIPSetBlacklist" },
        "Negated" : false,
        "Type" : "IPMatch"
      }
    ]
  }
}
YAML
MyIPSetRule:
  Type: "AWS::WAF::Rule"
  Properties:
    Name: "MyIPSetRule"
    MetricName: "MyIPSetRule"
    Predicates:
      - DataId:
          Ref: "MyIPSetBlacklist"
        Negated: false
        Type: "IPMatch"
Create a Web ACL
The following example associates the MyIPSetRule rule with a web ACL. The web ACL's default action allows requests from all IP addresses; the rule, with a BLOCK action, blocks requests whose source address is in the IP set that MyIPSetRule references.
JSON
"MyWebACL": {
  "Type": "AWS::WAF::WebACL",
  "Properties": {
    "Name": "WebACL to block blacklisted IP addresses",
    "DefaultAction": { "Type": "ALLOW" },
    "MetricName" : "MyWebACL",
    "Rules": [
      {
        "Action" : { "Type" : "BLOCK" },
        "Priority" : 1,
        "RuleId" : { "Ref" : "MyIPSetRule" }
      }
    ]
  }
}
YAML
MyWebACL:
  Type: "AWS::WAF::WebACL"
  Properties:
    Name: "WebACL to block blacklisted IP addresses"
    DefaultAction:
      Type: "ALLOW"
    MetricName: "MyWebACL"
    Rules:
      - Action:
          Type: "BLOCK"
        Priority: 1
        RuleId:
          Ref: "MyIPSetRule"
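The IPSetDescriptors property above is not validated until CloudFormation calls the WAF API, and a malformed CIDR (host bits set, or a prefix length WAF does not accept) fails the stack at that point. The following Python is an added example, not AWS code: it builds the IPSet from plain CIDRs with the checks applied up front, assembles the three resources from this page (the IPSet, MyIPSetRule and MyWebACL) into one template dict, and then walks that web ACL the way WAF Classic does (rules in Priority order, first full match decides, DefaultAction otherwise) to show which client addresses end up blocked. The function names and the lint helper are this example's own; the prefix-length table is the set of values the WAF Classic API reference documents for IPSetDescriptor (confirm against the current reference before relying on it).

```python
# Added example (not from the AWS documentation): lint AWS::WAF::IPSet
# descriptors before deployment and simulate the web ACL built from the three
# resources on this page.  Names below are this example's own.
import ipaddress
import json
from typing import Dict, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Prefix lengths WAF Classic documents as accepted in an IPSetDescriptor Value.
SUPPORTED_PREFIXES = {"IPV4": {8, 16, 24, 32}, "IPV6": {24, 32, 48, 56, 64, 128}}


def parse_descriptor(descriptor: Dict[str, str]) -> Network:
    """Return the network for one IPSetDescriptor, or raise ValueError.

    strict=True rejects values with host bits set (e.g. 192.0.2.44/24); WAF would
    reject the call, and if it were accepted the range would be far wider than
    the author intended."""
    ip_type, value = descriptor["Type"], descriptor["Value"]
    if ip_type not in SUPPORTED_PREFIXES:
        raise ValueError(f"unknown Type {ip_type!r}")
    network = ipaddress.ip_network(value, strict=True)
    if network.version != (4 if ip_type == "IPV4" else 6):
        raise ValueError(f"{value} is not an {ip_type} range")
    if network.prefixlen not in SUPPORTED_PREFIXES[ip_type]:
        raise ValueError(f"{value}: /{network.prefixlen} is not a supported {ip_type} prefix")
    return network


def lint_descriptors(descriptors: List[Dict[str, str]]) -> List[str]:
    """Return one error string per bad descriptor; an empty list means clean."""
    errors = []
    for d in descriptors:
        try:
            parse_descriptor(d)
        except ValueError as exc:
            errors.append(str(exc))
    return errors


def build_ipset(name: str, cidrs: List[str]) -> dict:
    """Build an AWS::WAF::IPSet resource from plain CIDRs; bare hosts get /32 or /128."""
    descriptors = []
    for cidr in cidrs:
        if "/" not in cidr:
            cidr += "/32" if ipaddress.ip_address(cidr).version == 4 else "/128"
        net = ipaddress.ip_network(cidr, strict=True)
        descriptors.append({"Type": f"IPV{net.version}", "Value": str(net)})
    errors = lint_descriptors(descriptors)
    if errors:
        raise ValueError("; ".join(errors))
    return {"Type": "AWS::WAF::IPSet",
            "Properties": {"Name": name, "IPSetDescriptors": descriptors}}


def example_template() -> dict:
    """The IPSet, Rule and WebACL from this page, assembled as one template dict."""
    ipset = build_ipset("IPSet for blacklisted IP addresses", ["192.0.2.44", "192.0.7.0/24"])
    rule = {"Type": "AWS::WAF::Rule", "Properties": {
        "Name": "MyIPSetRule", "MetricName": "MyIPSetRule",
        "Predicates": [{"DataId": {"Ref": "MyIPSetBlacklist"},
                        "Negated": False, "Type": "IPMatch"}]}}
    acl = {"Type": "AWS::WAF::WebACL", "Properties": {
        "Name": "WebACL to block blacklisted IP addresses",
        "DefaultAction": {"Type": "ALLOW"}, "MetricName": "MyWebACL",
        "Rules": [{"Action": {"Type": "BLOCK"}, "Priority": 1,
                   "RuleId": {"Ref": "MyIPSetRule"}}]}}
    return {"Resources": {"MyIPSetBlacklist": ipset, "MyIPSetRule": rule, "MyWebACL": acl}}


def _predicate_matches(resources: dict, predicate: dict, ip) -> bool:
    """IPMatch: true when the source IP is in the referenced set, flipped by Negated."""
    if predicate["Type"] != "IPMatch":
        raise NotImplementedError("this example only models IPMatch predicates")
    ipset = resources[predicate["DataId"]["Ref"]]["Properties"]
    # `ip in network` is False across IP versions, so an IPv6 client never
    # matches an IPV4 descriptor.
    in_set = any(ip in parse_descriptor(d) for d in ipset["IPSetDescriptors"])
    return in_set != predicate["Negated"]


def evaluate_web_acl(template: dict, acl_logical_id: str, client_ip: str) -> str:
    """Return ALLOW or BLOCK for client_ip: rules are tried in Priority order, the
    first rule whose predicates all match decides (COUNT only records and keeps
    going), otherwise DefaultAction applies."""
    resources = template["Resources"]
    acl = resources[acl_logical_id]["Properties"]
    ip = ipaddress.ip_address(client_ip)
    for entry in sorted(acl["Rules"], key=lambda r: r["Priority"]):
        rule = resources[entry["RuleId"]["Ref"]]["Properties"]
        if all(_predicate_matches(resources, p, ip) for p in rule["Predicates"]):
            if entry["Action"]["Type"] != "COUNT":
                return entry["Action"]["Type"]
    return acl["DefaultAction"]["Type"]


if __name__ == "__main__":
    template = example_template()
    print(json.dumps(template["Resources"]["MyIPSetBlacklist"], indent=2))
    for client in ("192.0.2.44", "192.0.7.200", "192.0.2.45", "2001:db8::1"):
        print(f"{client:>14} -> {evaluate_web_acl(template, 'MyWebACL', client)}")
    # Constructed bad descriptors: host bits set, unsupported prefix, version mismatch.
    print(lint_descriptors([{"Type": "IPV4", "Value": "192.0.2.44/24"},
                            {"Type": "IPV4", "Value": "192.0.0.0/20"},
                            {"Type": "IPV6", "Value": "192.0.2.0/24"}]))
```

To lint a real template, `json.load` it and pass each AWS::WAF::IPSet resource's IPSetDescriptors to lint_descriptors; flipping Negated to true in the rule inverts the result of evaluate_web_acl, which is the quickest way to see why an allow-list built on this page's pattern needs both the negated predicate and a BLOCK action rather than a BLOCK default.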
