

# Customer-managed prefix lists
<a name="working-with-managed-prefix-lists"></a>

Customer-managed prefix lists allow you to define and maintain your own sets of IP address ranges, known as prefixes, within AWS. Instead of hardcoding these IP addresses into your various resources, you can create a centralized prefix list and reference it wherever needed. This not only simplifies the management of your IP addresses but also promotes consistency and reusability across your AWS landscape. 

One of the standout features of customer-managed prefix lists is the ability to share them with other AWS accounts. By granting access to your prefix lists, you can enable other teams or organizations to leverage your defined IP address ranges in their own resources. This collaborative approach fosters a more cohesive and efficient cloud experience, where IP address management is shared and synchronized.

In the sections that follow, we'll dive deeper into the practical aspects of working with customer-managed prefix lists, including step-by-step guidance on creating, managing, and sharing your IP address ranges.

**Note**  
You can automate prefix list management using Amazon VPC IPAM to automatically sync CIDRs based on rules you define. This eliminates manual updates when your infrastructure changes. For more information, see [Automate prefix list updates with IPAM](https://docs.aws.amazon.com/vpc/latest/ipam/automate-prefix-list-updates.html) in the *Amazon VPC IPAM User Guide*.

**Topics**
+ [Work with customer-managed prefix lists](work-with-cust-managed-prefix-lists.md)

# Work with customer-managed prefix lists
<a name="work-with-cust-managed-prefix-lists"></a>

This section describes how to work with customer-managed prefix lists.

**Topics**
+ [Create a prefix list](#create-managed-prefix-list)
+ [View prefix lists](#view-managed-prefix-lists)
+ [View the entries for a prefix list](#view-managed-prefix-list-entries)
+ [View associations (references) for your prefix list](#view-managed-prefix-list-associations)
+ [Modify a prefix list](#modify-managed-prefix-list)
+ [Resize a prefix list](#resize-managed-prefix-list)
+ [Restore a previous version of a prefix list](#restore-managed-prefix-list)
+ [Delete a prefix list](#delete-managed-prefix-list)
+ [Share customer-managed prefix lists](sharing-managed-prefix-lists.md)

## Create a prefix list
<a name="create-managed-prefix-list"></a>

When you create a prefix list, you must specify the maximum number of entries that the prefix list can support.

**Limitation**  
You can't add a prefix list to a security group rule if the number of rules plus the max entries for the prefix list exceeds the quota for rules per security group for your account.

**To create a prefix list using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Managed Prefix Lists**.

1. Choose **Create prefix list**.

1. For **Prefix list name**, enter a name for the prefix list.

1. For **Max entries**, enter the maximum number of entries for the prefix list.

1. For **Address family**, choose whether the prefix list supports IPv4 or IPv6 entries.

1. For **Prefix list entries**, choose **Add new entry**, and enter the CIDR block and a description for the entry. Repeat this step for each entry.

1. (Optional) For **Tags**, add tags to the prefix list to help you identify it later.

1. Choose **Create prefix list**.

**To create a prefix list using the AWS CLI**  
Use the [create-managed-prefix-list](https://docs.aws.amazon.com/cli/latest/reference/ec2/create-managed-prefix-list.html) command.
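The limitation above counts the prefix list's max entries, not its current number of entries, against the security group rule quota. The following Python pre-flight check is an added example, not AWS code: the function name, the security group IDs and the quota value passed in are assumptions, and the 1000 ceiling is the resize limit this page states, assumed here to apply to the planned size as well.

```python
import ipaddress

MAX_ENTRIES_CEILING = 1000  # resize limit stated on this page (assumed to apply at planning time)

def preflight(entries, max_entries, address_family, sg_rule_counts, sg_rule_quota):
    """Return a list of problems with a planned prefix list; an empty list means OK.

    entries         -- list of (cidr, description) tuples
    address_family  -- "IPv4" or "IPv6"
    sg_rule_counts  -- {security_group_id: current rule count} for the groups that
                       will reference the list (hypothetical input)
    sg_rule_quota   -- rules-per-security-group quota for the account
    """
    problems = []
    want_version = 4 if address_family == "IPv4" else 6
    nets = []
    for cidr, _description in entries:
        try:
            # strict=True also flags host bits set, which usually signals a typo.
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            problems.append(f"{cidr}: not a clean CIDR block ({exc})")
            continue
        if net.version != want_version:
            problems.append(f"{cidr}: does not match address family {address_family}")
            continue
        nets.append(net)

    # An entry that another entry already covers uses a slot without changing reach.
    for i, a in enumerate(nets):
        for j, b in enumerate(nets):
            if i != j and a.subnet_of(b) and (a != b or i > j):
                problems.append(f"{a}: already covered by {b}")
                break

    if max_entries > MAX_ENTRIES_CEILING:
        problems.append(f"max entries {max_entries} is above {MAX_ENTRIES_CEILING}")
    if len(entries) > max_entries:
        problems.append(f"{len(entries)} entries do not fit in max entries {max_entries}")

    # The quota is charged max_entries, even if the list currently holds fewer entries.
    for sg_id, rules in sorted(sg_rule_counts.items()):
        if rules + max_entries > sg_rule_quota:
            problems.append(
                f"{sg_id}: {rules} rules + {max_entries} max entries "
                f"exceeds quota {sg_rule_quota}"
            )
    return problems
```

Sizing max entries close to the real need keeps headroom in every security group that references the list.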

## View prefix lists
<a name="view-managed-prefix-lists"></a>

You can view your prefix lists, prefix lists that are shared with you, and AWS-managed prefix lists.

**To view prefix lists using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Managed Prefix Lists**.

1. The **Owner ID** column shows the AWS account ID of the prefix list owner. For AWS-managed prefix lists, the **Owner ID** is **AWS**.

**To view prefix lists using the AWS CLI**  
Use the [describe-managed-prefix-lists](https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-managed-prefix-lists.html) command.

## View the entries for a prefix list
<a name="view-managed-prefix-list-entries"></a>

You can view the entries for your prefix lists, prefix lists that are shared with you, and AWS-managed prefix lists.

**To view the entries for a prefix list using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Managed Prefix Lists**. 

1. Select the checkbox for the prefix list.

1. In the lower pane, choose **Entries** to view the entries for the prefix list.

**To view the entries for a prefix list using the AWS CLI**  
Use the [get-managed-prefix-list-entries](https://docs.aws.amazon.com/cli/latest/reference/ec2/get-managed-prefix-list-entries.html) command.

## View associations (references) for your prefix list
<a name="view-managed-prefix-list-associations"></a>

You can view the IDs and owners of the resources that are associated with your prefix list. Associated resources are resources that reference your prefix list in their entries or rules.

**Limitation**  
You cannot view associated resources for an AWS-managed prefix list.

**To view prefix list associations using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Managed Prefix Lists**. 

1. Select the checkbox for the prefix list.

1. In the lower pane, choose **Associations** to view the resources that are referencing the prefix list.

**To view prefix list associations using the AWS CLI**  
Use the [get-managed-prefix-list-associations](https://docs.aws.amazon.com/cli/latest/reference/ec2/get-managed-prefix-list-associations.html) command.

## Modify a prefix list
<a name="modify-managed-prefix-list"></a>

You can modify the name of your prefix list, and you can add or remove entries. To modify the maximum number of entries, see [Resize a prefix list](#resize-managed-prefix-list).

Updating the entries of a prefix list creates a new version of the prefix list. Updating the name or maximum number of entries for a prefix list does not create a new version of the prefix list.

**Considerations**
+ You cannot modify an AWS-managed prefix list.
+ When you increase the maximum number of entries in a prefix list, the increased maximum size is applied to the quota of entries for the resources that reference the prefix list. If any of these resources can't support the increased maximum size, the modify operation fails and the previous maximum size is restored.

**To modify a prefix list using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Managed Prefix Lists**.

1. Select the checkbox for the prefix list, and choose **Actions**, **Modify prefix list**.

1. For **Prefix list name**, enter a new name for the prefix list.

1. If the managed prefix list has been configured as an IPAM prefix list resolver target, you'll see an **IPAM prefix list resolver sync** option.

   Choose whether to enable or disable synchronization with the IPAM prefix list resolver. When enabled, the prefix list CIDRs are automatically updated based on the associated resolver's CIDR selection rules. When disabled, the prefix list CIDRs are not automatically updated. For more information about this feature, see [Automate prefix list updates with IPAM](https://docs.aws.amazon.com/vpc/latest/ipam/automate-prefix-list-updates.html) in the *Amazon VPC IPAM User Guide*.

1. For **Prefix list entries**, choose **Remove** to remove an existing entry. To add a new entry, choose **Add new entry** and enter the CIDR block and a description for the entry.

1. Choose **Save prefix list**.

**To modify a prefix list using the AWS CLI**  
Use the [modify-managed-prefix-list](https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-managed-prefix-list.html) command.

## Resize a prefix list
<a name="resize-managed-prefix-list"></a>

You can resize a prefix list and modify the maximum number of entries for the prefix list up to 1000. For more information about customer-managed prefix list quotas, see [Customer-managed prefix lists](amazon-vpc-limits.md#vpc-quotas-managed-prefix-lists).

**To resize a prefix list using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Managed Prefix Lists**.

1. Select the checkbox for the prefix list, and choose **Actions**, **Resize prefix list**.

1. For **New max entries**, enter a value.

1. Choose **Resize**.

**To resize a prefix list using the AWS CLI**  
Use the [modify-managed-prefix-list](https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-managed-prefix-list.html) command.

## Restore a previous version of a prefix list
<a name="restore-managed-prefix-list"></a>

You can restore the entries from a previous version of your prefix list. This creates a new version of the prefix list.

If you decreased the size of the prefix list, you must ensure that the prefix list is large enough to contain the entries from the previous version.

**To restore a previous version of a prefix list using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Managed Prefix Lists**.

1. Select the checkbox for the prefix list, and choose **Actions**, **Restore prefix list**.

1. For **Select prefix list version**, choose a previous version. The entries for the selected version are displayed in **Prefix list entries**.

1. Choose **Restore prefix list**.

**To restore a previous version of a prefix list using the AWS CLI**  
Use the [restore-managed-prefix-list-version](https://docs.aws.amazon.com/cli/latest/reference/ec2/restore-managed-prefix-list-version.html) command.

## Delete a prefix list
<a name="delete-managed-prefix-list"></a>

To delete a prefix list, you must first remove any references to it in your resources (such as in your route tables). If you've shared the prefix list using AWS RAM, any references in consumer-owned resources must first be removed.

**Limitation**  
You cannot delete an AWS-managed prefix list.

**To delete a prefix list using the console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Managed Prefix Lists**.

1. Select the prefix list, and choose **Actions**, **Delete prefix list**.

1. In the confirmation dialog box, enter `delete`, and choose **Delete**.

**To delete a prefix list using the AWS CLI**  
Use the [delete-managed-prefix-list](https://docs.aws.amazon.com/cli/latest/reference/ec2/delete-managed-prefix-list.html) command.

# Share customer-managed prefix lists
<a name="sharing-managed-prefix-lists"></a>

With AWS Resource Access Manager (AWS RAM), the owner of a customer-managed prefix list can share the prefix list with the following:
+ Specific AWS accounts inside or outside of its organization in AWS Organizations
+ An organizational unit inside its organization in AWS Organizations
+ An entire organization in AWS Organizations

Consumers with whom a prefix list has been shared can view the prefix list and its entries, and they can reference the prefix list in their AWS resources.

For more information about AWS RAM, see the [AWS RAM User Guide](https://docs.aws.amazon.com/ram/latest/userguide/). For more information about quotas, see [Service quotas](https://docs.aws.amazon.com/general/latest/gr/ram.html#limits_ram) in the *AWS RAM User Guide*.

**Important**  
There are no additional charges for sharing prefix lists.

**Topics**
+ [Shared prefix list permissions](sharing-perms.md)
+ [Work with shared prefix lists](work-with-shared-prefixes.md)

# Shared prefix list permissions
<a name="sharing-perms"></a>

**Permissions for owners**

Owners are responsible for managing a shared prefix list and its entries. Owners can view the IDs of the AWS resources that reference the prefix list. However, they cannot add or remove references to a prefix list in AWS resources that are owned by consumers. 

Owners cannot delete a prefix list if the prefix list is referenced in a resource that's owned by a consumer.

**Permissions for consumers**

Consumers can view the entries in a shared prefix list, and they can reference a shared prefix list in their AWS resources. However, consumers can't modify, restore, or delete a shared prefix list.

# Work with shared prefix lists
<a name="work-with-shared-prefixes"></a>

AWS prefix lists provide a convenient way to manage and reference the IP address ranges used by various AWS services. In addition to the AWS-managed prefix lists, you also can create and share your own customer-managed prefix lists with other AWS accounts.

Sharing prefix lists can be particularly useful for organizations with complex networking requirements or those that need to coordinate IP address usage across multiple AWS workloads. By sharing a prefix list, you can ensure consistent IP address management and simplify networking configurations for your collaborators.

This section describes how to share prefix lists and how to identify and use prefix lists that have been shared with your account.

**Topics**
+ [Share a prefix list](#sharing-share)
+ [Unshare a shared prefix list](#sharing-unshare)
+ [Identify a shared prefix list](#sharing-identify)
+ [Identify references to a shared prefix list](#sharing-identify-references)

## Share a prefix list
<a name="sharing-share"></a>

To share a prefix list, you must add it to a resource share. If you do not have a resource share, you must first create one using the [AWS RAM console](https://console.aws.amazon.com/ram).

If you are part of an organization in AWS Organizations, and sharing within your organization is enabled, consumers in your organization are automatically granted access to the shared prefix list. Otherwise, consumers receive an invitation to join the resource share and are granted access to the shared prefix list after accepting the invitation.

You can create a resource share and share a prefix list that you own using the AWS RAM console or the AWS CLI.

**Important**  
To share a prefix list, you must own it. You cannot share a prefix list that has been shared with you. You cannot share an AWS-managed prefix list.  
To share a prefix list with your organization or an organizational unit in AWS Organizations, you must enable sharing with AWS Organizations. For more information, see [Enable sharing with AWS Organizations](https://docs.aws.amazon.com/ram/latest/userguide/getting-started-sharing.html#getting-started-sharing-orgs) in the *AWS RAM User Guide*.

**To create a resource share and share a prefix list using the AWS RAM console**  
Follow the steps in [Create a resource share](https://docs.aws.amazon.com/ram/latest/userguide/getting-started-sharing.html#getting-started-sharing-create) in the *AWS RAM User Guide*. For **Select resource type**, choose **Prefix Lists**, and then select the check box for your prefix list.

**To add a prefix list to an existing resource share using the AWS RAM console**  
To add a managed prefix list that you own to an existing resource share, follow the steps in [Updating a resource share](https://docs.aws.amazon.com/ram/latest/userguide/working-with-sharing.html#working-with-sharing-update) in the *AWS RAM User Guide*. For **Select resource type**, choose **Prefix Lists**, and then select the check box for your prefix list.

**To share a prefix list that you own using the AWS CLI**  
Use the following commands to create and update a resource share:
+ [create-resource-share](https://docs.aws.amazon.com/cli/latest/reference/ram/create-resource-share.html) 
+ [associate-resource-share](https://docs.aws.amazon.com/cli/latest/reference/ram/associate-resource-share.html) 
+ [update-resource-share](https://docs.aws.amazon.com/cli/latest/reference/ram/update-resource-share.html) 

## Unshare a shared prefix list
<a name="sharing-unshare"></a>

When you unshare a prefix list, consumers can no longer view the prefix list or its entries in their account, and they cannot reference the prefix list in their resources. If the prefix list is already referenced in the consumer's resources, those references continue to function as normal, and you can continue to [view those references](#sharing-identify-references). If you update the prefix list to a new version, the references use the latest version.

To unshare a shared prefix list that you own, you must remove it from the resource share using AWS RAM.

**To unshare a shared prefix list that you own using the AWS RAM console**  
See [Updating a resource share](https://docs.aws.amazon.com/ram/latest/userguide/working-with-sharing.html#working-with-sharing-update) in the *AWS RAM User Guide*.

**To unshare a shared prefix list that you own using the AWS CLI**  
Use the [disassociate-resource-share](https://docs.aws.amazon.com/cli/latest/reference/ram/disassociate-resource-share.html) command.

## Identify a shared prefix list
<a name="sharing-identify"></a>

Owners and consumers can identify shared prefix lists using the Amazon VPC console and AWS CLI.

**To identify a shared prefix list using the Amazon VPC console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Managed Prefix Lists**.

1. The page displays the prefix lists that you own and the prefix lists that are shared with you. The **Owner ID** column shows the AWS account ID of the prefix list owner.

1. To view the resource share information for a prefix list, select the prefix list and choose **Sharing** in the lower pane.

**To identify a shared prefix list using the AWS CLI**  
Use the [describe-managed-prefix-lists](https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-managed-prefix-lists.html) command. The command returns the prefix lists that you own and the prefix lists that are shared with you. `OwnerId` shows the AWS account ID of the prefix list owner.
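Because consumers cannot modify a shared prefix list and references always use the owner's latest version, a consumer-side review of `OwnerId` and of what each new version adds is worthwhile. The following Python sketch is an added example, not AWS code: the account IDs, prefix list IDs, entries, the trusted-owner set and the record of last-reviewed versions are all constructed, and it assumes the entries for a past version were fetched with `get-managed-prefix-list-entries --target-version`.

```python
import ipaddress

# Constructed sample shaped like describe-managed-prefix-lists output.
PREFIX_LISTS = [
    {"PrefixListId": "pl-constructed0001", "OwnerId": "111122223333", "Version": 3},
    {"PrefixListId": "pl-constructed0002", "OwnerId": "444455556666", "Version": 1},
    {"PrefixListId": "pl-constructed0003", "OwnerId": "999900001111", "Version": 7},
    {"PrefixListId": "pl-constructed0004", "OwnerId": "AWS", "Version": 1},
]
# Constructed entries keyed by (prefix list ID, version).
ENTRIES = {
    ("pl-constructed0001", 2): [{"Cidr": "203.0.113.0/24"}],
    ("pl-constructed0001", 3): [{"Cidr": "203.0.113.0/25"}, {"Cidr": "0.0.0.0/0"}],
}

def newly_reachable(old_entries, new_entries):
    """Return CIDRs in new_entries that no entry in old_entries fully covers."""
    old = [ipaddress.ip_network(e["Cidr"]) for e in old_entries]
    grown = []
    for entry in new_entries:
        net = ipaddress.ip_network(entry["Cidr"])
        if not any(net.version == o.version and net.subnet_of(o) for o in old):
            grown.append(str(net))
    return grown

def review_shared_lists(prefix_lists, my_account, trusted_owners, reviewed, entries):
    """Flag shared lists from unexpected owners or widened since the last review.

    reviewed -- {prefix_list_id: version last reviewed} (hypothetical local record)
    """
    findings = []
    for pl in prefix_lists:
        pl_id, owner, current = pl["PrefixListId"], pl["OwnerId"], pl["Version"]
        if owner in (my_account, "AWS"):
            continue  # only lists shared by another account are reviewed here
        if owner not in trusted_owners:
            findings.append((pl_id, "unexpected-owner", owner))
            continue
        seen = reviewed.get(pl_id)
        if seen is None:
            findings.append((pl_id, "never-reviewed", current))
        elif seen != current:
            grown = newly_reachable(entries[(pl_id, seen)], entries[(pl_id, current)])
            if grown:
                findings.append((pl_id, "wider-after-update", grown))
    return findings
```

A narrowed entry (here `203.0.113.0/25` replacing `/24`) is not reported; only ranges that extend what the referencing rules already allowed are.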

## Identify references to a shared prefix list
<a name="sharing-identify-references"></a>

Owners can identify the consumer-owned resources that are referencing a shared prefix list.

**To identify references to a shared prefix list using the Amazon VPC console**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **Managed Prefix Lists**.

1. Select the prefix list and choose **Associations** in the lower pane.

1. The IDs of the resources that are referencing the prefix list are listed in the **Resource ID** column. The owners of the resources are listed in the **Resource Owner** column.

**To identify references to a shared prefix list using the AWS CLI**  
Use the [get-managed-prefix-list-associations](https://docs.aws.amazon.com/cli/latest/reference/ec2/get-managed-prefix-list-associations.html) command.