DEV Community

AWS Prefix Lists help simplify Networking

I’ve been working with a client that acquired another company, and has multiple office sites, data centres, and a fair number of private networks. As part of the acquisition, they’ve been working on integrating the systems of the parent and the acquired company, and one element of that has been simplifying the IP address management by removing overlaps between private networks, including AWS VPCs.

As a result, I’ve been working on setting up some new VPCs, and connecting them into the corporate network. While setting this up I discovered that customer-managed prefix lists on AWS can really simplify some use cases.

By way of example, imagine a networking situation like this:

Example Network

With multiple customer networks and multiple VPCs, you can quickly end up needing to add a lot of CIDR blocks to a lot of places, particularly if you only want to target specific ranges, rather than a broad block (like 10.0.0.0/8). Using specific examples, you might need to:

  • add several CIDR ranges to each VPC’s route table to route the traffic to the transit gateway
  • add several CIDR ranges to one or more ports in one or more security groups in each VPC in order to allow access from customer networks

If the organization adds another site, or another CIDR block to an existing site, you have to go back and find every place you added the existing blocks and add the new one there too. This quickly gets tedious, and any place you miss becomes a route or rule that silently stays out of date.

This matters most if you're making these changes by hand in the AWS console, either because your infrastructure setup isn't automated yet or because you're making an exploratory change before updating your infrastructure automation. But even if your infrastructure is fully automated with Terraform, CloudFormation, CDK or Pulumi, a prefix list can make a security group much easier to read.

For instance, here is a security group that allows ICMP, HTTP and HTTPS from a single prefix list:

Security Group with Prefix List

And here is the equivalent one, allowing the same traffic from each of the CIDR ranges in the diagram above:

Security Group with CIDRs

I know which of these I find easier to visually inspect.
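The configuration below is an added example, not code from the original post: it expresses the route-table and security-group changes from the list above, and the prefix-list version of the security group just shown, as Terraform. The prefix list name, the three CIDRs and the referenced route table, transit gateway and VPC resources are placeholders I have assumed, not values taken from the diagram.

```hcl
# Added example (not from the original post): one customer-managed prefix list
# referenced from a VPC route table and from a security group. The CIDRs and
# the aws_route_table.private, aws_ec2_transit_gateway.corp and aws_vpc.app
# resources are assumed placeholders, not values from the diagram.

resource "aws_ec2_managed_prefix_list" "corp_sites" {
  name           = "corp-sites"
  address_family = "IPv4"
  # max_entries is fixed at creation and is charged in full against the route
  # and security-group rule quotas everywhere the list is referenced, so leave
  # headroom for new sites without over-provisioning.
  max_entries = 10

  entry {
    cidr        = "10.10.0.0/16" # placeholder: head office
    description = "head-office"
  }
  entry {
    cidr        = "10.20.0.0/16" # placeholder: acquired company data centre
    description = "acquired-dc"
  }
  entry {
    cidr        = "192.168.50.0/24" # placeholder: branch office
    description = "branch"
  }
}

# One route per route table instead of one route per CIDR block.
resource "aws_route" "to_corp" {
  route_table_id             = aws_route_table.private.id      # assumed to exist
  destination_prefix_list_id = aws_ec2_managed_prefix_list.corp_sites.id
  transit_gateway_id         = aws_ec2_transit_gateway.corp.id # assumed to exist
}

resource "aws_security_group" "web" {
  name   = "web-from-corp"
  vpc_id = aws_vpc.app.id # assumed to exist
}

# Three rules reference the list; a new site is added by editing the list only.
resource "aws_security_group_rule" "icmp_from_corp" {
  type              = "ingress"
  protocol          = "icmp"
  from_port         = -1 # all ICMP types; narrow to 8/0 if only echo is needed
  to_port           = -1
  prefix_list_ids   = [aws_ec2_managed_prefix_list.corp_sites.id]
  security_group_id = aws_security_group.web.id
}

resource "aws_security_group_rule" "http_from_corp" {
  type              = "ingress"
  protocol          = "tcp"
  from_port         = 80
  to_port           = 80
  prefix_list_ids   = [aws_ec2_managed_prefix_list.corp_sites.id]
  security_group_id = aws_security_group.web.id
}

resource "aws_security_group_rule" "https_from_corp" {
  type              = "ingress"
  protocol          = "tcp"
  from_port         = 443
  to_port           = 443
  prefix_list_ids   = [aws_ec2_managed_prefix_list.corp_sites.id]
  security_group_id = aws_security_group.web.id
}
```

Two things to keep in mind when you adopt this pattern. First, the prefix list is now the single control over what reaches every route table and security group that references it, so an edit to the list changes reachability everywhere at once; restrict who can modify it (the `ec2:ModifyManagedPrefixList` permission) at least as tightly as you restrict security-group changes. Second, a referenced prefix list counts as `max_entries` rules against each security group's quota and `max_entries` routes against each route table's quota, whether or not the entries are filled, so size it deliberately.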

So if you’re managing complicated networking on AWS and you haven’t looked at prefix lists yet, I hope I’ve convinced you they’re worth a look.
