Hi, can you share a reference where it states the prefix reference in your security group will break when you update the prefixes? As per the docs we have, " you can update the relevant prefix list and all security groups that use the prefix list are updated. You can also use managed prefix lists with other AWS accounts using Resource Access Manager (RAM)." ref: https://docs.aws.amazon.com/vpc/latest/userguide/managed-prefix-lists.html
And the Modify section doesn't state that in the considerations or limitations: https://docs.aws.amazon.com/vpc/latest/userguide/working-with-managed-prefix-lists.html#modify-managed-prefix-list That is the main purpose of the AWS IP prefixes. You get to modify one place, and it will apply to many security groups at once that use this prefix somewhere in their rules.
However, this is a region-specific resource. Thus, you can think of creating a workflow that will update the prefixes in every other region when the primary region's prefix is updated. By the way, interesting use case.
I was confused by the structure of the following sentence on that page: "You can modify a prefix list. When you add or remove entries, we create a new version of the prefix list. Resources that reference the prefix always use the current (latest) version. You can restore the entries from a previous version of the prefix list, which also creates a new version.", which I misunderstood to indicate that the new version got a new object identity, other than what the firewall rule referenced.
However, this clarification doesn't handle the problem that there will be a separate prefix list for each AWS region, not one stored centrally in the AWS account and automatically distributed to the hardware in the regions.
You can't do this natively. You will need to create a workflow that is triggered by a change to the primary prefix, so that it updates all the prefixes that mirror that prefix in the other regions. That can be a Lambda that monitors the change on the primary prefix using CloudWatch/EventBridge and then starts updating the other prefixes. If you are using CI/CD or IaC to deploy your resources in different regions, that can make the changes easier on your side. Unfortunately, this is not a change you can accomplish within the default options of the Managed IP prefixes screen. If that answers your question, please accept the answer.
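The cross-region sync workflow described in the answer above, as an added example that is not code from this thread or from AWS. It is the body of the Lambda the answer suggests: it reads the current entries of the primary managed prefix list, computes the CIDR difference against each mirror list, and applies only that difference with `modify_managed_prefix_list`, passing `CurrentVersion` so a concurrent edit to the mirror is rejected rather than silently overwritten. The point for a security group consumer is that a mirror region lagging behind the primary keeps admitting (or blocking) CIDRs the primary no longer lists, so the sync is diff-based and refuses to run when the mirror's `MaxEntries` cannot hold the primary's entries. The environment variable names (`PRIMARY_REGION`, `PRIMARY_PREFIX_LIST_ID`, `MIRRORS`) and the `region=pl-id` list format are this example's own conventions; the EventBridge rule that invokes the handler on a prefix-list modification is assumed wiring and is not shown. The `boto3` EC2 calls used (`describe_managed_prefix_lists`, `get_managed_prefix_list_entries`, `modify_managed_prefix_list`) are real API methods.

```python
"""Mirror a primary AWS managed prefix list into other regions (added example).

Assumed conventions for this example: PRIMARY_REGION and PRIMARY_PREFIX_LIST_ID
name the source list; MIRRORS is a comma-separated list of "region=pl-id" pairs.
"""
import os


def _entry(cidr, description):
    """Build an entry dict; Description is omitted when empty."""
    entry = {"Cidr": cidr}
    if description:
        entry["Description"] = description
    return entry


def plan_sync(primary_entries, mirror_entries):
    """Return (add_entries, remove_entries) that make the mirror match the primary.

    Entries have the shape returned by get_managed_prefix_list_entries
    ({"Cidr": ..., "Description": ...}). The diff is keyed on CIDR only, so a
    description-only change on the primary does not churn mirror versions.
    """
    primary = {e["Cidr"]: e.get("Description", "") for e in primary_entries}
    mirror = {e["Cidr"] for e in mirror_entries}
    add = [_entry(c, d) for c, d in sorted(primary.items()) if c not in mirror]
    remove = [{"Cidr": c} for c in sorted(mirror - primary.keys())]
    return add, remove


def list_entries(ec2, prefix_list_id):
    """Fetch every entry of a prefix list, following NextToken pagination."""
    entries, token = [], None
    while True:
        kwargs = {"PrefixListId": prefix_list_id}
        if token:
            kwargs["NextToken"] = token
        page = ec2.get_managed_prefix_list_entries(**kwargs)
        entries.extend(page.get("Entries", []))
        token = page.get("NextToken")
        if not token:
            return entries


def sync_mirror(primary_entries, ec2, mirror_id):
    """Apply the primary's CIDR set to one mirror list; returns the change count.

    CurrentVersion is sent so the API rejects the update if someone else modified
    the mirror between our read and our write (optimistic concurrency).
    """
    desc = ec2.describe_managed_prefix_lists(PrefixListIds=[mirror_id])["PrefixLists"][0]
    if len(primary_entries) > desc["MaxEntries"]:
        # MaxEntries must be raised in a separate call before entries will fit.
        raise ValueError(f"{mirror_id}: MaxEntries {desc['MaxEntries']} is too small "
                         f"for {len(primary_entries)} primary entries")
    add, remove = plan_sync(primary_entries, list_entries(ec2, mirror_id))
    if not add and not remove:
        return 0
    kwargs = {"PrefixListId": mirror_id, "CurrentVersion": desc["Version"]}
    if add:
        kwargs["AddEntries"] = add
    if remove:
        kwargs["RemoveEntries"] = remove
    ec2.modify_managed_prefix_list(**kwargs)
    return len(add) + len(remove)


def parse_mirrors(spec):
    """Parse "eu-west-1=pl-0aaa,ap-southeast-1=pl-0bbb" into {region: pl-id}."""
    mirrors = {}
    for item in filter(None, (s.strip() for s in spec.split(","))):
        region, _, pl_id = item.partition("=")
        if not region or not pl_id:
            raise ValueError(f"bad mirror spec: {item!r}")
        mirrors[region] = pl_id
    return mirrors


def lambda_handler(event, context):
    """Entry point for the EventBridge-triggered Lambda (trigger wiring assumed)."""
    import boto3  # imported here so the pure helpers stay importable without boto3

    primary_id = os.environ["PRIMARY_PREFIX_LIST_ID"]
    primary_ec2 = boto3.client("ec2", region_name=os.environ["PRIMARY_REGION"])
    primary_entries = list_entries(primary_ec2, primary_id)
    changed = {}
    for region, mirror_id in parse_mirrors(os.environ["MIRRORS"]).items():
        ec2 = boto3.client("ec2", region_name=region)
        changed[region] = sync_mirror(primary_entries, ec2, mirror_id)
    return {"primary": primary_id, "synced": changed}
```

The handler re-reads the primary on every invocation instead of trusting the event payload, so a burst of edits converges on the latest state even if events arrive out of order. Because prefix lists are regional, the Lambda's execution role needs `ec2:DescribeManagedPrefixLists`, `ec2:GetManagedPrefixListEntries` and `ec2:ModifyManagedPrefixList` on the mirror lists in each target region.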