The quota for "Maximum number of entries per prefix list" is an adjustable one, but be prepared to provide a valid use-case if you put in a request for an increase on that quota. As you've noted, the default is set at 1,000 so you'll have to open a support ticket to make that request (rather than doing it via the "Service Quota" page in the console). Having said that, I'm not sure a 10x increase in that limit is going to be a typical request, and I suspect that the current 1M CIDR limit for Network Firewall is designed to factor in potential future performance/limit increases on other components.
You are correct in your understanding of the basic limits, but there are a few key points to consider that can help you reach the 1,000,000 CIDRs limit in AWS Network Firewall:
- IP set references are not limited to prefix lists. You can also use resource groups, which can potentially contain more IP addresses than a single prefix list.
- The calculation of CIDRs differs between prefix lists and resource groups:
  - For prefix lists, Network Firewall aggregates the CIDRs in each referenced IP set.
  - For resource groups, Network Firewall calculates the number of IP addresses associated with all resources in the group. This includes both public and private IP addresses for resources like EC2 instances.
- You're not limited to 1,000 CIDRs per IP set reference. The 1,000,000 CIDR limit is across all IP set references used in a single firewall, not per reference.
To scale up to 1,000,000 CIDRs:
- Maximize your use of resource groups instead of relying solely on prefix lists. Resource groups can potentially represent more IP addresses, especially if they include resources with multiple IPs.
- Optimize your CIDR aggregation in prefix lists. Instead of listing individual IP addresses, use broader CIDR ranges where possible to represent more IPs with fewer entries.
- Utilize the full capacity of each IP set reference. You're not restricted to 1,000 CIDRs per reference - you can have much larger sets as long as the total across all references doesn't exceed 1,000,000.
- Use the maximum of 5 IP set references per rule group, and utilize all 20 rule groups if necessary. This gives you up to 100 IP set references to work with.
- Distribute your CIDRs efficiently across these references. For example, if you need exactly 1,000,000 CIDRs, you could have 10 references with 100,000 CIDRs each.
Remember, the 1,000,000 CIDR limit is per firewall, not per rule group or IP set reference. By efficiently using resource groups, optimizing your CIDR ranges, and fully utilizing the available IP set references across your rule groups, you should be able to approach or reach the 1,000,000 CIDR limit in a single firewall.
Sources
IP set references in Suricata compatible AWS Network Firewall rule groups - AWS Network Firewall
AWS network firewall managed rule groups | AWS re:Post
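The aggregation and distribution steps in the answer above can be checked offline before any prefix list is created. The following script is an added example, not code from the thread or from AWS: it collapses CIDRs with the standard library's `ipaddress` module, sizes the result against the figures quoted in the thread (the 1,000-entry prefix list default, 5 IP set references per rule group, 20 rule groups, 1,000,000 CIDRs per firewall), and reports where a list would need splitting or a quota request. The sample lists are constructed; the quota constants are assumptions copied from the discussion, not values fetched from the Service Quotas API. It also shows the failure mode aggregation cannot fix: non-adjacent host routes stay one entry each.

```python
import ipaddress
import math

# Planning values as quoted in the thread (assumed here, not queried from AWS).
# The per-prefix-list figure is the adjustable default.
MAX_ENTRIES_PER_PREFIX_LIST = 1_000
MAX_IP_SET_REFS_PER_RULE_GROUP = 5
MAX_RULE_GROUPS = 20
MAX_CIDRS_PER_FIREWALL = 1_000_000


def aggregate_cidrs(cidrs):
    """Collapse CIDR strings into the smallest equivalent set of networks.

    Adjacent and nested networks are merged (256 x /32 inside one /24 become a
    single /24). IPv4 and IPv6 are collapsed separately because
    ipaddress.collapse_addresses refuses mixed address families.
    """
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    result = []
    for version in (4, 6):
        same_family = [n for n in nets if n.version == version]
        result.extend(str(n) for n in ipaddress.collapse_addresses(same_family))
    return result


def split_into_references(cidrs, max_entries=MAX_ENTRIES_PER_PREFIX_LIST):
    """Chunk an aggregated CIDR list into prefix-list-sized IP set references."""
    return [cidrs[i:i + max_entries] for i in range(0, len(cidrs), max_entries)]


def plan_ip_set_references(named_lists):
    """Aggregate each named list, size it against the quotas, and report.

    named_lists: {"name": [cidr, ...]}
    Returns per-list counts, the total CIDRs the firewall would carry, the
    number of references and rule groups that needs, and any quota problems
    worth raising before deployment.
    """
    report = {"lists": {}, "issues": []}
    total_cidrs = 0
    total_refs = 0
    for name, cidrs in named_lists.items():
        aggregated = aggregate_cidrs(cidrs)
        refs = split_into_references(aggregated)
        report["lists"][name] = {
            "raw_entries": len(cidrs),
            "aggregated_entries": len(aggregated),
            "references_needed": len(refs),
        }
        total_cidrs += len(aggregated)
        total_refs += len(refs)
        if len(refs) > 1:
            report["issues"].append(
                f"{name}: {len(aggregated)} entries exceed the "
                f"{MAX_ENTRIES_PER_PREFIX_LIST}-entry prefix list default; "
                f"split into {len(refs)} lists or request a quota increase"
            )
    rule_groups_needed = math.ceil(total_refs / MAX_IP_SET_REFS_PER_RULE_GROUP)
    report["total_cidrs"] = total_cidrs
    report["total_references"] = total_refs
    report["rule_groups_needed"] = rule_groups_needed
    if rule_groups_needed > MAX_RULE_GROUPS:
        report["issues"].append(
            f"{total_refs} references need {rule_groups_needed} rule groups, "
            f"more than the {MAX_RULE_GROUPS} available"
        )
    if total_cidrs > MAX_CIDRS_PER_FIREWALL:
        report["issues"].append(
            f"{total_cidrs} CIDRs exceed the per-firewall limit of {MAX_CIDRS_PER_FIREWALL}"
        )
    return report


# Constructed sample input (documentation ranges, not real deployments).
SAMPLE_LISTS = {
    # 256 host routes plus two /25s and two /33s: aggregation shrinks this to 3 entries.
    "office-egress": [f"10.0.0.{i}/32" for i in range(256)]
    + ["10.1.0.0/25", "10.1.0.128/25", "2001:db8::/33", "2001:db8:8000::/33"],
    # 1,500 host routes with no adjacent neighbours: aggregation cannot help,
    # so the list must be split across two references.
    "partner-hosts": [f"10.{10 + i // 256}.{i % 256}.1/32" for i in range(1500)],
}

if __name__ == "__main__":
    plan = plan_ip_set_references(SAMPLE_LISTS)
    for name, counts in plan["lists"].items():
        print(f"{name}: {counts}")
    print(f"total CIDRs: {plan['total_cidrs']}, references: {plan['total_references']}, "
          f"rule groups: {plan['rule_groups_needed']}")
    for issue in plan["issues"]:
        print("ISSUE:", issue)
```

The two sample lists illustrate the point of the "optimize your CIDR aggregation" step: contiguous hosts collapse almost entirely, while scattered hosts keep one entry each, and only splitting across references or a quota increase gets them past the per-prefix-list default.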

I think resource groups typically refer to a grouping of AWS resources (e.g., EC2s, RDS, S3) for management purposes — not IP addresses.