While I don't have specific information on how often the US-East-1 DynamoDB managed prefix list changes, I can provide some general insights about AWS-managed prefix lists and their management.
AWS-managed prefix lists, including the one for DynamoDB in US-East-1, are maintained by Amazon Web Services to provide up-to-date IP address ranges for their services. These lists are designed to simplify network configurations and reduce administrative overhead.
Regarding your specific questions:
- The frequency of modifications to the US-East-1 DynamoDB prefix list is not publicly specified. Changes to AWS-managed prefix lists can occur as needed to accommodate service expansions, network optimizations, or other operational requirements. It's best to assume that changes could happen at any time, though they are likely not extremely frequent.
- As for the timing between announcement and usage of new CIDR blocks, AWS typically aims to provide seamless service continuity. While there's no official information on a grace period, it's reasonable to assume that AWS would add new CIDR blocks to the prefix list before they are actively used by the service. This approach would allow customers like yourself, who are replicating these lists, to update their configurations before the new IP ranges are utilized.
Your approach of using an EventBridge rule to trigger a Lambda function for updating your custom prefix list in EU-West-1 is a good practice. This method ensures that your application's egress rules stay in sync with any changes AWS makes to the DynamoDB prefix list in US-East-1.
To further enhance your setup, you might consider implementing additional monitoring or alerting mechanisms to notify you of any updates to the prefix list. This could help you stay informed of changes and verify that your automation is working as expected.
Remember that while this approach can help manage your egress rules effectively, it's always a good idea to periodically review and validate your network configurations to ensure they align with AWS best practices and your security requirements.
Sources
AWS-managed prefix lists - Amazon Virtual Private Cloud
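As an added illustration of the EventBridge-to-Lambda replication discussed in this answer (example code, not from either answer or from AWS), here is a Lambda that diffs the AWS-managed DynamoDB prefix list in us-east-1 against a customer-managed list in eu-west-1 and applies only the delta. The managed list name `com.amazonaws.us-east-1.dynamodb`, the target list ID and the handler name are assumptions; the version check and capacity check are the two places such a sync most often fails silently.

```python
"""Mirror the AWS-managed DynamoDB prefix list (us-east-1) into a customer-managed
prefix list (eu-west-1). Added example; list name, ID and handler name are assumptions."""
from typing import Dict, Iterable, List, Tuple

try:
    import boto3
except ImportError:  # lets plan_sync() be exercised where boto3 is not installed
    boto3 = None

SOURCE_REGION = "us-east-1"
SOURCE_PL_NAME = "com.amazonaws.us-east-1.dynamodb"  # assumed AWS-managed list name
TARGET_REGION = "eu-west-1"
TARGET_PL_ID = "pl-0123456789abcdef0"  # placeholder: your own prefix list ID

def plan_sync(source: Iterable[str], target: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Return (to_add, to_remove) so that the target list ends up equal to the source."""
    src, tgt = set(source), set(target)
    return sorted(src - tgt), sorted(tgt - src)

def list_cidrs(ec2, prefix_list_id: str) -> List[str]:
    """Collect every CIDR in a prefix list, following pagination."""
    cidrs, kwargs = [], {"PrefixListId": prefix_list_id}
    while True:
        page = ec2.get_managed_prefix_list_entries(**kwargs)
        cidrs.extend(entry["Cidr"] for entry in page["Entries"])
        if not page.get("NextToken"):
            return cidrs
        kwargs["NextToken"] = page["NextToken"]

def lambda_handler(event=None, context=None) -> Dict[str, List[str]]:
    """Entry point for the EventBridge rule; idempotent, so a schedule is safe too."""
    src_ec2 = boto3.client("ec2", region_name=SOURCE_REGION)
    tgt_ec2 = boto3.client("ec2", region_name=TARGET_REGION)
    src_pl = src_ec2.describe_managed_prefix_lists(
        Filters=[{"Name": "prefix-list-name", "Values": [SOURCE_PL_NAME]}])["PrefixLists"][0]
    tgt_pl = tgt_ec2.describe_managed_prefix_lists(PrefixListIds=[TARGET_PL_ID])["PrefixLists"][0]
    src_cidrs = list_cidrs(src_ec2, src_pl["PrefixListId"])
    if len(src_cidrs) > tgt_pl["MaxEntries"]:  # a partial mirror would silently drop egress
        raise RuntimeError(f"target MaxEntries {tgt_pl['MaxEntries']} < {len(src_cidrs)} needed")
    to_add, to_remove = plan_sync(src_cidrs, list_cidrs(tgt_ec2, TARGET_PL_ID))
    if to_add or to_remove:
        # CurrentVersion makes a concurrent edit fail loudly instead of being overwritten
        kwargs = {"PrefixListId": TARGET_PL_ID, "CurrentVersion": tgt_pl["Version"]}
        if to_add:
            kwargs["AddEntries"] = [{"Cidr": c, "Description": "mirror of " + SOURCE_PL_NAME} for c in to_add]
        if to_remove:
            kwargs["RemoveEntries"] = [{"Cidr": c} for c in to_remove]
        tgt_ec2.modify_managed_prefix_list(**kwargs)
    return {"added": to_add, "removed": to_remove}
```

The Lambda's execution role needs `ec2:DescribeManagedPrefixLists` and `ec2:GetManagedPrefixListEntries` in both regions and `ec2:ModifyManagedPrefixList` on the target list only.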
Hello.
As an alternative to the automatic response provided by the re:Post Agent's AI, it is also possible to connect the VPCs in eu-west-1 and us-east-1 using VPC peering or similar and access DynamoDB via an interface-type VPC endpoint created in us-east-1.
This eliminates the need to manage prefix list updates.
https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/privately-access-a-central-aws-service-endpoint-from-multiple-vpcs.html