Skip to content
Alchemy
GitHubXDiscord

IPSet

The IPSet resource allows you to manage AWS WAFRegional IPSets that contain a set of IP addresses. This resource is essential for controlling access to your applications based on IP address filtering.

Minimal Example

Section titled “Minimal Example”

Create a basic IPSet with a couple of IP address descriptors.

import AWS from "alchemy/aws/control";


const basicIPSet = await AWS.WAFRegional.IPSet("basicIPSet", {
  name: "BasicIPSet",
  IPSetDescriptors: [
    { Type: "IPV4", Value: "192.0.2.0/24" },
    { Type: "IPV4", Value: "203.0.113.0/24" }
  ]
});

Advanced Configuration

Section titled “Advanced Configuration”

Configure an IPSet to include a broader range of IP addresses with additional settings.

const advancedIPSet = await AWS.WAFRegional.IPSet("advancedIPSet", {
  name: "AdvancedIPSet",
  IPSetDescriptors: [
    { Type: "IPV4", Value: "198.51.100.0/24" },
    { Type: "IPV6", Value: "2001:0db8:85a3:0000:0000:8a2e:0370:7334/64" },
    { Type: "IPV4", Value: "10.0.0.0/8" }
  ]
});

Dynamic Updates

Section titled “Dynamic Updates”

Create an IPSet that you can update dynamically to respond to changing security requirements.

const dynamicIPSet = await AWS.WAFRegional.IPSet("dynamicIPSet", {
  name: "DynamicIPSet",
  IPSetDescriptors: [
    { Type: "IPV4", Value: "192.168.1.0/24" }
  ],
  adopt: true // Allows adoption of existing resource if it already exists
});


// Later update to add more IP addresses
await AWS.WAFRegional.IPSet.update(dynamicIPSet.id, {
  IPSetDescriptors: [
    ...dynamicIPSet.IPSetDescriptors,
    { Type: "IPV4", Value: "172.16.0.0/12" }
  ]
});

Example of Resource Usage in a Web ACL

Section titled “Example of Resource Usage in a Web ACL”

Demonstrate how to utilize the IPSet as part of a Web ACL for enhanced security.

import AWS from "alchemy/aws/control";


const webACL = await AWS.WAFRegional.WebACL("webAcl", {
  name: "WebACLForMyApp",
  defaultAction: { Type: "ALLOW" },
  rules: [
    {
      name: "BlockSpecificIPs",
      priority: 1,
      action: { Type: "BLOCK" },
      visibilityConfig: {
        sampledRequestsEnabled: true,
        cloudWatchMetricsEnabled: true,
        metricName: "blockSpecificIPs"
      },
      statement: {
        ipSetReferenceStatement: {
          arn: dynamicIPSet.Arn
        }
      }
    }
  ]
});