Rule Sets and Prefix Lists (BETA)

Rule Sets and Prefix Lists help automate Cloud Firewall rule management.

A Rule Set is a named, ordered set of firewall rules. A Prefix List is a named collection of IP addresses and CIDR blocks. Both are designed for reuse and can be referenced in your Cloud Firewalls to help manage access to network resources and services.

You can reference Rule Sets and Prefix Lists in both inbound and outbound firewall rules. When a Prefix List or Rule Set is updated, those changes automatically apply to all Cloud Firewall rules that reference them. This removes the need to manually update individual firewall rules.

Managing Rule Sets and Prefix Lists for Firewall Rules

You can create Rule Sets using the API only. To apply Rule Sets and Prefix Lists to firewall rules, use either the API or Cloud Manager.

Rule Sets

  • Users or managed services can create Rule Sets. Rule Sets created by a managed service can't be modified, but you can view them. For example, LKE-E automatically creates and manages Rule Sets that allow cluster nodes to access required resources. You can review these rules, but LKE-E manages them for you.
  • Rule Sets are available for Linodes.
  • If a request would raise the number of inbound or outbound rules (whether added directly or through Rule Set references) above the Cloud Firewall rules limit, the request fails. System limits for firewall rules and Rule Sets:
    • Each firewall can have up to 25 rules for both inbound and outbound traffic.
    • Each customer account can have up to 100 Rule Sets.
    • Each Rule Set can contain up to 25 rules.
    • The number of service-defined Rule Sets in a firewall is limited, but they do not count against the firewall’s 25-rule limit.
  • Rule Sets are versioned for auditing.
  • Rule Sets can be assigned to multiple firewalls, and each firewall can have multiple Rule Sets.
  • Rule Sets can't reference other Rule Sets.
  • Prefix Lists can be referenced in Rule Sets by name, for example pl::vpcs:1234.
  • When you delete a Rule Set that is still referenced, the system marks the Rule Set for deletion. The Rule Set is deleted only after the last reference is removed.

Prefix Lists

  • Prefix Lists let Cloud Firewalls reference platform service endpoint CIDRs by name. A platform service can then update its endpoint IP ranges without requiring manual updates to firewall rules. Each platform service provides the Prefix List names used to access its endpoints.
  • Prefix Lists let firewall rules use a VPC’s CIDR when the firewall is attached to a VPC interface. A single firewall can therefore serve multiple VPCs, with its rules automatically scoped to each VPC’s CIDR.
  • Prefix Lists let firewall rules use a VPC subnet’s CIDR when the firewall is attached to a subnet interface. One firewall can therefore serve multiple subnets, even across VPCs, with its rules automatically scoped to each subnet’s CIDR.
  • Platform administrators create and manage Prefix Lists. Managed services can also create and manage Prefix Lists automatically or programmatically. However, all accounts with the Prefix List feature enabled can read, list, and reference Prefix Lists that are available on their account.
  • Prefix Lists can be included in Rule Sets or referenced by name directly in Cloud Firewall rule addresses.
  • A private Prefix List is visible only to you. A public Prefix List is visible to everyone.
  • Prefix Lists are versioned for auditing.

Prefix List naming

Prefix List names all start with pl and follow this format: pl:{scope}:{list}:{key}

  • {scope}. Can be blank, indicating account-level scope, or set to system for platform-wide scope.
    • Prefix Lists with a blank scope must be unique within each account. For example, different pl::foo:bar Prefix Lists can exist in separate accounts. Prefix List names starting with pl:: are always private.
    • Prefix Lists with system as the scope must be unique across the entire platform. For example, only one pl:system:foo:bar can exist platform-wide. Prefix List names starting with pl:system: are visible to all enabled customers on the platform.
  • {list}. Represents the platform service, such as vpcs.
  • {key}. Identifies the specific instance of the service element whose endpoint addresses are to be accessed. {key} can be subdivided by appending a segment such as :staging or :test.

Special Prefix List names include pl::vpcs:<current> and pl::subnets:<current>. These Special Prefix Lists are generated by the platform and provide access to the VPC or VPC subnet perimeter addresses. When one of these names is used in a firewall rule for IPv4 or IPv6 addresses and the firewall is applied to a VPC interface, the Prefix List automatically resolves to the CIDRs of the VPC or VPC subnet perimeter that the interface belongs to, and the rule controls access to that interface accordingly.

Examples of Prefix List names

  • VPC
    • pl::vpcs:{vpc_id} (e.g., pl::vpcs:101)
    • pl::subnets:{subnet_id} (e.g., pl::subnets:202)
  • Special Prefix Lists
    • pl::vpcs:<current>
    • pl::subnets:<current>
  • Object Storage
    • pl:system:object-storage:{region} (e.g., pl:system:object-storage:us-iad)
    • pl:system:object-storage:{region}:staging (e.g., pl:system:object-storage:no-osl-1:staging)
  • DNS
    • pl:system:resolvers:{region} (e.g., pl:system:resolvers:us-iad)
    • pl:system:resolvers:{region}:staging (e.g., pl:system:resolvers:no-osl-1:staging)
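As an added example (not part of this documentation or of the Linode API), the following Python parser validates a Prefix List name against the pl:{scope}:{list}:{key} format described above, classifies it as private (blank, account-level scope) or public (system scope), splits off a subdivision such as :staging, and flags the special <current> names, which only resolve once the firewall is attached to a VPC or subnet interface. The allowed characters in each segment and the restriction of <current> to the vpcs and subnets lists are assumptions; the page does not define them.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Assumption: each segment is alphanumeric with internal '-' or '_' (the page does
# not define the character set). Scope is blank (account) or "system".
_SEGMENT = r"[A-Za-z0-9][A-Za-z0-9_-]*"
_SPECIAL_KEY = "<current>"
_NAME_RE = re.compile(
    rf"^pl:(?P<scope>system|):(?P<list>{_SEGMENT}):(?P<key>{_SEGMENT}|<current>)"
    rf"(?::(?P<sub>{_SEGMENT}(?::{_SEGMENT})*))?$"
)


@dataclass(frozen=True)
class PrefixListName:
    scope: str                  # "account" (pl::...) or "system" (pl:system:...)
    list_: str                  # platform service, e.g. "vpcs" or "object-storage"
    key: str                    # service instance, e.g. "101", "us-iad" or "<current>"
    subdivision: Optional[str]  # trailing subdivision such as "staging", if any
    special: bool               # True for pl::vpcs:<current> / pl::subnets:<current>

    @property
    def public(self) -> bool:
        # Names under pl:: are always private; pl:system: names are platform-wide.
        return self.scope == "system"


def parse_prefix_list_name(name: str) -> PrefixListName:
    """Parse and validate a Prefix List name; raise ValueError if malformed."""
    m = _NAME_RE.match(name)
    if not m:
        raise ValueError(f"not a valid Prefix List name: {name!r}")
    scope = "system" if m["scope"] == "system" else "account"
    special = m["key"] == _SPECIAL_KEY
    # Assumption: <current> is only meaningful in the two special account-scoped
    # names the page lists, and takes no subdivision.
    if special and (scope != "account" or m["list"] not in ("vpcs", "subnets") or m["sub"]):
        raise ValueError(f"<current> is only valid as pl::vpcs:<current> or pl::subnets:<current>: {name!r}")
    return PrefixListName(scope, m["list"], m["key"], m["sub"], special)


def is_valid_prefix_list_name(name: str) -> bool:
    """Convenience wrapper for validating references before placing them in a rule."""
    try:
        parse_prefix_list_name(name)
        return True
    except ValueError:
        return False
```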