AWS Security ChangesHomeSearch

AWS network-manager documentation change

Service: network-manager · 2026-04-04 · Documentation low

File: network-manager/latest/cloudwan/cloudwan-policy-examples-routing-policies.md

Summary

Updated routing policy example to clarify rule ordering (allow rules with lower numbers supersede drop rules with higher numbers) and added a new drop-all rule (rule 200) to the example policy configuration

Security assessment

This change clarifies routing policy behavior and adds a drop-all rule example, which helps users implement proper route filtering. While this is security-related documentation (network segmentation and route filtering are security controls), there's no evidence it addresses a specific security vulnerability or incident.

Diff

diff --git a/network-manager/latest/cloudwan/cloudwan-policy-examples-routing-policies.md b/network-manager/latest/cloudwan/cloudwan-policy-examples-routing-policies.md
index 3f493ff6e..6baaad008 100644
--- a//network-manager/latest/cloudwan/cloudwan-policy-examples-routing-policies.md
+++ b//network-manager/latest/cloudwan/cloudwan-policy-examples-routing-policies.md
@@ -7 +7 @@
-In this policy example, there are three segments `hybrid`, `production` and `development` with on-premises networks onboarding to `hybrid` segment via VPN or Direct Connect attachments and VPCs onboarding to `production` and `development` segments. There are two routing policies defined for filtering routes. Routing policy `100` only allows inbound routes from CIDR ranges `10.10.0.0/16` and `172.16.0.0/16` and is applied via label `inboundRouteFilterHybrid` to all VPN and Direct Connect attachments that connect to remote sites and onboard to the `hybrid` segment. Routing policy `200` only allows inbound routes from CIDR range `10.10.0.0/16` and is applied to the segment share between `production` and `hybrid` segment. As a result only `10.10.0.0/16` network routes from on-premises networks are learnt in the `production` segment and all other routes are filtered. Routing policy `300` will drop all routes contained in the prefix list referenced by the alias `prefixListAlias` see [AWS Cloud WAN prefix list associations](./cloudwan-prefix-lists.html) on how to setup a core network prefix list association. Routing policy `300` is applied to the segment `production` across the edge locations `us-east-2` and `us-west-2` since `us-east-2` is the first edge location in the segment action definition and the routing policy is inbounds the drop action will affect all routes coming from `us-west-2` going `us-east-2`. 
+In this policy example, there are three segments `hybrid`, `production` and `development` with on-premises networks onboarding to `hybrid` segment via VPN or Direct Connect attachments and VPCs onboarding to `production` and `development` segments. There are two routing policies defined for filtering routes. Routing policy `100` only allows inbound routes from CIDR ranges `10.10.0.0/16` and `172.16.0.0/16` and is applied via label `inboundRouteFilterHybrid` to all VPN and Direct Connect attachments that connect to remote sites and onboard to the `hybrid` segment (the allow rule will supersede the drop all routes rule that comes afterwards for all matching routes, thus allowing routes matching `10.10.0.0/16` and `172.16.0.0/16` and dropping everything else, the allow rule number must be lower than the drop rule number). Routing policy `200` only allows inbound routes from CIDR range `10.10.0.0/16` and is applied to the segment share between `production` and `hybrid` segment. As a result only `10.10.0.0/16` network routes from on-premises networks are learnt in the `production` segment and all other routes are filtered. Routing policy `300` will drop all routes contained in the prefix list referenced by the alias `prefixListAlias` see [AWS Cloud WAN prefix list associations](./cloudwan-prefix-lists.html) on how to setup a core network prefix list association. Routing policy `300` is applied to the segment `production` across the edge locations `us-east-2` and `us-west-2` since `us-east-2` is the first edge location in the segment action definition and the routing policy is inbounds the drop action will affect all routes coming from `us-west-2` going `us-east-2`. 
@@ -90 +90 @@ In this policy example, there are three segments `hybrid`, `production` and `dev
-          "routing-policy-description": "Filter routes landing in hybrid segment from on-premises network",
+          "routing-policy-description": "Filter all routes landing in hybrid segment from on-premises network except for allowed routes",
@@ -111,0 +112,15 @@ In this policy example, there are three segments `hybrid`, `production` and `dev
+            },
+            {
+              "rule-number": 200,
+              "rule-definition": {
+                "match-conditions": [
+                  {
+                    "type": "prefix-in-cidr",
+                    "value": "0.0.0.0/0"
+                  }
+                ],
+                "condition-logic": "or",
+                "action": {
+                  "type": "drop"
+                }
+              }