0% found this document useful (0 votes)

97 views123 pages

Global Accelerator Guide

Tech guide ains

Uploaded by

Sherman Hakim

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

97 views123 pages

Global Accelerator Guide

Tech guide ains

Uploaded by

Sherman Hakim

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 123

AWS Global Accelerator

Developer Guide
AWS Global Accelerator Developer Guide

AWS Global Accelerator: Developer Guide

Amazon's trademarks and trade dress may not be used in connection with any product or service that is not
Amazon's, in any manner that is likely to cause confusion among customers, or in any manner that disparages or
discredits Amazon. All other trademarks not owned by Amazon are the property of their respective owners, who may
or may not be aﬃliated with, connected to, or sponsored by Amazon.
AWS Global Accelerator Developer Guide

Table of Contents
What is AWS Global Accelerator? ......................................................................................................... 1
Components .............................................................................................................................. 2
How it works ............................................................................................................................. 3
Idle timeout ...................................................................................................................... 4
Static IP addresses ............................................................................................................. 5
Traffic dials and endpoint weights ........................................................................................ 5
Health checks .................................................................................................................... 6
Types of accelerators ................................................................................................................. 6
Location and IP address ranges of edge servers ............................................................................. 7
Use cases .................................................................................................................................. 7
Speed Comparison Tool .............................................................................................................. 8
How to get started .................................................................................................................... 9
Tagging ..................................................................................................................................... 9
Tagging support in Global Accelerator ................................................................................ 10
Adding, editing, and deleting tags in Global Accelerator ........................................................ 10
Pricing .................................................................................................................................... 11
Getting started ................................................................................................................................ 12
Getting started with a standard accelerator ................................................................................ 12
Before you begin ............................................................................................................ 12
Step 1: Create an accelerator ............................................................................................ 13
Step 2: Add listeners ........................................................................................................ 13
Step 3: Add endpoint groups ............................................................................................. 14
Step 4: Add endpoints ...................................................................................................... 14
Step 5: Test your accelerator ............................................................................................. 15
Step 6 (optional): Delete your accelerator ........................................................................... 15
Getting started with a custom routing accelerator ....................................................................... 16
Before you begin ............................................................................................................ 16
Step 1: Create a custom routing accelerator ....................................................................... 16
Step 2: Add listeners ........................................................................................................ 16
Step 3: Add endpoint groups ............................................................................................ 17
Step 4: Add VPC subnet endpoints .................................................................................... 17
Step 5 (optional): Delete your accelerator ........................................................................... 18
Actions ............................................................................................................................................ 20
Work with standard accelerators ........................................................................................................ 22
Standard accelerators ............................................................................................................... 22
Creating or updating a standard accelerator ....................................................................... 23
Deleting an accelerator .................................................................................................... 24
Viewing your accelerators .................................................................................................. 24
Add an accelerator when you create a load balancer ............................................................ 24
Using global static IP addresses instead of regional static IP addresses .................................... 25
Listeners for standard accelerators ............................................................................................. 26
Adding, editing, or removing a standard listener .................................................................. 26
Client affinity ................................................................................................................... 27
Endpoint groups for standard accelerators .................................................................................. 27
Adding, editing, or removing a standard endpoint group ...................................................... 28
Using traffic dials ............................................................................................................. 29
Overriding listener ports ................................................................................................... 30
Changing health check options .......................................................................................... 31
Endpoints for standard accelerators ............................................................................................ 32
Adding, editing, or removing a standard endpoint ................................................................ 33
Endpoint weights ............................................................................................................ 34
Adding endpoints with client IP address preservation ........................................................... 35
Transitioning endpoints to use client IP address preservation ................................................ 36
Work with custom routing accelerators ............................................................................................... 39

iii
AWS Global Accelerator Developer Guide

How custom routing accelerators work ....................................................................................... 40

Example of how custom routing works in Global Accelerator ................................................. 40
Guidelines and restrictions for custom routing accelerators ............................................................ 42
Custom routing accelerators ...................................................................................................... 44
Creating or updating a custom routing accelerator .............................................................. 44
Viewing your custom routing accelerators .......................................................................... 45
Deleting a custom routing accelerator ................................................................................ 45
Listeners for custom routing accelerators .................................................................................... 46
Adding, editing, or removing a custom routing listener ......................................................... 46
Endpoint groups for custom routing accelerators ......................................................................... 47
Adding, editing, or removing an endpoint group .................................................................. 48
VPC subnet endpoints for custom routing accelerators .................................................................. 49
Adding, editing, or removing a VPC subnet endpoint ........................................................... 49
DNS addressing and custom domains ................................................................................................. 52
Support for DNS addressing in Global Accelerator ........................................................................ 52
Route custom domain traffic to your accelerator .......................................................................... 52
Bring your own IP addresses ...................................................................................................... 53
Requirements ................................................................................................................... 53
IP address range authorization ........................................................................................... 54
Provision the address range for use with AWS Global Accelerator ............................................ 56
Advertise the address range through AWS ........................................................................... 57
Deprovision the address range ........................................................................................... 58
Create an accelerator ........................................................................................................ 58
Preserve client IP addresses ............................................................................................................... 59
How to enable client IP address preservation .............................................................................. 59
Benefits of client IP address preservation .................................................................................... 60
How the client IP address is preserved ........................................................................................ 61
Best practices for client IP address preservation ........................................................................... 61
Supported AWS Regions for client IP address preservation ............................................................ 63
Logging and monitoring .................................................................................................................... 64
Flow logs ................................................................................................................................ 64
Publishing to Amazon S3 .................................................................................................. 64
Timing of log file delivery ................................................................................................. 68
Flow log record syntax ...................................................................................................... 68
CloudWatch monitoring ............................................................................................................ 70
Global Accelerator metrics ................................................................................................. 70
Metric dimensions for accelerators ...................................................................................... 72
Statistics for Global Accelerator metrics .............................................................................. 73
View CloudWatch metrics for your accelerators .................................................................... 74
CloudTrail logging .................................................................................................................... 75
Global Accelerator information in CloudTrail ........................................................................ 76
Understanding Global Accelerator log file entries ................................................................. 76
Security ........................................................................................................................................... 83
Identity and access management ............................................................................................... 83
Concepts and terms .......................................................................................................... 84
Permissions required for console access, authentication management, and access control ........... 85
How Global Accelerator works with IAM .............................................................................. 88
Troubleshooting authentication and access control ............................................................... 89
Tag-based policies ........................................................................................................... 90
Service-linked role for Global Accelerator ............................................................................ 90
Overview of access and authentication ................................................................................ 94
Secure VPC connections .......................................................................................................... 108
Logging and monitoring .......................................................................................................... 108
Compliance validation ............................................................................................................. 109
Resilience .............................................................................................................................. 109
Infrastructure security ............................................................................................................. 110
Quotas .......................................................................................................................................... 111

iv
AWS Global Accelerator Developer Guide

General quotas ....................................................................................................................... 111

Quotas for endpoints per endpoint group ................................................................................. 111
Related quotas ....................................................................................................................... 112
Related information ........................................................................................................................ 113
Additional AWS Global Accelerator documentation .................................................................... 113
Getting support ...................................................................................................................... 113
Tips from the Amazon Web Services Blog .................................................................................. 113
Document history ........................................................................................................................... 115
AWS glossary ................................................................................................................................. 118

v
AWS Global Accelerator Developer Guide

What is AWS Global Accelerator?

AWS Global Accelerator is a service in which you create accelerators to improve the performance of your
applications for local and global users. Depending on the type of accelerator you choose, you can gain
additional beneﬁts.

• By using a standard accelerator, you can improve availability of your internet applications that are
used by a global audience. With a standard accelerator, Global Accelerator directs traﬃc over the AWS
global network to endpoints in the nearest Region to the client.
• By using a custom routing accelerator, you can map one or more users to a speciﬁc destination among
many destinations.

Global Accelerator is a global service that supports endpoints in multiple AWS Regions. To determine
if Global Accelerator or other services are currently supported in a speciﬁc AWS Region, see the AWS
Regional Services List.

By default, Global Accelerator provides you with two static IP addresses that you associate with your
accelerator. With a standard accelerator, instead of using the IP addresses that Global Accelerator
provides, you can configure these entry points to be IPv4 addresses from your own IP address ranges
that you bring to Global Accelerator. The static IP addresses are anycast from the AWS edge network.
Important
The static IP addresses remain assigned to your accelerator for as long as it exists, even if
you disable the accelerator and it no longer accepts or routes traffic. However, when you
delete an accelerator, you lose the static IP addresses that are assigned to it, so you can no
longer route traffic by using them. You can use IAM policies like tag-based permissions with
Global Accelerator to limit the users who have permissions to delete an accelerator. For more
information, see Tag-based policies (p. 90).

For standard accelerators, Global Accelerator uses the AWS global network to route traffic to the optimal
regional endpoint based on health, client location, and policies that you configure, which increases the
availability of your applications. Endpoints for standard accelerators can be Network Load Balancers,
Application Load Balancers, Amazon EC2 instances, or Elastic IP addresses that are located in one AWS
Region or multiple Regions. The service reacts instantly to changes in health or configuration to ensure
that internet traffic from clients is always directed to healthy endpoints.

Custom routing accelerators only support virtual private cloud (VPC) subnet endpoint types and route
traﬃc to private IP addresses in that subnet.

Topics
• AWS Global Accelerator components (p. 2)
• How AWS Global Accelerator works (p. 3)
• Types of accelerators (p. 6)
• Location and IP address ranges of Global Accelerator edge servers (p. 7)
• AWS Global Accelerator use cases (p. 7)
• AWS Global Accelerator Speed Comparison Tool (p. 8)
• How to get started with AWS Global Accelerator (p. 9)
• Tagging in AWS Global Accelerator (p. 9)

1
AWS Global Accelerator Developer Guide
Components

• Pricing for AWS Global Accelerator (p. 11)

AWS Global Accelerator components

AWS Global Accelerator includes the following components:

Static IP addresses

Global Accelerator provides you with a set of two static IP addresses that are anycast from the AWS
edge network. If you bring your own IP address range to AWS (BYOIP) to use with Global Accelerator,
you can instead assign IP addresses from your own pool to use with your accelerator. For more
information, see Bring your own IP addresses (BYOIP) in AWS Global Accelerator (p. 53).

The IP addresses serve as single ﬁxed entry points for your clients. If you already have Elastic Load
Balancing load balancers, Amazon EC2 instances, or Elastic IP address resources set up for your
applications, you can easily add those to a standard accelerator in Global Accelerator. This allows
Global Accelerator to use static IP addresses to access the resources.

The static IP addresses remain assigned to your accelerator for as long as it exists, even if you
disable the accelerator and it no longer accepts or routes traﬃc. However, when you delete an
accelerator, you lose the static IP addresses that are assigned to it, so you can no longer route traﬃc
by using them. You can use IAM policies like tag-based permissions with Global Accelerator to limit
the users who have permissions to delete an accelerator. For more information, see Tag-based
policies (p. 90).
Accelerator

An accelerator directs traﬃc to endpoints over the AWS global network to improve the performance
of your internet applications. Each accelerator includes one or more listeners.

There are two types of accelerators:

• A standard accelerator directs traffic to the optimal AWS endpoint based on several factors,
including the user’s location, the health of the endpoint, and the endpoint weights that you
configure. This improves the availability and performance of your applications. Endpoints can
be Network Load Balancers, Application Load Balancers, Amazon EC2 instances, or Elastic IP
addresses.
• A custom routing accelerator lets you deterministically route multiple users to a specific EC2
destination behind your accelerator, as is required for some use cases. You do this by directing
users to a unique IP address and port on your accelerator, which Global Accelerator has mapped to
the destination.

For more information, see Types of accelerators (p. 6).

DNS name

Global Accelerator assigns each accelerator a default Domain Name System (DNS) name, similar to
a1234567890abcdef.awsglobalaccelerator.com, that points to the static IP addresses that
Global Accelerator assigns to you or that you choose from your own IP address range. Depending on
the use case, you can use your accelerator's static IP addresses or DNS name to route traﬃc to your
accelerator, or set up DNS records to route traﬃc using your own custom domain name.
Network zone

A network zone services the static IP addresses for your accelerator from a unique IP subnet.
Similar to an AWS Availability Zone, a network zone is an isolated unit with its own set of physical
infrastructure. When you conﬁgure an accelerator, by default, Global Accelerator allocates two
IPv4 addresses for it. If one IP address from a network zone becomes unavailable due to IP address
blocking by certain client networks, or network disruptions, then client applications can retry on the
healthy static IP address from the other isolated network zone.

2
AWS Global Accelerator Developer Guide
How it works

Listener

A listener processes inbound connections from clients to Global Accelerator, based on the port (or
port range) and protocol (or protocols) that you configure. A listener can be configured for TCP,
UDP, or both TCP and UDP protocols. Each listener has one or more endpoint groups associated with
it, and traffic is forwarded to endpoints in one of the groups. You associate endpoint groups with
listeners by specifying the Regions that you want to distribute traffic to. With a standard accelerator,
traffic is distributed to optimal endpoints within the endpoint groups associated with a listener.
Endpoint group

Each endpoint group is associated with a specific AWS Region. Endpoint groups include one or more
endpoints in the Region. With a standard accelerator, you can increase or reduce the percentage of
traffic that would be otherwise directed to an endpoint group by adjusting a setting called a traffic
dial. The traffic dial lets you easily do performance testing or blue/green deployment testing, for
example, for new releases across different AWS Regions.
Endpoint

An endpoint is the resource that Global Accelerator directs traﬃc to.

Endpoints for standard accelerators can be Network Load Balancers, Application Load Balancers,
EC2 instances, or Elastic IP addresses. An Application Load Balancer endpoint can be an internet-
facing or internal. Traffic for standard accelerators is routed to endpoints based on the health of
the endpoint along with configuration options that you choose, such as endpoint weights. For each
endpoint, you can configure weights, which are numbers that you can use to specify the proportion
of traffic to route to each one. This can be useful, for example, to do performance testing within a
Region.

Endpoints for custom routing accelerators are virtual private cloud (VPC) subnets with one or many
Amazon EC2 instances that are the destinations for traﬃc.

How AWS Global Accelerator works

The static IP addresses provided by AWS Global Accelerator serve as single ﬁxed entry points for your
clients. When you set up your accelerator with Global Accelerator, you associate the static IP addresses
to regional endpoints in one or more AWS Regions. For standard accelerators, the endpoints are Network
Load Balancers, Application Load Balancers, Amazon EC2 instances, or Elastic IP addresses. For custom
routing accelerators, endpoints are virtual private cloud (VPC) subnets with one or more EC2 instances.
The static IP addresses accept incoming traﬃc onto the AWS global network from the edge location that
is closest to your users.
Note
If you bring your own IP address range to AWS (BYOIP) to use with Global Accelerator, you can
instead assign static IP addresses from your own pool to use with your accelerator. For more
information, see Bring your own IP addresses (BYOIP) in AWS Global Accelerator (p. 53).

From the edge location, traﬃc for your application is routed based on the type of accelerator that you
conﬁgure.

• For standard accelerators, traffic is routed to the optimal AWS endpoint based on several factors,
including the user’s location, the health of the endpoint, and the endpoint weights that you configure.
• For custom routing accelerators, each client is routed to a specific Amazon EC2 instance and port in a
VPC subnet, based on the external static IP address and listener port that you provide.

Traffic travels over the well-monitored, congestion-free, redundant AWS global network to the endpoint.
By maximizing the time that traffic is on the AWS network, Global Accelerator ensures that traffic is
always routed over the optimum network path.

3
AWS Global Accelerator Developer Guide
Idle timeout

With some endpoint types (in some AWS Regions (p. 63)), you have the option to preserve and access
the client IP address. Two types of endpoints can preserve the source IP address of the client in incoming
packets: Application Load Balancers and Amazon EC2 instances. Global Accelerator does not support
client IP address preservation for Network Load Balancer and Elastic IP address endpoints. Endpoints on
custom routing accelerators always have the client IP address preserved.

Global Accelerator terminates TCP connections from clients at AWS edge locations and, almost
concurrently, establishes a new TCP connection with your endpoints. This gives clients faster response
times (lower latency) and increased throughput.

In standard accelerators, Global Accelerator continuously monitors the health of all endpoints, and
instantly begins directing traﬃc to another available endpoint when it determines that an active
endpoint is unhealthy. This allows you to create a high-availability architecture for your applications on
AWS. Health checks aren't used with custom routing accelerators and there is no failover, because you
specify the destination to route traﬃc to.

When you add an accelerator, security groups and AWS WAF rules that you have already conﬁgured
continue to work as they did before you added the accelerator.

If you want fine-grained control over your global traffic, you can configure weights for your endpoints in
a standard accelerator. You can also increase (dial up) or decrease (dial down) the percentage of traffic to
a particular endpoint group, for example, for performance testing or stack upgrades.

Be aware of the following when you use Global Accelerator:

• IP address advertising: AWS Direct Connect does not advertise IP address prefixes for AWS Global
Accelerator over a public virtual interface. We recommend that you do not advertise IP addresses that
you use to communicate with Global Accelerator over your AWS Direct Connect public virtual interface.
If you advertise IP addresses that you use to communicate with Global Accelerator over your AWS
Direct Connect public virtual interface, it will result in an asymmetric traffic flow: your traffic toward
Global Accelerator goes to Global Accelerator over the internet, but return traffic coming to your on-
premises network comes over your AWS Direct Connect public virtual interface.
• IP fragmentation: IP packets that are too large to fit into a standard Ethernet frame (1500+ bytes)
when transmitted across the internet or other large networks are fragmented by intermediate
routers and sent individually. The TCP protocol does not require IP fragmentation because clients
and endpoints automatically negotiate a smaller Maximum Segment Size (MSS). However, the UDP
protocol requires IP fragmentation. When packets are fragmented, Global Accelerator forwards UDP
fragments to the configured endpoint, which reassembles the original IP packet. Global Accelerator
drops TCP fragments at the edge, because they are not supported by the AWS network.
• Cross-account resources: When you add a resource as an endpoint in Global Accelerator, the resource
cannot belong to another AWS account.

Topics
• Idle timeout in AWS Global Accelerator (p. 4)
• Static IP addresses in AWS Global Accelerator (p. 5)
• Traffic flow management with traffic dials and endpoint weights (p. 5)
• Health checks for AWS Global Accelerator (p. 6)

Idle timeout in AWS Global Accelerator

AWS Global Accelerator sets an idle timeout period that applies to its connections. If no data has
been sent or received by the time that the idle timeout period elapses, Global Accelerator closes the
connection. To ensure that the connection stays alive, the client or the endpoint must send at least 1
byte of data before the idle timeout period elapses.

4
AWS Global Accelerator Developer Guide
Static IP addresses

The Global Accelerator idle timeout for a network connection depends on the type of connection:

• The timeout is 340 seconds for TCP connections.

• The timeout is 30 seconds for UDP connections.

Global Accelerator continues to direct traﬃc to an endpoint until the idle timeout is met, even if the
endpoint is marked as unhealthy. Global Accelerator selects a new endpoint, if needed, only when a new
connection starts or after an idle timeout.

Static IP addresses in AWS Global Accelerator

You use the static IP addresses that Global Accelerator assigns to your accelerator—or that you specify
from your own IP address pool, for standard accelerators—to route internet traffic to the AWS global
network close to where your users are, regardless of their location. For standard accelerators, you
associate the addresses with Network Load Balancers, Application Load Balancers, Amazon EC2
instances, or Elastic IP addresses that run in a single AWS Region or multiple Regions. For custom routing
accelerators, you direct traffic to EC2 destinations in VPC subnets in one or more Regions. Routing traffic
through the AWS global network improves availability and performance because traffic doesn't have to
take multiple hops over the public internet. Using static IP addresses also lets you distribute incoming
application traffic across multiple endpoint resources in multiple AWS Regions.

In addition, using static IP addresses makes it easier to add your application to more Regions or to
migrate applications between Regions. Using ﬁxed IP addresses means that users have a consistent way
to connect to your application as you make changes.

If you like, you can associate your own custom domain name with the static IP addresses for your
accelerator. For more information, see Route custom domain traﬃc to your accelerator (p. 52).

Global Accelerator provides the static IP addresses for you from the Amazon pool of IP addresses, unless
you bring your own IP address range to AWS, and then specify the static IP addresses from that pool.
(For more information, see Bring your own IP addresses (BYOIP) in AWS Global Accelerator (p. 53).) To
create an accelerator on the console, the ﬁrst step is to prompt Global Accelerator to provision the static
IP addresses by entering a name for your accelerator or choose your own static IP addresses. To see the
steps for creating an accelerator, see Getting started with AWS Global Accelerator (p. 12).

The static IP addresses remain assigned to your accelerator for as long as it exists, even if you disable
the accelerator and it no longer accepts or routes traﬃc. However, when you delete an accelerator, you
lose the static IP addresses that are assigned to it, so you can no longer route traﬃc by using them.
You can use IAM policies like tag-based permissions with Global Accelerator to limit the users who have
permissions to delete an accelerator. For more information, see Tag-based policies (p. 90).

Traffic flow management with traffic dials and

endpoint weights
There are two ways that you can customize how AWS Global Accelerator sends traﬃc to your endpoints
with a standard accelerator:

• Change the traffic dial to limit the traffic for one or more endpoint groups
• Specify weights to change the proportion of traffic to the endpoints in a group

How traﬃc dials work

For each endpoint group in a standard accelerator, you can set a traffic dial to control the percentage
of traffic that is sent to the endpoint group. The percentage is applied only to traffic that is already
directed to the endpoint group, not to all listener traffic.

5
AWS Global Accelerator Developer Guide
Health checks

The traffic dial limits the portion of traffic that an endpoint group accepts, expressed as a
percentage of traffic directed to that endpoint group. For example, if you set the traffic dial for an
endpoint group in us-east-1 to 50 (that is, 50%) and the accelerator directs 100 user requests
to that endpoint group, only 50 requests are accepted by the group. The accelerator directs the
remaining 50 requests to endpoint groups in other Regions.

For more information, see Adjusting traffic flow with traffic dials (p. 29).
How weights work

For each endpoint in a standard accelerator, you can specify weights, which are numbers that
change the proportion of traﬃc that the accelerator routes to each endpoint. This can be useful, for
example, to do performance testing within a Region.

A weight is a value that determines the proportion of traﬃc that the accelerator directs to an
endpoint. By default, the weight for an endpoint is 128—that is, half of the maximum value for a
weight, 255.

The accelerator calculates the sum of the weights for the endpoints in an endpoint group, and then
directs traﬃc to the endpoints based on the ratio of each endpoint's weight to the total. For an
example of how weights work, see Endpoint weights (p. 34).

Traffic dials and weights affect how the standard accelerator serves traffic in different ways:

• You configure traffic dials for endpoint groups. The traffic dial lets you cut off a percentage of traffic
—or all traffic—to the group, by "dialing down" traffic that the accelerator has already directed to it
based on other factors, such as proximity.
• You use weights, on the other hand, to set values for individual endpoints within an endpoint group.
Weights provide a way to divide up traffic within the endpoint group. For example, you can use
weights to do performance testing for specific endpoints in a Region.

Note
For more information about how traﬃc dials and weights aﬀect failover, see Failover for
unhealthy endpoints (p. 35).

Health checks for AWS Global Accelerator

For standard accelerators, AWS Global Accelerator automatically checks the health of the endpoints that
are associated with your static IP addresses, and then directs user traﬃc only to healthy endpoints.

Global Accelerator includes default health checks that are run automatically, but you can configure
the timing for the checks and other options. If you've configured custom health check settings, Global
Accelerator uses those settings in specific ways, depending on your configuration. You configure those
settings in Global Accelerator for Amazon EC2 instance or Elastic IP address endpoints or by configuring
settings on the Elastic Load Balancing console for Network Load Balancers or Application Load Balancers.
For more information, see Changing health check options (p. 31).

When you add an endpoint to a standard accelerator, it must pass a health check to be considered
healthy before traﬃc is directed to it. If Global Accelerator doesn’t have any healthy endpoints to route
traﬃc to in a standard accelerator, it routes requests to all endpoints.

Types of accelerators
There are two types of accelerators that you can use with AWS Global Accelerator: standard accelerators
and custom routing accelerators. Both types of accelerators route traﬃc over the AWS global network to
improve performance and stability, but they're each designed for diﬀerent application needs.

6
AWS Global Accelerator Developer Guide
Location and IP address ranges of edge servers

Standard accelerator

By using a standard accelerator, you can improve the availability and performance of your
applications running on Application Load Balancers, Network Load Balancers, or Amazon EC2
instances. With a standard accelerator, Global Accelerator routes client traffic across regional
endpoints based on geo-proximity and endpoint health. It also allows customers to shift client traffic
across endpoints based on controls such as traffic dials and endpoint weights. This works for a wide
variety of use cases, including blue/green deployment, A/B testing, and multi-Region deployment.
To see more use cases, see AWS Global Accelerator use cases (p. 7).

To learn more, see Work with standard accelerators in AWS Global Accelerator (p. 22).
Custom routing accelerator

Custom routing accelerators work well for scenarios where you want to use custom application logic
to direct one or more users to a specific destination and port among many, while still gaining the
performance benefits of Global Accelerator. One example is VoIP applications that assign multiple
callers to a specific media server to start voice, video, and messaging sessions. Another example is
online real-time gaming applications where you want to assign multiple players to a single session
on a game server based on factors such as geographic location, player skill, and game mode.

To learn more, see Work with custom routing accelerators in AWS Global Accelerator (p. 39).

Based on your speciﬁc needs, you create one of these types of accelerators to accelerate your customer
traﬃc.

Location and IP address ranges of Global

Accelerator edge servers
For a list of Global Accelerator edge server locations, see Global Edge Network on the AWS Global
Accelerator features page.

AWS publishes its current IP address ranges in JSON format. To view the current ranges, download
ip-ranges.json. For more information, see AWS IP address ranges in the Amazon Web Services General
Reference.

To ﬁnd the IP address ranges that are associated with AWS Global Accelerator edge servers, search ip-
ranges.json for the following string:

"service": "GLOBALACCELERATOR"

Global Accelerator entries that include "region": "GLOBAL" refer to the static IP addresses that are
allocated to accelerators. If you want to filter for traffic through your accelerator that comes from points
of presence (POPs) in one area, filter for entries that include a specific geographical area, such as us-* or
eu-*. So, for example, if you filter for us-*, you will see only traffic coming through POPs in the United
States (U.S.).

AWS Global Accelerator use cases

Using AWS Global Accelerator can help you accomplish a variety of goals. This section lists some of them,
to give you an idea how you can use Global Accelerator to meet your needs.

Scale for increased application utilization

When application usage grows, the number of IP addresses and endpoints that you need to manage
also increases. Global Accelerator enables you to scale your network up or down. It lets you associate

7
AWS Global Accelerator Developer Guide
Speed Comparison Tool

regional resources, such as load balancers and Amazon EC2 instances, to two static IP addresses.
You include these addresses on allow lists just once in your client applications, ﬁrewalls, and DNS
records. With Global Accelerator, you can add or remove endpoints in AWS Regions, run blue/
green deployment, and do A/B testing without having to update the IP addresses in your client
applications. This is particularly useful for IoT, retail, media, automotive, and healthcare use cases in
which you can't easily update client applications frequently.
Acceleration for latency-sensitive applications

Many applications, especially in areas such as gaming, media, mobile apps, and financials, require
very low latency for a great user experience. To improve the user experience, Global Accelerator
directs user traffic to the application endpoint that is nearest to the client, which reduces internet
latency and jitter. Global Accelerator routes traffic to the closest edge location by using Anycast,
and then routes it to the closest regional endpoint over the AWS global network. Global Accelerator
quickly reacts to changes in network performance to improve your users’ application performance.
Disaster recovery and multi-Region resiliency

You must be able to rely on your network to be available. You might be running your application
across multiple AWS Regions to support disaster recovery, higher availability, lower latency, or
compliance. If Global Accelerator detects that your application endpoint is failing in the primary
AWS Region, it instantly triggers traﬃc re-routing to your application endpoint in the next available,
closest AWS Region.
Protect your applications

Exposing your AWS origins, such as Application Load Balancers or Amazon EC2 instances, to public
internet traﬃc creates an opportunity for malicious attacks. Global Accelerator decreases the risk
of attack by masking your origin behind two static entry points. These entry points are protected
by default from Distributed Denial of Service (DDoS) attacks with AWS Shield. Global Accelerator
creates a peering connection with your Amazon Virtual Private Cloud using private IP addresses,
keeping connections to your internal Application Load Balancers or private EC2 instances oﬀ the
public internet.
Improve performance for VoIP or online gaming applications

Using a custom routing accelerator, you can leverage the performance beneﬁts of Global Accelerator
for your VoIP or gaming applications. For example, you can use Global Accelerator for online gaming
applications that assign multiple players to a single gaming session. Use Global Accelerator to
reduce latency and jitter globally for applications that require custom logic to map users to speciﬁc
endpoints, such as multiplayer games or VoIP calls. You can use a single accelerator to connect
clients to thousands of Amazon EC2 instances running in a single or multiple AWS Regions, while
retaining full control over which client is directed to which EC2 instance and port.

AWS Global Accelerator Speed Comparison Tool

You can use the AWS Global Accelerator Speed Comparison Tool to see Global Accelerator download
speeds compared to direct internet downloads, across AWS Regions. This tool enables you to use your
browser to see the performance difference when you transfer data using Global Accelerator. You choose
a file size to download, and the tool downloads files over HTTPS/TCP from Application Load Balancers in
different Regions to your browser. For each Region, you see a direct comparison of the download speeds.

To access the Speed Comparison Tool, copy the following URL into your browser:

https://speedtest.globalaccelerator.aws

Important
Results may diﬀer when you run the test multiple times. Download times can vary based on
factors that are external to Global Accelerator, such as the quality, capacity, and distance of the
connection in the last-mile network that you're using.

8
AWS Global Accelerator Developer Guide
How to get started

How to get started with AWS Global Accelerator

You can get started with setting up AWS Global Accelerator by using the API or by using the AWS Global
Accelerator console. Because Global Accelerator is a global service, it’s not tied to a speciﬁc AWS Region.
Note that Global Accelerator is a global service that supports endpoints in multiple AWS Regions but you
must specify the US West (Oregon) Region to create or update accelerators.

To get started using Global Accelerator, you follow these general steps:

1. Choose the type of accelerator that you want to create: A standard accelerator or a custom routing
accelerator.
2. Configure the initial setup for Global Accelerator: Provide a name for your accelerator. Then
configure one or more listeners to process inbound connections from clients, based on the protocol
and port (or port range) that you specify.
3. Configure regional endpoint groups for your accelerator: You can select one or more regional
endpoint groups to add to your listener. The listener routes requests to the endpoints that you've
added to an endpoint group.

For a standard accelerator, Global Accelerator monitors the health of endpoints within the group
by using the health check settings that are defined for each of your endpoints. For each endpoint
group in a standard accelerator, you can configure a traffic dial percentage to control the percentage
of traffic that an endpoint group will accept. The percentage is applied only to traffic that is already
directed to the endpoint group, not all listener traffic. By default, the traffic dial is set to 100% for all
regional endpoint groups.

For a custom routing accelerators, traffic is deterministically routed to a specific destination in a VPC
subnet, based on the listener port that the traffic is received on.
4. Add endpoints to endpoint groups: The endpoints that you add depend on the type of accelerator.
• For a standard accelerator, you can add one or more regional resources, such as load balancers or
EC2 instances endpoints, to each endpoint group. Next, you can decide how much traffic you want
to route to each endpoint by setting endpoint weights.
• For a custom routing accelerator, you add one or more virtual private cloud (VPC) subnets with up
to thousands of Amazon EC2 instance destinations.

For detailed steps about how to create a standard accelerator or a custom routing accelerator using the
AWS Global Accelerator console, see Getting started with AWS Global Accelerator (p. 12). To work
with API operations, see Common actions that you can use with AWS Global Accelerator (p. 20) and
the AWS Global Accelerator API Reference.

Tagging in AWS Global Accelerator

Tags are words or phrases (metadata) that you use to identify and organize your AWS resources. You can
add multiple tags to each resource, and each tag includes a key and a value that you deﬁne. For example,
the key might be environment and the value might be production. You can search and ﬁlter your
resources based on the tags you add. In AWS Global Accelerator, you can tag accelerators.

The following are two examples of how it can be useful to work with tags in Global Accelerator:

• Use tags to track billing information in diﬀerent categories. To do this, apply tags to accelerators or
other AWS resources (such as Network Load Balancers, Application Load Balancers, or Amazon EC2
instances) and activate the tags. Then AWS generates a cost allocation report as a comma-separated
value (CSV ﬁle) with your usage and costs aggregated by your active tags. You can apply tags that
represent business categories (such as cost centers, application names, or owners) to organize your

9
AWS Global Accelerator Developer Guide
Tagging support in Global Accelerator

costs across multiple services. For more information, see Using Cost Allocation Tags in the AWS Billing
and Cost Management User Guide.
• Use tags to enforce tag-based permissions for accelerators. To do this, create IAM policies that
specify tags and tag values to allow or disallow actions. For more information, see Tag-based
policies (p. 90).

For usage conventions and links to other resources about tagging, see Tagging AWS resources in the AWS
General Reference. For tips on using tags, see Tagging Best Practices: AWS Resource Tagging Strategy in
the AWS Whitepapers blog.

For the maximum number of tags that you can add to a resource in Global Accelerator, see Quotas for
AWS Global Accelerator (p. 111).

You can add and update tags by using the AWS console, AWS CLI, or Global Accelerator API. This chapter
includes steps for working with tagging in the console. For more information about working with tags by
using the AWS CLI and the Global Accelerator API, including CLI examples, see the following operations
in the AWS Global Accelerator API Reference:

• CreateAccelerator
• TagResource
• UntagResource
• ListTagsForResource

Tagging support in Global Accelerator

AWS Global Accelerator supports tagging for accelerators.

Global Accelerator supports the tag-based access control feature of AWS Identity and Access
Management (IAM). For more information, see Tag-based policies (p. 90).

Adding, editing, and deleting tags in Global

Accelerator
The following procedure explains how to add, edit, and delete tags for accelerators in the Global
Accelerator console.
Note
You can add or remove tags using the console, the AWS CLI, or Global Accelerator API
operations. For more information, including CLI examples, see TagResource in the AWS Global
Accelerator API Reference.

To add tags, edit, or delete tags in Global Accelerator

1. Open the Global Accelerator console at https://console.aws.amazon.com/globalaccelerator/home.

2. Choose the accelerator that you want to add or update tags for.
3. In the Tags section, you can do the following:

Add a tag

Choose Add tag, then enter a key and, optionally, a value for the tag.
Edit a tag

Update the text for a key, value, or both. You can also clear the value for a tag, but the key is
required.

10
AWS Global Accelerator Developer Guide
Pricing

Delete a tag

Choose Remove on the right side of the value ﬁeld.

4. Choose Save changes.

Pricing for AWS Global Accelerator

With AWS Global Accelerator, you pay only for what you use. You are charged an hourly rate and data
transfer costs for each accelerator in your account. For more information, see AWS Global Accelerator
Pricing.

11
AWS Global Accelerator Developer Guide
Getting started with a standard accelerator

Getting started with AWS Global

Accelerator
These tutorials provide the steps for getting started with AWS Global Accelerator using the console.
You can also use AWS Global Accelerator API operations to create and customize your accelerators.
At each step in this tutorial, there's a link to the corresponding API operation for completing the task
programmatically. (When you set up a custom routing accelerator, you must use the API for certain
conﬁguration steps.) For more information about working with AWS Global Accelerator API operations,
see the AWS Global Accelerator API Reference.
Tip
To explore how you can use Global Accelerator to improve performance and availability for web
applications, check out the following self-paced workshop: AWS Global Accelerator Workshop.

Global Accelerator is a global service that supports endpoints in multiple AWS Regions, which are listed
in the AWS Region Table.

This chapter includes two tutorials: one for creating a standard accelerator and one for creating a
custom routing accelerator. To learn more about the two types of accelerators, see Work with standard
accelerators in AWS Global Accelerator (p. 22) and Work with custom routing accelerators in AWS
Global Accelerator (p. 39).

Topics
• Getting started with a standard accelerator (p. 12)
• Getting started with a custom routing accelerator (p. 16)

Getting started with a standard accelerator

This section provides steps for creating a standard accelerator that routes traﬃc to an optimal endpoint.

Tasks

• Before you begin (p. 12)

• Step 1: Create an accelerator (p. 13)
• Step 2: Add listeners (p. 13)
• Step 3: Add endpoint groups (p. 14)
• Step 4: Add endpoints (p. 14)
• Step 5: Test your accelerator (p. 15)
• Step 6 (optional): Delete your accelerator (p. 15)

Before you begin

Before you create an accelerator, create at least one resource that you can add as an endpoint to direct
traﬃc to. For example, create one of the following:

12
AWS Global Accelerator Developer Guide
Step 1: Create an accelerator

• Launch at least one Amazon EC2 instance to add as an endpoint. For more information, see Create
your EC2 resources and launch your EC2 instance in the Amazon EC2 User Guide for Linux Instances.
• Optionally, create one or more Network Load Balancers or Application Load Balancers that includes
EC2 instances. For more information, see Create a Network Load Balancer Application Load Balancer in
the User Guide for Network Load Balancers.

When you create a resource to add to Global Accelerator, be aware of the following:

• When you add an internal Application Load Balancer or an EC2 instance endpoint in Global Accelerator,
you enable internet traffic to flow directly to and from the endpoint in virtual private clouds (VPCs) by
targeting it in a private subnet. The VPC that contains the load balancer or EC2 instance must have an
internet gateway attached to it, to indicate that the VPC accepts internet traffic. For more information,
see Secure VPC connections in AWS Global Accelerator (p. 108).
• Global Accelerator requires your router and firewall rules to allow inbound traffic from the IP
addresses associated with Route 53 health checkers to complete health checks for EC2 instance or
Elastic IP address endpoints. You can find information about the IP address ranges associated with
Amazon Route 53 health checkers in Health Checks for Your Target Groups in the Amazon Route 53
Developer Guide.

Step 1: Create an accelerator

To create your accelerator, you enter a name.
Note
To complete this task by using an API operation instead of the console, see CreateAccelerator in
the AWS Global Accelerator API Reference.

To create an accelerator

1. Open the Global Accelerator console at https://console.aws.amazon.com/globalaccelerator/home.

2. Choose Create accelerator.
3. Provide a name for your accelerator.
4. Optionally, add one or more tags to help you identify your Global Accelerator resources.
5. Choose Next.

Step 2: Add listeners

Create a listener to process inbound connections from your users to Global Accelerator.
Note
To complete this task by using an API operation instead of the console, see CreateListener in the
AWS Global Accelerator API Reference.

To create a listener

1. On the Add listener page, enter the ports or port ranges that you want to associate with the
listener. Listeners support ports 1-65535.
2. Choose the protocol or protocols for the ports that you entered.
3. Optionally, choose to enable client affinity. Client affinity for a listener means that Global
Accelerator ensures that connections from a specific source (client) IP address are always routed to
the same endpoint. To enable this behavior, in the dropdown list, choose Source IP.

The default is None, which means that client aﬃnity is not enabled and Global Accelerator
distributes traﬃc equally between the endpoints in the endpoint groups for the listener.

13
AWS Global Accelerator Developer Guide
Step 3: Add endpoint groups

For more information, see Client aﬃnity (p. 27).

4. Optionally, choose Add listener to add an additional listener.
5. When you're ﬁnished adding listeners, choose Next.

Step 3: Add endpoint groups

Add one or more endpoint groups, each of which is associated with a speciﬁc AWS Region.
Note
To complete this task by using an API operation instead of the console, see
CreateEndpointGroup in the AWS Global Accelerator API Reference.

To add an endpoint group

1. On the Add endpoint groups page, in the section for a listener, choose a Region from the dropdown
list.
2. Optionally, for Traffic dial, enter a number from 0 to 100 to set a percentage of traffic for this
endpoint group. The percentage is applied only to the traffic already directed to this endpoint group,
not all listener traffic. By default, the traffic dial for an endpoint group is set to 100 (that is, 100%).
3. Optionally, for custom health check values, choose Configure health checks. When you configure
health check settings, Global Accelerator uses the settings for health checks for EC2 instance and
Elastic IP address endpoints. For Network Load Balancer and Application Load Balancer endpoints,
Global Accelerator uses the health check settings that you've already configured for the load
balancers themselves. For more information, see Changing health check options (p. 31).
4. Optionally, choose Add endpoint group to add additional endpoint groups for this listener or other
listeners.
5. Choose Next.

Step 4: Add endpoints

Add one or more endpoints that are associated with speciﬁc endpoint groups. This step isn't required,
but no traﬃc is directed to endpoints in a Region unless the endpoints are included in an endpoint
group.
Note
If you're creating your accelerator programmatically, you add endpoints as part of adding
endpoint groups. For more information, see CreateEndpointGroup in the AWS Global Accelerator
API Reference.

To add endpoints

1. On the Create endpoints page, in the section for an endpoint, choose an Endpoint.
2. Optionally, for Weight, enter a number from 0 to 255 to set a weight for routing traffic to this
endpoint. When you add weights to endpoints, you configure Global Accelerator to route traffic
based on proportions that you specify. By default, all endpoints have a weight of 128. For more
information, see Endpoint weights (p. 34).
3. Optionally, for an Application Load Balancer endpoint, under Preserve client IP address,
select Preserve address. For more information, see Preserve client IP addresses in AWS Global
Accelerator (p. 59).
4. Optionally, choose Add endpoint to add more endpoints.
5. Choose Next.

14
AWS Global Accelerator Developer Guide
Step 5: Test your accelerator

After you choose Next, on the Global Accelerator dashboard you'll see a message that your accelerator is
in progress. When the process is ﬁnished, the accelerator status in the dashboard is Active.

Step 5: Test your accelerator

Take steps to test your accelerator to make sure that traffic is being directed to your endpoints. For
example, run a curl command such as the following, substituting one of your accelerator's static IP
addresses, to show the AWS Regions where requests are processed. This is especially helpful if you set
different weights for endpoints or adjust the traffic dial on endpoint groups.

Run a curl command like the following, substituting one of your accelerator's static IP addresses, to call
the IP address 100 times and then output a count of where each request was processed.

for ((i=0;i<100;i++)); do curl http://198.51.100.0/ >> output.txt; done; cat output.txt |

sort | uniq -c ; rm output.txt;

If you've adjusted the traffic dial on any endpoint groups, this command can help you confirm that your
accelerator is directing the correct percentages of traffic to different groups. For more information, see
the detailed examples in the following blog post, Traffic management with AWS Global Accelerator.

Step 6 (optional): Delete your accelerator

If you created an accelerator as a test or if you're no longer using an accelerator, you can delete it. On
the console, disable the accelerator, and then you can delete it. You don't have to remove listeners and
endpoint groups from the accelerator.

To delete an accelerator by using an API operation instead of the console, you must ﬁrst remove all
listeners and endpoint groups that are associated with the accelerator as well as disable it. For more
information, see the DeleteAccelerator operation in the AWS Global Accelerator API Reference.

Be aware of the following when you remove endpoints or endpoint groups, or delete an accelerator:

• When you create an accelerator, Global Accelerator provides you with a set of two static IP addresses.
The IP addresses are assigned to your accelerator for as long as it exists, even if you disable the
accelerator and it no longer accepts or routes traffic. However, when you delete an accelerator, you lose
the static IP addresses that are assigned to the accelerator, so you can no longer route traffic by using
them. As a best practice, ensure that you have permissions in place to avoid inadvertently deleting
accelerators. You can use IAM policies with Global Accelerator, for example, tag-based permissions, to
limit the users who have permissions to delete an accelerator. For more information, see Tag-based
policies (p. 90).
• If you terminate an EC2 instance before you remove it from an endpoint group in Global Accelerator,
and then you create another instance with the same private IP address, and health checks pass, Global
Accelerator will route traffic to the new endpoint. If you don't want this to happen, remove the EC2
instance from the endpoint group before you terminate the instance.

To delete an accelerator

1. Open the Global Accelerator console at https://console.aws.amazon.com/globalaccelerator/home.

2. Choose the accelerator that you want to delete.
3. Choose Edit.
4. Choose Disable accelerator, and then choose Save.
5. Choose the accelerator that you want to delete.
6. Choose Delete accelerator.
7. In the conﬁrmation dialog box, choose Delete.

15
AWS Global Accelerator Developer Guide
Getting started with a custom routing accelerator

Getting started with a custom routing accelerator

This section provides steps for creating a custom routing accelerator that routes traﬃc deterministically
to Amazon EC2 instance destinations in virtual private cloud (VPC) subnet endpoints.

Tasks

• Before you begin (p. 16)

• Step 1: Create a custom routing accelerator (p. 16)
• Step 2: Add listeners (p. 16)
• Step 3: Add endpoint groups (p. 17)
• Step 4: Add endpoints (p. 17)
• Step 5 (optional): Delete your accelerator (p. 18)

Before you begin

Before you create a custom routing accelerator, create a resource that you can add as an endpoint to
direct traﬃc to. A custom routing accelerator endpoint must be a virtual private cloud (VPC) subnet,
which can include multiple Amazon EC2 instances. For instructions for creating the resources see the
following:

• Create a VPC subnet. For more information, see Create and Conﬁgure Your VPC in the AWS Directory
Service Administration Guide.
• Optionally, launch one or more Amazon EC2 instances in your VPC. For more information, see Create
your EC2 resources and launch your EC2 instance in the Amazon EC2 User Guide for Linux Instances.

When you create a resource to add to Global Accelerator, be aware of the following:

• When you add an EC2 instance endpoint in Global Accelerator, you enable internet traffic to flow
directly to and from the endpoint in VPCs by targeting it in a private subnet. The VPC that contains the
EC2 instance must have an internet gateway attached to it, to indicate that the VPC accepts internet
traffic. For more information, see Secure VPC connections in AWS Global Accelerator (p. 108).

Step 1: Create a custom routing accelerator

Note
To complete this task by using an API operation instead of the console, see
CreateCustomRoutingAccelerator in the AWS Global Accelerator API Reference.

To create an accelerator

1. Open the Global Accelerator console at https://console.aws.amazon.com/globalaccelerator/home.

2. Provide a name for your accelerator.
3. For Accelerator type, select Custom routing.
4. Optionally, add one or more tags to help you identify your accelerator resources.
5. Choose Next to add listeners, endpoint groups, and VPC subnet endpoints.

Step 2: Add listeners

Create a listener to process inbound connections from your users to Global Accelerator.

16
AWS Global Accelerator Developer Guide
Step 3: Add endpoint groups

The range that you specify when you create a listener deﬁnes how many listener port and destination IP
address combinations that you can use with your custom routing accelerator. For maximum ﬂexibility, we
recommend that you specify a large port range. Each listener port range that you specify must include a
minimum of 16 ports.
Note
To complete this task by using an API operation instead of the console, see
CreateCustomRoutingListener in the AWS Global Accelerator API Reference.

To create a listener

1. On the Add listener page, enter the ports or port ranges that you want to associate with the
listener. Listeners support ports 1-65535.
2. Choose the protocol or protocols for the ports that you entered.
3. Optionally, choose Add listener to add an additional listener.
4. When you're ﬁnished adding listeners, choose Next.

Step 3: Add endpoint groups

Add one or more endpoint groups, each of which is associated with a speciﬁc AWS Region. For each
endpoint group, specify one or more sets of port ranges and protocols. Global Accelerator uses these to
direct traﬃc to Amazon EC2 instances in subnets in the Region.

For each port range that you provide, you also specify the protocol to use: UDP, TCP, or both UDP and
TCP.
Note
To complete this task by using an API operation instead of the console, see
CreateCustomRoutingEndpointGroup in the AWS Global Accelerator API Reference.

To add an endpoint group

1. On the Add endpoint groups page, in the section for a listener, choose a Region.
2. For Ports and protocols sets, enter port ranges and protocols for your Amazon EC2 instances.

• Enter a From port and a To port to specify a range of ports.

• For each port range, specify the protocol or protocols for that range.

The port range doesn't have to be a subset of your listener port range, but there must be enough
total ports in the listener port range to support the total number of ports that you specify.
3. Choose Save.
4. Optionally, choose Add endpoint group to add additional endpoint groups for this listener or other
listeners.
5. Choose Next.

Step 4: Add VPC subnet endpoints

Add one or more virtual private cloud (VPC) subnet endpoints for this regional endpoint group.
Endpoints for custom routing accelerators deﬁne the VPC subnets that can receive traﬃc through a
custom routing accelerator. Each subnet can contain one or many Amazon EC2 instance destinations.

When you add a VPC subnet endpoint, Global Accelerator generates new port mappings that you can
use to route traﬃc to the destination EC2 instance IP addresses in the subnet. Then you can use the

17
AWS Global Accelerator Developer Guide
Step 5 (optional): Delete your accelerator

Global Accelerator API to get a static list of all the port mappings for the subnet, and use the mapping to
deterministically direct traﬃc to speciﬁc EC2 instances.
Note
The steps here show how to add endpoints in the console. If you're creating your accelerator
programmatically, you add endpoints with endpoint groups. For more information, see
CreateCustomRoutingEndpointGroup in the AWS Global Accelerator API Reference.

To add endpoints

1. On the Add endpoints page, in the section for the endpoint group that you want to add the
endpoint to, choose a subnet ID for Endpoint.
2. Optionally, do one of the following to enable traﬃc to EC2 instance destinations in the subnet:

• To allow traffic to be directed to all EC2 endpoints and ports on the subnet, select Allow all traffic
• To allow traffic to specific EC2 endpoints and ports on the subnet, select Allow traffic to specific
destination socket addresses. Then specify the IP addresses and ports or port ranges to allow.
Finally, choose Allow these destinations.

By default, no traffic is allowed to subnet endpoints. If you don't select an option to allow traffic,
traffic is denied to all destinations in the subnet.
Note
If you want to enable traffic to specific EC2 instances and ports in the subnet, you can do
that programmatically. For more information, see AllowCustomRoutingTraffic in the AWS
Global Accelerator API Reference.
3. Choose Next.

After you choose Next, on the Global Accelerator, dashboard you'll see a message that your accelerator is
in progress. When the process is ﬁnished, the accelerator status in the dashboard is Active.

Step 5 (optional): Delete your accelerator

To delete an accelerator by using an API operation instead of the console, you must ﬁrst remove all
listeners and endpoint groups that are associated with the accelerator as well as disable it. For more
information, see the DeleteCustomRoutingAccelerator operation in the AWS Global Accelerator API
Reference.

Be aware of the following when you delete an accelerator:

To delete an accelerator

1. Open the Global Accelerator console at https://console.aws.amazon.com/globalaccelerator/home.

18
AWS Global Accelerator Developer Guide
Step 5 (optional): Delete your accelerator

2. Choose the accelerator that you want to delete.

3. Choose Edit.
4. Choose Disable accelerator, and then choose Save.
5. Choose the accelerator that you want to delete.
6. Choose Delete accelerator.
7. In the conﬁrmation dialog box, choose Delete.

19
AWS Global Accelerator Developer Guide

Common actions that you can use

with AWS Global Accelerator
This section lists common AWS Global Accelerator actions that you can use with Global Accelerator
resources, with links to relevant documentation.

Actions to use with standard resources

The following table lists common Global Accelerator actions that you can use with Global Accelerator
standard accelerators, with links to relevant documentation.

Action Using the Global Accelerator Using the Global Accelerator

Console API

Create a standard accelerator See Getting started with a See CreateAccelerator

standard accelerator (p. 12)

Create a listener for a standard See Listeners for standard See CreateListener
accelerator accelerators in AWS Global
Accelerator (p. 26)

Create a endpoint group for a See Endpoint groups for See CreateEndpointGroup
standard accelerator standard accelerators in AWS
Global Accelerator (p. 27)

Update a standard accelerator See Standard accelerators See UpdateAccelerator

in AWS Global
Accelerator (p. 22)

List your accelerators See Viewing your See ListAccelerator

accelerators (p. 24)

Get all information about an See Viewing your See DescribeAccelerator

accelerator accelerators (p. 24)

Delete an accelerator See Creating or updating a See DeleteAccelerator

standard accelerator (p. 23)

Actions to use with custom routing resources

The following table lists common Global Accelerator actions that you can use with custom routing
accelerators, with links to relevant documentation.

Action Using the Global Accelerator Using the Global Accelerator

Console API

Create a custom routing See Getting started See

accelerator with a custom routing CreateCustomRoutingAccelerator
accelerator (p. 16)

20
AWS Global Accelerator Developer Guide

Action Using the Global Accelerator Using the Global Accelerator

Console API

Create a listener for a custom See Listeners for custom routing See
routing accelerator accelerators in AWS Global CreateCustomRoutingListener
Accelerator (p. 46)

Create an endpoint group for a See Endpoint groups for custom See
custom routing accelerator routing accelerators in AWS CreateCustomRoutingEndpointGroup
Global Accelerator (p. 47)

Update a custom routing See Custom routing See

accelerator accelerators in AWS Global UpdateCustomRoutingAccelerator
Accelerator (p. 44)

List your custom routing See Viewing your custom See

accelerators routing accelerators (p. 45) ListCustomRoutingAccelerator

Get all information about a See Viewing your custom See

custom routing accelerator routing accelerators (p. 45) DescribeCustomRoutingAccelerator

Delete a custom routing See Creating or updating See

accelerator a custom routing DeleteCustomRoutingAccelerator
accelerator (p. 44)

Get the static port mapping for N/A See

a custom routing accelerator ListCustomRoutingPortMappings

Allow all destination traﬃc for See Adding, editing, or See

a subnet in a custom routing removing a VPC subnet AllowCustomRoutingTraffic
accelerator endpoint (p. 49)

Deny all destination traﬃc for See Adding, editing, or See

a subnet in a custom routing removing a VPC subnet DenyCustomRoutingTraffic
accelerator endpoint (p. 49)

Allow traﬃc to speciﬁc See Adding, editing, or See

destinations in a custom routing removing a VPC subnet AllowCustomRoutingTraffic
accelerator endpoint (p. 49)

Deny traﬃc to speciﬁc See Adding, editing, or See

destinations in a custom routing removing a VPC subnet DenyCustomRoutingTraffic
accelerator endpoint (p. 49)

21
AWS Global Accelerator Developer Guide
Standard accelerators

Work with standard accelerators in

AWS Global Accelerator
This chapter includes procedures and recommendations for creating standard accelerators in AWS Global
Accelerator. With a standard accelerator, Global Accelerator chooses the closest healthy endpoint for
your traﬃc.

If instead you want to use custom application logic to direct one or more users to a speciﬁc endpoint
among many endpoints, create a custom routing accelerator. For more information, see Work with
custom routing accelerators in AWS Global Accelerator (p. 39).

To set up a standard accelerator, do the following:

1. Create an accelerator, and choose the standard accelerator option.

2. Add a listener with a speciﬁc set of ports or port range, and choose the protocol to accept: TCP, UDP,
or both.
3. Add one or more endpoint groups, one for each AWS Region in which you have endpoint resources.
4. Add one or more endpoints to endpoint groups. This isn't required, but traﬃc won't be routed if you
don't have any endpoints. Endpoints can be Network Load Balancers, Application Load Balancers,
Amazon EC2 instances, or Elastic IP addresses.

The following sections step through working with standard accelerators, listeners, endpoint groups, and
endpoints.

Topics
• Standard accelerators in AWS Global Accelerator (p. 22)
• Listeners for standard accelerators in AWS Global Accelerator (p. 26)
• Endpoint groups for standard accelerators in AWS Global Accelerator (p. 27)
• Endpoints for standard accelerators in AWS Global Accelerator (p. 32)

Standard accelerators in AWS Global Accelerator

A standard accelerator in AWS Global Accelerator directs traﬃc to optimal endpoints over the AWS global
network to improve the availability and performance of your internet applications that have a global
audience. Each accelerator includes one or more listeners. A listener processes inbound connections
from clients to Global Accelerator, based on the protocol (or protocols) and port (or port range) that you
conﬁgure.

22
AWS Global Accelerator Developer Guide
Creating or updating a standard accelerator

you lose the Global Accelerator static IP addresses that are assigned to the accelerator, so you
can no longer route traﬃc by using them. As a best practice, ensure that you have permissions
in place to avoid inadvertently deleting accelerators. You can use IAM policies with Global
Accelerator, for example, tag-based permissions, to limit the users who have permissions to
delete an accelerator. For more information, see Tag-based policies (p. 90).

This section explains how to create, edit, or delete a standard accelerator on the Global Accelerator
console. If you want to use API operations with Global Accelerator, see the AWS Global Accelerator API
Reference.

Topics
• Creating or updating a standard accelerator (p. 23)
• Deleting an accelerator (p. 24)
• Viewing your accelerators (p. 24)
• Add an accelerator when you create a load balancer (p. 24)
• Using global static IP addresses instead of regional static IP addresses (p. 25)

Creating or updating a standard accelerator

This section explains how to create or update standard accelerators on the console. To work with Global
Accelerator programmatically, see the AWS Global Accelerator API Reference.

To create a standard accelerator

1. Open the Global Accelerator console at https://console.aws.amazon.com/globalaccelerator/home.

2. Choose Create accelerator.
3. Provide a name for your accelerator.
4. For Accelerator type, select Standard.
5. Optionally, if you brought your own IP address ranges to AWS (BYOIP), you can specify a static IP
address for your accelerator, one from each address pool. Make this choice for each of the two static
IP addresses for your accelerator.

• For each static IP address, choose the IP address pool to use.

Note
You must choose a different IP address pool for each static IP address. This restriction is
because Global Accelerator assigns each address range to a different network zone, for
high availability.
• If you chose your own IP address pool, also choose a specific IP address from the pool. If you
choose the default Amazon IP address pool, Global Accelerator assigns a specific IP address to
your accelerator.
6. Optionally, add one or more tags to help you identify your accelerator resources.
7. Choose Next to add listeners, endpoint groups, and endpoints.

To edit a standard accelerator

1. Open the Global Accelerator console at https://console.aws.amazon.com/globalaccelerator/home.

2. In the list of accelerators, choose one, and then choose Edit.
3. On the Edit accelerator page, make any changes that you like. For example, you can disable the
accelerator so that it no longer accepts or routes traﬃc, or so that you can delete it. Or, if the
accelerator is disabled, you can enable it.

23
AWS Global Accelerator Developer Guide
Deleting an accelerator

4. Choose Save changes.

Deleting an accelerator
If you created an accelerator as a test or if you're no longer using an accelerator, you can delete it. On
the console, disable the accelerator, and then you can delete it. You don't have to remove listeners and
endpoint groups from the accelerator.

To delete an accelerator by using an API operation instead of the console, you must ﬁrst remove all
listeners and endpoint groups that are associated with the accelerator, and then disable it. For more
information, see the DeleteAccelerator operation in the AWS Global Accelerator API Reference.

To disable an accelerator

1. Open the Global Accelerator console at https://console.aws.amazon.com/globalaccelerator/home.

2. In the list, choose an accelerator that you want to disable.
3. Choose Edit.
4. Choose Disable accelerator, and then choose Save.

To delete an accelerator

1. Open the Global Accelerator console at https://console.aws.amazon.com/globalaccelerator/home.

2. In the list, choose an accelerator that you want to delete.
3. Choose Delete.
Note
If you haven't disabled the accelerator, Delete is unavailable.
4. In the conﬁrmation dialog box, choose Delete.
Important
When you delete an accelerator, you lose the static IP addresses that are assigned to the
accelerator, so you can no longer route traﬃc by using them.

Viewing your accelerators

You can view information about your accelerators on the console. To see descriptions of your accelerators
programmatically, see ListAccelerators and DescribeAccelerator in the AWS Global Accelerator API
Reference.

To view information about your accelerator

1. Open the Global Accelerator console at https://console.aws.amazon.com/globalaccelerator/home.

2. To see details about an accelerator, in the list, choose an accelerator, and then choose View.

Add an accelerator when you create a load balancer

When you create an Application Load Balancer in the AWS Management Console, you can optionally
add an accelerator at the same time. Elastic Load Balancing and Global Accelerator work together to
transparently add the accelerator for you. The accelerator is created in your account, with the load
balancer as an endpoint. Using an accelerator provides static IP addresses and improves the availability
and performance of your applications. (Learn more about accelerators by reading What is AWS Global
Accelerator? (p. 1).)

24
AWS Global Accelerator Developer Guide
Using global static IP addresses
instead of regional static IP addresses

Important
To create an accelerator, you must have the correct permissions in place. For more information,
see Permissions required for console access, authentication management, and access
control (p. 85).

Conﬁgure and view your accelerator

You must update your DNS configuration to direct traffic to the static IP addresses or DNS name for
the accelerator. Traffic won't go through the accelerator to your load balancer until your configuration
changes are complete.

After you create your load balancer by choosing the Global Accelerator add-on on the Amazon EC2
console, go to the Integrated services tab to see the static IP addresses and Domain Name System (DNS)
name for your accelerator. You use this information to start routing user traﬃc to the load balancer over
the AWS global network. For more information about the DNS name assigned to your accelerator, see
DNS addressing and custom domains in AWS Global Accelerator (p. 52).

You can view and conﬁgure your accelerator by navigating to Global Accelerator in the AWS
Management Console. For example, you can see the accelerators that are associated with your
account or add additional load balancers to your accelerator. For more information, see Viewing your
accelerators (p. 24) and Creating or updating a standard accelerator (p. 23).

Pricing
With AWS Global Accelerator, you pay only for what you use. You are charged an hourly rate and data
transfer costs for each accelerator in your account. For more information, see AWS Global Accelerator
Pricing.

Stop using the accelerator

If you'd like to stop routing traﬃc through Global Accelerator to your load balancer, do the following:

1. Update your DNS conﬁguration to point your traﬃc directly to the load balancer.
2. Delete the load balancer from the accelerator. For more information, see To remove an endpoint in
Adding, editing, or removing a standard endpoint (p. 33).
3. Delete the accelerator. For more information, see Deleting an accelerator (p. 24).

Using global static IP addresses instead of regional

static IP addresses
If you want to use a static IP address in front of an AWS resource, such as an Amazon EC2 instance, you
have several options. For example, you can allocate an Elastic IP address, which is a static IPv4 address
that you can associate with an Amazon EC2 instance or network interface in a single AWS Region.

If you have a global audience, you can create an accelerator with Global Accelerator to get two global
static IP addresses that are announced from AWS edge locations around the world. If you already have
AWS resources set up for your applications, in one or multiple Regions, including Amazon EC2 instances,
Network Load Balancers, and Application Load Balancers, you can easily add those to Global Accelerator
to front them with global static IP addresses.

Opting to use global static IP addresses provisioned by Global Accelerator can also improve the
availability and performance of your applications. With Global Accelerator, static IP addresses accept
incoming traﬃc onto the AWS global network from the edge location that is closest to your users.
Maximizing time that traﬃc is on the AWS network can provide a faster and better customer experience.
For more information, see How AWS Global Accelerator works (p. 3).

25
AWS Global Accelerator Developer Guide
Listeners for standard accelerators

You can add an accelerator from the AWS Management Console or by using API operations with the AWS
CLI or SDKs. For more information, see Creating or updating a standard accelerator (p. 23).

Note the following when you add an accelerator:

• The global static IP addresses provisioned by Global Accelerator remain assigned to you for as long as
your accelerator exists, even if you disable the accelerator and it no longer accepts or routes traﬃc.
However, if you delete an accelerator, you lose the static IP addresses that are assigned to it. For more
information, see Deleting an accelerator (p. 24).
• With Global Accelerator, you pay only for what you use. You are charged an hourly rate and data
transfer costs for each accelerator in your account. For more information, see AWS Global Accelerator
Pricing.

Listeners for standard accelerators in AWS Global

Accelerator
With AWS Global Accelerator, you add listeners that process inbound connections from clients based on
the ports and protocols that you specify. Listeners support TCP, UDP, or both TCP and UDP protocols.

You deﬁne a standard listener when you create your standard accelerator, and you can add more listeners
at any time. You associate each listener with one or more endpoint groups, and you associate each
endpoint group with one AWS Region.

Topics
• Adding, editing, or removing a standard listener (p. 26)
• Client aﬃnity (p. 27)

Adding, editing, or removing a standard listener

This section explains how to work with listeners on the AWS Global Accelerator console. To complete
these tasks by using an API operation instead of the console, see CreateListener, UpdateListener,
and DeleteListener in the AWS Global Accelerator API Reference.

To add a listener

1. Open the Global Accelerator console at https://console.aws.amazon.com/globalaccelerator/home.

2. On the accelerators page, choose an accelerator.
3. Choose Add listener.
4. On the Add listener page, enter the ports or port ranges that you want to associate with the
listener. Listeners support ports 1-65535.
5. Choose the protocol for the ports that you entered.
6. Optionally, choose to enable client affinity. Client affinity for a listener means that Global
Accelerator ensures that connections from a specific source (client) IP address are always routed to
the same endpoint. To enable this behavior, in the dropdown list, choose Source IP.

The default is None, which means that client aﬃnity is not enabled and Global Accelerator
distributes traﬃc equally between the endpoints in the endpoint groups for the listener.

For more information, see Client aﬃnity (p. 27).

7. Choose Add listener.

26
AWS Global Accelerator Developer Guide
Client aﬃnity

To edit a standard listener

1. Open the Global Accelerator console at https://console.aws.amazon.com/globalaccelerator/home.

2. On the accelerators page, choose an accelerator.
3. Choose a listener, and then choose Edit listener.
4. On the Edit listener page, change the ports, port ranges, or protocols that you want to associate
with the listener.
5. Optionally, choose to enable client affinity. Client affinity for a listener means that Global
Accelerator ensures that connections from a specific source (client) IP address are always routed to
the same endpoint. To enable this behavior, in the dropdown list, choose Source IP.

The default is None, which means that client aﬃnity is not enabled and Global Accelerator
distributes traﬃc equally between the endpoints in the endpoint groups for the listener.

For more information, see Client aﬃnity (p. 27).

6. Choose Save.

To remove a listener

1. Open the Global Accelerator console at https://console.aws.amazon.com/globalaccelerator/home.

2. On the accelerators page, choose an accelerator.
3. Choose a listener, and then choose Remove.
4. In the conﬁrmation dialog box, choose Remove.

Client affinity
If you have stateful applications that you use with a standard accelerator, you can choose to have Global
Accelerator direct all requests from a user at a specific source (client) IP address to the same endpoint
resource, to maintain client affinity.

By default, client aﬃnity for a standard listener is set to None and Global Accelerator distributes traﬃc
equally between the endpoints in the endpoint groups for the listener.

Global Accelerator uses a consistent-flow hashing algorithm to choose the optimal endpoint for a user's
connection. If you configure client affinity for your Global Accelerator resource to be None, Global
Accelerator uses the 5-tuple properties—source IP, source port, destination IP, destination port, and
protocol—to select the hash value. Next, it chooses the endpoint that provides the best performance. If a
given client uses different ports to connect to Global Accelerator and you've specified this setting, Global
Accelerator can't ensure that connections from the client are always routed to the same endpoint.

If you want to maintain client affinity by routing a specific user—identified by their source IP address—to
the same endpoint each time they connect, set client affinity to Source IP. When you specify this option,
Global Accelerator uses the 2-tuple properties—source IP and destination IP—to select the hash value
and route the user to the same endpoint whenever they connect. Additionally, Global Accelerator honors
client affinity by routing all connections with the same source IP address to the same endpoint group.

Endpoint groups for standard accelerators in AWS

Global Accelerator
An endpoint group routes requests to one or more registered endpoints in AWS Global Accelerator. When
you add a listener in a standard accelerator, you specify the endpoint groups for Global Accelerator to

27
AWS Global Accelerator Developer Guide
Adding, editing, or removing a standard endpoint group

direct traffic to. An endpoint group, and all the endpoints in it, must be in one AWS Region. You can add
different endpoint groups for different purposes, for example, for blue/green deployment testing.

Global Accelerator directs traffic to endpoint groups in standard accelerators based on the location of
the client and the health of the endpoint group. If you like, you can also set the percentage of traffic
to send to an endpoint group. You do that by using the traffic dial to increase (dial up) or decrease (dial
down) traffic to the group. The percentage is applied only to the traffic that Global Accelerator is already
directing to the endpoint group, not all traffic coming to a listener.

You can deﬁne health check settings for Global Accelerator for each endpoint group. By updating health
check settings, you can change your requirements for polling and verifying the health of Amazon EC2
instance and Elastic IP address endpoints. For Network Load Balancer and Application Load Balancer
endpoints, conﬁgure health check settings on the Elastic Load Balancing console.

Global Accelerator continually monitors the health of all endpoints that are included in a standard
endpoint group, and routes requests only to the active endpoints that are healthy. If there aren't any
healthy endpoints to route traﬃc to, Global Accelerator routes requests to all endpoints.

This section explains how to work with endpoint groups for standard accelerators on the AWS Global
Accelerator console. If you want to use API operations with Global Accelerator, see the AWS Global
Accelerator API Reference.

Topics
• Adding, editing, or removing a standard endpoint group (p. 28)
• Adjusting traffic flow with traffic dials (p. 29)
• Overriding listener ports (p. 30)
• Changing health check options (p. 31)

Adding, editing, or removing a standard endpoint

group
You work with endpoint groups on the AWS Global Accelerator console or by using an API operation. You
can add or remove endpoints from an endpoint group at any time.

This section explains how to work with standard endpoint groups on the AWS Global Accelerator console.
If you want to use API operations with Global Accelerator, see the AWS Global Accelerator API Reference.

To add a standard endpoint group

1. Open the Global Accelerator console at https://console.aws.amazon.com/globalaccelerator/home.

2. On the Accelerators page, choose an accelerator.
3. In the Listeners section, for Listener ID, choose the ID of the listener that you want to add an
endpoint group to.
4. Choose Add endpoint group.
5. In the section for a listener, specify a Region for the endpoint group by choosing one from the
dropdown list.
6. Optionally, for Traffic dial, enter a number from 0 to 100 to set a percentage of traffic for this
endpoint group. The percentage is applied only to the traffic that is already directed to this endpoint
group, not all listener traffic. By default, the traffic dial is set to 100.
7. Optionally, to override the listener port used for routing traffic to endpoints and reroute traffic
to specific ports on your endpoints, choose Configure port overrides. For more information, see
Overriding listener ports (p. 30).

28
AWS Global Accelerator Developer Guide
Using traﬃc dials

8. Optionally, to specify custom health check values to be applied to EC2 instance and Elastic IP
address endpoints, choose Conﬁgure health checks. For more information, see Changing health
check options (p. 31).
9. Optionally, choose Add endpoint group to add additional endpoint groups for this listener or other
listeners.
10. Choose Add endpoint group.

To edit an endpoint group

1. Open the Global Accelerator console at https://console.aws.amazon.com/globalaccelerator/home.

2. On the Accelerators page, choose an accelerator.
3. In the Listeners section, for Listener ID, choose the ID of the listener that the endpoint group is
associated with.
4. Choose Edit endpoint group.
5. On the Edit endpoint group page, change the Region, adjust the traﬃc dial percentage, or choose
Conﬁgure health checks to modify the health check settings.
6. Choose Save.

To remove a standard endpoint group

1. Open the Global Accelerator console at https://console.aws.amazon.com/globalaccelerator/home.

2. On the Accelerators page, choose an accelerator.
3. In the Listeners section, choose a listener.
4. In the Endpoint groups section, choose an endpoint group, and then choose Remove.
5. On the conﬁrmation dialog box, choose Remove.

Adjusting traffic flow with traffic dials

For each standard endpoint group, you can set a traffic dial to control the percentage of traffic that is
directed to the group. The percentage is applied only to traffic that is already directed to the endpoint
group, not to all listener traffic.

By default, the traffic dial is set to 100 (that is, 100%) for all regional endpoint groups in an accelerator.
The traffic dial lets you easily do performance testing or blue/green deployment testing for new releases
across different AWS Regions, for example.

Here are a few examples to illustrate how you can use traffic dials to change the traffic flow to endpoint
groups.

Upgrade your application by Region

If you want to upgrade an application in a Region or do maintenance, first set the traffic dial to 0 to
cut off traffic for the Region. When you complete the work and you're ready bring the Region back
into service, adjust the traffic dial to 100 to dial the traffic back up.
Mix traffic between two Regions

This example shows how traffic flow works when you change the traffic dials for two regional
endpoint groups at the same time. Let’s say that you have two endpoint groups for your accelerator
—one for the us-west-2 Region and one for the us-east-1 Region—and you've set the traffic
dials to 50% for each endpoint group.

Now, say you have 100 requests coming to your accelerator, with 50 from the East Coast of the
United States and 50 from the West Coast. The accelerator directs the traﬃc as follows:

29
AWS Global Accelerator Developer Guide
Overriding listener ports

• The ﬁrst 25 requests on each coast (50 requests in total) are served from their nearby endpoint
group. That is, 25 requests are directed to the endpoint group in us-west-2 and 25 are directed
to the endpoint group in us-east-1.
• The next 50 requests are directed to the opposite Regions. That is, the next 25 requests from the
East Coast are served by us-west-2, and the next 25 requests from the West Coast are served by
us-east-1.

The result in this scenario is that both endpoint groups serve the same amount of traﬃc. However,
each one receives a mix of traﬃc from both Regions.

Overriding listener ports

By default, an accelerator routes user traffic to endpoints in AWS Regions using the protocol and port
ranges that you specify when you create a listener. For example, if you define a listener that accepts TCP
traffic on ports 80 and 443, the accelerator routes traffic to those ports on an endpoint.

However, when you add or update an endpoint group, you can override the listener port used for routing
traffic to endpoints. For example, you can create a port override in which the listener receives user traffic
on ports 80 and 443, but your accelerator routes that traffic to ports 1080 and 1443, respectively, on the
endpoints.

Overriding a port can help you avoid issues with listening on restricted ports. It's safer to run applications
that don't require superuser (root) privileges on your endpoints. However, in Linux and other UNIX-
like systems, you must have superuser privileges to listen on restricted ports (TCP or UDP ports below
1024). By mapping a restricted port on a listener to a non-restricted port on an endpoint, you avoid this
issue. You can accept traﬃc on restricted ports while running applications without root access on your
endpoints behind Global Accelerator. For example, you can override a listener port 443 to an endpoint
port 8443.

For each port override, you specify a listener port that accepts traﬃc from users and the endpoint port
that Global Accelerator will route that traﬃc to. For more information, see Adding, editing, or removing
a standard endpoint group (p. 28).

When you create a port override, keep the following in mind:

• Endpoint ports can’t overlap listener port ranges. The endpoint ports that you specify in a
port override cannot be included in any of the listener port ranges that you've configured for the
accelerator. For example, say that you have two listeners for an accelerator, and you've defined the
port ranges for those listeners as 100-199 and 200-299, respectively. When you create a port override,
you can't define one from listener port 100 to endpoint port 210, for example, because the endpoint
port (210) is included in a listener port range that you defined (200-299).
• No duplicate endpoint ports. If one port override in an accelerator specifies an endpoint port, you
can’t specify the same endpoint port with port override from a different listener port. For example,
you can’t specify a port override from listener port 80 to endpoint port 90 together with an override
from listener port 81 to endpoint port 90.
• Health check continues to use the original port. If you specify a port override for a port that is
configured as a health check port, the health check still uses the original port, not the override port.
For example, say that you specify health checks on listener port 80, and you also specify a port
override from listener port 80 to endpoint port 480. Health checks continue to use endpoint port 80.
However, user traffic that comes in through port 80 goes to port 480 on the endpoint.

This behavior maintains consistency between Network Load Balancer, Application Load Balancer, EC2
instance, and Elastic IP address endpoints. Because Network Load Balancers and Application Load
Balancers don’t map health check ports to a diﬀerent endpoint ports when you specify a port override
in Global Accelerator, it would be inconsistent for Global Accelerator to map health check ports to
diﬀerent endpoint ports for EC2 instance and Elastic IP address endpoints.

30
AWS Global Accelerator Developer Guide
Changing health check options

• Security group settings must allow port access. Make sure that your security groups allow traﬃc to
arrive at endpoint ports that you've designated in port overrides. For example, if you override listener
port 443 to endpoint port 1433, make sure that any port restrictions set in your security group for that
Application Load Balancer or Amazon EC2 endpoint allow inbound traﬃc on port 1433.

Changing health check options

AWS Global Accelerator regularly sends requests to standard endpoints to test their status. These health
checks run automatically. The guidance for determining the health of each endpoint and the timing for
the health checks depend on the type of endpoint resource.
Important
Global Accelerator requires your router and firewall rules to allow inbound traffic from the IP
addresses associated with Amazon Route 53 health checkers to complete health checks for
EC2 instance or Elastic IP address endpoints. You can find information about the IP address
ranges associated with Route 53 health checkers in Health Checks for Your Target Groups in the
Amazon Route 53 Developer Guide.

If you specify health check options, Global Accelerator uses the settings for EC2 instance or Elastic IP
address health checks but not for Network Load Balancers or Application Load Balancers. Note the
following when you specify health check options:

• For Application Load Balancer or Network Load Balancer endpoints, you configure health checks for
the resources by using Elastic Load Balancing configuration options. For more information, see Health
Checks for Your Target Groups. Health check options that you choose in Global Accelerator do not
affect Application Load Balancers or Network Load Balancers that you've added as endpoints.
Note
When you have an Application Load Balancer or Network Load Balancer that includes multiple
target groups, Global Accelerator considers the load balancer endpoint to be healthy only
if each target group behind the load balancer has at least one healthy target. If any single
target group for the load balancer has only unhealthy targets, Global Accelerator considers
the endpoint to be unhealthy.
• For EC2 instance or Elastic IP address endpoints that you've added to a listener configured with TCP,
you can specify the port to use for health checks. By default, if you don't specify a port for health
checks, Global Accelerator uses the listener port that you specified for your accelerator.
• For EC2 instance or Elastic IP address endpoints with UDP listeners, Global Accelerator uses the listener
port and the TCP protocol for health checks, so you must have a TCP server on your endpoint.
Note
Be sure to check that the port that you've configured for the TCP server on each endpoint
is the same as the port that you specify for the health check in Global Accelerator. If the
port numbers aren't the same, or if you haven't set up a TCP server for the endpoint, Global
Accelerator marks the endpoint as unhealthy, regardless of the endpoint's health.

You can add the following health check options for an endpoint group.

Health check port

The port to use when Global Accelerator performs health checks on endpoints that are part of this
endpoint group.
Note
You can't set a port override for health check ports.
Health check protocol

The protocol to use when Global Accelerator performs health checks on endpoints that are part of
this endpoint group.

31
AWS Global Accelerator Developer Guide
Endpoints for standard accelerators

Health check interval

The interval, in seconds, between each health check for an endpoint.

Threshold count

The number of consecutive health checks required before considering an unhealthy target healthy or
a healthy target unhealthy.

Each listener routes requests only to healthy endpoints. After you add an endpoint, it must pass a health
check to be considered healthy. After each health check is completed, the listener closes the connection
that was established for the health check.

Endpoints for standard accelerators in AWS Global

Accelerator
Endpoints for standard accelerators in AWS Global Accelerator can be Network Load Balancers,
Application Load Balancers, Amazon EC2 instances, or Elastic IP addresses. With standard accelerators,
a static IP address serves as a single point of contact for clients, and Global Accelerator then distributes
incoming traﬃc across healthy endpoints. Global Accelerator directs traﬃc to endpoints by using the
port (or port range) that you specify for the listener that the endpoint group for the endpoint belongs
to.

Each endpoint group can have multiple endpoints. You can add each endpoint to multiple endpoint
groups, but the endpoint groups must be associated with diﬀerent listeners. A resource must be valid
and active when you add it as an endpoint.

Global Accelerator continually monitors the health of all endpoints that are included in a standard
endpoint group. It routes traffic only to the active endpoints that are healthy. If Global Accelerator
doesn’t have any healthy endpoints to route traffic to, it routes traffic to all endpoints.

Be aware of the following for speciﬁc types of Global Accelerator standard endpoints:

Application Load Balancer endpoints

• An Application Load Balancer endpoint can be internet-facing or internal.
Network Load Balancer endpoints
• A Network Load Balancer endpoint must be internet-facing. For Network Load Balancer endpoints,
we recommend that you disable cross-zone traﬃc for the load balancers to avoid connection
collisions, which can result in increased TCP connection time. For more information, see TCP
Connection Delays in the Network Load Balancers User Guide.
Amazon EC2 instance endpoints
• An EC2 instance endpoint (for both standard and custom routing accelerators) can't be one of the
following types: C1, CC1, CC2, CG1, CG2, CR1, CS1, G1, G2, HI1, HS1, M1, M2, M3, or T1.
• EC2 instances are supported as endpoints in only some AWS Regions. For a list of supported
Regions, see Supported AWS Regions for client IP address preservation (p. 63).
• We recommend that you remove an EC2 instance from Global Accelerator endpoint groups
before you terminate the instance. If you terminate an EC2 instance before you remove it from an
endpoint group in Global Accelerator, and then you create another instance in the same VPC with
the same private IP address, and health checks pass, Global Accelerator will route traﬃc to the
new endpoint.

Topics

32
AWS Global Accelerator Developer Guide
Adding, editing, or removing a standard endpoint

• Adding, editing, or removing a standard endpoint (p. 33)

• Endpoint weights (p. 34)
• Adding endpoints with client IP address preservation (p. 35)
• Transitioning endpoints to use client IP address preservation (p. 36)

Adding, editing, or removing a standard endpoint

You add endpoints to endpoint groups so that traffic can be directed to your resources. You can edit a
standard endpoint to change the weight for the endpoint. Or you can remove an endpoint from your
accelerator by removing it from an endpoint group. Removing an endpoint doesn't affect the endpoint
itself, but Global Accelerator can no longer direct traffic to that resource.

Endpoints in Global Accelerator can be Network Load Balancers, Application Load Balancers, Amazon
EC2 instances, or Elastic IP addresses. You must create one of those resources ﬁrst, and then you can
add it as an endpoint in Global Accelerator. A resource must be valid and active when you add it as an
endpoint.

You can add or remove endpoints from endpoint groups based on usage. For example, if demand on
your application increases, you can create more resources and then add more endpoints to one or
more endpoint groups to handle the increased traffic. Global Accelerator starts routing requests to an
endpoint as soon as you add it and the endpoint passes the initial health checks. You can manage traffic
to endpoints by adjusting the weights on an endpoint, to send proportionally more or less traffic to the
endpoint.

If you're adding an endpoint with client IP address preservation, ﬁrst review the information in
Supported AWS Regions for client IP address preservation (p. 63) and Preserve client IP addresses in
AWS Global Accelerator (p. 59).

You can remove endpoints from your endpoint groups, for example, if you need to service your
endpoints. Removing an endpoint takes it out of the endpoint group, but does not affect the endpoint
otherwise. Global Accelerator stops directing traffic to an endpoint as soon as you remove it from an
endpoint group. The endpoint goes into a state where it waits for all current requests to be completed
so there's no interruption for client traffic that is in progress. You can add the endpoint back to the
endpoint group when you’re ready for it to resume receiving requests.

This section explains how to work with endpoints on the AWS Global Accelerator console. If you want to
use API operations with AWS Global Accelerator, see the AWS Global Accelerator API Reference.

To add a standard endpoint

1. Open the Global Accelerator console at https://console.aws.amazon.com/globalaccelerator/home.

2. On the accelerators page, choose an accelerator.
3. In the Listeners section, for Listener ID, choose the ID of a listener.
4. In the Endpoint groups section, for Endpoint group ID, choose the ID of the endpoint group that
you want to add an endpoint to.
5. In the Endpoints section, choose Add endpoint.
6. On the Add endpoints page, choose a resource from the dropdown list.

If you don't have any AWS resources, there aren't any items in the list. To continue, create AWS
resources such as load balancers, Amazon EC2 instances, or Elastic IP addresses. Then come back to
the steps here, and choose a resource from the list.
7. Optionally, for Weight, enter a number from 0 to 255 to set a weight for routing traffic to this
endpoint. When you add weights to endpoints, you configure Global Accelerator to route traffic
based on proportions that you specify. By default, all endpoints have a weight of 128. For more
information, see Endpoint weights (p. 34).

33
AWS Global Accelerator Developer Guide
Endpoint weights

8. Optionally, enable client IP address preservation for an internet-facing Application Load Balancer
endpoint. Under Preserve client IP address, select Preserve address.

This option is always selected for internal Application Load Balancer and EC2 instance endpoints,
and never selected for Network Load Balancer and Elastic IP address endpoints. For more
information, see Preserve client IP addresses in AWS Global Accelerator (p. 59).
Note
Before you add and begin to route traﬃc to endpoints that preserve the client IP address,
make sure that all your required security conﬁgurations, for example, security groups, are
updated to include the user client IP address on allow lists.
9. Choose Add endpoint.

To edit a standard endpoint

You can edit an endpoint conﬁguration to change the weight. For more information, see Endpoint
weights (p. 34).

1. Open the Global Accelerator console at https://console.aws.amazon.com/globalaccelerator/home.

2. On the accelerators page, choose an accelerator.
3. In the Listeners section, for Listener ID, choose the ID of a listener.
4. In the Endpoint groups section, for Endpoint group ID, choose the ID of the endpoint group.
5. Choose Edit endpoint.
6. On the Edit endpoint page, make updates, and then choose Save.

To remove an endpoint

1. Open the Global Accelerator console at https://console.aws.amazon.com/globalaccelerator/home.

2. On the accelerators page, choose an accelerator.
3. In the Listeners section, for Listener ID, choose the ID of a listener.
4. In the Endpoint groups section, for Endpoint group ID, choose the ID of the endpoint group.
5. Choose Remove endpoint.
6. In the conﬁrmation dialog box, choose Remove.

Endpoint weights
A weight is a value that determines the proportion of traﬃc that Global Accelerator directs to an
endpoint in a standard accelerator. Endpoints can be Network Load Balancers, Application Load
Balancers, Amazon EC2 instances, or Elastic IP addresses. Global Accelerator calculates the sum of the
weights for the endpoints in an endpoint group, and then directs traﬃc to the endpoints based on the
ratio of each endpoint's weight to the total.

Weighted routing lets you choose how much traﬃc is routed to a resource in an endpoint group. This can
be useful in several ways, including load balancing and testing new versions of an application.

How endpoint weights work

To use weights, you assign each endpoint in an endpoint group a relative weight that corresponds with
how much traﬃc that you want to send to it. By default, the weight for an endpoint is 128—that is, half
of the maximum value for a weight, 255. Global Accelerator sends traﬃc to an endpoint based on the
weight that you assign to it as a proportion of the total weight for all endpoints in the group:

34
AWS Global Accelerator Developer Guide
Adding endpoints with client IP address preservation

For example, if you want to send a tiny portion of your traffic to one endpoint and the rest to another
endpoint, you might specify weights of 1 and 255. The endpoint with a weight of 1 gets 1/256 of the
traffic (1/1+255), and the other endpoint gets 255/256 (255/1+255). You can gradually change the
balance by changing the weights. If you want Global Accelerator to stop sending traffic to an endpoint,
you can change the weight for that resource to 0.

Failover for unhealthy endpoints

If there are no healthy endpoints in an endpoint group that have a weight greater than zero, Global
Accelerator tries to failover to a healthy endpoint with a weight greater than zero in another endpoint
group. For this failover, Global Accelerator ignores the traﬃc dial setting. So if, for example, an endpoint
group has a traﬃc dial set to zero, Global Accelerator still includes that endpoint group in the failover
attempt.

If Global Accelerator doesn't ﬁnd a healthy endpoint with a weight greater than zero after trying three
additional endpoint groups (that is, three AWS Regions), it routes traﬃc to a random endpoint in the
endpoint group that is closest to the client. That is, it fails open.

Note the following:

• The endpoint group chosen for failover might be one that has a traﬃc dial set to zero.
• The nearest endpoint group might not be the original endpoint group. This is because Global
Accelerator considers account traﬃc dial settings when it chooses the original endpoint group.

For example, let's say your configuration has two endpoints, one healthy and one unhealthy, and you've
set the weight for each of them to be greater than zero. In this case, Global Accelerator routes traffic to
the healthy endpoint. However, now say you set the weight of the only healthy endpoint to zero. Global
Accelerator then tries three additional endpoint groups to find a healthy endpoint with a weight greater
than zero. If it doesn't find one, Global Accelerator routes traffic to a random endpoint in the endpoint
group that is closest to the client.

Adding endpoints with client IP address preservation

A feature that you can use with some endpoint types—in some Regions— is client IP address
preservation. With this feature, you preserve the source IP address of the original client for packets that
arrive at the endpoint. You can use this feature with Application Load Balancer and Amazon EC2 instance
endpoints. Endpoints on custom routing accelerators always have the client IP address preserved. For
more information, see Preserve client IP addresses in AWS Global Accelerator (p. 59).

If you intend to use the client IP address preservation feature, be aware of the following when you add
endpoints to Global Accelerator:

Elastic network interfaces

To support client IP address preservation, Global Accelerator creates elastic network interfaces in
your AWS account—one for each subnet where an endpoint is present. For more information about
how Global Accelerator works with elastic network interfaces, see Best practices for client IP address
preservation (p. 61).
Endpoints in private subnets

You can target an Application Load Balancer or an EC2 instance in a private subnet using AWS Global
Accelerator but you must have an internet gateway attached to the VPC that contains the endpoints.
For more information, see Secure VPC connections in AWS Global Accelerator (p. 108).

35
AWS Global Accelerator Developer Guide
Transitioning endpoints to use
client IP address preservation

Add the client IP address to the allow list

Before you add and begin to route traffic to endpoints that preserve the client IP address, make sure
that all your required security configurations, for example, security groups, are updated to include
the user client IP address on the allow list. Network access control lists (ACLs) only apply to egress
(outbound) traffic. If you need to filter ingress (inbound) traffic, you must use security groups.
Configure network access control lists (ACLs)

Network ACLs associated with your VPC subnets apply to egress (outbound) traffic when client
IP address preservation is enabled on your accelerator. However, for traffic to be allowed to exit
through Global Accelerator, you must configure the ACL as both an inbound and outbound rule.

For example, to allow TCP and UDP clients using an ephemeral source port to connect to your
endpoint through Global Accelerator, associate the subnet of your endpoint with a Network ACL
that allows outbound traffic destined to an ephemeral TCP or UDP port (port range 1024-65535,
destination 0.0.0.0/0). In addition, create a matching inbound rule (port range 1024-65535, source
0.0.0.0/0).
Note
Security group and AWS WAF rules are an additional set of capabilities that you can apply to
protect your resources. For example, the inbound security group rules associated with your
Amazon EC2 instances and Application Load Balancers allow you to control the destination
ports that clients can connect to through Global Accelerator, such as port 80 for HTTP or
port 443 for HTTPS. Note that Amazon EC2 instance security groups apply to any traffic
that arrives to your instances, including traffic from Global Accelerator and any public or
Elastic IP address that is assigned to your instance. As a best practice, use private subnets if
you want to ensure that traffic is delivered only by Global Accelerator. Also make sure that
the inbound security group rules are configured appropriately to correctly allow or deny
traffic for your applications.

Transitioning endpoints to use client IP address

preservation
Follow the guidance in this section to transition one or more endpoints in your accelerator to endpoints
that preserve the user’s client IP address. You can optionally choose to transition an Application Load
Balancer endpoint or an Elastic IP address endpoint to a corresponding endpoint—an Application Load
Balancer or an EC2 instance—that has client IP address preservation. For more information, see Preserve
client IP addresses in AWS Global Accelerator (p. 59).

We recommend that you transition to using client IP address preservation slowly. First, add new
Application Load Balancer or EC2 instance endpoints that you enable to preserve the client IP address.
Then slowly move traffic from existing endpoints to the new endpoints by configuring weights on the
endpoints.
Important
Before you begin to route traffic to endpoints that preserve the client IP address, make sure that
all the configurations in which you’ve included Global Accelerator client IP addresses on allow
lists are updated to include the user client IP address instead.

Client IP address preservation is available only in speciﬁc AWS Regions. For more information, see
Supported AWS Regions for client IP address preservation (p. 63).

This section explains how to work with endpoint groups on the AWS Global Accelerator console. If you
want to use API operations with Global Accelerator, see the AWS Global Accelerator API Reference.

After you move a small amount of traffic to the new endpoint with client IP address preservation, test to
make sure that your configuration is working as you expect it to. Then gradually increase the proportion
of traffic to the new endpoint by adjusting the weights on the corresponding endpoints.

36
AWS Global Accelerator Developer Guide
Transitioning endpoints to use
client IP address preservation

To transition to endpoints that preserve client IP addresses, start by following the steps here to add a
new endpoint and, for internet-facing Application Load Balancer endpoints, enable client IP address
preservation. (The client IP address preservation option is always selected for internal Application Load
Balancers and EC2 instances.)

To add an endpoint with client IP address preservation

1. Open the Global Accelerator console at https://console.aws.amazon.com/globalaccelerator/home.

2. On the accelerators page, choose an accelerator.
3. In the Listeners section, choose a listener.
4. In the Endpoint group section, choose an endpoint group.
5. In the Endpoints section, choose Add endpoint.
6. On the Add endpoints page, in the Endpoints dropdown list, choose an Application Load Balancer
endpoint or an EC2 instance endpoint.
7. In the Weight ﬁeld, choose a low number compared to the weights that are set for your existing
endpoints. For example, if the weight for a corresponding Application Load Balancer is 255, you
could enter a weight of 5 for the new Application Load Balancer, to start with. For more information,
see Endpoint weights (p. 34).
8. For a new external-facing Application Load Balancer endpoint, under Preserve client IP address,
select Preserve address. (This option is always selected for internal Application Load Balancers and
EC2 instances.)
9. Choose Save changes.

Next, follow the steps here to edit the corresponding existing endpoints (that you're replacing with the
new endpoints with client IP address preservation) to reduce the weights for existing endpoints so that
less traﬃc goes to them.

To reduce traﬃc for the existing endpoints

1. On the Endpoint group page, choose an existing endpoint that doesn't have client IP address
preservation.
2. Choose Edit.
3. On the Edit endpoint page, in the Weight ﬁeld, enter a lower number than the current number. For
example, if the weight for an existing endpoint is 255, you could enter a weight of 220 for the new
endpoint (with client IP address preservation).
4. Choose Save changes.

After you’ve tested with a small portion of the original traﬃc by setting the weight for the new endpoint
to a low number, you can slowly transition all the traﬃc by continuing to adjust the weights for the
original and new endpoints.

For example, say you start with an existing Application Load Balancer with a weight set to 200, and you
add a new Application Load Balancer endpoint with client IP address preservation enabled with a weight
set to 5. Gradually shift traﬃc from the original Application Load Balancer to the new Application Load
Balancer by increasing the weight for the new Application Load Balancer and decreasing the weight for
the original Application Load Balancer. For example:

• Original weight 190/new weight 10

• Original weight 180/new weight 20
• Original weight 170/new weight 30, and so on.

When you have decreased the weight to 0 for the original endpoint, all traﬃc (in this example scenario)
goes to the new Application Load Balancer endpoint, which includes client IP address preservation.

37
AWS Global Accelerator Developer Guide
Transitioning endpoints to use
client IP address preservation

If you have additional endpoints—Application Load Balancers or EC2 instances—that you want to
transition to use client IP address preservation, repeat the steps in this section to transition them.

If you need to revert your conﬁguration for an endpoint so that traﬃc to the endpoint doesn't preserve
the client IP address, you can do that at any time: increase the weight for the endpoint that does not
have client IP address preservation to the original value, and decrease the weight for the endpoint with
client IP address preservation to 0.

38
AWS Global Accelerator Developer Guide

Work with custom routing

accelerators in AWS Global
Accelerator
This chapter includes procedures and recommendations for creating custom routing accelerators in AWS
Global Accelerator. A custom routing accelerator lets you use application logic to directly map one or
more users to a specific Amazon EC2 instance among many destinations, while gaining the performance
improvements of routing your traffic through Global Accelerator. This is useful when you have an
application that requires a group of users to interact with each other on the same session running on a
specific EC2 instance and port, such as gaming applications or Voice over IP (VoIP) sessions.

Endpoints for custom routing accelerators must be virtual private cloud (VPC) subnets, and a custom
routing accelerator can only route traﬃc to Amazon EC2 instances in those subnets. When you create
a custom routing accelerator, you can include thousands of Amazon EC2 instances running in a single
or multiple VPC subnets. To learn more, see How custom routing accelerators work in AWS Global
Accelerator (p. 40).

If instead you want Global Accelerator to automatically choose the closest healthy endpoint to your
clients, create a standard accelerator. For more information, see Work with standard accelerators in AWS
Global Accelerator (p. 22).

To set up custom routing accelerator, you do the following:

1. Review the guidelines and requirements for creating a custom routing accelerator. See Guidelines and
restrictions for custom routing accelerators (p. 42).
2. Create a VPC subnet. You can add EC2 instances to the subnet at any time after adding the subnet to
Global Accelerator.
3. Create an accelerator, and select the option for a custom routing accelerator.
4. Add a listener and specify a range of ports for Global Accelerator to listen on. Make sure that you
include a large range with enough ports for Global Accelerator to map to all the destinations that you
expect to have. These ports are distinct from destination ports, which you specify in the next step. For
more information about listener port requirements, see Guidelines and restrictions for custom routing
accelerators (p. 42).
5. Add one or more endpoint groups for AWS Regions in which you have VPC subnets. You specify the
following for each endpoint group:
• An endpoint port range, which represents the ports on your destination EC2 instances that will be
able to receive traﬃc.
• The protocol for each destination port range: UDP, TCP, or both UDP and TCP.
6. For the endpoint subnet, select a subnet ID. You can add multiple subnets in each endpoint group and
subnets can be diﬀerent sizes (up to /17).

The following sections step through working with custom routing accelerators, listeners, endpoint
groups, and endpoints.

Topics
• How custom routing accelerators work in AWS Global Accelerator (p. 40)
• Guidelines and restrictions for custom routing accelerators (p. 42)
• Custom routing accelerators in AWS Global Accelerator (p. 44)

39
AWS Global Accelerator Developer Guide
How custom routing accelerators work

• Listeners for custom routing accelerators in AWS Global Accelerator (p. 46)
• Endpoint groups for custom routing accelerators in AWS Global Accelerator (p. 47)
• VPC subnet endpoints for custom routing accelerators in AWS Global Accelerator (p. 49)

How custom routing accelerators work in AWS

Global Accelerator
By using a custom routing accelerator in AWS Global Accelerator, you can use application logic to
directly map one or more users to a specific destination among many destinations while still gaining
the performance benefits of Global Accelerator. A custom routing accelerator maps listener port ranges
to EC2 instance destinations in virtual private cloud (VPC) subnets. This allows Global Accelerator to
deterministically route traffic to a specific Amazon EC2 private IP address and port destination in your
subnet.

For example, you can use a custom routing accelerator with an online real-time gaming application in
which you assign multiple players to a single session on an Amazon EC2 game server based on factors
that you choose, such as geographic location, player skill, and game mode. Or you might have a VoIP
or social media application that assigns multiple users to a speciﬁc media server to for voice, video, and
messaging sessions.

Your application can call a Global Accelerator API and receive a full static mapping of Global Accelerator
ports and their associated destination IP addresses and ports. You can save that static mapping, and then
your matchmaking service use it to route users to speciﬁc destination EC2 instances. You don't have to
make any modiﬁcations to your client software to start using Global Accelerator with your application.

To conﬁgure a custom routing accelerator, you select a VPC subnet endpoint. Then you deﬁne a
destination port range that incoming connections will be mapped to, so your software can listen on
the same set of ports across all instances. Global Accelerator creates a static mapping that allows your
matchmaking service to translate a destination IP address and port number for a session to an external
IP address and port that you give to users.

Your application’s network stack might operate over a single transport protocol, or you might use UDP
for fast delivery and TCP for reliable delivery. You can set UDP, TCP, or both UDP and TCP for each
destination port range, to give you maximum flexibility without having to duplicate your configuration
for each protocol.
Note
By default, all VPC subnet destinations in a custom routing accelerator aren't allowed to receive
traffic. This is to be secure by default, and also to give you granular control over which private
EC2 instance destinations in your subnet are allowed to receive traffic. You can allow or deny
traffic to the subnet, or to specific IP address and port combinations (destination sockets). For
more information, see Adding, editing, or removing a VPC subnet endpoint (p. 49). You
can also specify destinations by using the Global Accelerator API. For more information, see
AllowCustomRoutingTraffic and DenyCustomRoutingTraffic.

Example of how custom routing works in Global

Accelerator
As an example, let's say that you want to support 10,000 sessions where groups of users interact, such as
gaming sessions or VoIP call sessions, across 1,000 Amazon EC2 instances behind Global Accelerator. In
this example, we'll specify a listener port range of 10001–20040 and a destination port range of 81–90.
We'll say that we have the four VPC subnets in us-east-1: subnet-1, subnet-2, subnet-3, and subnet-4.

In our example conﬁguration, each VPC subnet has a block size of /24 so it can support 251 Amazon
EC2 instances. (Five addresses are reserved and unavailable from each subnet, and these addresses are

40
AWS Global Accelerator Developer Guide
Example of how custom routing
works in Global Accelerator

not mapped.) Each server running on each EC2 instance serves the following 10 ports, that we speciﬁed
for the destination ports in our endpoint group: 81-90. This means that we have 2510 ports (10 x 251)
associated with each subnet. Each port can be associated with a session.

Because we've specified 10 destination ports on each EC2 instance in our subnet, Global Accelerator
internally associates them with 10 listener ports that you can use to access EC2 instances. To illustrate
this simply, we'll say that there's a block of listener ports that starts with the first IP address of the
endpoint subnet for the first set of 10, and then moves to the next IP address for the next set of 10
listener ports.
Note
The mapping is actually not predictable like this, but we're using a sequential mapping here
to help to show how the port mapping works. To determine the actual mapping for your
listener port ranges, use the following API operations: ListCustomRoutingPortMappings and
ListCustomRoutingPortMappingsByDestination.

In our example, the first listener port is 10001. That port is associated with the first subnet IP address,
192.0.2.4, and the first EC2 port, 81. The next listener port, 10002, is associated with the first subnet
IP address, 192.0.2.4, and the second EC2 port, 82. The following table illustrates how this example
mapping continues through the last IP address of the first VPC subnet, and then on to the first IP address
of the second VPC subnet.

Global Accelerator listener port VPC subnet EC2 instance port

10001 192.0.2.4 81

10002 192.0.2.4 82

10003 192.0.2.4 83

10004 192.0.2.4 84

10005 192.0.2.4 85

10006 192.0.2.4 86

10007 192.0.2.4 87

10008 192.0.2.4 88

10009 192.0.2.4 89

10010 192.0.2.4 90

10011 192.0.2.5 81

10012 192.0.2.5 82

10013 192.0.2.5 83

10014 192.0.2.5 84

10015 192.0.2.5 85

10016 192.0.2.5 86

10017 192.0.2.5 87

10018 192.0.2.5 88

10019 192.0.2.5 89

41
AWS Global Accelerator Developer Guide
Guidelines and restrictions for custom routing accelerators

Global Accelerator listener port VPC subnet EC2 instance port

10020 192.0.2.5 90

... ... ...

12501 192.0.2.244 81

12502 192.0.2.244 82

12503 192.0.2.244 83

12504 192.0.2.244 84

12505 192.0.2.244 85

12506 192.0.2.244 86

12507 192.0.2.244 87

12508 192.0.2.244 88

12509 192.0.2.244 89

12510 192.0.2.244 90

12511 192.0.3.4 81

12512 192.0.3.4 82

12513 192.0.3.4 83

12514 192.0.3.4 84

12515 192.0.3.4 85

12516 192.0.3.4 86

12517 192.0.3.4 87

12518 192.0.3.4 88

12519 192.0.3.4 89

12520 192.0.3.4 90

Guidelines and restrictions for custom routing

accelerators
When you create and work with custom routing accelerators in AWS Global Accelerator, keep the
following guidelines and restrictions in mind.

Amazon EC2 instance destinations

The virtual public cloud (VPC) subnet endpoints in a custom routing accelerator can only include EC2
instances. No other resources, such as load balancers, are supported for custom routing accelerator.

The types of EC2 instances that are supported with Global Accelerator are listed in Endpoints for
standard accelerators in AWS Global Accelerator (p. 32).

42
AWS Global Accelerator Developer Guide
Guidelines and restrictions for custom routing accelerators

Port mappings

When you add a VPC subnet, Global Accelerator creates a static port mapping of listener port ranges
to the port ranges supported by the subnet. The port mapping for a speciﬁc subnet never changes.

You can view the port mapping list for a custom routing accelerator programmatically. For more
information, see ListCustomRoutingPortMappings.
VPC subnet size

VPC subnets that you add to a custom routing accelerator must be a minimum of /28 and a
maximum of /17.
Listener port ranges

You must specify enough listener ports, by specifying listener port ranges, to accommodate the
number of destinations included in the subnets that you plan to add to your custom routing
accelerator. The range that you specify when you create a listener determines how many listener
port and destination IP address combinations that you can use with your custom routing accelerator.
For maximum ﬂexibility and to reduce the possibility of getting an error that you don't have enough
listener ports available, we recommend that you specify a large port range.

Global Accelerator allocates port ranges in blocks when you add a subnet to a custom routing
accelerator. We recommend that you allocate listener port ranges linearly and make the ranges large
enough to support the number of destination ports that you intend to have. That is, the number of
ports you should allocate should be at least the subnet size times the number of destination ports
and protocols (destination conﬁgurations) that you will have in the subnet.
Note
The algorithm that Global Accelerator uses to allocate port mappings might require you to
add more listener ports, beyond this total.

After you create a listener, you can edit it to add additional port ranges and associated protocols,
but you can't decrease existing port ranges. For example, if you have a listener port range of 5,000–
10,000, you can't change the port range to be 5900–10,000 and you can't change the port range to
be 5,000–9,900.

Each listener port range must include a minimum of 16 ports. Listeners support ports 1-65535.
Destination port ranges

There are two places that you specify port ranges for a custom routing accelerator: the port ranges
that you specify when you add a listener and the destination port ranges and protocols that you
specify for an endpoint group.
• Listener port ranges: The listener ports on the Global Accelerator static IP addresses that your
clients connect to. Global Accelerator maps each port to a unique destination IP address and port
on a VPC subnet behind the accelerator.
• Destination port ranges: The sets of destination port ranges that you specify for an endpoint
group (also called the destination configurations) are the EC2 instance ports that receive traffic. To
receive traffic on destination ports, the Security Groups associated with your EC2 instances must
permit traffic on them.
Health checks and failover

Global Accelerator does not perform health checks for custom routing accelerators and does not
failover to healthy endpoints. Traﬃc for custom routing accelerators is routed deterministically,
regardless of the health of a destination resource.
All traﬃc is denied by default

By default, traffic directed through a custom routing accelerator is denied to all destinations in your
subnet. To enable destination instances to receive traffic, you must specifically allow all traffic to the
subnet or, alternatively, allow traffic to specific instance IP addresses and ports in the subnet.

43
AWS Global Accelerator Developer Guide
Custom routing accelerators

Updating a subnet or speciﬁc destination to allow or deny traﬃc takes time to

propagate across the internet. To determine if a change has propagated, you can call the
DescribeCustomRoutingAccelerator API action to check the accelerator status. For more
information, see DescribeCustomRoutingAccelerator.
AWS CloudFormation is not supported

AWS CloudFormation is not supported for custom routing accelerators.

Custom routing accelerators in AWS Global

Accelerator
A custom routing accelerator in AWS Global Accelerator lets you use custom application logic to direct
one or more users to a speciﬁc destination among many destinations, while using the AWS global
network to improve the availability and performance of your application.

A custom routing accelerator routes traﬃc only to ports on Amazon EC2 instances that are running in
virtual private cloud (VPC) subnets. With a custom routing accelerator, Global Accelerator does not route
traﬃc based on the geoproximity or health of the endpoint. To learn more, see How custom routing
accelerators work in AWS Global Accelerator (p. 40).

When you create an accelerator, by default, Global Accelerator provides you with a set of two static
IP addresses. If you bring your own IP address range to AWS (BYOIP), you can instead assign static IP
addresses from your own pool to use with your accelerator. For more information, see Bring your own IP
addresses (BYOIP) in AWS Global Accelerator (p. 53).
Important
The IP addresses are assigned to your accelerator for as long as it exists, even if you disable the
accelerator and it no longer accepts or routes traﬃc. However, when you delete an accelerator,
you lose the Global Accelerator static IP addresses that are assigned to the accelerator, so you
can no longer route traﬃc by using them. As a best practice, ensure that you have permissions
in place to avoid inadvertently deleting accelerators. You can use IAM policies such as tag-
based permissions with Global Accelerator to limit the users who have permissions to delete an
accelerator. For more information, see Tag-based policies (p. 90).

This section explains how to create, edit, or delete a custom routing accelerator on the Global Accelerator
console. To learn about using API operations with Global Accelerator, see the AWS Global Accelerator API
Reference.

Topics
• Creating or updating a custom routing accelerator (p. 44)
• Viewing your custom routing accelerators (p. 45)
• Deleting a custom routing accelerator (p. 45)

Creating or updating a custom routing accelerator

To create a custom routing accelerator

1. Open the Global Accelerator console at https://console.aws.amazon.com/globalaccelerator/home.

2. Choose Create accelerator.
3. Provide a name for your accelerator.
4. For Accelerator type, select Custom routing.

44
AWS Global Accelerator Developer Guide
Viewing your custom routing accelerators

5. Optionally, if you have brought your own IP address range to AWS (BYOIP), you can specify static IP
addresses for your accelerator from that address pool. Make this choice for each of the two static IP
addresses for your accelerator.

• For each static IP address, choose the IP address pool to use.

• If you chose your own IP address pool, also choose a speciﬁc IP address from the pool. If you
chose the default Amazon IP address pool, Global Accelerator assigns a speciﬁc IP address to your
accelerator.
6. Optionally, add one or more tags to help you identify your accelerator resources.
7. Choose Next to go to the next pages in the wizard to add listeners, endpoint groups, and VPC
subnet endpoints.

To edit a custom routing accelerator

1. Open the Global Accelerator console at https://console.aws.amazon.com/globalaccelerator/home.

2. In the list of custom routing accelerators, choose one, and then choose Edit.
3. On the Edit accelerator page, make any changes that you like. For example, you can disable the
accelerator so that you can delete it.
4. Choose Save.

Viewing your custom routing accelerators

You can view information about your custom routing accelerators on the console. To see descriptions
of your custom routing accelerators programmatically, see ListCustomRoutingAccelerator and
DescribeCustomRoutingAccelerator in the AWS Global Accelerator API Reference.

To view information your custom routing accelerators

1. Open the Global Accelerator console at https://console.aws.amazon.com/globalaccelerator/home.

2. To see details about an accelerator, choose an accelerator, and then choose View.

Deleting a custom routing accelerator

If you created a custom routing accelerator as a test, or if you're no longer using an accelerator, you can
delete it. On the console, disable the accelerator, and then you can delete it. You don't have to remove
listeners and endpoint groups from the accelerator.

To delete a custom routing accelerator by using an API operation instead of the console, you must ﬁrst
remove all listeners and endpoint groups that are associated with the accelerator, and then disable it. For
more information, see the DeleteAccelerator operation in the AWS Global Accelerator API Reference.

To disable a custom routing accelerator

1. Open the Global Accelerator console at https://console.aws.amazon.com/globalaccelerator/home.

2. In the list, choose an accelerator that you want to disable.
3. Choose Edit.
4. Choose Disable accelerator, and then choose Save.

To delete a custom routing accelerator

1. Open the Global Accelerator console at https://console.aws.amazon.com/globalaccelerator/home.

45
AWS Global Accelerator Developer Guide
Listeners for custom routing accelerators

2. In the list, choose an accelerator that you want to delete.

3. Choose Delete.
Note
If you haven't disabled the accelerator, Delete is unavailable. To disable the accelerator, see
the previous procedure.
4. In the conﬁrmation dialog box, choose Delete.
Important
When you delete an accelerator, you lose the static IP addresses that are assigned to the
accelerator, so you can no longer route traﬃc by using them.

Listeners for custom routing accelerators in AWS

Global Accelerator
For a custom routing accelerator in AWS Global Accelerator, you configure a listener that specifies a
range of listener ports with associated protocols that Global Accelerator maps to specific destination
Amazon EC2 instances in your VPC subnet endpoints. When you add a VPC subnet endpoint, Global
Accelerator creates a static port mapping between the port ranges that you define for your listener and
the destination IP addresses and ports in the subnet. Then you can use the port mapping to specify your
accelerator static IP addresses together with a listener port and protocol to direct user traffic to specific
destination Amazon EC2 instance IP addresses and ports in your VPC subnet.

You deﬁne a listener when you create your custom routing accelerator, and you can add more listeners
at any time. Each listener can have one or more endpoint groups, one for each AWS Region in which
you have VPC subnet endpoints. A listener in a custom routing accelerator supports both TCP and UDP
protocols. You specify the protocol or protocols for each destination port range that you deﬁne: UDP,
TCP, or both UDP and TCP.

For more information, see How custom routing accelerators work in AWS Global Accelerator (p. 40).

Adding, editing, or removing a custom routing

listener
This section explains how to work with custom routing listeners on the AWS Global Accelerator console.
To learn about using API operations with AWS Global Accelerator, see the AWS Global Accelerator API
Reference.

To add a listener for a custom routing accelerator

The range that you specify when you create a listener deﬁnes how many listener port and destination IP
address combinations that you can use with your custom routing accelerator. For maximum ﬂexibility, we
recommend that you specify a large port range. Each listener port range that you specify must include a
minimum of 16 ports.
Note
After you create a listener, you can edit it to add additional port ranges and associated
protocols, but you can't decrease existing port ranges.

1. Open the Global Accelerator console at https://console.aws.amazon.com/globalaccelerator/home.

2. On the Accelerators page, choose a custom routing accelerator.
3. Choose Add listener.

46
AWS Global Accelerator Developer Guide
Endpoint groups for custom routing accelerators

4. On the Add listener page, enter the listener port range that you want to associate with the
accelerator.

Listeners support ports 1-65535. For maximum ﬂexibility with a custom routing accelerator, we
recommend that you specify a large port range.
5. Choose Add listener.

To edit a listener for a custom routing accelerator

When you edit a listener for a custom routing accelerator, be aware that you can add additional port
ranges and associated protocols, increase existing port ranges, or change protocols, but you can't
decrease existing port ranges.

1. Open the Global Accelerator console at https://console.aws.amazon.com/globalaccelerator/home.

2. On the Accelerators page, choose an accelerator.
3. Choose a listener, and then choose Edit listener.
4. On the Edit listener page, make the changes that you want to existing port ranges or protocols, or
add new port ranges.

Be aware that you cannot decrease the range of an existing port range.
5. Choose Save.

To remove a listener

1. Open the Global Accelerator console at https://console.aws.amazon.com/globalaccelerator/home.

2. On the Accelerators page, choose an accelerator.
3. Choose a listener, and then choose Remove.
4. In the conﬁrmation dialog box, choose Remove.

Endpoint groups for custom routing accelerators in

AWS Global Accelerator
With a custom routing accelerator in AWS Global Accelerator, an endpoint group deﬁnes the ports and
protocols that destination Amazon EC2 instances in your virtual private cloud (VPC) subnets accept
traﬃc on.

You create an endpoint group for your custom routing accelerator for each AWS Region in which your
VPC subnets and EC2 instances are located. Each endpoint group in a custom routing accelerator can
have multiple VPC subnet endpoints. Similarly, you can add each VPC to multiple endpoint groups, but
the endpoint groups must be associated with diﬀerent listeners.

For each endpoint group, you specify a set of one or more port ranges that include the ports that you
want to direct traffic to on the EC2 instances in the Region. For each endpoint group port range, you
specify the protocol to use: UDP, TCP, or both UDP and TCP. This provides maximum flexibility for you,
without having to duplicate sets of port ranges for each protocol. For example, you might have a game
server with gaming traffic running over UDP on ports 8080-8090 while you also have a server listening
for chat messages over TCP on port 80.

To learn more, see How custom routing accelerators work in AWS Global Accelerator (p. 40).

47
AWS Global Accelerator Developer Guide
Adding, editing, or removing an endpoint group

Adding, editing, or removing an endpoint group for a

custom routing accelerator
You work with an endpoint group for your custom routing accelerator on the AWS Global Accelerator
console or by using an API operation. You can add or remove VPC subnet endpoints from an endpoint
group at any time.

This section explains how to work with endpoint groups for your custom routing accelerator on the AWS
Global Accelerator console. To learn about using API operations with Global Accelerator, see the AWS
Global Accelerator API Reference.

To add an endpoint group for a custom routing accelerator

1. Open the Global Accelerator console at https://console.aws.amazon.com/globalaccelerator/home.

2. On the Accelerators page, choose a custom routing accelerator.
3. In the Listeners section, for Listener ID, choose the ID of the listener that you want to add an
endpoint group to.
4. Choose Add endpoint group.
5. In the section for a listener, specify a Region for the endpoint group.
6. For Ports and protocols sets, enter port ranges and protocols for your Amazon EC2 instances.

• Enter a From port and a To port to specify a range of ports.

• For each port range, specify the protocol or protocols for that range.

The port range doesn't have to be a subset of your listener port range, but there must be enough
total ports in the listener port range to support the total number of ports that you specify for the
endpoint groups in your custom routing accelerator.
7. Choose Save.
8. Optionally, choose Add endpoint group to add additional endpoint groups for this listener. You can
also choose another listener and add endpoint groups.
9. Choose Add endpoint group.

To edit an endpoint group for a custom routing accelerator

1. Open the Global Accelerator console at https://console.aws.amazon.com/globalaccelerator/home.

2. On the Accelerators page, choose a custom routing accelerator.
3. In the Listeners section, for Listener ID, choose the ID of the listener that the endpoint group is
associated with.
4. Choose Edit endpoint group.
5. On the Edit endpoint group page, change the Region, the range of ports, or the protocol for a range
of ports.
6. Choose Save.

To remove a custom routing accelerator

1. Open the Global Accelerator console at https://console.aws.amazon.com/globalaccelerator/home.

2. On the Accelerators page, choose an accelerator.
3. In the Listeners section, choose a listener, and then choose Remove.
4. In the Endpoint groups section, choose an endpoint group, and then choose Remove.
5. On the conﬁrmation dialog box, choose Remove.

48
AWS Global Accelerator Developer Guide
VPC subnet endpoints for custom routing accelerators

VPC subnet endpoints for custom routing

accelerators in AWS Global Accelerator
Endpoints for custom routing accelerators are virtual private cloud (VPC) subnets that can receive
traﬃc through an accelerator. Each subnet can contain one or many Amazon EC2 instance destinations.
When you add a subnet endpoint, Global Accelerator generates new port mapping. Then you can use
the Global Accelerator API to get a static list of all the port mappings for the subnet, which you can
use to route traﬃc to destination EC2 instance IP addresses in the subnet. For more information, see
ListCustomRoutingPortMappings.

You can only direct traﬃc to EC2 instances in the subnets, not other resources like load balancers (in
contrast to standard accelerators). The EC2 instance types that are supported are listed in Endpoints for
standard accelerators in AWS Global Accelerator (p. 32).

To learn more, see How custom routing accelerators work in AWS Global Accelerator (p. 40).

Be aware of the following when you add VPC subnets for your custom routing accelerator:

• By default, traffic directed through a custom routing accelerator can't arrive at any destinations in your
subnet. To enable destination instances to receive traffic, you must choose to allow all traffic to the
subnet or, alternatively, enable traffic to specific instance IP addresses and ports (destination sockets)
in the subnet.
Important
Updating a subnet or specific destination to allow or deny traffic takes time to
propagate across the internet. To determine if a change has propagated, you can call the
DescribeCustomRoutingAccelerator API action to check the accelerator status. For more
information, see DescribeCustomRoutingAccelerator.
• Because VPC subnets preserve the client IP address, you should review the relevant security and
configuration information when you add subnets as endpoints for custom routing accelerators. For
more information, see Adding endpoints with client IP address preservation (p. 35).

Adding, editing, or removing a VPC subnet endpoint

You add virtual private cloud (VPC) subnet endpoints to endpoint groups in your custom routing
accelerators so that you can direct user traﬃc to destination Amazon EC2 instances in the subnet.

When you add and remove EC2 instances from the subnet, or enable or disable traﬃc to EC2
destinations, you change whether those destinations can receive traﬃc. However the Global Accelerator
port mapping doesn't change.

To allow traﬃc to some destinations in the subnet, but not all, enter IP addresses for each EC2 instance
that you want to allow, along with the ports on the instance that you want to receive traﬃc. The IP
addresses that you specify must be for EC2 instances in the subnet. You can specify a port or range of
ports, from the ports that are mapped for the subnet.

You can remove the VPC subnet from your accelerator by removing it from an endpoint group. Removing
a subnet doesn't aﬀect the subnet itself, but Global Accelerator can no longer direct traﬃc to the subnet
or to the Amazon EC2 instances in it. In addition, Global Accelerator will reclaim the port mapping for
the VPC subnet to potentially use them for new subnets that you add.

The steps in this section explain how to add, edit, or remove VPC subnet endpoints on the AWS Global
Accelerator console. To learn about using API operations with AWS Global Accelerator, see the AWS
Global Accelerator API Reference.

49
AWS Global Accelerator Developer Guide
Adding, editing, or removing a VPC subnet endpoint

To add a VPC subnet endpoint

1. Open the Global Accelerator console at https://console.aws.amazon.com/globalaccelerator/home.

2. On the Accelerators page, choose a custom routing accelerator.
3. In the Listeners section, for Listener ID, choose the ID of a listener.
4. In the Endpoint groups section, for Endpoint group ID, choose the ID of the endpoint group (AWS
Region) that you want to add the VPC subnet endpoint to.
5. In the Endpoints section, choose Add endpoint.
6. On the Add endpoints page, for Endpoint, choose a VPC subnet.

If you don't have any VPCs, there aren't any items in the list. To continue, add at least one VPC, then
come back to the steps here, and choose a VPC from the list.
7. For VPC subnet endpoint that you add, you can choose to allow or deny traffic to all destinations in
the subnet, or you can allow traffic to only specific EC2 instances and ports. The default is to deny
traffic to all destinations in the subnet.
8. Choose Add endpoint.

To allow or deny traﬃc to speciﬁc destinations

You can edit the VPC subnet port mapping for an endpoint to allow or deny traﬃc to speciﬁc EC2
instances and ports (destination sockets) in a subnet.

1. Open the Global Accelerator console at https://console.aws.amazon.com/globalaccelerator/home.

2. On the Accelerators page, choose a custom routing accelerator.
3. In the Listeners section, for Listener ID, choose the ID of a listener.
4. In the Endpoint groups section, for Endpoint group ID, choose the ID of the endpoint group (AWS
Region) of the VPC subnet endpoint that you want to edit.
5. Choose an endpoint subnet, and then choose View details.
6. On the Endpoint page, under Port mappings, choose an IP address, and then choose Edit.
7. Enter the ports that you want to enable traﬃc for, and then choose Allow these destinations.

To allow or deny ALL traﬃc to a subnet

You can update an endpoint to allow or deny traﬃc to all destinations in the VPC subnet.

1. Open the Global Accelerator console at https://console.aws.amazon.com/globalaccelerator/home.

2. On the Accelerators page, choose a custom routing accelerator.
3. In the Listeners section, for Listener ID, choose the ID of a listener.
4. In the Endpoint groups section, for Endpoint group ID, choose the ID of the endpoint group (AWS
Region) of the VPC subnet endpoint that you want to update.
5. Choose Allow/Deny all traffic.
6. Choose an option, to allow all traffic or deny all traffic, and then choose Save.

To remove an endpoint

1. Open the Global Accelerator console at https://console.aws.amazon.com/globalaccelerator/home.

50
AWS Global Accelerator Developer Guide
Adding, editing, or removing a VPC subnet endpoint

5. Choose Remove endpoint.

6. In the conﬁrmation dialog box, choose Remove.

51
AWS Global Accelerator Developer Guide
Support for DNS addressing in Global Accelerator

DNS addressing and custom domains

in AWS Global Accelerator
This chapter explains how AWS Global Accelerator does DNS routing and includes information about
using a custom domain with Global Accelerator.

Topics
• Support for DNS addressing in Global Accelerator (p. 52)
• Route custom domain traﬃc to your accelerator (p. 52)
• Bring your own IP addresses (BYOIP) in AWS Global Accelerator (p. 53)

Support for DNS addressing in Global Accelerator

When you create a custom routing or standard accelerator, Global Accelerator provisions two static IP
addresses for you. It also assigns a default Domain Name System (DNS) name to your accelerator, similar
to a1234567890abcdef.awsglobalaccelerator.com, that points to the static IP addresses. The
static IP addresses are advertised globally using anycast from the AWS edge network to your endpoints.
You can use your accelerator's static IP addresses or DNS name to route traffic to your accelerator. DNS
servers and DNS resolvers use a round robin to resolve the DNS name for an accelerator, so the name
resolves to the static IP addresses for the accelerator, returned by Amazon Route 53 in random order.
Clients typically use the first IP address that is returned.
Note
Global Accelerator creates two Pointer (PTR) records that map an accelerator’s static IP
addresses to the corresponding DNS name generated by Global Accelerator, to support reverse
DNS lookup. This is also known as a reverse hosted zone. Be aware that the DNS name that
Global Accelerator generates for you isn't configurable, and you can't create PTR records that
point to your custom domain name. Global Accelerator also does not create PTR records for
static IP addresses from an IP address range that you bring to AWS (BYOIP).

Route custom domain traﬃc to your accelerator

In most scenarios, you can conﬁgure DNS to use your custom domain name (such as www.example.com)
with your accelerator, instead of using the assigned static IP addresses or the default DNS name. First,
using Amazon Route 53 or another DNS provider, create a domain name, and then add or update DNS
records with your Global Accelerator IP addresses. Or you can associate your custom domain name
with the DNS name for your accelerator. Complete the DNS conﬁguration and wait for the changes to
propagate over the internet. Now when a client makes a request using your custom domain name, the
DNS server resolves it to the IP addresses, in random order, or to the DNS name for your accelerator.

To use your custom domain name with Global Accelerator when you use Route 53 as your DNS service,
you create an alias record that points your custom domain name to the DNS name assigned to your
accelerator. An alias record is a Route 53 extension to DNS. It's similar to a CNAME record, but you can
create an alias record both for the root domain, such as example.com, and for subdomains, such as
www.example.com. For more information, see Choosing Between Alias and Non-Alias Records in the
Amazon Route 53 Developer Guide.

52
AWS Global Accelerator Developer Guide
Bring your own IP addresses

To set up Route 53 with an alias record for an accelerator, follow the guidance included in the following
topic: Alias Target in the Amazon Route 53 Developer Guide. To see the information for Global
Accelerator, scroll down on the Alias Target page.

Bring your own IP addresses (BYOIP) in AWS Global

Accelerator
AWS Global Accelerator uses static IP addresses as entry points for your accelerators. These IP addresses
are anycast from AWS edge locations. By default, Global Accelerator provides static IP addresses from
the Amazon IP address pool. Instead of using the IP addresses that Global Accelerator provides, you can
conﬁgure these entry points to be IPv4 addresses from your own address ranges. This topic explains how
to use your own IP address ranges with Global Accelerator.

You can bring part or all of your public IPv4 address ranges from your on-premises network to your AWS
account to use with Global Accelerator. You continue to own the address ranges, but AWS advertises
them on the internet.

You can't use the IP addresses that you bring to AWS for one AWS service with another service. The steps
in this chapter describe how to bring your own IP address range for use in AWS Global Accelerator only.
For steps to bring your own IP address range for use in Amazon EC2, see Bring your own IP addresses
(BYOIP) in the Amazon EC2 User Guide.
Important
You must stop advertising your IP address range from other locations before you advertise it
through AWS. If an IP address range is multihomed (that is, the range is advertised by multiple
service providers at the same time), we can't guarantee that traﬃc to the address range will
enter our network or that your BYOIP advertising workﬂow will complete successfully.

After you bring an address range to AWS, it appears in your account as an address pool. When you create
an accelerator, you can assign one IP address from your range to it. Global Accelerator assigns you a
second static IP address from an Amazon IP address range. If you bring two IP address ranges to AWS,
you can assign one IP address from each range to your accelerator. This restriction is because Global
Accelerator assigns each address range to a diﬀerent network zone, for high availability.

To use your own IP address range with Global Accelerator, review the requirements, and then follow the
steps provided in this topic.

Topics
• Requirements (p. 53)
• Prepare to bring your IP address range to your AWS account: Authorization (p. 54)
• Provision the address range for use with AWS Global Accelerator (p. 56)
• Advertise the address range through AWS (p. 57)
• Deprovision the address range (p. 58)
• Create an accelerator with your IP addresses (p. 58)

Requirements
You can bring up to two qualifying IP address ranges to AWS Global Accelerator per AWS account.

To qualify, your IP address range must meet the following requirements:

• The IP address range must be registered with one of the following regional internet registries (RIRs):
the American Registry for Internet Numbers (ARIN), Réseaux IP Européens Network Coordination

53
AWS Global Accelerator Developer Guide
IP address range authorization

Centre (RIPE), or Asia-Pacific Network Information Centre (APNIC). The address range must be
registered to a business or institutional entity. It can’t be registered to an individual.
• The most specific address range that you can bring is /24. The first 24 bits of the IP address specify the
network number. For example, 198.51.100 is the network number for IP address 198.51.100.0.
• The IP addresses in the address range must have a clean history. That is, they can’t have a poor
reputation or be associated with malicious behavior. We reserve the right to reject the IP address range
if we investigate the reputation of the IP address range and find that it contains an IP address that
doesn’t have a clean history.

Also, we require the following allocation and assignment network types or statuses, depending on where
you registered your IP address range:

• ARIN: Direct Allocation and Direct Assignment network types

• RIPE: ALLOCATED PA, LEGACY, and ASSIGNED PI allocation statuses
• APNIC: ALLOCATED PORTABLE and ASSIGNED PORTABLE allocation statuses

Prepare to bring your IP address range to your AWS

account: Authorization
To ensure that only you can bring your IP address space to Amazon, we require two authorizations:

• You must authorize Amazon to advertise the IP address range.

• You must provide proof that you own the IP address range and so have the authority to bring it to
AWS.
Note
When you use BYOIP to bring an IP address range to AWS, you can't transfer ownership of
that address range to a diﬀerent account or company while we're advertising it. You also can't
directly transfer an IP address range from one AWS account to another account. To transfer
ownership or to transfer between AWS accounts, you must deprovision the address range, and
then the new owner must follow the steps to add the address range to their AWS account.

To authorize Amazon to advertise the IP address range, you provide Amazon with a signed authorization
message. Use a Route Origin Authorization (ROA) to provide this authorization. A ROA is a cryptographic
statement about your route announcements that you create through your Regional Internet Registry
(RIR). A ROA contains the IP address range, the Autonomous System Numbers (ASN) that are allowed to
advertise the IP address range, and an expiration date. The ROA authorizes Amazon to advertise an IP
address range under a speciﬁc Autonomous System (AS).

A ROA does not authorize your AWS account to bring the IP address range to AWS. To provide this
authorization, you must publish a self-signed X.509 certiﬁcate in the Registry Data Access Protocol
(RDAP) remarks for the IP address range. The certiﬁcate contains a public key, which AWS uses to verify
the authorization-context signature that you provide. Keep your private key secure and use it to sign the
authorization-context message.

The following sections provide detailed steps for completing these authorization tasks. The commands
in these steps are supported on Linux. If you use Windows, you can access the Windows Subsystem for
Linux to run Linux commands.

Steps to provide authorization

• Step 1: Create a ROA object (p. 55)

54
AWS Global Accelerator Developer Guide
IP address range authorization

• Step 2: Create a self-signed X.509 certiﬁcate (p. 55)

• Step 3: Create a signed authorization message (p. 56)

Step 1: Create a ROA object

Create a ROA object to authorize Amazon ASN 16509 to advertise your IP address range as well as the
ASNs that are currently authorized to advertise the IP address range. The ROA must contain the /24 IP
address that you want to bring to AWS and you must set the maximum length to /24.

For more information about creating a ROA request, see the following sections, depending on where you
registered your IP address range:

• ARIN: ROA Requests

• RIPE: Managing ROAs
• APNIC: Route Management

Step 2: Create a self-signed X.509 certiﬁcate

Create a key pair and a self-signed X.509 certiﬁcate, and then add the certiﬁcate to the RDAP record for
your RIR. The following steps describe how to perform these tasks.
Note
The openssl commands in these steps require OpenSSL version 1.0.2 or later.

To create and add an X.509 certiﬁcate

1. Generate an RSA 2048-bit key pair using the following command.

openssl genrsa -out private.key 2048

2. Create a public X.509 certiﬁcate from the key pair using the following command.

openssl req -new -x509 -key private.key -days 365 | tr -d "\n" > publickey.cer

In this example, the certiﬁcate expires in 365 days, after which time it can’t be trusted. When you
run the command, make sure that you set the –days option to the desired value for the correct
expiration. When you're prompted for other information, you can accept the default values.
3. Update the RDAP record for your RIR with the X.509 certiﬁcate by using the following steps,
depending on your RIR.

1. View your certiﬁcate using the following command.

cat publickey.cer

2. Add the certiﬁcate by doing the following:

Important
Make sure to include the -----BEGIN CERTIFICATE----- and -----END
CERTIFICATE----- from the certificate.
• For ARIN, add the certificate in the Public Comments section for your IP address range.
• For RIPE, add the certificate as a new descr field for your IP address range.
• For APNIC, send the public key in email to [email protected], the APNIC authorized
contact for the IP addresses, to request that they manually add it to the remarks field.

55
AWS Global Accelerator Developer Guide
Provision the address range for
use with AWS Global Accelerator

Step 3: Create a signed authorization message

Create the signed authorization message to allow Amazon to advertise your IP address range.

The format of the message is as follows, where the YYYYMMDD date is the expiration date of the message.

1|aws|aws-account|address-range|YYYYMMDD|SHA256|RSAPSS

To create the signed authorization message

1. Create a plaintext authorization message and store it in a variable named text_message, as the
following example shows. Replace the example account number, IP address range, and expiration
date with your own values.

text_message="1|aws|123456789012|203.0.113.0/24|20191201|SHA256|RSAPSS"

2. Sign the authorization message in text_message using the key pair that you created in the
previous section.
3. Store the message in a variable named signed_message, as the following example shows.

signed_message=$(echo $text_message | tr -d "\n" | openssl dgst -sha256 -sigopt

rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 -sign private.key -keyform PEM |
openssl base64 |
tr -- '+=/' '-_~' | tr -d "\n")

Provision the address range for use with AWS Global

Accelerator
When you provision an address range for use with AWS, you are conﬁrming that you own the address
range and authorize Amazon to advertise it. We'll verify that you own the address range.

You must provision your address range using the CLI or Global Accelerator API operations. This
functionality is not available in the AWS console.

To provision the address range, use the following ProvisionByoipCidr command. The --cidr-
authorization-context parameter uses the variables that you created in the previous section, not
the ROA message.

aws globalaccelerator provision-byoip-cidr --cidr address-range --cidr-authorization-

context Message="$text_message",Signature="$signed_message"

The following is an example of provisioning an address range.

aws globalaccelerator provision-byoip-cidr

--cidr 203.0.113.25/24
--cidr-authorization-context Message="$text_message",Signature="$signed_message"

Provisioning an address range is an asynchronous operation, so the call returns immediately. However,
the address range is not ready to use until its state changes from PENDING_PROVISIONING to READY. It
can take up to 3 weeks to complete the provisioning process. To monitor the state of the address ranges
that you've provisioned, use the following ListByoipCidrs command:

aws globalaccelerator list-byoip-cidrs

56
AWS Global Accelerator Developer Guide
Advertise the address range through AWS

To see a list of the states for an IP address range, see ByoipCidr.

When your IP address range is provisioned, the State returned by list-byoip-cidrs is READY. For
example:

{
"ByoipCidrs": [
{
"Cidr": "203.0.113.0/24",
"State": "READY"
}
]
}

Advertise the address range through AWS

After the address range is provisioned, it's ready to be advertised. You must advertise the exact address
range that you provisioned. You can't advertise only a portion of the provisioned address range. In
addition, you must stop advertising your IP address range from other locations before you advertise it
through AWS.

You must advertise (or stop advertising) your address range using the CLI or Global Accelerator API
operations. This functionality is not available in the AWS console.
Important
Make sure that your IP address range is advertised by AWS before you use an IP address from
your pool with Global Accelerator.

To advertise the address range, use the following AdvertiseByoipCidr command.

aws globalaccelerator advertise-byoip-cidr --cidr address-range

The following is an example of requesting Global Accelerator to advertise an address range.

aws globalaccelerator advertise-byoip-cidr --cidr 203.0.113.0/24

To monitor the state of the address ranges that you've advertised, use the following ListByoipCidrs
command.

aws globalaccelerator list-byoip-cidrs

When your IP address range is advertised, the State returned by list-byoip-cidrs is ADVERTISING.
For example:

{
"ByoipCidrs": [
{
"Cidr": "203.0.113.0/24",
"State": "ADVERTISING"
}
]
}

To stop advertising the address range, use the following withdraw-byoip-cidr command.

57
AWS Global Accelerator Developer Guide
Deprovision the address range

Important
To stop advertising your address range, you ﬁrst must remove any accelerators that have static
IP addresses that are allocated from the address pool. To delete an accelerator using the console
or using API operations, see Deleting an accelerator (p. 24).

aws globalaccelerator withdraw-byoip-cidr --cidr address-range

The following is an example of requesting Global Accelerator to withdraw an address range.

aws globalaccelerator withdraw-byoip-cidr

--cidr 203.0.113.25/24

Deprovision the address range

To stop using your address range with AWS, you ﬁrst must remove any accelerators that have static IP
addresses that are allocated from the address pool and stop advertising your address range. After you
complete those steps, you can deprovision the address range.

You must stop advertising and deprovision your address range using the CLI or Global Accelerator API
operations. This functionality is not available in the AWS console.

Step 1: Delete any associated accelerators. To delete an accelerator using the console or using API
operations, see Deleting an accelerator (p. 24).

Step 2. Stop advertising the address range. To stop advertising the range, use the following
WithdrawByoipCidr command.

aws globalaccelerator withdraw-byoip-cidr --cidr address-range

Step 3. Deprovision the address range. To deprovision the range, use the following
DeprovisionByoipCidr command.

aws globalaccelerator deprovision-byoip-cidr --cidr address-range

Create an accelerator with your IP addresses

Now you can create an accelerator with your IP addresses. If you brought one address range to AWS, you
can assign one IP address to your accelerator. If you brought two address ranges, you can assign one IP
address from each address range to your accelerator.

You have several options for creating an accelerator using your own IP addresses for the static IP
addresses:

• Use Global Accelerator console to create an accelerator. For more information, see Creating or
updating a standard accelerator (p. 23) and Creating or updating a custom routing accelerator (p. 44).
• Use the Global Accelerator API to create an accelerator. For more information, including examples
of using the CLI, see CreateAccelerator and CreateCustomRoutingAccelerator in the AWS Global
Accelerator API Reference.

58
AWS Global Accelerator Developer Guide
How to enable client IP address preservation

Preserve client IP addresses in AWS

Global Accelerator
Your options for preserving and accessing the client IP address for AWS Global Accelerator depend
on the endpoints that you've set up with your accelerator. There are two types of endpoints that can
preserve the source IP address of the client in incoming packets: Application Load Balancers and Amazon
EC2 instances.

• When you use an internet-facing Application Load Balancer as an endpoint with Global Accelerator,
client IP address preservation is enabled by default for new accelerators. This means that the source IP
address of the original client is preserved for packets that arrive at the load balancer. You can choose
to disable the option when you create the accelerator or by editing the accelerator later.
• When you use an internal Application Load Balancer or an EC2 instance with Global Accelerator, the
endpoint always has client IP address preservation enabled.

Note
Global Accelerator does not support client IP address preservation for Network Load Balancer
and Elastic IP address endpoints.

When you plan for adding client IP address preservation, be aware of the following:

• Before you add and begin to route traffic to endpoints that preserve the client IP address, make sure
that all your required security configurations, for example, security groups, are updated to include the
user client IP address on allow lists.
• Client IP address preservation is supported only in specific AWS Regions. For more information, see
Supported AWS Regions for client IP address preservation (p. 63).

Topics
• How to enable client IP address preservation (p. 59)
• Beneﬁts of client IP address preservation (p. 60)
• How the client IP address is preserved in AWS Global Accelerator (p. 61)
• Best practices for client IP address preservation (p. 61)
• Supported AWS Regions for client IP address preservation (p. 63)

How to enable client IP address preservation

When you create a new accelerator, client IP address preservation is enabled, by default, for supported
endpoints.

Be aware of the following:

• Internal Application Load Balancers and EC2 instances always have client IP address preservation
enabled. You can't disable the option for these endpoints.

59
AWS Global Accelerator Developer Guide
Beneﬁts of client IP address preservation

• When you use the AWS console to create a new accelerator, the option for client IP address
preservation is enabled by default for Application Load Balancer endpoints. You can disable the option
at any time if you don't want client IP address preservation for an internet-facing Application Load
Balancer endpoint.
• When you use the AWS CLI or an API action to create a new accelerator and you don't specify the
option for client IP address preservation, internet-facing Application Load Balancer endpoints have
client IP address preservation enabled by default.
• Global Accelerator does not support client IP address preservation for Network Load Balancer and
Elastic IP address endpoints.

For existing accelerators, you can transition endpoints without client IP address preservation to
endpoints that do preserve the client IP address. Existing Application Load Balancer endpoints can be
transitioned to new Application Load Balancer endpoints, and existing Elastic IP address endpoints
can be transitioned to EC2 instance endpoints. (Network Load Balancer endpoints don't support client
IP address preservation.) To transition to the new endpoints, we recommend that you move traﬃc
slowly from an existing endpoint to a new endpoint that has client IP address preservation by doing the
following:

• For existing Application Load Balancer endpoints, first add to Global Accelerator a duplicate
Application Load Balancer endpoint that targets the same backends and, if it's an internet-facing
Application Load Balancer, enable client IP address preservation for it. Then adjust the weights on
the endpoints to slowly move traffic from the load balancer that does not have client IP address
preservation enabled to the load balancer with client IP address preservation.
• For an existing Elastic IP address endpoint, you can move traffic to an EC2 instance endpoint with
client IP address preservation. First add an EC2 instance endpoint to Global Accelerator, and then
adjust the weights on the endpoints to slowly move traffic from the Elastic IP address endpoint to the
EC2 instance endpoint.

For step-by-step transition guidance, see Transitioning endpoints to use client IP address
preservation (p. 36).

Beneﬁts of client IP address preservation

For endpoints that don’t have client IP address preservation enabled, the IP addresses used by the Global
Accelerator service at the edge network replace the requesting user's IP address as the source address
in the arriving packets. The original client's connection information—such as the IP address of the client
and the client's port—is not preserved as traﬃc travels to systems behind an accelerator. This works ﬁne
for many applications, especially those that are available to all users such as public websites.

However, for other applications you might want to access the original client IP address by using
endpoints with client IP address preservation. For example, when you have the client IP address, you can
gather statistics based on client IP addresses. You can also use IP-address-based filters such as security
groups on Application Load Balancers to filter traffic. You can apply logic that is specific to a user's IP
address in your applications that run on the web tier servers behind that Application Load Balancer
endpoint by using the load balancer's X-Forwarded-For header, which contains the original client IP
address information. You can also use client IP address preservation in security group rules in the security
groups associated with your Application Load Balancer. For more information, see How the client IP
address is preserved in AWS Global Accelerator (p. 61). For EC2 instance endpoints, the original client
IP address is preserved.

For endpoints that don't have client IP address preservation, you can filter for the source IP address
that Global Accelerator uses when it forwards traffic from the edge. You can see information about
the source IP addresses (which are also client IP addresses, when client IP address preservation is
enabled) of incoming packets by reviewing your Global Accelerator flow logs. For more information, see

60
AWS Global Accelerator Developer Guide
How the client IP address is preserved

Location and IP address ranges of Global Accelerator edge servers (p. 7) and Flow logs in AWS Global
Accelerator (p. 64).

How the client IP address is preserved in AWS

Global Accelerator
AWS Global Accelerator preserves the source IP address of the client diﬀerently for Amazon EC2
instances and Application Load Balancers:

• For an EC2 instance endpoint, the client’s IP address is preserved for all traﬃc.
• For an Application Load Balancer endpoint with client IP address preservation, Global Accelerator
works together with the Application Load Balancer to provide an X-Forwarded header, X-
Forwarded-For, that includes the IP address of the original client so that your web tier can access it.

HTTP requests and HTTP responses use header fields to send information about the HTTP messages.
Header fields are colon-separated name-value pairs that are separated by a carriage return (CR) and a
line feed (LF). A standard set of HTTP header fields is defined in RFC 2616, Message Headers. There are
also non-standard HTTP headers available that are widely used by the applications. Some of the non-
standard HTTP headers have an X-Forwarded prefix.

Because an Application Load Balancer terminates incoming TCP connections and creates new
connections to your backend targets, it does not preserve client IP addresses all the way to your target
code (such as instances, containers, or Lambda code). The source IP address that your targets see in the
TCP packet is the IP address of the Application Load Balancer. However, an Application Load Balancer
does preserve the original client IP address by removing it from the original packet’s reply address and
inserting it into an HTTP header before it sends the request to your backend over a new TCP connection.

The X-Forwarded-For request header is formatted like this:

X-Forwarded-For: client-ip-address

The following example shows an X-Forwarded-For request header for a client with an IP address of
203.0.113.7.

X-Forwarded-For: 203.0.113.7

Best practices for client IP address preservation

When you use client IP address preservation in AWS Global Accelerator, keep in mind the information
and best practices in this section for elastic network interfaces and security groups.

To support client IP address preservation, Global Accelerator creates elastic network interfaces in your
AWS account—one for each subnet where an endpoint is present. An elastic network interface is a
logical networking component in a VPC that represents a virtual network card. Global Accelerator uses
these elastic network interfaces to route traffic to the endpoints configured behind an accelerator. The
supported endpoints for routing traffic this way are Application Load Balancers (internal and internet-
facing) and Amazon EC2 instances.
Note
When you add an internal Application Load Balancer or an EC2 instance endpoint in Global
Accelerator, you enable internet traffic to flow directly to and from the endpoint in Virtual

61
AWS Global Accelerator Developer Guide
Best practices for client IP address preservation

Private Clouds (VPCs) by targeting it in a private subnet. For more information, see Secure VPC
connections in AWS Global Accelerator (p. 108).

How Global Accelerator uses elastic network interfaces

When you have an Application Load Balancer with client IP address preservation enabled, the
number of subnets that the load balancer is in determines the number of elastic network interfaces
that Global Accelerator creates in your account. Global Accelerator creates one elastic network
interface for each subnet that has at least one elastic network interface of the Application Load
Balancer in it that is fronted by an accelerator in your account.

The following examples illustrate how this works:

• Example 1: If an Application Load Balancer has elastic network interfaces in subnet A and subnet
B, and then you add the load balancer as an accelerator endpoint, Global Accelerator creates two
elastic network interfaces, one in each subnet.
• Example 2: If you add, for example, an ALB1 that has elastic network interfaces in subnetA and
subnetB to Accelerator1, and then add an ALB2 with elastic network interfaces in subnet A and
subnet B to Accelerator2, Global Accelerator creates only two elastic network interfaces: one in
subnetA and one in subnetB.
• Example 3: If you add an ALB1 that has elastic network interfaces in subnetA and subnetB to
Accelerator1, and then add an ALB2 with elastic network interfaces in subnetA and subnetC to
Accelerator2, Global Accelerator creates three elastic network interfaces: one in subnetA, one in
subnetB, and one in subnetC. The elastic network interface in subnetA delivers traﬃc on for both
Accelerator1 and Accelerator2.

As shown in Example 3, elastic network interfaces are reused across accelerators if endpoints in the
same subnet are placed behind multiple accelerators.

The logical elastic network interfaces that Global Accelerator creates do not represent a single
host, a throughput bottleneck, or a single point of failure. Like other AWS services that appear as a
single elastic network interface in an Availability Zone or subnet—services like a network address
translation (NAT) gateway or a Network Load Balancer—Global Accelerator is implemented as a
horizontally scaled, highly available service.

Evaluate the number of subnets that are used by endpoints in your accelerators to determine
the number of elastic network interfaces that Global Accelerator will create. Before you create
an accelerator, make sure that you have enough IP address space capacity for the required elastic
network interfaces, at least one free IP address per relevant subnet. If you don't have enough free
IP address space, you must create or use a subnet that has adequate free IP address space for your
Application Load Balancer and associated Global Accelerator elastic network interfaces.

When Global Accelerator determines that an elastic network interface is not being used by any of
the endpoints in accelerators in your account, Global Accelerator deletes the interface.
Security groups created by Global Accelerator

Review the following information and best practices when you work with Global Accelerator and
security groups.
• Global Accelerator creates security groups that are associated with its elastic network interfaces.
Although the system doesn't prevent you from doing so, you shouldn't edit any of the security
group settings for these groups.
• Global Accelerator doesn't delete security groups that it creates. However, Global Accelerator does
delete an elastic network interface if it isn't being used by any of the endpoints in accelerators in
your account.
• You can use the security groups created by Global Accelerator as a source group in other security
groups that you maintain, but Global Accelerator only forwards traﬃc to the targets that you
specify in your VPC.

62
AWS Global Accelerator Developer Guide
Supported AWS Regions for client IP address preservation

• If you modify the security group rules created by Global Accelerator, the endpoint might become
unhealthy. If that happens, contact AWS Support for assistance.
• Global Accelerator creates a speciﬁc security group for each VPC. Elastic network interfaces that
are created for the endpoints within a speciﬁc VPC all use the same security group, no matter
which subnet an elastic network interface is associated with.

Supported AWS Regions for client IP address

preservation
You can enable client IP address preservation for AWS Global Accelerator in the following AWS Regions.

Region Name Region

US East (Ohio) us-east-2

US East (N. Virginia) us-east-1

US West (N. California) us-west-1 (except AZ usw1-az2)

US West (Oregon) us-west-2

Africa (Cape Town) af-south-1

Asia Paciﬁc (Hong Kong) ap-east-1

Asia Paciﬁc (Mumbai) ap-south-1

Asia Paciﬁc (Osaka) ap-northeast-3

Asia Paciﬁc (Singapore) ap-southeast-1

Asia Paciﬁc (Sydney) ap-southeast-2

Asia Paciﬁc (Tokyo) ap-northeast-1 (except AZ apne1-az3)

Asia Paciﬁc (Seoul) ap-northeast-2

Canada (Central) ca-central-1 (except AZ cac1-az3)

Europe (Frankfurt) eu-central-1

Europe (Ireland) eu-west-1

Europe (London) eu-west-2

Europe (Milan) eu-south-1

Europe (Paris) eu-west-3

Europe (Stockholm) eu-north-1

Middle East (Bahrain) me-south-1

South America (São Paulo) sa-east-1

63
AWS Global Accelerator Developer Guide
Flow logs

Logging and monitoring in AWS

Global Accelerator
You can use ﬂow logs and AWS CloudTrail to monitor your accelerator in AWS Global Accelerator, analyze
traﬃc patterns, and troubleshoot issues with your listeners and endpoints.

Topics
• Flow logs in AWS Global Accelerator (p. 64)
• Using Amazon CloudWatch with AWS Global Accelerator (p. 70)
• Using AWS CloudTrail to log AWS Global Accelerator API calls (p. 75)

Flow logs in AWS Global Accelerator

Flow logs enable you to capture information about the IP address traﬃc going to and from network
interfaces in your accelerator in AWS Global Accelerator. Flow log data is published to Amazon S3, where
you can retrieve and view your data after you've created a ﬂow log.

Flow logs can help you with a number of tasks. For example, you can troubleshoot why specific traffic is
not reaching an endpoint, which in turn helps you diagnose overly restrictive security group rules. You
can also use flow logs as a security tool to monitor the traffic that is reaching your endpoints.

A flow log record represents a network flow in your flow log. Each record captures the network flow for
a specific 5-tuple, for a specific capture window. A 5-tuple is a set of five different values that specify the
source, destination, and protocol for an IP flow. The capture window is a duration of time during which
the flow logs service aggregates data before publishing flow log records. The capture window is up to 1
minute.

CloudWatch Logs charges apply when using flow logs, even when logs are published directly to Amazon
S3. For more information, see Deliver Logs to S3 at Amazon CloudWatch Pricing.
Tip
Using Amazon Athena and Amazon QuickSight with your Global Accelerator flow log data can
help you troubleshoot reachability issues for your application, identify security vulnerabilities,
and get an overview of how users access your application. To learn more, see the following AWS
blog post: Analyzing and visualizing AWS Global Accelerator flow logs using Amazon Athena
and Amazon QuickSight.

Topics
• Publishing ﬂow logs to Amazon S3 (p. 64)
• Timing of log ﬁle delivery (p. 68)
• Flow log record syntax (p. 68)

Publishing ﬂow logs to Amazon S3

Flow logs for AWS Global Accelerator are published to Amazon S3 to an existing S3 bucket that you
specify. Flow log records are published to a series of log ﬁle objects that are stored in the bucket.

64
AWS Global Accelerator Developer Guide
Publishing to Amazon S3

To create an Amazon S3 bucket for use with ﬂow logs, see Create a Bucket in the Amazon Simple Storage
Service User Guide.

Flow logs ﬁles

Flow logs collect flow log records, consolidate them into log files, and then publish the log files to the
Amazon S3 bucket at 5-minute intervals. Each log file contains flow log records for the IP address traffic
recorded in the previous five minutes.

The maximum file size for a log file is 75 MB. If the log file reaches the file size limit within the 5-minute
period, the flow log stops adding flow log records to it, publishes it to the Amazon S3 bucket, and then
creates a new log file.

Log files are saved to the specified Amazon S3 bucket using a folder structure that is determined by
the flow log's ID, Region, and the date on which they are created. The bucket folder structure uses the
following format:

s3-bucket_name/s3-bucket-prefix/AWSLogs/aws_account_id/globalaccelerator/region/yyyy/mm/dd/

Similarly, the log ﬁle name is determined by the ﬂow log's ID, Region, and the date and time it was
created. File names use the following format:

aws_account_id_globalaccelerator_accelerator_id_flow_log_id_timestamp_hash.log.gz

Note the following about the folder and ﬁle name structure for log ﬁles:

• The timestamp uses the YYYYMMDDTHHmmZ format.

• If you specify slash (/) for the S3 bucket preﬁx, the log ﬁle bucket folder structure will include a double
slash (//), like the following:

s3-bucket_name//AWSLogs/aws_account_id

The following example shows the folder structure and file name of a log file for a flow log
created by AWS account 123456789012 for an accelerator with an ID of 1234abcd-abcd-1234-
abcd-1234abcdefgh, on November 23, 2018 at 00:05 UTC:

my-s3-bucket/prefix1/AWSLogs/123456789012/globalaccelerator/us-
west-2/2018/11/23/123456789012_globalaccelerator_1234abcd-abcd-1234-
abcd-1234abcdefgh_20181123T0005Z_1fb1234.log.gz

A single flow log file contains interleaved entries with multiple 5-tuple records; that is, client_ip,
client_port, accelerator_ip, accelerator_port, protocol. To see all the flow log files for your
accelerator, look for entries aggregated by the accelerator_id and your account_id.

IAM roles for publishing ﬂow logs to Amazon S3

An IAM principal, such as an IAM user, must have suﬃcient permissions to publish ﬂow logs to the
Amazon S3 bucket. The IAM policy must include the following permissions:

{
"Version": "2012-10-17",
"Statement": [
{

65
AWS Global Accelerator Developer Guide
Publishing to Amazon S3

"Sid": "DeliverLogs",
"Effect": "Allow",
"Action": [
"logs:CreateLogDelivery",
"logs:DeleteLogDelivery"
],
"Resource": "*"
},
{
"Sid": "AllowGlobalAcceleratorService",
"Effect": "Allow",
"Action": [
"globalaccelerator:*"
],
"Resource": "*"
},
{
"Sid": "s3Perms",
"Effect": "Allow",
"Action": [
"s3:GetBucketPolicy",
"s3:PutBucketPolicy"
],
"Resource": "*"
}
]
}

Amazon S3 bucket permissions for ﬂow logs

By default, Amazon S3 buckets and the objects that they contain are private. Only the bucket owner
can access the bucket and the objects stored in it. The bucket owner, however, can grant access to other
resources and users by writing an access policy.

If the user creating the ﬂow log owns the bucket, the service automatically attaches the following policy
to the bucket to give the ﬂow log permission to publish logs to it:

{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AWSLogDeliveryWrite",
"Effect": "Allow",
"Principal": {"Service": "delivery.logs.amazonaws.com"},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::bucket_name/optional_folder/AWSLogs/account_id/*",
"Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}
},
{
"Sid": "AWSLogDeliveryAclCheck",
"Effect": "Allow",
"Principal": {"Service": "delivery.logs.amazonaws.com"},
"Action": "s3:GetBucketAcl",
"Resource": "arn:aws:s3:::bucket_name"
}
]
}

If the user creating the flow log does not own the bucket, or does not have the GetBucketPolicy and
PutBucketPolicy permissions for the bucket, the flow log creation fails. In this case, the bucket owner
must manually add the preceding policy to the bucket and specify the flow log creator's AWS account
ID. For more information, see How Do I Add an S3 Bucket Policy? in the Amazon Simple Storage Service

66
AWS Global Accelerator Developer Guide
Publishing to Amazon S3

User Guide. If the bucket receives ﬂow logs from multiple accounts, add a Resource element entry to
the AWSLogDeliveryWrite policy statement for each account.

For example, the following bucket policy allows AWS accounts 123123123123 and 456456456456 to
publish ﬂow logs to a folder named flow-logs in a bucket named log-bucket:

{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AWSLogDeliveryWrite",
"Effect": "Allow",
"Principal": {"Service": "delivery.logs.amazonaws.com"},
"Action": "s3:PutObject",
"Resource": [
"arn:aws:s3:::log-bucket/flow-logs/AWSLogs/123123123123/*",
"arn:aws:s3:::log-bucket/flow-logs/AWSLogs/456456456456/*"
],
"Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}
},
{
"Sid": "AWSLogDeliveryAclCheck",
"Effect": "Allow",
"Principal": {"Service": "delivery.logs.amazonaws.com"},
"Action": "s3:GetBucketAcl",
"Resource": "arn:aws:s3:::log-bucket"
}
]
}

Note
We recommend that you grant the AWSLogDeliveryAclCheck and AWSLogDeliveryWrite
permissions to the log delivery service principal instead of individual AWS account ARNs.

Required CMK key policy for use with SSE-KMS buckets

If you enabled server-side encryption for your Amazon S3 bucket using AWS KMS-managed keys (SSE-
KMS) with a customer-managed customer master key (CMK), you must add the following to the key
policy for your CMK so that ﬂow logs can write log ﬁles to the bucket:

{
"Sid": "Allow AWS Global Accelerator Flow Logs to use the key",
"Effect": "Allow",
"Principal": {
"Service": [
"delivery.logs.amazonaws.com"
]
},
"Action": "kms:GenerateDataKey*",
"Resource": "*"
}

Amazon S3 log ﬁle permissions

In addition to the required bucket policies, Amazon S3 uses access control lists (ACLs) to manage access
to the log files created by a flow log. By default, the bucket owner has FULL_CONTROL permissions on
each log file. The log delivery owner, if different from the bucket owner, has no permissions. The log
delivery account has READ and WRITE permissions. For more information, see Access Control List (ACL)
Overview in the Amazon Simple Storage Service User Guide.

67
AWS Global Accelerator Developer Guide
Timing of log ﬁle delivery

Enable publishing ﬂow logs to Amazon S3

To enable ﬂow logs in AWS Global Accelerator, follow the steps in this procedure.

To enable ﬂow logs in AWS Global Accelerator

1. Create an Amazon S3 bucket for your flow logs in your AWS account.
2. Add the required IAM policy for the AWS user who is enabling the flow logs. For more information,
see IAM roles for publishing flow logs to Amazon S3 (p. 65).
3. Run the following AWS CLI command, with the Amazon S3 bucket name and prefix that you want to
use for your log files:

aws globalaccelerator update-accelerator-attributes

--accelerator-arn arn:aws:globalaccelerator::012345678901:accelerator/1234abcd-
abcd-1234-abcd-1234abcdefgh
--region us-west-2
--flow-logs-enabled
--flow-logs-s3-bucket s3-bucket-name
--flow-logs-s3-prefix s3-bucket-prefix

Processing ﬂow log records in Amazon S3

The log files are compressed. If you open the log files using the Amazon S3 console, they are
decompressed and the flow log records are displayed. If you download the files, you must decompress
them to view the flow log records.

Timing of log ﬁle delivery

AWS Global Accelerator delivers log files for your configured accelerator up to several times an hour.
In general, a log file contains information about the requests that your accelerator received during a
given time period. Global Accelerator usually delivers the log file for that time period to your Amazon S3
bucket within an hour of the events that appear in the log. Some or all log file entries for a time period
can sometimes be delayed by up to 24 hours. When log entries are delayed, Global Accelerator saves
them in a log file for which the file name includes the date and time of the period in which the requests
occurred, not the date and time when the file was delivered.

When creating a log ﬁle, Global Accelerator consolidates information for your accelerator from all the
edge locations that received requests during the time period that the log ﬁle covers.

Global Accelerator begins to reliably deliver log files about four hours after you enable logging. You
might get a few log files before that time.
Note
If no users connect to your accelerator during the time period, you don't receive any log files for
that period.

Flow log record syntax

A ﬂow log record is a space-separated string that has the following format:

<version> <aws_account_id> <accelerator_id> <client_ip> <client_port>

<accelerator_ip> <accelerator_port> <endpoint_ip> <endpoint_port> <protocol>
<ip_address_type> <packets> <bytes> <start_time> <end_time> <action> <log-
status> <globalaccelerator_source_ip> <globalaccelerator_source_port>
<endpoint_region> <globalaccelerator_region> <direction> <vpc_id>

68
AWS Global Accelerator Developer Guide
Flow log record syntax

The Version 1.0 format does not include the VPC identiﬁer, vpc_id. The Version 2.0 format, which
includes vpc_id, is generated when Global Accelerator sends traﬃc to an endpoint with client IP
address preservation.

The following table describes the ﬁelds of a ﬂow log record.

Field Description

version The ﬂow logs version.

aws_account_id The AWS account ID for the ﬂow log.

accelerator_id The ID of the accelerator for which the traﬃc is recorded.

client_ip The source IPv4 address.

client_port The source port.

accelerator_ip The accelerator's IP address.

accelerator_portThe accelerator's port.

endpoint_ip The destination IP address of the traﬃc.

endpoint_port The destination port of the traﬃc.

protocol The IANA protocol number of the traﬃc. For more information, see Assigned
Internet Protocol Numbers.

ip_address_type IPv4.

packets The number of packets transferred during the capture window.

bytes The number of bytes transferred during the capture window.

start_time The time, in Unix seconds, of the start of the capture window.

end_time The time, in Unix seconds, of the end of the capture window.

action The action associated with the traﬃc:

• ACCEPT: The recorded traﬃc was permitted by the security groups or network
ACLs. The value is currently always ACCEPT.

log-status The logging status of the ﬂow log:

• OK: Data is logging normally to the chosen destinations.

• NODATA: There was no network traﬃc to or from the network interface during
the capture window.
• SKIPDATA: Some ﬂow log records were skipped during the capture window.
This can be because of an internal capacity constraint, or an internal error.

The IP address used by the Global Accelerator network interface.

globalaccelerator_source_ip

The port used by the Global Accelerator network interface.

globalaccelerator_source_port

endpoint_region The AWS Region where the endpoint is located.

The edge location (point of presence) that served the request. Each edge
globalaccelerator_region
location has a three-letter code and an arbitrarily assigned number, for example,
DFW3. The three-letter code typically corresponds with the International Air

69
AWS Global Accelerator Developer Guide
CloudWatch monitoring

Field Description
Transport Association airport code for an airport near the edge location. (These
abbreviations might change in the future.)

direction The direction of the traﬃc. Denotes traﬃc coming into the Global Accelerator
network (INGRESS) or returning to the client (EGRESS).

vpc_id The VPC identifier. Included with Version 2.0 flow logs when Global Accelerator
sends traffic to an endpoint with client IP address preservation.

If a ﬁeld does not apply for a speciﬁc record, the record displays a '-' symbol for that entry.

Using Amazon CloudWatch with AWS Global

Accelerator
AWS Global Accelerator publishes data points to Amazon CloudWatch for your accelerators. CloudWatch
enables you to retrieve statistics about those data points as an ordered set of time-series data, known as
metrics. Think of a metric as a variable to monitor, and the data points as the values of that variable over
time. For example, you can monitor traﬃc through an accelerator over a speciﬁed time period. Each data
point has an associated time stamp and an optional unit of measurement.

You can use metrics to verify that your system is performing as expected. For example, you can create a
CloudWatch alarm to monitor a speciﬁed metric and initiate an action (such as sending a notiﬁcation to
an email address) if the metric goes outside what you consider an acceptable range.

Global Accelerator reports metrics to CloudWatch only when requests are flowing through the
accelerator. If requests are flowing through the accelerator, Global Accelerator measures and sends its
metrics in 60-second intervals. If there are no requests flowing through the accelerator or there is no
data for a metric, the metric is not reported.

For more information, see the Amazon CloudWatch User Guide.

Contents
• Global Accelerator metrics (p. 70)
• Metric dimensions for accelerators (p. 72)
• Statistics for Global Accelerator metrics (p. 73)
• View CloudWatch metrics for your accelerators (p. 74)

Global Accelerator metrics

The AWS/GlobalAccelerator namespace includes the following metrics.

Metric Description

NewFlowCount The total number of new TCP and UDP ﬂows (or connections)
established from clients to endpoints in the time period.

Reporting criteria: There is a nonzero value.

Statistics: The only useful statistic is Sum.

70
AWS Global Accelerator Developer Guide
Global Accelerator metrics

Metric Description
Dimensions

• Accelerator
• Accelerator, Listener
• Accelerator, Listener, EndpointGroup
• Accelerator, SourceRegion
• Accelerator, DestinationEdge
• Accelerator, TransportProtocol
• Accelerator, AcceleratorIPAddress

ProcessedBytesIn The total number of incoming bytes processed by the accelerator,

including TCP/IP headers. This count includes all traﬃc to endpoints.

Reporting criteria: There is a nonzero value.

Statistics: The only useful statistic is Sum.

Dimensions

ProcessedBytesOut The total number of outgoing bytes processed by the accelerator,

including TCP/IP headers. This count includes traﬃc from endpoints,
minus health check traﬃc.

Reporting criteria: There is a nonzero value.

Statistics: The only useful statistic is Sum.

Dimensions

71
AWS Global Accelerator Developer Guide
Metric dimensions for accelerators

Metric Description

HealthyEndpointCount The total number of endpoints that are considered healthy. Global
Accelerator regularly checks the status of endpoints on standard
accelerators. These health checks run automatically. How and when
these health checks run depend on the type of endpoint and the health
check options for the endpoint. To learn more, see Changing health
check options (p. 31).

Reporting criteria: Reported for accelerators that are conﬁgured and

enabled.

Statistics: The most useful statistics are Minimum and Maximum.

Dimensions

• Accelerator
• Accelerator, Listener
• Accelerator, Listener, EndpointGroup

UnhealthyEndpointCount The total number of endpoints that are considered unhealthy. Global
Accelerator regularly checks the status of endpoints on standard
accelerators. These health checks run automatically. How and when
these health checks run depend on the type of endpoint and the health
check options for the endpoint. To learn more, see Changing health
check options (p. 31).

Reporting criteria: Reported for accelerators that are conﬁgured and

enabled.

Statistics: The most useful statistics are Minimum and Maximum.

Dimensions

• Accelerator
• Accelerator, Listener
• Accelerator, Listener, EndpointGroup

Metric dimensions for accelerators

To ﬁlter the metrics for your accelerator, use the following dimensions.

Dimension Description

Accelerator Filters the metric data by accelerator. Specify the

accelerator by the accelerator id (the ﬁnal portion
of the accelerator ARN). For example, if the ARN is
arn:aws:globalaccelerator::012345678901:accelerator/1234abcd-
abcd-1234-abcd-1234abcdefgh, you specify the following: 1234abcd-
abcd-1234-abcd-1234abcdefgh.

Listener Filters the metric data by listener. Specify the listener by the listener
id (the ﬁnal portion of the listener ARN). For example, if the ARN is
arn:aws:globalaccelerator::012345678901:accelerator/1234abcd-

72
AWS Global Accelerator Developer Guide
Statistics for Global Accelerator metrics

Dimension Description
abcd-1234-abcd-1234abcdefgh/listener/0123wxyz, you specify the
following: 0123wxyz.

EndpointGroup Filters the metric data by endpoint group. Specify the endpoint group by the
AWS Region, for example, us-east-1 (all lowercase).

SourceRegion Filters the metric data by source region, which is the geographic area of the
AWS Regions where your application endpoints are running. Source region is
one of the following:

• NA – United States and Canada

• EU – Europe
• AP – Asia Paciﬁc*
• KR – South Korea
• IN – India
• AU – Australia
• ME – Middle East
• SA – South America
• ZA – South Africa

*Excluding South Korea and India

DestinationEdge Filters the metric data by destination edge, which is the geographic area of
the AWS edge locations that serve your client traﬃc. Destination edge is one
of the following:

• NA – United States and Canada

• EU – Europe
• AP – Asia Paciﬁc*
• KR – South Korea
• IN – India
• AU – Australia
• ME – Middle East
• SA – South America
• ZA – South Africa

*Excluding South Korea and India

TransportProtocol Filters the metric data by transport protocol: UDP or TCP.

AcceleratorIPAddressFilters the metric data by the IP address of the accelerator: that is, one of the
static IP addresses assigned to an accelerator.

Statistics for Global Accelerator metrics

CloudWatch provides statistics based on the metric data points published by Global Accelerator.
Statistics are aggregations of metric data over a specified period of time. When you request statistics, the
returned data stream is identified by the metric name and dimension. A dimension is a name/value pair
that uniquely identifies a metric. For example, you can request the processed bytes out for an accelerator
where the bytes are served from AWS edge locations in Europe (destination edge is "EU").

73
AWS Global Accelerator Developer Guide
View CloudWatch metrics for your accelerators

The following are examples of metric/dimension combinations that you might ﬁnd useful:

• View the amount of traffic served (such as ProcessedBytesOut) by each of your two accelerator IP
addresses to validate that your DNS configuration is correct.
• View the geographical distribution of your user traffic and monitor how much of it is local (for
example, North America to North America) or global (for example, Australia or India to North America).
To determine this, view the metrics ProcessedBytesIn or ProcessedBytesOut with the dimensions
DestinationEdge and SourceRegion set to specific values.
• View the number of unhealthy endpoints across your accelerator, and determine which endpoint
groups they belong to. If you have a large number of endpoint groups, this is espeically useful to help
you quickly find endpoint groups with endpoints that are experiencing issues. To determine this, view
the metric UnhealthyEndpointCount with the dimensions Accelerator, Listener, and EndpointGroup.

View CloudWatch metrics for your accelerators

You can view the CloudWatch metrics for your accelerators using the CloudWatch console or the AWS
CLI. In the console, metrics are displayed as monitoring graphs. The monitoring graphs show data points
only if the accelerator is active and receiving requests.

You must view CloudWatch metrics for Global Accelerator in the US West (Oregon) Region, both in the
console or when using the AWS CLI. When you use the AWS CLI, specify the US West (Oregon) Region for
your command by including the following parameter: --region us-west-2.

To view metrics using the CloudWatch console

1. Open the CloudWatch console at https://us-west-2.console.aws.amazon.com/cloudwatch/home?

region=us-west-2.
2. In the navigation pane, choose Metrics.
3. Select the GlobalAccelerator namespace.
4. (Optional) To view a metric across all dimensions, type its name in the search ﬁeld.

To view metrics using the AWS CLI

Use the following list-metrics command to list the available metrics:

aws cloudwatch list-metrics --namespace AWS/GlobalAccelerator --region us-west-2

To get the statistics for a metric using the AWS CLI

Use the following get-metric-statistics command to get statistics for a speciﬁed metric and dimension.
Note that CloudWatch treats each unique combination of dimensions as a separate metric. You can't
retrieve statistics using combinations of dimensions that were not speciﬁcally published. You must
specify the same dimensions that were used when the metrics were created.

The following example lists the total processed bytes in, per minute, for your accelerator serving from
the North America (NA) destination edge.

aws cloudwatch get-metric-statistics --namespace AWS/GlobalAccelerator \

--metric-name ProcessedBytesIn \
--region us-west-2 \
--statistics Sum --period 60 \
--dimensions Name=Accelerator,Value=1234abcd-abcd-1234-abcd-1234abcdefgh
Name=DestinationEdge,Value=NA \
--start-time 2019-12-18T20:00:00Z --end-time 2019-12-18T21:00:00Z

74
AWS Global Accelerator Developer Guide
CloudTrail logging

The following is example output from the command:

{
"Label": "ProcessedBytesIn",
"Datapoints": [
{
"Timestamp": "2019-12-18T20:45:00Z",
"Sum": 2410870.0,
"Unit": "Bytes"
},
{
"Timestamp": "2019-12-18T20:47:00Z",
"Sum": 0.0,
"Unit": "Bytes"
},
{
"Timestamp": "2019-12-18T20:46:00Z",
"Sum": 0.0,
"Unit": "Bytes"
},
{
"Timestamp": "2019-12-18T20:42:00Z",
"Sum": 1560.0,
"Unit": "Bytes"
},
{
"Timestamp": "2019-12-18T20:48:00Z",
"Sum": 0.0,
"Unit": "Bytes"
},
{
"Timestamp": "2019-12-18T20:43:00Z",
"Sum": 1343.0,
"Unit": "Bytes"
},
{
"Timestamp": "2019-12-18T20:49:00Z",
"Sum": 0.0,
"Unit": "Bytes"
},
{
"Timestamp": "2019-12-18T20:44:00Z",
"Sum": 35791560.0,
"Unit": "Bytes"
}
]
}

Using AWS CloudTrail to log AWS Global

Accelerator API calls
AWS Global Accelerator is integrated with AWS CloudTrail, a service that provides a record of actions
taken by a user, role, or an AWS service in Global Accelerator. CloudTrail captures all API calls for Global
Accelerator as events, including calls from the Global Accelerator console and from code calls to the
Global Accelerator API. If you create a trail, you can enable continuous delivery of CloudTrail events to
an Amazon S3 bucket, including events for Global Accelerator. If you don't conﬁgure a trail, you can still
view the most recent events in the CloudTrail console in Event history.

To learn more about CloudTrail, see the AWS CloudTrail User Guide.

75
AWS Global Accelerator Developer Guide
Global Accelerator information in CloudTrail

Global Accelerator information in CloudTrail

CloudTrail is enabled on your AWS account when you create the account. When activity occurs in Global
Accelerator, that activity is recorded in a CloudTrail event along with other AWS service events in Event
history. You can view, search, and download recent events in your AWS account. For more information,
see Viewing Events with CloudTrail Event History.

For an ongoing record of events in your AWS account, including events for Global Accelerator, create a
trail. A trail enables CloudTrail to deliver log files to an Amazon S3 bucket. By default, when you create
a trail in the console, the trail applies to all regions. The trail logs events from all regions in the AWS
partition and delivers the log files to the Amazon S3 bucket that you specify. Additionally, you can
configure other AWS services to further analyze and act upon the event data collected in CloudTrail logs.
For more information, see the following topics:

• Overview for Creating a Trail

• CloudTrail Supported Services and Integrations
• Conﬁguring Amazon SNS Notiﬁcations for CloudTrail
• Receiving CloudTrail Log Files from Multiple Regions and Receiving CloudTrail Log Files from Multiple
Accounts

All Global Accelerator actions are logged by CloudTrail and are documented in the AWS Global
Accelerator API Reference. For example, calls to the CreateAccelerator, ListAccelerators and
UpdateAccelerator operations generate entries in the CloudTrail log ﬁles.

Every event or log entry contains information about who generated the request. The identity
information helps you determine the following:

• Whether the request was made with root or IAM user credentials
• Whether the request was made with temporary security credentials for a role or federated user
• Whether the request was made by another AWS service

For more information, see the CloudTrail userIdentity Element.

Understanding Global Accelerator log ﬁle entries

A trail is a configuration that enables delivery of events as log files to an Amazon S3 bucket that you
specify. Each JSON-formatted CloudTrail log file can contain one or more log entries. A log entry
represents a single request from any source and includes information about the requested action,
including any parameters, the date and time of the action, and so on. The log entries are not guaranteed
to be in any particular order; they are not an ordered stack trace of API calls.

The following example shows a CloudTrail log entry that includes these Global Accelerator actions:

• Listing the accelerators for an account: eventName is ListAccelerators.

• Creating a listener: eventName is CreateListener.
• Updating a listener: eventName is UpdateListener.
• Describing a listener: eventName is DescribeListener.
• Listing the listeners for an account: eventName is ListListeners.
• Deleting a listener: eventName is DeleteListener.

{
"Records": [
{

76
AWS Global Accelerator Developer Guide
Understanding Global Accelerator log ﬁle entries

"eventVersion": "1.05",
"userIdentity": {
"type": "IAMUser",
"principalId": "A1B2C3D4E5F6G7EXAMPLE",
"arn": "arn:aws:iam::111122223333:user/smithj",
"accountId": "111122223333",
"accessKeyId": "AKIAIOSFODNN7EXAMPLE",
"sessionContext": {
"attributes": {
"mfaAuthenticated": "false",
"creationDate": "2018-11-17T21:02:36Z"
},
"sessionIssuer": {
"type": "Role",
"principalId": "A1B2C3D4E5F6G7EXAMPLE",
"arn": "arn:aws:iam::111122223333:user/smithj",
"accountId": "111122223333",
"userName": "smithj"
}
}
},
"eventTime": "2018-11-17T21:03:14Z",
"eventSource": "globalaccelerator.amazonaws.com",
"eventName": "ListAccelerators",
"awsRegion": "us-west-2",
"sourceIPAddress": "192.0.2.50",
"userAgent": "aws-cli/1.16.34 Python/2.7.10 Darwin/16.7.0 botocore/1.12.24",
"requestParameters": null,
"responseElements": null,
"requestID": "083cae81-28ab-4a66-862f-096e1example",
"eventID": "fe8b1c13-8757-4c73-b842-fe2a3example",
"eventType": "AwsApiCall",
"recipientAccountId": "111122223333"
},
{
"eventVersion": "1.05",
"userIdentity": {
"type": "IAMUser",
"principalId": "A1B2C3D4E5F6G7EXAMPLE",
"arn": "arn:aws:iam::111122223333:user/smithj",
"accountId": "111122223333",
"accessKeyId": "AKIAIOSFODNN7EXAMPLE",
"sessionContext": {
"attributes": {
"mfaAuthenticated": "false",
"creationDate": "2018-11-17T21:02:36Z"
},
"sessionIssuer": {
"type": "Role",
"principalId": "A1B2C3D4E5F6G7EXAMPLE",
"arn": "arn:aws:iam::111122223333:user/smithj",
"accountId": "111122223333",
"userName": "smithj"
}
}
},
"eventTime": "2018-11-17T21:04:49Z",
"eventSource": "globalaccelerator.amazonaws.com",
"eventName": "CreateListener",
"awsRegion": "us-west-2",
"sourceIPAddress": "192.0.2.50",
"userAgent": "aws-cli/1.16.34 Python/2.7.10 Darwin/16.7.0 botocore/1.12.24",
"requestParameters": {
"acceleratorArn":
"arn:aws:globalaccelerator::111122223333:accelerator/0339bfd6-13bc-4d45-a114-5d7fexample",
"portRanges": [

77
AWS Global Accelerator Developer Guide
Understanding Global Accelerator log ﬁle entries

{
"fromPort": 80,
"toPort": 80
}
],
"protocol": "TCP"
},
"responseElements": {
"listener": {
"listenerArn":
"arn:aws:globalaccelerator::111122223333:accelerator/0339bfd6-13bc-4d45-a114-5d7fexample/
listener/abcde1234",
"portRanges": [
{
"fromPort": 80,
"toPort": 80
}
],
"protocol": "TCP",
"clientAffinity": "NONE"
}
},
"requestID": "6090509a-5a97-4be6-8e6a-7d73example",
"eventID": "9cab44ef-0777-41e6-838f-f249example",
"eventType": "AwsApiCall",
"recipientAccountId": "111122223333"
},
{
"eventVersion": "1.05",
"userIdentity": {
"type": "IAMUser",
"principalId": "A1B2C3D4E5F6G7EXAMPLE",
"arn": "arn:aws:iam::111122223333:user/smithj",
"accountId": "111122223333",
"accessKeyId": "AKIAIOSFODNN7EXAMPLE",
"sessionContext": {
"attributes": {
"mfaAuthenticated": "false",
"creationDate": "2018-11-17T21:02:36Z"
},
"sessionIssuer": {
"type": "Role",
"principalId": "A1B2C3D4E5F6G7EXAMPLE",
"arn": "arn:aws:iam::111122223333:user/smithj",
"accountId": "111122223333",
"userName": "smithj"
}
}
},
"eventTime": "2018-11-17T21:03:52Z",
"eventSource": "globalaccelerator.amazonaws.com",
"eventName": "CreateAccelerator",
"awsRegion": "us-west-2",
"sourceIPAddress": "192.0.2.50",
"userAgent": "aws-cli/1.16.34 Python/2.7.10 Darwin/16.7.0 botocore/1.12.24",
"requestParameters": {
"name": "cloudTrailTest"
},
"responseElements": {
"accelerator": {
"acceleratorArn":
"arn:aws:globalaccelerator::111122223333:accelerator/0339bfd6-13bc-4d45-a114-5d7fexample",
"name": "cloudTrailTest",
"ipAddressType": "IPV4",
"enabled": true,
"ipSets": [

78
AWS Global Accelerator Developer Guide
Understanding Global Accelerator log ﬁle entries

{
"ipFamily": "IPv4",
"ipAddresses": [
"192.0.2.213",
"192.0.2.200"
]
}
],
"status": "IN_PROGRESS",
"createdTime": "Nov 17, 2018 9:03:52 PM",
"lastModifiedTime": "Nov 17, 2018 9:03:52 PM"
}
},
"requestID": "d2d7f300-2f0b-4bda-aa2d-e67d6e4example",
"eventID": "11f9a762-8c00-4fcc-80f9-848a29example",
"eventType": "AwsApiCall",
"recipientAccountId": "111122223333"
},
{
"eventVersion": "1.05",
"userIdentity": {
"type": "IAMUser",
"principalId": "A1B2C3D4E5F6G7EXAMPLE",
"arn": "arn:aws:iam::111122223333:user/smithj",
"accountId": "111122223333",
"accessKeyId": "AKIAIOSFODNN7EXAMPLE",
"sessionContext": {
"attributes": {
"mfaAuthenticated": "false",
"creationDate": "2018-11-17T21:02:36Z"
},
"sessionIssuer": {
"type": "Role",
"principalId": "A1B2C3D4E5F6G7EXAMPLE",
"arn": "arn:aws:iam::111122223333:user/smithj",
"accountId": "111122223333",
"userName": "smithj"
}
}
},
"eventTime": "2018-11-17T21:05:27Z",
"eventSource": "globalaccelerator.amazonaws.com",
"eventName": "UpdateListener",
"awsRegion": "us-west-2",
"sourceIPAddress": "192.0.2.50",
"userAgent": "aws-cli/1.16.34 Python/2.7.10 Darwin/16.7.0 botocore/1.12.24",
"requestParameters": {
"listenerArn":
"arn:aws:globalaccelerator::111122223333:accelerator/0339bfd6-13bc-4d45-a114-5d7fexample/
listener/abcde1234",
"portRanges": [
{
"fromPort": 80,
"toPort": 80
},
{
"fromPort": 81,
"toPort": 81
}
]
},
"responseElements": {
"listener": {
"listenerArn":
"arn:aws:globalaccelerator::111122223333:accelerator/0339bfd6-13bc-4d45-a114-5d7fexample/
listener/abcde1234",

79
AWS Global Accelerator Developer Guide
Understanding Global Accelerator log ﬁle entries

"portRanges": [
{
"fromPort": 80,
"toPort": 80
},
{
"fromPort": 81,
"toPort": 81
}
],
"protocol": "TCP",
"clientAffinity": "NONE"
}
},
"requestID": "008ef93c-b3a3-44b4-afb3-768example",
"eventID": "85958f0d-63ff-4a2c-99e3-6ffbexample",
"eventType": "AwsApiCall",
"recipientAccountId": "111122223333"
},
{
"eventVersion": "1.05",
"userIdentity": {
"type": "IAMUser",
"principalId": "A1B2C3D4E5F6G7EXAMPLE",
"arn": "arn:aws:iam::111122223333:user/smithj",
"accountId": "111122223333",
"accessKeyId": "AKIAIOSFODNN7EXAMPLE",
"sessionContext": {
"attributes": {
"mfaAuthenticated": "false",
"creationDate": "2018-11-17T21:02:36Z"
},
"sessionIssuer": {
"type": "Role",
"principalId": "A1B2C3D4E5F6G7EXAMPLE",
"arn": "arn:aws:iam::111122223333:user/smithj",
"accountId": "111122223333",
"userName": "smithj"
}
}
},
"eventTime": "2018-11-17T21:06:05Z",
"eventSource": "globalaccelerator.amazonaws.com",
"eventName": "DescribeListener",
"awsRegion": "us-west-2",
"sourceIPAddress": "192.0.2.50",
"userAgent": "aws-cli/1.16.34 Python/2.7.10 Darwin/16.7.0 botocore/1.12.24",
"requestParameters": {
"listenerArn":
"arn:aws:globalaccelerator::111122223333:accelerator/0339bfd6-13bc-4d45-a114-5d7fexample/
listener/abcde1234"
},
"responseElements": null,
"requestID": "9980e368-82fa-40da-95a3-4b0example",
"eventID": "885a02e9-2a60-4626-b1ba-57285example",
"eventType": "AwsApiCall",
"recipientAccountId": "111122223333"
},
{
"eventVersion": "1.05",
"userIdentity": {
"type": "IAMUser",
"principalId": "A1B2C3D4E5F6G7EXAMPLE",
"arn": "arn:aws:iam::111122223333:user/smithj",
"accountId": "111122223333",
"accessKeyId": "AKIAIOSFODNN7EXAMPLE",

80
AWS Global Accelerator Developer Guide
Understanding Global Accelerator log ﬁle entries

"sessionContext": {
"attributes": {
"mfaAuthenticated": "false",
"creationDate": "2018-11-17T21:02:36Z"
},
"sessionIssuer": {
"type": "Role",
"principalId": "A1B2C3D4E5F6G7EXAMPLE",
"arn": "arn:aws:iam::111122223333:user/smithj",
"accountId": "111122223333",
"userName": "smithj"
}
}
},
"eventTime": "2018-11-17T21:05:47Z",
"eventSource": "globalaccelerator.amazonaws.com",
"eventName": "ListListeners",
"awsRegion": "us-west-2",
"sourceIPAddress": "192.0.2.50",
"userAgent": "aws-cli/1.16.34 Python/2.7.10 Darwin/16.7.0 botocore/1.12.24",
"requestParameters": {
"acceleratorArn":
"arn:aws:globalaccelerator::111122223333:accelerator/0339bfd6-13bc-4d45-a114-5d7fexample"
},
"responseElements": null,
"requestID": "08e4b0f7-689b-4c84-af2d-47619example",
"eventID": "f4fb8e41-ed21-404d-af9d-037c4example",
"eventType": "AwsApiCall",
"recipientAccountId": "111122223333"
},
{
"eventVersion": "1.05",
"userIdentity": {
"type": "IAMUser",
"principalId": "A1B2C3D4E5F6G7EXAMPLE",
"arn": "arn:aws:iam::111122223333:user/smithj",
"accountId": "111122223333",
"accessKeyId": "AKIAIOSFODNN7EXAMPLE",
"sessionContext": {
"attributes": {
"mfaAuthenticated": "false",
"creationDate": "2018-11-17T21:02:36Z"
},
"sessionIssuer": {
"type": "Role",
"principalId": "A1B2C3D4E5F6G7EXAMPLE",
"arn": "arn:aws:iam::111122223333:user/smithj",
"accountId": "111122223333",
"userName": "smithj"
}
}
},
"eventTime": "2018-11-17T21:06:24Z",
"eventSource": "globalaccelerator.amazonaws.com",
"eventName": "DeleteListener",
"awsRegion": "us-west-2",
"sourceIPAddress": "192.0.2.50",
"userAgent": "aws-cli/1.16.34 Python/2.7.10 Darwin/16.7.0 botocore/1.12.24",
"requestParameters": {
"listenerArn":
"arn:aws:globalaccelerator::111122223333:accelerator/0339bfd6-13bc-4d45-a114-5d7fexample/
listener/abcde1234"
},
"responseElements": null,
"requestID": "04d37bf9-3e50-41d9-9932-6112example",
"eventID": "afedb874-2e21-4ada-b1b0-2ddb2example",

81
AWS Global Accelerator Developer Guide
Understanding Global Accelerator log ﬁle entries

"eventType": "AwsApiCall",
"recipientAccountId": "111122223333"
}
]
}

82
AWS Global Accelerator Developer Guide
Identity and access management

Security in AWS Global Accelerator

Cloud security at AWS is the highest priority. As an AWS customer, you beneﬁt from data centers
and network architectures that are built to meet the requirements of the most security-sensitive
organizations.

Security is a shared responsibility between AWS and you. The shared responsibility model describes this
as security of the cloud and security in the cloud:

• Security of the cloud – AWS is responsible for protecting the infrastructure that runs AWS services in
the AWS Cloud. AWS also provides you with services that you can use securely. Third-party auditors
regularly test and verify the eﬀectiveness of our security as part of the AWS Compliance Programs. To
learn about the compliance programs that apply to AWS Global Accelerator, see AWS Services in Scope
by Compliance Program.
• Security in the cloud – Your responsibility is determined by the AWS service that you use. You are also
responsible for other factors including the sensitivity of your data, your company’s requirements, and
applicable laws and regulations.

This documentation helps you understand how to apply the shared responsibility model when using
Global Accelerator. The following topics show you how to conﬁgure Global Accelerator to meet your
security and compliance objectives. You also learn how to use other AWS services that help you to
monitor and secure your Global Accelerator resources.

Topics
• Identity and access management for AWS Global Accelerator (p. 83)
• Secure VPC connections in AWS Global Accelerator (p. 108)
• Logging and monitoring in AWS Global Accelerator (p. 108)
• Compliance validation for AWS Global Accelerator (p. 109)
• Resilience in AWS Global Accelerator (p. 109)
• Infrastructure security in AWS Global Accelerator (p. 110)

Identity and access management for AWS Global

Accelerator
AWS Identity and Access Management (IAM) is an AWS service that helps an administrator securely
control access to AWS resources, including AWS Global Accelerator resources. Administrators use IAM
to control who is authenticated (signed in) and authorized (has permissions) to use Global Accelerator
resources. IAM is a feature included with your AWS account at no additional charge.
Important
If you're not familiar with IAM, review the introductory information on this page, and then see
Getting started with IAM (p. 101). Optionally, you can learn more about authentication and
access control by viewing What is authentication? (p. 94), What is access control? (p. 96),
and What are policies? (p. 98).

Topics

• Concepts and terms (p. 84)

• Permissions required for console access, authentication management, and access control (p. 85)

83
AWS Global Accelerator Developer Guide
Concepts and terms

• Understanding how Global Accelerator works with IAM (p. 88)

• Troubleshooting authentication and access control (p. 89)

Concepts and terms

Authentication – To sign in to AWS, you must use one of the following: root user credentials (not
recommended), IAM user credentials, or temporary credentials using IAM roles. To learn more about
these entities, see What is authentication? (p. 94).

Access control – AWS administrators use policies to control access to AWS resources, such as
accelerators in Global Accelerator. To learn more, see What is access control? (p. 96) and What are
policies? (p. 98).
Important
All resources in an account are owned by the account, regardless of who created those resources.
You must be granted access to create a resource. However, just because you created a resource
doesn't mean that you automatically have full access to that resource. An administrator must
explicitly grant permissions for each action that you want to perform. That administrator can
also revoke your permissions at any time.

To help you understand the basics of how IAM works, review the following terms:

Resources

AWS services, such as Global Accelerator and IAM, typically include objects called resources. In most
cases, you can create, manage, and delete these resources from the service. IAM resources include
users, groups, roles, and policies:
Users

An IAM user represents the person or application who uses its credentials to interact with AWS.
A user consists of a name, a password to sign in to the AWS Management Console, and up to
two access keys that can be used with the AWS CLI or AWS API.
Groups

An IAM group is a collection of IAM users. Administrators can use groups to specify permissions
for member users. This makes it easier for an administrator to manage permissions for multiple
users.
Roles

An IAM role does not have any long-term credentials (password or access keys) associated
with it. A role can be assumed by anyone who needs it and has permissions. An IAM user can
assume a role to temporarily take on diﬀerent permissions for a speciﬁc task. Federated users
can assume a role by using an external identity provider that is mapped to the role. Some AWS
services can assume a service role to access AWS resources on your behalf.
Policies

Policies are JSON documents that deﬁne the permissions for the object to which they are
attached. AWS supports identity-based policies that you attach to identities (users, groups, or
roles). Some AWS services allow you to attach resource-based policies to resources to control
what a principal (person or application) can do to that resource. Global Accelerator does not
support resource-based policies.
Identities

Identities are IAM resources for which you can deﬁne permissions. These include users, groups, and
roles.
Entities

Entities are IAM resources that you use for authentication. These include users and roles.

84
AWS Global Accelerator Developer Guide
Permissions required for console access,
authentication management, and access control

Principals

In AWS, a principal is a person or application that uses an entity to sign in and make requests
to AWS. As a principal, you can use the AWS Management Console, the AWS CLI, or the AWS
API to perform an operation (such as deleting an accelerator). This creates a request for that
operation. Your request speciﬁes the action, resource, principal, principal account, and any additional
information about your request. All of this information provides AWS with context for your request.
AWS checks all the policies that apply to the context of your request. AWS authorizes the request
only if each part of your request is allowed by the policies.

To view a diagram of the authentication and access control process, see Understanding How IAM Works
in the IAM User Guide. For details about how AWS determines whether a request is allowed, see Policy
Evaluation Logic in the IAM User Guide.

Permissions required for console access,

authentication management, and access control
To use Global Accelerator or to manage authorization and access control for yourself or others, you must
have the correct permissions.

Permissions required to create a Global Accelerator accelerator

To create a AWS Global Accelerator accelerator, users must have permission to create service-linked roles
that are associated with Global Accelerator.

To ensure that users have the correct permissions to create accelerators in Global Accelerator, attach a
policy to the user such as the following.
Note
If you create an identity-based permissions policy that is more restrictive, users with that policy
won't be able to create an accelerator.

{
"Effect": "Allow",
"Action": "iam:CreateServiceLinkedRole",
"Resource": "*",
"Condition": {
"StringEquals": {
"iam:AWSServiceName": "globalaccelerator.amazonaws.com"
}
}
},
{
"Effect": "Allow",
"Action": [
"iam:DeleteServiceLinkedRole",
"iam:GetServiceLinkedRoleDeletionStatus"
],
"Resource": "arn:aws:iam::*:role/aws-service-role/globalaccelerator.amazonaws.com/
AWSServiceRoleForGlobalAccelerator*"
}

Permissions required to use the Global Accelerator console

To access the AWS Global Accelerator console, you must have a minimum set of permissions that allows
you to list and view details about the Global Accelerator resources in your AWS account. If you create an
identity-based permissions policy that is more restrictive than the minimum required permissions, the
console won't function as intended for entities with that policy.

85
AWS Global Accelerator Developer Guide
Permissions required for console access,
authentication management, and access control

To ensure that those entities can still use the Global Accelerator console or API actions, also attach one
of the following AWS managed policies to the user, as described in Creating Policies on the JSON Tab:

GlobalAcceleratorReadOnlyAccess
GlobalAcceleratorFullAccess

Attach the ﬁrst policy, GlobalAcceleratorReadOnlyAccess, if users only need to view information in
the console or make calls to the AWS CLI or the API that use List* or Describe* operations.

Attach the second policy, GlobalAcceleratorFullAccess, to users who need to create or make
updates to accelerators. The full access policy includes full permissions for Global Accelerator as well as
describe permissions for Amazon EC2 and Elastic Load Balancing.
Note
If you create an identity-based permissions policy that does not include the required
permissions for Amazon EC2 and Elastic Load Balancing, users with that policy will not be able
to add Amazon EC2 and Elastic Load Balancing resources to accelerators.

The following is the full access policy:

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"globalaccelerator:*"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2:CreateNetworkInterface",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeInstances",
"ec2:DescribeInternetGateways",
"ec2:DescribeSubnets",
"ec2:ModifyNetworkInterfaceAttribute",
"ec2:DeleteNetworkInterface"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "ec2:DeleteSecurityGroup",
"Resource": "*",
"Condition": {
"StringEquals": {
"ec2:ResourceTag/AWSServiceName": "GlobalAccelerator"
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:CreateSecurityGroup",
"ec2:DescribeSecurityGroups"
],
"Resource": "*"
},
{
"Effect": "Allow",

86
AWS Global Accelerator Developer Guide
Permissions required for console access,
authentication management, and access control

"Action": "elasticloadbalancing:DescribeLoadBalancers",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "ec2:CreateTags",
"Resource": [
"arn:aws:ec2:*:*:security-group/*",
"arn:aws:ec2:*:*:network-interface/*"
]
}
]
}

Permissions required for authentication management

To manage your own credentials, such as your password, access keys, and multi-factor authentication
(MFA) devices, your administrator must grant you the required permissions. To view the policy that
includes these permissions, see Allow users to self-manage their credentials (p. 104).

As an AWS administrator, you need full access to IAM so that you can create and manage users, groups,
roles, and policies in IAM. You should use the AdministratorAccess AWS managed policy that includes full
access to all of AWS. This policy doesn't provide access to the AWS Billing and Cost Management console
or allow tasks that require AWS account root user credentials. For more information, see AWS Tasks That
Require AWS account root user Credentials in the AWS General Reference.
Warning
Only an administrator user should have full access to AWS. Anyone with this policy has
permission to fully manage authentication and access control, in addition to modifying every
resource in AWS. To learn how to create this user, see Create your IAM admin user (p. 101).

Permissions required for access control

If your administrator provided you with IAM user credentials, they attached policies to your IAM user to
control what resources you can access. To view the policies that are attached to your user identity in the
AWS Management Console, you must have the following permissions:

{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ViewOwnUserInfo",
"Effect": "Allow",
"Action": [
"iam:GetUserPolicy",
"iam:ListGroupsForUser",
"iam:ListAttachedUserPolicies",
"iam:ListUserPolicies",
"iam:GetUser"
],
"Resource": [
"arn:aws:iam::*:user/${aws:username}"
]
},
{
"Sid": "ListUsersViewGroupsAndPolicies",
"Effect": "Allow",
"Action": [
"iam:GetGroupPolicy",
"iam:GetPolicyVersion",
"iam:GetPolicy",
"iam:ListAttachedGroupPolicies",

87
AWS Global Accelerator Developer Guide
How Global Accelerator works with IAM

"iam:ListGroupPolicies",
"iam:ListPolicyVersions",
"iam:ListPolicies",
"iam:ListUsers"
],
"Resource": "*"
}
]
}

If you need additional permissions, ask your administrator to update your policies to allow you to access
the actions that you require.

Understanding how Global Accelerator works with

IAM
Services can work with IAM in several ways:

Actions

Global Accelerator supports using actions in a policy. This allows an administrator to control whether
an entity can complete an operation in Global Accelerator. For example, to allow an entity to call the
GetPolicy AWS API operation to view a policy, an administrator must attach a policy that allows
the iam:GetPolicy action.

The following example policy allows a user to perform the CreateAccelerator operation to
programmatically create an accelerator for your AWS account:

{
"Version": "2018-08-08",
"Statement": [
{
"Effect": "Allow",
"Action": [
"globalaccelerator:CreateAccelerator"
],
"Resource":"*"
}
]
}

Resource-level permissions

Global Accelerator supports resource-level permissions. Resource-level permissions allow you to use
ARNs to specify individual resources in the policy.
Resource-based policies

Global Accelerator does not support resource-based policies. With resource-based policies, you
can attach a policy to a resource within the service. Resource-based policies include a Principal
element to specify which IAM identities can access that resource.
Authorization based on tags

Global Accelerator supports authorization-based tags. This feature allows you to use resource tags in
the condition of a policy.
Temporary credentials

Global Accelerator supports temporary credentials. With temporary credentials, you can sign in
with federation, assume an IAM role, or assume a cross-account role. You obtain temporary security
credentials by calling AWS STS API operations such as AssumeRole or GetFederationToken.

88
AWS Global Accelerator Developer Guide
Troubleshooting authentication and access control

Service-linked roles

Global Accelerator supports service-linked roles. This feature allows a service to assume a service-
linked role on your behalf. This role allows the service to access resources in other services to
complete an action on your behalf. Service-linked roles appear in your IAM account, and are owned
by the service. An IAM administrator can view but not edit the permissions for service-linked roles.
Service roles

Global Accelerator does not support service roles. This feature allows a service to assume a service
role on your behalf. This role allows the service to access resources in other services to complete an
action on your behalf. Service roles appear in your IAM account and are owned by the account. This
means that an IAM administrator can change the permissions for this role. However, this might break
the functionality of the service.

Troubleshooting authentication and access control

Use the following information to help you diagnose and ﬁx common issues that you might encounter
when working with IAM.

Topics
• I am not authorized to perform an action in Global Accelerator (p. 89)
• I'm an administrator and want to allow others to access Global Accelerator (p. 89)
• I want to understand IAM without becoming an expert (p. 89)

I am not authorized to perform an action in Global Accelerator

If the AWS Management Console tells you that you're not authorized to perform an action, you must
contact the administrator who provided you with your user name and password.

The following example occurs when an IAM user named my-user-name tries to use the console to
perform the globalaccelerator:CreateAccelerator action but does not have permissions:

User: arn:aws:iam::123456789012:user/my-user-name is not authorized to perform: aws-

globalaccelerator:CreateAccelerator on resource: my-example-accelerator

In this case, ask your administrator to update your policies to allow you to access the my-example-
accelerator resource using the aws-globalaccelerator:CreateAccelerator action.

I'm an administrator and want to allow others to access Global

Accelerator
To allow others to access Global Accelerator, you must create an IAM entity (user or role) for the person
or application that needs access. They will use the credentials for that entity to access AWS. You must
then attach a policy to the entity that grants them the correct permissions in Global Accelerator.

To get started right away, see Getting started with IAM (p. 101).

I want to understand IAM without becoming an expert

To learn more about IAM terms, concepts, and procedures, see the following topics:

• What is authentication? (p. 94)

• What is access control? (p. 96)
• What are policies? (p. 98)

89
AWS Global Accelerator Developer Guide
Tag-based policies

Tag-based policies
When you design IAM policies, you might set granular permissions by granting access to speciﬁc
resources. As the number of resources that you manage grows, this task becomes more diﬃcult. Tagging
accelerators and using tags in policy statement conditions can make this task easier. You grant access in
bulk to any accelerator with a certain tag. Then you repeatedly apply this tag to relevant accelerators,
when you create the accelerator or by updating the accelerator later.
Note
Using tags in conditions is one way to control access to resources and requests. For information
about tagging in Global Accelerator, see Tagging in AWS Global Accelerator (p. 9).

Tags can be attached to a resource or passed in the request to services that support tagging. In Global
Accelerator, only accelerators can include tags. When you create an IAM policy, you can use tag condition
keys to control:

• Which users can perform actions on an accelerator, based on tags that it already has.
• What tags can be passed in an action's request.
• Whether speciﬁc tag keys can be used in a request.

For the complete syntax and semantics of tag condition keys, see Control access using IAM tags in the
IAM User Guide.

For example, the Global Accelerator GlobalAcceleratorFullAccess managed user policy gives users
unlimited permission to perform any Global Accelerator action on any resource. The following policy
limits this power and denies unauthorized users permission to perform any Global Accelerator action on
any production accelerators. A customer's administrator must attach this IAM policy to unauthorized IAM
users, in addition to the managed user policy.

{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Deny",
"Action":"*",
"Resource":"*",
"Condition":{
"ForAnyValue:StringEquals":{
"aws:RequestTag/stage":"prod"
}
}
},
{
"Effect":"Deny",
"Action":"*",
"Resource":"*",
"Condition":{
"ForAnyValue:StringEquals":{
"aws:ResourceTag/stage":"prod"
}
}
}
]
}

Service-linked role for Global Accelerator

AWS Global Accelerator uses an AWS Identity and Access Management (IAM) service-linked role. A
service-linked role is a unique type of IAM role that is linked directly to a service. Service-linked roles are

90
AWS Global Accelerator Developer Guide
Service-linked role for Global Accelerator

predeﬁned by the service and include all of the permissions that the service requires to call other AWS
services on your behalf.

Global Accelerator uses the following IAM service-linked role:

• AWSServiceRoleForGlobalAccelerator–Global Accelerator uses this role to allow Global Accelerator to

create and manage resources required for client IP address preservation.

Global Accelerator automatically creates a role named AWSServiceRoleForGlobalAccelerator

when the role is ﬁrst required to support a Global Accelerator API operation. The
AWSServiceRoleForGlobalAccelerator role allows Global Accelerator create and manage resources
necessary for client IP address preservation. This role is required for using accelerators in Global
Accelerator. The ARN for the AWSServiceRoleForGlobalAccelerator role looks like this:

arn:aws:iam::123456789012:role/aws-service-role/
globalaccelerator.amazonaws.com/AWSServiceRoleForGlobalAccelerator

A service-linked role makes setting up and using Global Accelerator easier because you don’t have to
manually add the necessary permissions. Global Accelerator deﬁnes the permissions of its service-linked
role, and only Global Accelerator can assume the roles. The deﬁned permissions include the trust policy
and the permissions policy. The permissions policy cannot be attached to any other IAM entity.

You must remove any associated Global Accelerator resources before you can delete a service-linked role.
This helps protect your Global Accelerator resources by making sure that you don't remove a service-
linked role that is still required to access active resources.

For information about other services that support service-linked roles, see AWS services that work with
IAM and look for the services that have Yes in the Service-linked role column.

Service-linked role permissions for Global Accelerator

Global Accelerator uses a service-linked role named AWSServiceRoleForGlobalAccelerator. The
following sections describe the permissions for the role.

Service-linked role permissions

This service-linked role allows Global Accelerator to manage EC2 Elastic Network Interfaces and security
groups, and to help diagnose errors.

The AWSServiceRoleForGlobalAccelerator service-linked role trusts the following service to assume the
role:

• globalaccelerator.amazonaws.com

The role permissions policy allows Global Accelerator to complete the following actions on the speciﬁed
resources, as shown in the policy:

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:CreateNetworkInterface",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeInstances",
"ec2:DescribeInternetGateways",

91
AWS Global Accelerator Developer Guide
Service-linked role for Global Accelerator

"ec2:DescribeSubnets",
"ec2:DescribeRegions",
"ec2:ModifyNetworkInterfaceAttribute",
"ec2:DeleteNetworkInterface"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2:DeleteSecurityGroup",
"ec2:AssignIpv6Addresses",
"ec2:UnassignIpv6Addresses"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"ec2:ResourceTag/AWSServiceName": "GlobalAccelerator"
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:CreateSecurityGroup",
"ec2:DescribeSecurityGroups"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "elasticloadbalancing:DescribeLoadBalancers",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "ec2:CreateTags",
"Resource": [
"arn:aws:ec2:*:*:security-group/*",
"arn:aws:ec2:*:*:network-interface/*"
]
}
]
}

You must conﬁgure permissions to allow an IAM entity (such as a user, group, or role) to delete the
Global Accelerator service-linked role. For more information, see Service-Linked Role Permissions in the
IAM User Guide.

Creating the service-linked role for Global Accelerator

You don't manually create the service-linked role for Global Accelerator. The service creates the role for
you automatically the ﬁrst time that you create an accelerator. If you remove your Global Accelerator
resources and delete the service-linked role, the service creates the role again automatically when you
create a new accelerator.

Editing the Global Accelerator service-linked role

Global Accelerator does not allow you to edit the AWSServiceRoleForGlobalAccelerator service-linked
role. After the service has created a service-linked role, you cannot change the name of the role because
various entities might reference the role. However, you can edit the description of a role by using IAM.
For more information, see Editing a Service-Linked Role in the IAM User Guide.

92
AWS Global Accelerator Developer Guide
Service-linked role for Global Accelerator

Deleting the Global Accelerator service-linked role

If you no longer need to use Global Accelerator, we recommend that you delete the service-linked role.
That way you don’t have unused entities that are not actively monitored or maintained. However, you
must clean up the Global Accelerator resources in your account before you can manually delete the roles.

After you have disabled and deleted your accelerators, then you can delete the service-linked role. For
more information about deleting accelerators, see Creating or updating a standard accelerator (p. 23).
Note
If you have disabled and deleted your accelerators but Global Accelerator hasn't ﬁnished
updating, service-linked role deletion might fail. If that happens, wait for a few minutes, and
then try the service-linked role deletion steps again.

To manually delete the AWSServiceRoleForGlobalAccelerator service-linked role

1. Sign in to the AWS Management Console and open the IAM console at https://
console.aws.amazon.com/iam/.
2. In the navigation pane of the IAM console, choose Roles. Then select the check box next to the role
name that you want to delete, not the name or row itself.
3. For Role actions at the top of the page, choose Delete role.
4. In the confirmation dialog box, review the service last accessed data, which shows when each of the
selected roles last accessed an AWS service. This helps you to confirm whether the role is currently
active. If you want to proceed, choose Yes, Delete to submit the service-linked role for deletion.
5. Watch the IAM console notifications to monitor the progress of the service-linked role deletion.
Because the IAM service-linked role deletion is asynchronous, after you submit the role for deletion,
the deletion task can succeed or fail. For more information, see Deleting a service-linked role in the
IAM User Guide.

Updates to the policy for the Global Accelerator service-linked

role (an AWS managed policy)
View details about updates to AWSGlobalAcceleratorSLRPolicy, the AWS managed policy for the
Global Accelerator service-linked role. The following table lists updates since this service began tracking
changes to the policy. For automatic alerts about changes to this page, subscribe to the RSS feed on the
AWS Global Accelerator Document history (p. 115) page.

Change Description Date

AWSGlobalAcceleratorSLRPolicy Global Accelerator added new November 15, 2021

– Updated policy permissions to support IPv6
addresses.

Global Accelerator uses

ec2:AssignIpv6Addresses
to update the GlobalAccelerator
ENI on a customer subnet with
an IPv6 address for sending and
receiving IPv6 traﬃc, and uses
UnassignIpv6Addresses to
remove the IPv6 address when
it's no longer needed.

AWSGlobalAcceleratorSLRPolicy Global Accelerator added a May 18, 2021

– Updated policy new permission to help Global
Accelerator to diagnose errors.

93
AWS Global Accelerator Developer Guide
Overview of access and authentication

Change Description Date

Global Accelerator uses
ec2:DescribeRegions to
determine the AWS Region
that a customer is in, which
can help Global Accelerator to
troubleshoot errors.

Global Accelerator started Global Accelerator started May 18, 2021

tracking changes tracking changes for its AWS
managed policies.

Supported Regions for Global Accelerator service-linked roles

Global Accelerator supports using service-linked roles in AWS Regions where Global Accelerator is
supported.

For a list of the AWS Regions where Global Accelerator and other services are currently supported, see
the AWS Region Table.

Overview of access and authentication

If you're new to IAM, read the following topics to get started with authorization and access in AWS.

Topics
• What is authentication? (p. 94)
• What is access control? (p. 96)
• What are policies? (p. 98)
• Getting started with IAM (p. 101)

What is authentication?
Authentication is how you sign in to AWS using your credentials.
Note
To get started quickly, you can ignore this section. First, review the introductory information on
Identity and access management for AWS Global Accelerator (p. 83), and then see Getting
started with IAM (p. 101).

As a principal, you must be authenticated (signed in to AWS) using an entity (root user, IAM user, or
IAM role) to send a request to AWS. An IAM user can have long-term credentials such as a user name
and password or a set of access keys. When you assume an IAM role, you are given temporary security
credentials.

To get authenticated from the AWS Management Console as a user, you must sign in with your user
name and password. To get authenticated from the AWS CLI or AWS API, you must provide your access
key and secret key or temporary credentials. AWS provides SDK and CLI tools to cryptographically sign
your request using your credentials. If you don’t use AWS tools, you must sign the request yourself.
Regardless of the authentication method that you use, you might also be required to provide additional
security information. For example, AWS recommends that you use multi-factor authentication (MFA) to
increase the security of your account.

As a principal, you can sign in to AWS using the following entities (users or roles):

94
AWS Global Accelerator Developer Guide
Overview of access and authentication

AWS account root user

When you ﬁrst create an AWS account, you begin with a single sign-in identity that has complete
access to all AWS services and resources in the account. This identity is called the AWS account root
user and is accessed by signing in with the email address and password that you used to create the
account. We strongly recommend that you do not use the root user for your everyday tasks, even the
administrative ones. Instead, adhere to the best practice of using the root user only to create your
ﬁrst IAM user. Then securely lock away the root user credentials and use them to perform only a few
account and service management tasks.
IAM user

An IAM user is an entity within your AWS account that has speciﬁc permissions. Global Accelerator
supports Signature Version 4, a protocol for authenticating inbound API requests. For more
information about authenticating requests, see Signature Version 4 Signing Process in the AWS
General Reference.
IAM role

An IAM role is an IAM identity that you can create in your account that has speciﬁc permissions.
An IAM role is similar to an IAM user in that it is an AWS identity with permissions policies that
determine what the identity can and cannot do in AWS. However, instead of being uniquely
associated with one person, a role is intended to be assumable by anyone who needs it. Also, a role
does not have standard long-term credentials such as a password or access keys associated with it.
Instead, when you assume a role, it provides you with temporary security credentials for your role
session. IAM roles with temporary credentials are useful in the following situations:
Federated user access

Instead of creating an IAM user, you can use existing identities from AWS Directory Service, your
enterprise user directory, or a web identity provider. These are known as federated users. AWS
assigns a role to a federated user when access is requested through an identity provider. For
more information about federated users, see Federated users and roles in the IAM User Guide.
Temporary user permissions

An IAM user can assume a role temporarily to take on diﬀerent permissions for a speciﬁc task.
Cross-account access

You can use an IAM role to allow a trusted principal in a diﬀerent account to access resources
in your account. Roles are the primary way to grant cross-account access. However, with some
AWS services, you can attach a policy directly to a resource (instead of using a role as a proxy).
Global Accelerator does not support these resource-based policies. For more information about
choosing whether to use a role or a resource-based policy to allow cross-account access, see
Controlling access to Principals in a diﬀerent account (p. 97).
AWS service access

A service role is an IAM role that a service assumes to perform actions on your behalf. An
IAM administrator can create, modify, and delete a service role from within IAM. For more
information, see Creating a role to delegate permissions to an AWS service in the IAM User
Guide.
Applications running on Amazon EC2

You can use an IAM role to manage temporary credentials for applications that are running on
an EC2 instance and making AWS CLI or AWS API requests. This is preferable to storing access
keys within the EC2 instance. To assign an AWS role to an EC2 instance and make it available to
all of its applications, you create an instance proﬁle that is attached to the instance. An instance
proﬁle contains the role and enables programs that are running on the EC2 instance to get
temporary credentials. For more information, see Using an IAM role to grant permissions to
applications running on Amazon EC2 instances in the IAM User Guide.

95
AWS Global Accelerator Developer Guide
Overview of access and authentication

What is access control?

After you sign in (are authenticated) to AWS, your access to AWS resources and operations is governed by
policies. Access control is also known as authorization.
Note
To get started quickly, you can ignore this page. First, review the introductory information on
Identity and access management for AWS Global Accelerator (p. 83), and then see Getting
started with IAM (p. 101).

During authorization, AWS uses values from the request context to check for policies that apply. It
then uses the policies to determine whether to allow or deny the request. Most policies are stored
in AWS as JSON documents and specify the permissions that are allowed or denied for principals.
For more information about the structure and contents of JSON policy documents, see What are
policies? (p. 98).

Policies let an administrator specify who has access to AWS resources and what actions they can perform
on those resources. Every IAM entity (user or role) starts with no permissions. In other words, by default,
users can do nothing, not even view their own access keys. To give a user permission to do something,
an administrator must attach a permissions policy to a user. Or they can add the user to a group that
has the intended permissions. When an administrator then gives permissions to a group, all users in that
group get those permissions.

You might have valid credentials to authenticate your requests, but unless an administrator grants you
permissions you cannot create or access AWS Global Accelerator resources. For example, you must have
explicit permissions to create an AWS Global Accelerator accelerator.

As an administrator, you can write a policy to control access to the following:

• Principals (p. 96) – Control what the person or application making the request (the principal) is
allowed to do.
• IAM identities (p. 96) – Control which IAM identities (groups, users, and roles) can be accessed and
how.
• IAM policies (p. 97) – Control who can create, edit, and delete customer managed policies, and who
can attach and detach all managed policies.
• AWS resources (p. 97) – Control who has access to resources using an identity-based policy or a
resource-based policy.
• AWS accounts (p. 97) – Control whether a request is allowed only for members of a speciﬁc
account.

Controlling access for principals

Permissions policies control what you, as a principal, are allowed to do. An administrator must attach an
identity-based permissions policy to the identity (user, group, or role) that provides your permissions.
Permissions policies allow or deny access to AWS. Administrators can also set a permissions boundary
for an IAM entity (user or role) to deﬁne the maximum permissions that the entity can have. Permissions
boundaries are an advanced IAM feature. For more information about permissions boundaries, see
Permissions boundaries for IAM identities in the IAM User Guide.

For more information and an example of how to control AWS access for principals, see Controlling access
for principals in the IAM User Guide.

Controlling access to identities

Administrators control what you can do to an IAM identity (user, group, or role) by creating a policy that
limits what can be done to an identity or who can access it. Then they attach that policy to the identity
that provides your permissions.

96
AWS Global Accelerator Developer Guide
Overview of access and authentication

For example, an administrator might allow you to reset the password for three speciﬁc users. To do this,
they attach a policy to your IAM user that allows you to reset the password for only yourself and users
with the ARN of the three speciﬁed users. This allows you to reset the password of your team members
but not other IAM users.

For more information and an example of using a policy to control AWS access to identities, see
Controlling access to identities in the IAM User Guide.

Controlling access to policies

Administrators can control who can create, edit, and delete customer managed policies, and who can
attach and detach all managed policies. When you review a policy, you can view the policy summary
that includes a summary of the access level for each service within that policy. AWS categorizes each
service action into one of four access levels based on what each action does: List, Read, Write, or
Permissions management. You can use these access levels to determine which actions to include in
your policies. For more information, see Understanding access level summaries within policy summaries
in the IAM User Guide.
Warning
You should limit Permissions Management access-level permissions in your account.
Otherwise, your account members can create policies for themselves with more permissions
than they should have. Or they can create separate users with full access to AWS.

For more information and an example for how to control AWS access to policies, see Controlling access
to policies in the IAM User Guide.

Controlling access to resources

Administrators can control access to resources using an identity-based policy or a resource-based policy.
In an identity-based policy, you attach the policy to an identity and specify what resources that identity
can access. In a resource-based policy, you attach a policy to the resource that you want to control. In the
policy, you specify which principals can access that resource.

For more information, see Controlling Access to Resources in the IAM User Guide.

Resource creators do not automatically have permissions

All resources in an account are owned by the account, regardless of who created those resources. The
AWS account root user is the account owner, and therefore has permission to perform any action on any
resource in the account.
Important
We strongly recommend that you do not use the root user for your everyday tasks, even the
administrative ones. Instead, follow the best practice of using the root user only to create your
ﬁrst IAM user. Then securely lock away the root user credentials and use them to perform only a
few account and service management tasks. To view the tasks that require you to sign in as the
root user, see AWS tasks that require root user.

Entities (users or roles) in the AWS account must be granted access to create a resource. But just
because they create a resource doesn't mean they automatically have full access to that resource.
Administrators must explicitly grant permissions for each action. Additionally, administrators can revoke
those permissions at any time, as long as they have access to manage user and role permissions.

Controlling access to Principals in a diﬀerent account

Administrators can use AWS resource-based policies, IAM cross-account roles, or the AWS Organizations
service to allow principals in another account to access resources in your account.

For some AWS services, administrators can grant cross-account access to your resources. To do this, an
administrator attaches a policy directly to the resource that they want to share, instead of using a role as
a proxy. If the service supports this policy type, then the resource that the administrator shares must also
support resource-based policies. Unlike a user-based policy, a resource-based policy speciﬁes who (in the

97
AWS Global Accelerator Developer Guide
Overview of access and authentication

form of a list of AWS account ID numbers) can access that resource. Global Accelerator does not support
resource-based policies.

Cross-account access with a resource-based policy has some advantages over a role. With a resource
that is accessed through a resource-based policy, the principal (person or application) still works in the
trusted account and does not have to give up their user permissions in place of the role permissions.
In other words, the principal has access to resources in the trusted account and in the trusting account
at the same time. This is useful for tasks such as copying information from one account to another. For
more information about using cross-account roles, see Providing Access to an IAM User in Another AWS
Account That You Own in the IAM User Guide.

AWS Organizations oﬀers policy-based management for multiple AWS accounts that you own. With
Organizations, you can create groups of accounts, automate account creation, and apply and manage
policies for those groups. Organizations enables you to centrally manage policies across multiple
accounts, without requiring custom scripts and manual processes. Using AWS Organizations, you can
create Service Control Policies (SCPs) that centrally control AWS service use across AWS accounts. For
more information, see What Is AWS Organizations? in the AWS Organizations User Guide.

What are policies?

You control access in AWS by creating policies and attaching them to IAM identities or AWS resources.
Note
To get started quickly, you can ignore this page. First, review the introductory information on
Identity and access management for AWS Global Accelerator (p. 83), and then see Getting
started with IAM (p. 101).

A policy is an object in AWS that, when associated with an entity or resource, deﬁnes their permissions.
AWS evaluates these policies when a principal, such as a user, makes a request. Permissions in the
policies determine whether the request is allowed or denied. Most policies are stored in AWS as JSON
documents.

IAM policies deﬁne permissions for an action regardless of the method that you use to perform the
operation. For example, if a policy allows the GetUser action, then a user with that policy can get user
information from the AWS Management Console, the AWS CLI, or the AWS API. When you create an IAM
user, you can set up the user to allow console or programmatic access. The IAM user can sign in to the
console using a user name and password. Or they can use access keys to work with the CLI or API.

The following policy types, listed in order of frequency, can aﬀect whether a request is authorized. For
more details, see Policy Types in the IAM User Guide.

Identity-based policies

You can attach managed and inline policies to IAM identities (users, groups to which users belong,
and roles).
Resource-based policies

You can attach inline policies to resources in some AWS services. The most common examples of
resource-based policies are Amazon S3 bucket policies and IAM role trust policies. Global Accelerator
does not support resource-based policies.
Organizations SCPs

You can use an AWS Organizations service control policy (SCP) to apply a permissions boundary to
an AWS Organizations organization or organizational unit (OU). Those permissions are applied to all
entities within the member accounts.
Access control lists (ACLs)

You can use ACLs to control what principals can access a resource. ACLs are similar to resource-
based policies, although they are the only policy type that does not use the JSON policy document
structure. Global Accelerator supports OR does not support ACLs.

98
AWS Global Accelerator Developer Guide
Overview of access and authentication

These policies types can be categorized as permissions policies or permissions boundaries.

Permissions policies

You can attach permissions policies to a resource in AWS to deﬁne the permissions for that object.
Within a single account, AWS evaluates all permissions policies together. Permissions policies are the
most common policies. You can use the following policy types as permissions policies:
Identity-based policies

When you attach a managed or inline policy to an IAM user, group, or role, the policy deﬁnes the
permissions for that entity.
Resource-based policies

When you attach a JSON policy document to a resource, you deﬁne the permissions for that
resource. The service must support resource-based policies.
Access control lists (ACLs)

When you attach an ACL to a resource, you deﬁne a list of principals with permission to access
that resource. The resource must support ACLs.
Permissions boundaries

You can use policies to deﬁne the permissions boundary for an entity (user or role). A permissions
boundary controls the maximum permissions that an entity can have. Permissions boundaries are
an advanced AWS feature. When more than one permissions boundary applies to a request, AWS
evaluates each permissions boundary separately. You can apply a permissions boundary in the
following situations:
Organizations

You can use an AWS Organizations service control policy (SCP) to apply a permissions boundary
to an AWS Organizations organization or organizational unit (OU).
IAM users or roles

You can use a managed policy for a user's or role's permissions boundary. For more information,
see Permissions Boundaries for IAM Entities in the IAM User Guide.

Topics
• Identity-based policies (p. 99)
• Resource-based policies (p. 100)
• Policy access level classiﬁcations (p. 101)

Identity-based policies
You can attach policies to IAM identities. For example, you can do the following:

Attach a permissions policy to a user or a group in your account

To grant a user permissions to create an AWS Global Accelerator resource, such as an accelerator, you
can attach a permissions policy to a user or a group to which the user belongs.
Attach a permissions policy to a role (grant cross-account permissions)

You can attach an identity-based permissions policy to an IAM role to grant cross-account
permissions. For example, the administrator in account A can create a role to grant cross-account
permissions to another AWS account (for example, account B) or an AWS service as follows:

99
AWS Global Accelerator Developer Guide
Overview of access and authentication

1. Account A administrator creates an IAM role and attaches a permissions policy to the role that
grants permissions on resources in account A.
2. Account A administrator attaches a trust policy to the role identifying account B as the principal
who can assume the role.
3. Account B administrator can then delegate permissions to assume the role to any users in account
B. Doing this allows users in account B to create or access resources in account A. The principal
in the trust policy can also be an AWS service principal if you want to grant an AWS service
permissions to assume the role.

For more information about using IAM to delegate permissions, see Access Management in the IAM
User Guide.

For more information about users, groups, roles, and permissions, see Identities (Users, Groups, and
Roles) in the IAM User Guide.

The following are two examples of policies that you could use with Global Accelerator The ﬁrst example
policy grants a user programmatic access to all List and Describe actions for accelerators in your AWS
account:

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"globalaccelerator:List*",
"globalaccelerator:Describe*"
],
"Resource": "*"
}
]
}

The following example grants programmatic access to the ListAccelerators operation:

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"globalaccelerator:ListAccelerators",
],
"Resource": "*"
}
]
}

Resource-based policies
Resource-based policies are JSON policy documents that you attach to a resource. These policies
allow you to specify what actions a speciﬁed principal can perform on that resource and under what
conditions. The most common resource-based policy is for an Amazon S3 bucket. Resource-based
policies are inline policies that exist only on the resource. There are no managed resource-based policies.

Granting permissions to members of other AWS accounts using a resource-based policy has some
advantages over an IAM role. For more information, see How IAM Roles Diﬀer from Resource-based
Policies in the IAM User Guide.

100
AWS Global Accelerator Developer Guide
Overview of access and authentication

Policy access level classiﬁcations

In the IAM console, actions are grouped using the following access-level classiﬁcations:

List

Provides permission to list resources within the service to determine whether an object exists.
Actions with this level of access can list objects but cannot see the contents of a resource. Most
actions with the List access level cannot be performed on a speciﬁc resource. When you create a
policy statement with these actions, you must specify All resources ("*").
Read

Provides permission to read but not edit the contents and attributes of resources in the service. For
example, the Amazon S3 operations GetObject and GetBucketLocation have the Read access
level.
Write

Provides permission to create, delete, or modify resources in the service. For example, the Amazon
S3 operations CreateBucket, DeleteBucket, and PutObject have the Write access level.
Permissions management

Provides permission to grant or modify resource permissions in the service. For example, most IAM
and AWS Organizations policy actions have the Permissions management access level.
Tip
To improve the security of your AWS account, restrict or regularly monitor policies that
include the Permissions management access-level classiﬁcation.
Tagging

Provides permission to create, delete, or modify tags that are attached to a resource in the service.
For example, the Amazon EC2 CreateTags and DeleteTags operations have the Tagging access
level.

Getting started with IAM

AWS Identity and Access Management (IAM) is an AWS service that allows you manage access to services
and resources securely. IAM is a feature of your AWS account oﬀered at no additional charge.
Note
Before you start with IAM, review the introductory information on Identity and access
management for AWS Global Accelerator (p. 83).

When you ﬁrst create an AWS account, you begin with a single sign-in identity that has complete access
to all AWS services and resources in the account. This identity is called the AWS account root user and
is accessed by signing in with the email address and password that you used to create the account. We
strongly recommend that you do not use the root user for your everyday tasks, even the administrative
ones. Instead, adhere to the best practice of using the root user only to create your ﬁrst IAM user. Then
securely lock away the root user credentials and use them to perform only a few account and service
management tasks.

Create your IAM admin user

To create an administrator user for yourself and add the user to an administrators group
(console)

1. Sign in to the IAM console as the account owner by choosing Root user and entering your AWS
account email address. On the next page, enter your password.

101
AWS Global Accelerator Developer Guide
Overview of access and authentication

Note
We strongly recommend that you adhere to the best practice of using the Administrator
IAM user that follows and securely lock away the root user credentials. Sign in as the root
user only to perform a few account and service management tasks.
2. In the navigation pane, choose Users and then choose Add user.
3. For User name, enter Administrator.
4. Select the check box next to AWS Management Console access. Then select Custom password, and
then enter your new password in the text box.
5. (Optional) By default, AWS requires the new user to create a new password when ﬁrst signing in. You
can clear the check box next to User must create a new password at next sign-in to allow the new
user to reset their password after they sign in.
6. Choose Next: Permissions.
7. Under Set permissions, choose Add user to group.
8. Choose Create group.
9. In the Create group dialog box, for Group name enter Administrators.
10. Choose Filter policies, and then select AWS managed - job function to ﬁlter the table contents.
11. In the policy list, select the check box for AdministratorAccess. Then choose Create group.
Note
You must activate IAM user and role access to Billing before you can use the
AdministratorAccess permissions to access the AWS Billing and Cost Management
console. To do this, follow the instructions in step 1 of the tutorial about delegating access
to the billing console.
12. Back in the list of groups, select the check box for your new group. Choose Refresh if necessary to
see the group in the list.
13. Choose Next: Tags.
14. (Optional) Add metadata to the user by attaching tags as key-value pairs. For more information
about using tags in IAM, see Tagging IAM entities in the IAM User Guide.
15. Choose Next: Review to see the list of group memberships to be added to the new user. When you
are ready to proceed, choose Create user.

You can use this same process to create more groups and users and to give your users access to your AWS
account resources. To learn about using policies that restrict user permissions to speciﬁc AWS resources,
see Access management and Example policies.

Create delegated users for Global Accelerator

To support multiple users in your AWS account, you must delegate permission to allow other people to
perform only the actions that you want to allow. To do this, create an IAM group with the permissions
those people need and then add IAM users to the necessary groups as you create them. You can use this
process to set up the groups, users, and permissions for your entire AWS account. This solution is best
used by small and medium organizations where an AWS administrator can manually manage the users
and groups. For large organizations, you can use custom IAM roles, federation, or single sign-on.

In the following procedure, you create three users named arnav, carlos, and martha and attach a
policy that grants permission to create an accelerator named my-example-accelerator, but only
within the next 30 days. You can use the steps provided here to add users with diﬀerent permissions.

To create a delegated user for someone else (console)

1. Sign in to the AWS Management Console and open the IAM console at https://
console.aws.amazon.com/iam/.
2. In the navigation pane, choose Users, and then choose Add user.

102
AWS Global Accelerator Developer Guide
Overview of access and authentication

3. For User name, enter arnav.

4. Choose Add another user and enter carlos for the second user. Then choose Add another user
and enter martha for the third user.
5. Select the check box next to AWS Management Console access, and then select Autogenerated
password.
6. Clear the check box next to User must create a new password at next sign-in to allow the new user
to reset their password after they sign in.
7. Choose Next: Permissions.
8. Choose Attach existing policies directly. You will create a new managed policy for the users.
9. Choose Create policy.

The Create policy wizard opens in a new tab or browser window.

10. On the Visual editor tab, choose Choose a service. Then choose Global Accelerator. You can use the
search box at the top to limit the results in the list of services.

The Service section closes, and the Actions section opens automatically.
11. Choose the Global Accelerator actions that you want to allow. For example, to grants permission
to create an accelerator, enter globalaccelerator:CreateAccelerator in the Filter actions
text box. When the list of Global Accelerator actions is ﬁltered, select the check box next to
globalaccelerator:CreateAccelerator.

The Global Accelerator actions are grouped by access-level classification to make it easy for you to
quickly determine the level of access that each action provides. For more information, see Policy
access level classifications (p. 101).
12. If the actions that you selected in the preceding steps do not support choosing specific resources,
then All resources is selected for you. In that case, you cannot edit this section.

If you chose one or more actions that support resource-level permissions, then the visual editor
lists those resource types in the Resources section. Choose You chose actions that require the
accelerator resource type to choose whether you want to enter a speciﬁc accelerator for your policy.
13. If you want to allow the globalaccelerator:CreateAccelerator action for all resources,
choose All resources.

If you want to specify a resource, choose Add ARN. Specify the region and account ID (or account ID)
(or choose Any), and then enter my-example-accelerator for the resource. Then choose Add.
14. Choose Specify request conditions (optional).
15. Choose Add condition to grants permission to create an accelerator within the next 7 days. Assume
that today's date is January 1, 2019.
16. For Condition Key, choose aws:CurrentTime. This condition key checks the date
and time that the user makes the request. It returns true (and therefore allows the
globalaccelerator:CreateAccelerator action only if the date and time are within the
specified range.
17. For Qualifier, keep the default value.
18. To specify the start of the allowed date and time range, for Operator, choose DateGreaterThan.
Then for Value, enter 2019-01-01T00:00:00Z.
19. Choose Add to save your condition.
20. Choose Add another condition to specify the end date.
21. Follow similar steps to specify the end of the allowed date and time range. For Condition
Key, choose aws:CurrentTime. For Operator, choose DateLessThan. For Value, enter
2019-01-06T23:59:59Z, seven days after the first date. Then choose Add to save your condition.
22. (Optional) To see the JSON policy document for the policy that you are creating, choose the JSON
tab. You can switch between the Visual editor and JSON tabs any time. However, if you make
changes or choose Review policy in the Visual editor tab, IAM might restructure your policy to

103
AWS Global Accelerator Developer Guide
Overview of access and authentication

optimize it for the visual editor. For more information, see Policy Restructuring in the IAM User
Guide.
23. When you are ﬁnished, choose Review policy.
24. On the Review policy page, for Name, enter globalaccelerator:CreateAcceleratorPolicy.
For Description, enter Policy to grants permission to create an accelerator. Review
the policy summary to make sure that you have granted the intended permissions, and then choose
Create policy to save your new policy.
25. Return to the original tab or window, and refresh your list of policies.
26. In the search box, enter globalaccelerator:CreateAcceleratorPolicy. Select the check box
next to your new policy. Then choose Next Step.
27. Choose Next: Review to preview your new users. When you are ready to proceed, choose Create
users.
28. Download or copy the passwords for your new users and deliver them to the users securely.
Separately, provide your users with a link to your IAM user console page and the user names that
you just created.

Allow users to self-manage their credentials

You must have physical access to the hardware that will host the user's virtual MFA device in order
to configure MFA. For example, you might configure MFA for a user who will use a virtual MFA device
running on a smartphone. In that case, you must have the smartphone available in order to finish the
wizard. Because of this, you might want to let users configure and manage their own virtual MFA devices.
In that case, you must grant users the permissions to perform the necessary IAM actions.

To create a policy to allow credential self-management (console)

1. Sign in to the AWS Management Console and open the IAM console at https://
console.aws.amazon.com/iam/.
2. In the navigation pane, choose Policies, and then choose Create policy.
3. Choose the JSON tab and copy the text from the following JSON policy document. Paste this text
into the JSON text box.
Important
This example policy does not allow users to reset their password while signing in. New
users and users with an expired password might try to do so. You can allow this by
adding iam:ChangePassword and iam:CreateLoginProfile to the statement
BlockMostAccessUnlessSignedInWithMFA. However, IAM does not recommend this.

{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowAllUsersToListAccounts",
"Effect": "Allow",
"Action": [
"iam:ListAccountAliases",
"iam:ListUsers",
"iam:ListVirtualMFADevices",
"iam:GetAccountPasswordPolicy",
"iam:GetAccountSummary"
],
"Resource": "*"
},
{
"Sid": "AllowIndividualUserToSeeAndManageOnlyTheirOwnAccountInformation",
"Effect": "Allow",
"Action": [

104
AWS Global Accelerator Developer Guide
Overview of access and authentication

"iam:ChangePassword",
"iam:CreateAccessKey",
"iam:CreateLoginProfile",
"iam:DeleteAccessKey",
"iam:DeleteLoginProfile",
"iam:GetLoginProfile",
"iam:ListAccessKeys",
"iam:UpdateAccessKey",
"iam:UpdateLoginProfile",
"iam:ListSigningCertificates",
"iam:DeleteSigningCertificate",
"iam:UpdateSigningCertificate",
"iam:UploadSigningCertificate",
"iam:ListSSHPublicKeys",
"iam:GetSSHPublicKey",
"iam:DeleteSSHPublicKey",
"iam:UpdateSSHPublicKey",
"iam:UploadSSHPublicKey"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
},
{
"Sid": "AllowIndividualUserToViewAndManageTheirOwnMFA",
"Effect": "Allow",
"Action": [
"iam:CreateVirtualMFADevice",
"iam:DeleteVirtualMFADevice",
"iam:EnableMFADevice",
"iam:ListMFADevices",
"iam:ResyncMFADevice"
],
"Resource": [
"arn:aws:iam::*:mfa/${aws:username}",
"arn:aws:iam::*:user/${aws:username}"
]
},
{
"Sid": "AllowIndividualUserToDeactivateOnlyTheirOwnMFAOnlyWhenUsingMFA",
"Effect": "Allow",
"Action": [
"iam:DeactivateMFADevice"
],
"Resource": [
"arn:aws:iam::*:mfa/${aws:username}",
"arn:aws:iam::*:user/${aws:username}"
],
"Condition": {
"Bool": {
"aws:MultiFactorAuthPresent": "true"
}
}
},
{
"Sid": "BlockMostAccessUnlessSignedInWithMFA",
"Effect": "Deny",
"NotAction": [
"iam:CreateVirtualMFADevice",
"iam:DeleteVirtualMFADevice",
"iam:ListVirtualMFADevices",
"iam:EnableMFADevice",
"iam:ResyncMFADevice",
"iam:ListAccountAliases",
"iam:ListUsers",
"iam:ListSSHPublicKeys",
"iam:ListAccessKeys",
"iam:ListServiceSpecificCredentials",

105
AWS Global Accelerator Developer Guide
Overview of access and authentication

"iam:ListMFADevices",
"iam:GetAccountSummary",
"sts:GetSessionToken"
],
"Resource": "*",
"Condition": {
"BoolIfExists": {
"aws:MultiFactorAuthPresent": "false"
}
}
}
]
}

What does this policy do?

• The AllowAllUsersToListAccounts statement enables the user to see basic information

about the account and its users in the IAM console. These permissions must be in their own
statement because they do not support or do not need to specify a specific resource ARN, and
instead specify "Resource" : "*".
• The AllowIndividualUserToSeeAndManageOnlyTheirOwnAccountInformation statement
enables the user to manage his or her own user, password, access keys, signing certificates, SSH
public keys, and MFA information in the IAM console. It also allows users to sign in for the first
time in an administrator requires them to set a first-time password. The resource ARN limits the
use of these permissions to only the user's own IAM user entity.
• The AllowIndividualUserToViewAndManageTheirOwnMFA statement enables the user to
view or manage his or her own MFA device. Notice that the resource ARNs in this statement allow
access to only an MFA device or user that has the same name as the currently signed-in user. Users
can't create or alter any MFA device other than their own.
• The AllowIndividualUserToDeactivateOnlyTheirOwnMFAOnlyWhenUsingMFA statement
allows the user to deactivate only his or her own MFA device, and only if the user signed in using
MFA. This prevents others with only the access keys (and not the MFA device) from deactivating
the MFA device and accessing the account.
• The BlockMostAccessUnlessSignedInWithMFA statement uses a combination of "Deny" and
"NotAction" to deny access to all but a few actions in IAM and other AWS services if the user is
not signed-in with MFA. For more information about the logic for this statement, see NotAction
with Deny in the IAM User Guide. If the user is signed-in with MFA, then the "Condition" test
fails and the final "deny" statement has no effect and other policies or statements for the user
determine the user's permissions. This statement ensures that when the user is not signed-in
with MFA, they can perform only the listed actions and only if another statement or policy allows
access to those actions.

The ...IfExists version of the Bool operator ensures that if the

aws:MultiFactorAuthPresent key is missing, the condition returns true. This means that a
user accessing an API with long-term credentials, such as an access key, is denied access to the
non-IAM API operations.
4. When you are ﬁnished, choose Review policy.
5. On the Review page, enter Force_MFA for the policy name. For the policy description, enter
This policy allows users to manage their own passwords and MFA devices but
nothing else unless they authenticate with MFA. Review the policy Summary to see
the permissions granted by your policy, and then choose Create policy to save your work.

The new policy appears in the list of managed policies and is ready to attach.

To attach the policy to a user (console)

1. In the navigation pane, choose Users.

106
AWS Global Accelerator Developer Guide
Overview of access and authentication

2. Choose the name (not the check box) of the user you want to edit.
3. On the Permissions tab, choose Add permissions.
4. Choose Attach existing policies directly.
5. In the search box, enter Force, and then select the check box next to Force_MFA in the list. Then
choose Next: Review.
6. Review your changes and choose Add permissions.

Enable MFA for your IAM user

For increased security, we recommend that all IAM users conﬁgure multi-factor authentication (MFA)
to help protect your Global Accelerator resources. MFA adds extra security because it requires users to
provide unique authentication from an AWS-supported MFA device in addition to their regular sign-in
credentials. The most secure AWS MFA device is the U2F security key. If your company already has U2F
devices, then we recommend that you enable those devices for AWS. Otherwise, you must purchase a
device for each of your users and wait for the hardware to arrive. For more information, see Enabling a
U2F Security Key in the IAM User Guide.

If you don't already have a U2F device, you can get started quickly and at a low cost by enabling a virtual
MFA device. This requires that you install a software app on an existing phone or other mobile device.
The device generates a six-digit numeric code based upon a time-synchronized one-time password
algorithm. When the user signs in to AWS, they are prompted to enter a code from the device. Each
virtual MFA device assigned to a user must be unique. A user cannot enter a code from another user's
virtual MFA device to authenticate. For a list of a few supported apps that you can use as virtual MFA
devices, see Multi-Factor Authentication.
Note
You must have physical access to the mobile device that will host the user's virtual MFA device in
order to conﬁgure MFA for an IAM user.

To enable a virtual MFA device for an IAM user (console)

1. Sign in to the AWS Management Console and open the IAM console at https://
console.aws.amazon.com/iam/.
2. In the navigation pane, choose Users.
3. In the User Name list, choose the name of the intended MFA user.
4. Choose the Security credentials tab. Next to Assigned MFA device, choose Manage.
5. In the Manage MFA Device wizard, choose Virtual MFA device, and then choose Continue.

IAM generates and displays conﬁguration information for the virtual MFA device, including a QR
code graphic. The graphic is a representation of the "secret conﬁguration key" that is available for
manual entry on devices that do not support QR codes.
6. Open your virtual MFA app.

For a list of apps that you can use for hosting virtual MFA devices, see Multi-Factor Authentication. If
the virtual MFA app supports multiple accounts (multiple virtual MFA devices), choose the option to
create a new account (a new virtual MFA device).
7. Determine whether the MFA app supports QR codes, and then do one of the following:

• From the wizard, choose Show QR code, and then use the app to scan the QR code. For example,
you might choose the camera icon or choose an option similar to Scan code, and then use the
device's camera to scan the code.
• In the Manage MFA Device wizard, choose Show secret key, and then enter the secret key into
your MFA app.

When you are ﬁnished, the virtual MFA device starts generating one-time passwords.

107
AWS Global Accelerator Developer Guide
Secure VPC connections

8. In the Manage MFA Device wizard, in the MFA code 1 box, enter the one-time password that
currently appears in the virtual MFA device. Wait up to 30 seconds for the device to generate a new
one-time password. Then enter the second one-time password into the MFA code 2 box. Choose
Assign MFA.
Important
Submit your request immediately after generating the codes. If you generate the codes
and then wait too long to submit the request, the MFA device successfully associates with
the user but the MFA device is out of sync. This happens because time-based one-time
passwords (TOTP) expire after a short period of time. If this happens, you can resync the
device. For more information, see Resynchronizing Virtual and Hardware MFA Devices in the
IAM User Guide.

The virtual MFA device is now ready for use with AWS.

Secure VPC connections in AWS Global Accelerator

When you add an internal Application Load Balancer or an Amazon EC2 instance endpoint in AWS Global
Accelerator, you enable internet traffic to flow directly to and from the endpoint in Virtual Private Clouds
(VPCs) by targeting it in a private subnet. The VPC that contains the load balancer or EC2 instance must
have an internet gateway attached to it, to indicate that the VPC accepts internet traffic. However, you
don't need public IP addresses on the load balancer or EC2 instance. You also don't need an associated
internet gateway route for the subnet.

This is different from the typical internet gateway use case in which both public IP addresses and
internet gateway routes are required for internet traffic to flow to instances or load balancers in a VPC.
Even if the elastic network interfaces of your targets are present in a public subnet (that is, a subnet
with an internet gateway route), when you use Global Accelerator for internet traffic, Global Accelerator
overrides the typical internet route and all logical connections that arrive through the Global Accelerator
also return through Global Accelerator rather than through the internet gateway.
Note
Using public IP addresses and using a public subnet for your Amazon EC2 instances are not
typical, though it’s possible to set up your configuration with them. Security groups apply to any
traffic that arrives to your instances, including traffic from Global Accelerator and any public or
Elastic IP address that is assigned to your instance ENI. Use private subnets to ensure that traffic
is delivered only by Global Accelerator.

Keep this information in mind when considering network perimeter issues and conﬁguring IAM privileges
related to internet access management. For more information about controlling internet access to your
VPC, see this service control policy example.

Logging and monitoring in AWS Global Accelerator

Monitoring is an important part of maintaining the availability and performance of Global Accelerator
and your AWS solutions. You should collect monitoring data from all of the parts of your AWS solution
so that you can more easily debug a multi-point failure if one occurs. AWS provides several tools for
monitoring your Global Accelerator resources and activity, and responding to potential incidents:

AWS Global Accelerator ﬂow logs

Server flow logs provide detailed records about traffic that flows through an accelerator to an
endpoint. Server flow logs are useful for many applications. For example, flow log information
can be useful in security and access audits. For more information, see Flow logs in AWS Global
Accelerator (p. 64).

108
AWS Global Accelerator Developer Guide
Compliance validation

Amazon CloudWatch metrics and alarms

Using CloudWatch, you can monitor, in real time, your AWS resources and the applications that you
run on AWS. CloudWatch collects and tracks metrics, which are variables that you measure over
time. You can create alarms that watch speciﬁc metrics, and then send notiﬁcations or automatically
make changes to the resources you are monitoring when the metric exceeds a certain threshold
for a period of time. For more information, see Using Amazon CloudWatch with AWS Global
Accelerator (p. 70).
AWS CloudTrail logs

CloudTrail provides a record of actions taken by a user, role, or an AWS service in Global Accelerator.
CloudTrail captures all API calls for Global Accelerator as events, including calls from the Global
Accelerator console and from code calls to the Global Accelerator API. For more information, see
Using AWS CloudTrail to log AWS Global Accelerator API calls (p. 75).

Compliance validation for AWS Global Accelerator

Third-party auditors assess the security and compliance of AWS Global Accelerator as part of multiple
AWS compliance programs. These include SOC, PCI, HIPAA, GDPR, ISO, and ENS High.

For a list of AWS services, including Global Accelerator, in scope of speciﬁc compliance programs, see
AWS services in scope by compliance Program. For general information, see AWS Compliance Programs.

You can download third-party audit reports using AWS Artifact. For more information, see Downloading
reports in AWS Artifact .

Your compliance responsibility when using Global Accelerator is determined by the sensitivity of your
data, your company's compliance objectives, and applicable laws and regulations. AWS provides the
following resources to help with compliance:

• Security and Compliance Quick Start Guides – These deployment guides discuss architectural
considerations and provide steps for deploying security- and compliance-focused baseline
environments on AWS.
• Architecting for HIPAA Security and Compliance Whitepaper – This whitepaper describes how
companies can use AWS to create HIPAA-compliant applications.
• AWS Compliance Resources – This collection of workbooks and guides might apply to your industry
and location.
• Evaluating Resources with Rules in the AWS Config Developer Guide – The AWS Config service assesses
how well your resource configurations comply with internal practices, industry guidelines, and
regulations.
• AWS Security Hub – This AWS service provides a comprehensive view of your security state within AWS
that helps you check your compliance with security industry standards and best practices.

Resilience in AWS Global Accelerator

The AWS global infrastructure is built around AWS Regions and Availability Zones. AWS Regions provide
multiple physically separated and isolated Availability Zones, which are connected with low-latency,
high-throughput, and highly redundant networking. With Availability Zones, you can design and operate
applications and databases that automatically fail over between Availability Zones without interruption.
Availability Zones are more highly available, fault tolerant, and scalable than traditional single or
multiple data center infrastructures.

For more information about AWS Regions and Availability Zones, see AWS Global Infrastructure.

109
AWS Global Accelerator Developer Guide
Infrastructure security

In addition to the support of AWS global infrastructure, Global Accelerator oﬀers the following features
that help support data resiliency:

• A network zone services the static IP addresses for your accelerator from a unique IP subnet. Similar to
an AWS Availability Zone, a network zone is an isolated unit with its own set of physical infrastructure.
When you conﬁgure an accelerator, Global Accelerator allocates two IPv4 addresses for it. If one
IP address from a network zone becomes unavailable due to IP address blocking by certain client
networks, or due to network disruptions, client applications can retry on the healthy static IP address
from the other isolated network zone.
• Global Accelerator continuously monitors the health of all endpoints. When it determines that an
active endpoint is unhealthy, Global Accelerator instantly begins directing traﬃc to another available
endpoint. This allows you to create a high-availability architecture for your applications on AWS.

Infrastructure security in AWS Global Accelerator

As a managed service, AWS Global Accelerator is protected by the AWS global network security
procedures that are described by the resources on the Best Practices for Security, Identity, & Compliance
page.

You use AWS published API calls to access Global Accelerator through the network. Clients must support
Transport Layer Security (TLS) 1.0 or later. We recommend TLS 1.2 or later. Clients must also support
cipher suites with perfect forward secrecy (PFS) such as Ephemeral Diﬃe-Hellman (DHE) or Elliptic Curve
Ephemeral Diﬃe-Hellman (ECDHE). Most modern systems such as Java 7 and later support these modes.
Additionally, requests must be signed by using an access key ID and a secret access key that is associated
with an IAM principal. Or you can use the AWS Security Token Service (AWS STS) to generate temporary
security credentials to sign requests.

110
AWS Global Accelerator Developer Guide
General quotas

Quotas for AWS Global Accelerator

Your AWS account has speciﬁc quotas, also known as limits, related to AWS Global Accelerator.

The Service Quotas console provides information about Global Accelerator quotas. Along with viewing
the default quotas, you can use the Service Quotas console to request quota increases for adjustable
quotas. Note that you must be in US East (N. Virginia) when you request quota increases for Global
Accelerator.

Topics
• General quotas (p. 111)
• Quotas for endpoints per endpoint group (p. 111)
• Related quotas (p. 112)

General quotas
The following are overall quotas for Global Accelerator.

Entity Quota

Accelerators per AWS account 20

You can request a quota increase.

Listeners per accelerator 10

You can request a quota increase.

Endpoint groups per accelerator, across 42

all listeners

Port ranges per listener 10

Port overrides per endpoint group 10

You can request a quota increase.

Quotas for endpoints per endpoint group

The following are Global Accelerator quotas that apply to the number of endpoints in endpoint groups.

Entity Description Quota

Endpoint groups with more Number of endpoints in an endpoint 10

than one endpoint type group containing more than one endpoint
type.

Endpoint groups with just Number of Application Load Balancers 10

Application Load Balancers in an endpoint group containing only
Application Load Balancer endpoints.

111
AWS Global Accelerator Developer Guide
Related quotas

Entity Description Quota

Endpoint groups with just Number of Network Load Balancers in an 10

Network Load Balancers endpoint group containing only Network
Load Balancer endpoints.

Endpoint groups with just Number of EC2 instances in an endpoint 10

Amazon EC2 instances group containing only EC2 instance
endpoints. You can request a quota
increase.

Endpoint groups with just Number of Elastic IP addresses in an 10

Elastic IP addresses endpoint group containing only Elastic IP
address endpoints. You can request a quota
increase.

Endpoint groups with just Number of Amazon VPC subnets in an 10

Amazon Virtual Private endpoint group containing only subnet
Cloud subnets endpoints. You can request a quota
increase.

Related quotas
In addition to quotas in Global Accelerator, there are quotas that apply to the resources that you use as
endpoints for an accelerator. For more information, see the following:

• Elastic IP address quotas in the Amazon EC2 User Guide.

• Amazon EC2 service quotas in the Amazon EC2 User Guide.
• Quotas for your Network Load Balancers in the User Guide for Network Load Balancers.
• Quotas for your Application Load Balancers in the User Guide for Application Load Balancers.
• Amazon VPC quotas in the Amazon VPC User Guide.

112
AWS Global Accelerator Developer Guide
Additional AWS Global Accelerator documentation

AWS Global Accelerator Related

information
The information and resources listed here can help you learn more about Global Accelerator.

Topics
• Additional AWS Global Accelerator documentation (p. 113)
• Getting support (p. 113)
• Tips from the Amazon Web Services Blog (p. 113)

Additional AWS Global Accelerator documentation

The following related resources can help you as you work with this service.

• AWS Global Accelerator API Reference – Gives complete descriptions of the API actions, parameters,
and data types, and a list of errors that the service returns.
• AWS Global Accelerator product information – The primary web page for information about Global
Accelerator, including features and pricing information.
• Terms of Use – Detailed information about our copyright and trademark; your account, license, and site
access; and other topics.

Getting support
Support for Global Accelerator is available in several forms.

• Discussion forums – A community-based forum for developers to discuss technical questions related to
Global Accelerator.
• AWS Support Center – This site brings together information about your recent support cases and
results from AWS Trusted Advisor and health checks, as well as providing links to discussion forums,
technical FAQs, the service health dashboard, and information about AWS support plans.
• AWS Premium Support Information – The primary web page for information about AWS Premium
Support, a one-on-one, fast-response support channel to help you build and run applications on AWS
Infrastructure Services.
• Contact Us – Links for inquiring about your billing or account. For technical questions, use the
discussion forums or support links above.

Tips from the Amazon Web Services Blog

The AWS Blog has a number of posts to help you use AWS services. For example, see the following blog
posts about Global Accelerator:

• AWS Global Accelerator for Availability and Performance

• Traﬃc management with AWS Global Accelerator

113
AWS Global Accelerator Developer Guide
Tips from the Amazon Web Services Blog

• Analyzing and visualizing AWS Global Accelerator ﬂow logs using Amazon Athena and Amazon
QuickSight

For a complete list of AWS Global Accelerator blogs, see AWS Global Accelerator in the Networking &
Content Delivery category of AWS blog posts.

114
AWS Global Accelerator Developer Guide

Document history
The following entries describe important changes made to the AWS Global Accelerator documentation.

• API version: latest

• Latest documentation update: November 2, 2021

Change Description Date

Update to the Global Accelerator Global Accelerator November 2, 2021

existing service-linked role added new permissions,
ec2:AssignIpv6Addresses
and
ec2:UnassignIpv6Addresses,
to support IPv6 addresses. For
more information, see https://
docs.aws.amazon.com/global-
accelerator/latest/dg/security-
iam-awsmanpol-updates.html.

Added new CloudWatch metrics Global Accelerator has added October 28, 2021
two new CloudWatch metrics.
For more information, see
https://docs.aws.amazon.com/
global-accelerator/latest/dg/
cloudwatch-monitoring.html.

Update to the flow logs capture Global Accelerator has expanded July 30, 2021
window the flow log capture window
from 10 seconds to 60 seconds.
For more information, see
https://docs.aws.amazon.com/
global-accelerator/latest/
dg/monitoring-global-
accelerator.flow-logs.html.

Update to the Global Accelerator Global Accelerator May 7, 2021

existing service-linked role added a new permission,
ec2:DescribeRegions, to
allow Global Accelerator to
get AWS Region information
to help diagnose errors. For
more information, see https://
docs.aws.amazon.com/global-
accelerator/latest/dg/security-
iam-awsmanpol-updates.html.

Added custom routing Global Accelerator introduced a December 9, 2020

accelerators new type of accelerator custom
routing accelerators. Custom
routing accelerators work well
for scenarios where you want
to use custom application
logic to direct one or more

115
AWS Global Accelerator Developer Guide

Change Description Date

users to a speciﬁc destination
and port among many, while
still gaining the performance
beneﬁts of Global Accelerator.
For more information, see
https://docs.aws.amazon.com/
global-accelerator/latest/dg/
work-with-custom-routing-
accelerators.html.

Added port overrides support Global Accelerator now supports October 21, 2020
overriding the listener port used
for routing traffic to endpoints
so you can reroute traffic to
specific ports on your endpoints.
For more information, see
https://docs.aws.amazon.com/
global-accelerator/latest/dg/
about-endpoint-groups-port-
override.html.

Added two new Regions Global Accelerator now May 20, 2020
supports Africa (Cape Town)
and Europe (Milan). For more
information, see https://
docs.aws.amazon.com/global-
accelerator/latest/dg/preserve-
client-ip-address.regions.html.

Tagging and BYOIP This release adds support for February 27, 2020
adding tags to accelerators
and bringing your own IP
address to AWS Global
Accelerator (BYOIP). For more
information, see https://
docs.aws.amazon.com/global-
accelerator/latest/dg/tagging-
in-global-accelerator.html and
https://docs.aws.amazon.com/
global-accelerator/latest/dg/
using-byoip.html.

Updated Security chapter Added content for December 20, 2019

compliance, resilience, and
infrastructure security. For
more information, see https://
docs.aws.amazon.com/
global-accelerator/latest/dg/
security.html.

116
AWS Global Accelerator Developer Guide

Change Description Date

Support for EC2 instances and AWS Global Accelerator now October 29, 2019
default DNS name supports adding EC2 instances
in supported AWS Regions. In
addition, Global Accelerator
creates a default DNS name
that is mapped to the static IP
addresses for your accelerator.
For more information, see
https://docs.aws.amazon.com/
global-accelerator/latest/dg/
introduction-how-it-works-
client-ip.html and https://
docs.aws.amazon.com/global-
accelerator/latest/dg/about-
accelerators.html#about-
accelerators.dns-addressing.

Client IP address preservation You can now choose to have August 28, 2019
for Application Load Balancers AWS Global Accelerator
preserve the client IP address
for Application Load Balancers
in supported AWS Regions.
For more information, see
https://docs.aws.amazon.com/
global-accelerator/latest/dg/
introduction-how-it-works-
client-ip.html.

Release of AWS Global The AWS Global Accelerator November 26, 2018
Accelerator service Developer Guide provides
information about setting
up and using accelerators—
network layer traﬃc managers
—that improve availability and
performance for your internet
applications that have a global
audience.

117
AWS Global Accelerator Developer Guide

AWS glossary
For the latest AWS terminology, see the AWS glossary in the AWS General Reference.

118

Intrusion Detection Honeypots
From Everand
Intrusion Detection Honeypots
Chris Sanders
3/5 (2)
HP Networking Guide To Hardening Comware-Based Devices
No ratings yet
HP Networking Guide To Hardening Comware-Based Devices
40 pages
Aquaponic Design Plans Everything You Needs to Know: Everything You Need to Know from Backyard to Profitable Business
From Everand
Aquaponic Design Plans Everything You Needs to Know: Everything You Need to Know from Backyard to Profitable Business
David H Dudley
No ratings yet
Internet and Distributed Systems PDF
No ratings yet
Internet and Distributed Systems PDF
258 pages
How to Sell on Amazon and Product Research: Product Research Tips and Practical Guide on How to Find a Winning Product to Sell on Amazon Fba
From Everand
How to Sell on Amazon and Product Research: Product Research Tips and Practical Guide on How to Find a Winning Product to Sell on Amazon Fba
David L. Ross
No ratings yet
AWS Serverless Application Model
No ratings yet
AWS Serverless Application Model
189 pages
Gray Hat Hacking the Ethical Hacker's
From Everand
Gray Hat Hacking the Ethical Hacker's
Çağatay Şanlı
5/5 (1)
ChatGPT for Business: Strategies for Success
From Everand
ChatGPT for Business: Strategies for Success
Matthew C. Smith
1/5 (1)
The Linux Terminal for Advanced Users - The Command Line Made Easy: First Edition
From Everand
The Linux Terminal for Advanced Users - The Command Line Made Easy: First Edition
Michael Basler
No ratings yet
Securing ChatGPT: Best Practices for Protecting Sensitive Data in AI Language Models
From Everand
Securing ChatGPT: Best Practices for Protecting Sensitive Data in AI Language Models
Matthew C. Smith
No ratings yet
Software Patterns Made Easy
From Everand
Software Patterns Made Easy
Justice Nanhou
No ratings yet
Cybersecurity for Executives: A Guide to Protecting Your Business
From Everand
Cybersecurity for Executives: A Guide to Protecting Your Business
Matthew C. Smith
No ratings yet
Blog Smarter, Not Harder: SEO, Blogging, and AI Strategies to Skyrocket Your Traffic
From Everand
Blog Smarter, Not Harder: SEO, Blogging, and AI Strategies to Skyrocket Your Traffic
Jay Nans
No ratings yet
The Off-Grid Blueprint: DIY Survival Projects for Modern Self-Reliance: DIY Survival Projects for Modern Self-Reliance: DIY Survival Projects for Modern Self-Reliance
From Everand
The Off-Grid Blueprint: DIY Survival Projects for Modern Self-Reliance: DIY Survival Projects for Modern Self-Reliance: DIY Survival Projects for Modern Self-Reliance
Grant Wilder
No ratings yet
Apigateway DG
No ratings yet
Apigateway DG
842 pages
10K Blueprint
From Everand
10K Blueprint
Cian O Farrell
5/5 (2)
Web Video Business
From Everand
Web Video Business
MUHAMMAD NUR WAHID ANUAR
No ratings yet
BlockChain for Beginners
From Everand
BlockChain for Beginners
Matthew Smith
No ratings yet
As Api
No ratings yet
As Api
224 pages
A To Z of Internet: Everything You Wanted to Know
From Everand
A To Z of Internet: Everything You Wanted to Know
Bittu Kumar
No ratings yet
Unlocking Statistics for the Social Sciences
From Everand
Unlocking Statistics for the Social Sciences
Norma Sinclair
No ratings yet
Aquaponics for Profit
From Everand
Aquaponics for Profit
David H Dudley
No ratings yet
CAN Bus for Beginners: A Practical Guide to Automotive Networking
From Everand
CAN Bus for Beginners: A Practical Guide to Automotive Networking
Mohamad Charara
No ratings yet
Irish Red Setter Guide Irish Red Setter Guide Includes: Irish Red Setter Training, Diet, Socializing, Care, Grooming, and More
From Everand
Irish Red Setter Guide Irish Red Setter Guide Includes: Irish Red Setter Training, Diet, Socializing, Care, Grooming, and More
Martin David
No ratings yet
Breaking Barriers: S.T.E.M Mentorship in Business
From Everand
Breaking Barriers: S.T.E.M Mentorship in Business
Matthew C. Smith
No ratings yet
TINY SHIFTS, BIG RESULTS: How Small Habits Shape Who You Become and Transform Your Life: How Small Habits Shape Who You Become and Transform Your Life: How Small Habits Shape Who You Become and Transform Your Life
From Everand
TINY SHIFTS, BIG RESULTS: How Small Habits Shape Who You Become and Transform Your Life: How Small Habits Shape Who You Become and Transform Your Life: How Small Habits Shape Who You Become and Transform Your Life
J.T. Warren
No ratings yet
Aquaponics Design Plans, Construction, Operation, and Income: Organic Food
From Everand
Aquaponics Design Plans, Construction, Operation, and Income: Organic Food
David H Dudley
No ratings yet
Aes DG
No ratings yet
Aes DG
338 pages
Global Accelerator
No ratings yet
Global Accelerator
1 page
Content Creation Revolution with chatGPT
From Everand
Content Creation Revolution with chatGPT
Maria Cowen
No ratings yet
AmazonCloudFront DevGuide
No ratings yet
AmazonCloudFront DevGuide
493 pages
AmazonCloudFront DevGuide
100% (1)
AmazonCloudFront DevGuide
517 pages
Aquaponics How to do Everything from Backyard to Profitable Business: from BACKYARD to PROFITABLE BUSINESS
From Everand
Aquaponics How to do Everything from Backyard to Profitable Business: from BACKYARD to PROFITABLE BUSINESS
David H Dudley
No ratings yet
Amazon Cloudfront Developer Guide
100% (1)
Amazon Cloudfront Developer Guide
435 pages
Plain JavaScript: Learning the Front-End
From Everand
Plain JavaScript: Learning the Front-End
Roger Beans-Rivet
No ratings yet
Human Nature Potential in Nurture
From Everand
Human Nature Potential in Nurture
David L. Hawk
No ratings yet
Business English Writing: Effective Business Writing Tips and Will Help You Write Better and More Effectively at Work
From Everand
Business English Writing: Effective Business Writing Tips and Will Help You Write Better and More Effectively at Work
Mary G. Lewis
No ratings yet
Amazon Auto Scaling: Developer Guide API Version 2009-05-15
No ratings yet
Amazon Auto Scaling: Developer Guide API Version 2009-05-15
115 pages
Datapipeline DG
No ratings yet
Datapipeline DG
337 pages
How to Sell on Amazon Fba
From Everand
How to Sell on Amazon Fba
David L. Ross
No ratings yet
Mastering Python Advanced Concepts and Practical Applications
From Everand
Mastering Python Advanced Concepts and Practical Applications
Aissa Younes
No ratings yet
Module 1 - Migrate On Premises To The Cloud
No ratings yet
Module 1 - Migrate On Premises To The Cloud
51 pages
Amazon Workspaces: Administration Guide
No ratings yet
Amazon Workspaces: Administration Guide
75 pages
Orch UserGuide R952
No ratings yet
Orch UserGuide R952
846 pages
Serverless Application Model
No ratings yet
Serverless Application Model
302 pages
Ps VTM 17.4 Userguide
No ratings yet
Ps VTM 17.4 Userguide
502 pages
Aquaponics Construct and Operate: Instructions and Everything You Need to Know
From Everand
Aquaponics Construct and Operate: Instructions and Everything You Need to Know
PE David H. Dudley PMP
No ratings yet
AmazonCloudFront DevGuide
No ratings yet
AmazonCloudFront DevGuide
566 pages
AWS Lab Practice Guide by WWW - Server-Computer - Com - v1
100% (1)
AWS Lab Practice Guide by WWW - Server-Computer - Com - v1
86 pages
Options Trading for Income: Learn the strategies and techniques for maximizing returns and minimizing risk in the options market (2023 Guide for Beginners)
From Everand
Options Trading for Income: Learn the strategies and techniques for maximizing returns and minimizing risk in the options market (2023 Guide for Beginners)
Lane Conner
No ratings yet
AWS Marketplace Cloud-Native Ebook 2 Development Techniques FINAL
No ratings yet
AWS Marketplace Cloud-Native Ebook 2 Development Techniques FINAL
27 pages
Nutrition Essentials
From Everand
Nutrition Essentials
Allen Nissanth
No ratings yet
AWS Certified Advanced Networking Training by Hemu Sir Course Content
No ratings yet
AWS Certified Advanced Networking Training by Hemu Sir Course Content
14 pages
SmoothWall Express 3 Administrator Guide V2
No ratings yet
SmoothWall Express 3 Administrator Guide V2
86 pages
quickstartguideEntAWSv8 - Iam Roles
No ratings yet
quickstartguideEntAWSv8 - Iam Roles
48 pages
AWS Global Accelerator - AWS Cheat Sheet
No ratings yet
AWS Global Accelerator - AWS Cheat Sheet
5 pages
Journey Through The Cloud: Scalable Web Apps
No ratings yet
Journey Through The Cloud: Scalable Web Apps
63 pages
© 2020, Amazon Web Services, Inc. or Its Affiliates. All Rights Reserved. Amazon Confidential and Trademark
No ratings yet
© 2020, Amazon Web Services, Inc. or Its Affiliates. All Rights Reserved. Amazon Confidential and Trademark
50 pages
Uncovering Periodic Network Signals of Cyber Attacks: Ngoc Anh Huynh, Wee Keong NG Alex Ulmer Jörn Kohlhammer
No ratings yet
Uncovering Periodic Network Signals of Cyber Attacks: Ngoc Anh Huynh, Wee Keong NG Alex Ulmer Jörn Kohlhammer
8 pages
User Manual ATC-1000
No ratings yet
User Manual ATC-1000
5 pages
Computer Network Slide Notes Important
No ratings yet
Computer Network Slide Notes Important
77 pages
Module-I TCP-IP Overview & Ethernet PDF
No ratings yet
Module-I TCP-IP Overview & Ethernet PDF
61 pages
Reti Lezione11
No ratings yet
Reti Lezione11
17 pages
Networking Cheat Sheet - by Codelivly
No ratings yet
Networking Cheat Sheet - by Codelivly
5 pages
Vulnerabilitati
No ratings yet
Vulnerabilitati
12 pages
Chapter 1 Introduction To Data Communications: Networking in The Internet Age
No ratings yet
Chapter 1 Introduction To Data Communications: Networking in The Internet Age
48 pages
Complete Glossary of Terms For Windows XP Operating System
No ratings yet
Complete Glossary of Terms For Windows XP Operating System
38 pages
Refer.3.3.4.Article - K41305885 - BIG-IP AFM DoS Vectors
No ratings yet
Refer.3.3.4.Article - K41305885 - BIG-IP AFM DoS Vectors
13 pages
Power Management in 802.11: Presented by Sweta Sarkar June 17, 2002
No ratings yet
Power Management in 802.11: Presented by Sweta Sarkar June 17, 2002
8 pages
Network Routing Basics Understanding IP Routing in Cisco Systems
100% (1)
Network Routing Basics Understanding IP Routing in Cisco Systems
437 pages
Observeit V.7.0.0: Introduction and Installation Guide
No ratings yet
Observeit V.7.0.0: Introduction and Installation Guide
36 pages
Nmnt2nd Lec
No ratings yet
Nmnt2nd Lec
10 pages
Tie 230 Ig 0-00 En-Us
No ratings yet
Tie 230 Ig 0-00 En-Us
45 pages
Unit 1 - Web Engineering - WWW - Rgpvnotes.in
No ratings yet
Unit 1 - Web Engineering - WWW - Rgpvnotes.in
9 pages
Anonymous and Traceable Group Data Sharing in Cloud Computing
No ratings yet
Anonymous and Traceable Group Data Sharing in Cloud Computing
84 pages
Troubleshooting High CPU Caused by The BGP Scanner or BGP Router Process
No ratings yet
Troubleshooting High CPU Caused by The BGP Scanner or BGP Router Process
8 pages
Converting RRSF From APPC To TCP/IP: Southern California RACF User's Group
No ratings yet
Converting RRSF From APPC To TCP/IP: Southern California RACF User's Group
50 pages
Computer Networks Notes
No ratings yet
Computer Networks Notes
12 pages
The LNM Institute of Information Technology, Jaipur: Computer Networks Lab Lab Assignment 1 Solution
No ratings yet
The LNM Institute of Information Technology, Jaipur: Computer Networks Lab Lab Assignment 1 Solution
181 pages
Presentation of TCP
No ratings yet
Presentation of TCP
10 pages
FortiClient EMS 7.2.4 QuickStart Guide
No ratings yet
FortiClient EMS 7.2.4 QuickStart Guide
59 pages
Detailed Compiled Syllabus For Ete For All Subjects
No ratings yet
Detailed Compiled Syllabus For Ete For All Subjects
5 pages
Losses and Delays (2) PDF
No ratings yet
Losses and Delays (2) PDF
10 pages
Elastic Load Balancing FAQs - Amazon Web Services
No ratings yet
Elastic Load Balancing FAQs - Amazon Web Services
20 pages
Elfin-EG46B User Manual V1.0 (20220510)
No ratings yet
Elfin-EG46B User Manual V1.0 (20220510)
15 pages
MC55 /MC56: Release Notes
No ratings yet
MC55 /MC56: Release Notes
13 pages