Questions tagged with AWS Global Accelerator

I have a public ALB with a WAF firewall attached to it and a Global Accelerator endpoint which forwards traffic to this ALB. Now, I'd like to limit direct access to the ALB to IP Range of the AWS Global Accelerator range - so to start with, none can access directly the ALB if not via the GA endpoint. I have created an AWS Lambda as per https://aws.amazon.com/blogs/security/automatically-update-aws-waf-ip-sets-with-aws-ip-ranges/ which downloads the https://ip-ranges.amazonaws.com/ip-ranges.json file and adds automatically all the IP Subnets that matches "service": "GLOBALACCELERATOR" to the WAF IPset for both IPv4 and IPv6. The process works and the Lambda can successfully add the IP address range to the WAF IPSet, though when I configure a rule to Match/Count this IPSet, I'm not seeing any hits that matches these subnets. The only way I got this to match was to add all the IP ranges which matches "service": "AMAZON" rather then "service": "GLOBALACCELERATOR". This makes me believe that the https://ip-ranges.amazonaws.com/ip-ranges.json list is not updated with the correct IP Ranges for the GLOBALACCELERATOR.

I can add an endpoint to a group using `aws globalaccelerator update-endpoint-group`, but how do I remove an endpoint from an endpoint group?? Closest thing I can find is `remove-custom-routing-endpoints` but I'm using a Standard GA, not an custom one.

I have an S3 bucket set up for "Static Website Hosting", a CloudFront distribution with our own SSL certificate and allowing Host header, a Global Accelerator IP address attached to an Application Load Balancer. The Application Load Balancer does a 301 redirect to the S3 bucket. I know that you can set an EC2 instance as a target group and forward to that to preserve the original URL. Can you also preserve the original URL using this method of 301 redirect to a Cloudfront distribution tied to an S3 bucket?

Currently AWS Cognito stores users in one region. This causes all of client network requests go to this specific region, which can cause significant latency. (Imagine a scenario when Cognito region is US-east and client is in Australia) Global solve issues like that (Backend service operate in region A, but clients can connect to GlobalAccelelator locations which reduce latency) **It there any simple way** of integrating Cognito and Global Accelerator in such a way that GlobalAccelelator will just 'proxy' all traffic to Cognito region?

The University that I work for has its own DNS servers. They are older and need an IP address to point to for the zone apex record. DNS migration is not an option. We have a site in AWS Amplify. We want to use the Amplify website for our root domain, "example.edu". RFC 1034 says that the zone apex must be an A Record, and not a CNAME. According to the article at https://aws.amazon.com/blogs/networking-and-content-delivery/solving-dns-zone-apex-challenges-with-third-party-dns-providers-using-aws/, there are three options: Route53, Elastic IPs with EC2 instances, and Global Accelerator. Since we are using AWS Amplify, we can't do the EC2 option. The Route53 option won't work with our old DNS server, which only works with IP addresses. The third option is to use AWS Global Accelerator and an Application Load Balancer (ALB) which does a 301 redirect to our Cloudfront distribution that has the custom SSL cert for our Amplify instance. When we point our DNS at the IP associated with AWS Global Accelerator, the redirect is working, but the URL is showing the Cloudfront distribution instead of example.com. I was told that whitelisting the Host header would fix this, but it just returns a 403 error saying that the request could not be satisfied. I am not sure if I am on the right track and need some adjustment somewhere, or if I need to do something completely different.

We are building a global application that consists of regional API Gateways that should be accessible from a global.example.com domain with Active-active failover between regions. We are constrained to follow a pattern of using a different account per region and can possibly need to use the same regions (For eg uswest-2 in AccA, uswest-2 in accB and useast2 in acc C). Two approaches we are considering for the failover is: 1. In region/account A, Make the APIGateways private with vpc endpoint and front them with an ALB. We can use a Global Accelerator pointing to this to get static IPs and finally create global.example.com pointing to this accelerator. However, for region/account B, we cannot use the accelerator in A to add an endpoint in region/account B since cross acccount resouces isn't supported. Is there a workaround for this? 2. Another approach is to use the same custom domain in both regions like above, but keep the APIgateway public and use a route53 record to point global.example.com to use CNAMEs of the public APIGateway in multiple regions/accounts. Will this work as described? Which approach would be the recommended one given our priority is to maximize the Availability and minimize time for failure routing.

We're on the Business support tier because "Enterprise On-Ramp" would be about a 50% increase in our monthly costs. And we've had a support ticket open for 6 months (related to Global Accelerator). They've agreed it's a problem, but it's "engineering is working on it". Support said that engineering would provide an estimated timeline and ETA last week, but that didn't happen. First level support seems to be trying, but they apparently can't get anything done either. Meanwhile I have a customer eagerly awaiting the fix. So the question is, do we have any recourse such as talking to some sort of account rep or some such? Or is it simply, "sorry no additional help for you without more money"? (Not that I know that an account rep could make engineering fix the problem but in my experience in past jobs with dealing with large vendors, the account managers were generally of some help with at least finding a real status on such problems.)

The Global Accelerator currently does not support client IP preservation for Network Load Balancer endpoints. Is anyone aware of the reason behind this and if AWS plans to support it?

Today my global accelerator in one of my accounts disabled itself. It give us access denied when we try to re-enable it, and if we try to create a new one it says we have exceeded the maximum number of them. We only have a single accelerator. We've tried with the root account as well, and still get access denied. I was able to detach my listener in an attempt to create a new accelerator, but i cannot. Is this an AWS bug?? How can i fix this?? https://imgur.com/lidRFkt

I am trying to setup a Global Accelerator using Custom Routing, but running into issues. I keep getting the following error: **There are not enough accelerator ports remaining to support the requested endpoint.** After looking into it, this part of the documentation catches me off guard: _**Listener port ranges** - We recommend that you allocate listener port ranges linearly and make the ranges large enough to support the number of destination ports that you intend to have. That is, the number of ports you should allocate should be **at least the subnet size times the number of destination ports and protocols** (destination configurations) that you will have in the subnet._ This is what strikes me as odd, or possibly I am trying to set it up the wrong way. This is what I hope to achieve: - I have a number of game servers running in us-west-2, lets say 2 EC2 instances. Each of these instances will be hosting one or more game sessions. I have configured it so that server1 will use ports 1000-1999, and server2 will user ports 2000-2999. - In the client, I want to be able to point to the Global Accelerator IP address, using a port from 1000-2999, and have it end up at either server1 or server2 depending on which port number is used. So I set it up a custom accelerator, and add my first listener. **Listener port range**: 1000-1999. **Endpoint Groups**: One entry - us-west-2, Port range 1000-1999, Protocols TCP & UDP. **Endpoints**: One entry - Subnet <my-subnet-us-west-2a>, Allow traffic to specific destination socket addresses, IP Address <server1 - 172.31.123.123 >, Ports 1000-1999. After clicking save, I get the error: _There are not enough accelerator ports remaining to support the requested endpoint._ Am I going about this the wrong way entirely? I am a bit confused at the endpoint stage also, since I can just choose the entire subnet and leave it at 'Allow traffic' but what EC2 instance would it go to? Pick a random IP in that range and hope it maps to an active EC2 server? Or is this where the documentation note comes into play - in that it is doing something like port 1000-1999 will be mapped to the first valid IP in the subnet. 2000-2999 would be mapped to the second valid IP, and so on and so forth, therefore needing a huge number of initial listener port ranges.

In the [Global Accelerator documention](https://docs.aws.amazon.com/global-accelerator/latest/dg/secure-vpc-connections.html) it states that Application Load Balancers can be on private subnets. Is this also true for NLB - can the customer NLB be on a private subnet as well?

If I want to use BYOIP and I have a /24, can I use that /24 for provisioning elastic IPs and also for Global Accelerator? Or do I need a seperate /24 for each of those services? It is unclear, other than the documentation that shows Global Accelerator example using a /24.

Looking at the global list of AWS IPs https://ip-ranges.amazonaws.com/ip-ranges.json There is an eu-west-2 Global Accelerator ip range. My home region is eu-west-2, but I can only create a GA in us-west-2 and that&#39;s where the static IPs are from. I would like a UK IP address for our predominately UK websites, otherwise ranking is negatively affected. Is this possible?

Hi! I was wondering if there are plans to get metrics on throughput or health checks for my GA listeners and endpoints. I'm currently using EC2 instances as the targets of my GA Endpoints, but I want health check and other data to know how things are going. Yes, I can use canaries and the like to verify my service is running, but I'd love to know if, for example, only 1 of my 5 instances is serving traffic - canaries couldn't detect this. I know I can use NLBs/ELBs as the Endpoint, and put my instances behind that, but it seems that I would just add to my cost. Thanks!!

Hi I have been benchmarking CloudFront (without cache) and Global Accelerator and I don't really understand results of the latter one. **Setup** # Web application in Ireland, delivering static content for testing (jpeg, js, html...) on EC2. # Application Load Balancer in front. **CloudFront test** I created a global CloudFront distribution without any caching in order to utilize private AWS backbone network. The goal was to decrease network latency between Ireland (server) and Japan/US (client). I compared file download times with and without CloudFront. I.e., direct connection from Japan/US to Ireland via public Internet vs. via CloudFront. Results were good, on average file (js, jpeg, html...) download duration was ~50 % via CloudFront vs. direct connection to ALB in Ireland. **Global Accelerator test** I performed equal test to CloudFront test but by using Global Accelerator and two static IP addresses. I expected to see similar improvements in download speeds but I was wrong. Duration of file download was just slightly decreased when downloading via either GA IP. In contrast, in Europe area it was slower to download files via GA than it was via direct connection to ALB. I checked traceroute resulsts from Japan and US to web app (Ireland/ALB) with and without GA. I did verify that with GA there are much less hops as it is jumping into AWS network via edge node. Do I have understood something wrong in GA, or why it is not improving download performance in way CloudFront does? Is it related to the implementation of CloudFront where it keeps TCP connections warm/open from edge to backend and GA is not doing that?

Just wondering if there's a rough ETA on IPv6 availability. I'm assuming it's either planned or was tentatively-planned at some point as there's a disabled drop-down box with IPv4 pre-selected. Use case is typical websites: since some clients send an AAAA request 25ms or so before attempting an A record, IPv6 would be nice to have. Ideally the set-up here would provide at least a couple public-facing Anycast IPv6 addresses within the accelerator, and simply route them through to the IPv4 elastic IPs. For flexibility though I suppose 3 options in the dropdown might be useful: IPv4, IPv6, IPv4+IPv6. Thanks.

Hi Having recently migrated from eu-west-1 (Ireland) to eu-west-2 (London) we don't seem to be able to select eu-west-2 as an endpoint. Is it coming online soon please? Thanks Derek Edited by: Media Storehouse on Mar 27, 2019 5:16 AM

Hi, I have a Global Accelerator endpoint that routes traffic through a Network Load Balancer to a group of EC2 instances. Since I only want to accept traffic from Global Accelerator I want to whitelist the Global Accelerator source IPs as described in https://docs.aws.amazon.com/global-accelerator/latest/dg/introduction-ip-ranges.html and block everything else. I have, however, noted that there are incoming requests to the EC2 instances from Global Accelerator in the in interval of 13.248.100.0/24 that is not tagged with GLOBALACCELERATOR in the aforementioned document. Could it be an error in https://ip-ranges.amazonaws.com/ip-ranges.json? Thanks, Anders

It is my understanding that CloudFront can also be used (with caching fully disabled) to improve TCP connection "strength" between EC2 instances and far-away users on weak internet connections by letting users connect to one of many closer points of presence with lower latency. Does Global Accelerator share points of presence with CloudFront? In other words, does Global Accelerator have edge servers in all of the AWS Edge Locations listed in CloudFront's marketing materials, or only in AWS Regions?