
AWS Global Accelerator Guide

Optimize global traffic with Global Accelerator: anycast IPs, endpoint groups, health checks, and DDoS protection.

CloudToolStack Team, 22 min read, published Mar 14, 2026

Prerequisites

  • Understanding of DNS, TCP/UDP, and load balancing concepts
  • Familiarity with ALB/NLB and multi-region architectures

What Is AWS Global Accelerator?

AWS Global Accelerator is a networking service that improves the availability, performance, and security of your applications by directing traffic through the AWS global network instead of the public internet. It provides two static anycast IP addresses that serve as a fixed entry point to your application. User traffic enters the AWS network at the nearest edge location and travels over the AWS backbone to your endpoints, reducing latency, jitter, and packet loss.

Global Accelerator differs from CloudFront (which is a CDN for caching content) in that it is a Layer 4 network accelerator for TCP and UDP traffic. It does not cache content; instead, it optimizes the network path. This makes it ideal for non-HTTP workloads (gaming, IoT, VoIP), TCP-based applications that benefit from connection affinity, and multi-region active-active or failover architectures.

This guide covers Global Accelerator architecture, endpoint configuration, health checks, traffic dials, client affinity, DDoS protection, and patterns for multi-region deployments.

Pricing

Global Accelerator charges a fixed hourly fee ($0.025/hour per accelerator, approximately $18/month) plus a data transfer premium based on the AWS regions used and the direction of traffic. The data transfer premium is on top of normal EC2/ALB data transfer charges. The performance benefits typically justify the cost for latency-sensitive or globally-distributed applications.

How Global Accelerator Works

When a user connects to your application through Global Accelerator, the following happens: the user's DNS resolves to one of two static anycast IP addresses; the traffic is routed to the nearest AWS edge location (there are over 100 globally); from the edge, the traffic travels over the AWS private backbone to the optimal endpoint based on health, geography, and traffic dial settings.

Key Concepts

Concept         | Description
Accelerator     | The top-level resource with two static anycast IPs
Listener        | Processes inbound connections on specified ports and protocols (TCP/UDP)
Endpoint Group  | Regional grouping of endpoints with traffic dial and health check settings
Endpoint        | ALB, NLB, EC2 instance, or Elastic IP that receives traffic
Traffic Dial    | Percentage of traffic to route to an endpoint group (0-100%)
Client Affinity | Sticky sessions: route a client to the same endpoint consistently

Setting Up Global Accelerator

bash
# Create an accelerator
aws globalaccelerator create-accelerator \
  --name "myapp-accelerator" \
  --ip-address-type IPV4 \
  --enabled \
  --region us-west-2

# Note the two static anycast IPs in the output
# e.g., 75.2.60.5 and 99.83.190.102

# Create a listener (TCP on port 443)
ACCELERATOR_ARN="arn:aws:globalaccelerator::123456789012:accelerator/abc-123"

aws globalaccelerator create-listener \
  --accelerator-arn "$ACCELERATOR_ARN" \
  --port-ranges '[{"FromPort": 443, "ToPort": 443}]' \
  --protocol TCP \
  --client-affinity NONE \
  --region us-west-2

# Create endpoint groups in two regions
LISTENER_ARN="arn:aws:globalaccelerator::123456789012:accelerator/abc-123/listener/def-456"

# US East endpoint group. ClientIPPreservationEnabled means the ALB sees the
# real client source IP, so its security group must allow those client
# addresses rather than only Global Accelerator's internal address range.
aws globalaccelerator create-endpoint-group \
  --listener-arn "$LISTENER_ARN" \
  --endpoint-group-region us-east-1 \
  --traffic-dial-percentage 100 \
  --health-check-port 443 \
  --health-check-protocol HTTPS \
  --health-check-path "/health" \
  --health-check-interval-seconds 10 \
  --threshold-count 3 \
  --endpoint-configurations '[
    {
      "EndpointId": "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/myapp/abc123",
      "Weight": 128,
      "ClientIPPreservationEnabled": true
    }
  ]' \
  --region us-west-2

# EU West endpoint group
aws globalaccelerator create-endpoint-group \
  --listener-arn "$LISTENER_ARN" \
  --endpoint-group-region eu-west-1 \
  --traffic-dial-percentage 100 \
  --health-check-port 443 \
  --health-check-protocol HTTPS \
  --health-check-path "/health" \
  --endpoint-configurations '[
    {
      "EndpointId": "arn:aws:elasticloadbalancing:eu-west-1:123456789012:loadbalancer/app/myapp/def456",
      "Weight": 128,
      "ClientIPPreservationEnabled": true
    }
  ]' \
  --region us-west-2

Terraform Configuration

hcl
resource "aws_globalaccelerator_accelerator" "main" {
  name            = "myapp-accelerator"
  ip_address_type = "IPV4"
  enabled         = true

  attributes {
    flow_logs_enabled   = true
    flow_logs_s3_bucket = aws_s3_bucket.flow_logs.id
    flow_logs_s3_prefix = "globalaccelerator/"
  }

  tags = {
    Environment = "production"
  }
}

resource "aws_globalaccelerator_listener" "https" {
  accelerator_arn = aws_globalaccelerator_accelerator.main.id
  protocol        = "TCP"
  client_affinity = "SOURCE_IP"

  port_range {
    from_port = 443
    to_port   = 443
  }
}

resource "aws_globalaccelerator_endpoint_group" "us_east" {
  listener_arn          = aws_globalaccelerator_listener.https.id
  endpoint_group_region = "us-east-1"
  traffic_dial_percentage = 100

  health_check_port     = 443
  health_check_protocol = "HTTPS"
  health_check_path     = "/health"
  health_check_interval_seconds = 10
  threshold_count       = 3

  endpoint_configuration {
    endpoint_id                    = aws_lb.us_east.arn
    weight                         = 128
    client_ip_preservation_enabled = true
  }
}

resource "aws_globalaccelerator_endpoint_group" "eu_west" {
  listener_arn          = aws_globalaccelerator_listener.https.id
  endpoint_group_region = "eu-west-1"
  traffic_dial_percentage = 100

  health_check_port     = 443
  health_check_protocol = "HTTPS"
  health_check_path     = "/health"

  endpoint_configuration {
    endpoint_id                    = aws_lb.eu_west.arn
    weight                         = 128
    client_ip_preservation_enabled = true
  }
}

Health Checks and Failover

Global Accelerator performs health checks on endpoints within each endpoint group. If an endpoint fails health checks, traffic is automatically routed to healthy endpoints in the same group. If all endpoints in a group fail, traffic is routed to the nearest healthy endpoint group, providing automatic multi-region failover.

bash
# Check endpoint health status
aws globalaccelerator describe-endpoint-group \
  --endpoint-group-arn "arn:aws:globalaccelerator::123456789012:accelerator/abc-123/listener/def-456/endpoint-group/ghi-789" \
  --region us-west-2 \
  --query 'EndpointGroup.EndpointDescriptions[].{Endpoint:EndpointId, Health:HealthState, Weight:Weight}'

# Simulate failover by setting traffic dial to 0%
aws globalaccelerator update-endpoint-group \
  --endpoint-group-arn "arn:aws:globalaccelerator::123456789012:accelerator/abc-123/listener/def-456/endpoint-group/ghi-789" \
  --traffic-dial-percentage 0 \
  --region us-west-2

# Gradually shift traffic (blue/green deployment)
# Phase 1: Send 10% to new region
aws globalaccelerator update-endpoint-group \
  --endpoint-group-arn "$NEW_REGION_ARN" \
  --traffic-dial-percentage 10 \
  --region us-west-2

# Phase 2: Increase to 50%
# Phase 3: Shift to 100% after validation

DNS Caching Consideration

Unlike Route 53 failover (which depends on DNS TTL), Global Accelerator failover is nearly instant because it uses anycast routing at the network layer. There is no DNS change during failover; the same IP addresses continue to work, but traffic is re-routed at the edge. This makes Global Accelerator superior to DNS-based failover for applications that cannot tolerate the delay of DNS TTL expiration.

Client Affinity and Sticky Sessions

Client affinity (sticky sessions) ensures that requests from the same source IP address are consistently routed to the same endpoint. This is important for applications that maintain server-side session state. Global Accelerator supports two affinity modes: NONE (default, best for stateless apps) and SOURCE_IP (routes based on source IP).

bash
# Enable client affinity on a listener
aws globalaccelerator update-listener \
  --listener-arn "$LISTENER_ARN" \
  --client-affinity SOURCE_IP \
  --region us-west-2

# For more granular control, use endpoint weights
# Higher weight = more traffic
aws globalaccelerator update-endpoint-group \
  --endpoint-group-arn "$ENDPOINT_GROUP_ARN" \
  --endpoint-configurations '[
    {"EndpointId": "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/primary/abc", "Weight": 200},
    {"EndpointId": "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/secondary/def", "Weight": 50}
  ]' \
  --region us-west-2
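As an added illustration (not code from this guide or from AWS), the following Python models how traffic dials, endpoint weights, health state and SOURCE_IP affinity combine to choose an endpoint across the two endpoint groups configured above. The routing rules are a simplified assumption based on the behaviour described in the health-check and affinity sections, not AWS's published algorithm, and the topology and client addresses are constructed.

```python
import hashlib
import random

def topology(us_dial=100, us_healthy=True, eu_healthy=True):
    """Constructed sample topology: groups listed in order of proximity to the
    client. Dials, weights and health mirror the CLI examples above."""
    return [
        {"region": "us-east-1", "dial": us_dial, "endpoints": [
            {"id": "alb-primary", "weight": 200, "healthy": us_healthy},
            {"id": "alb-secondary", "weight": 50, "healthy": us_healthy}]},
        {"region": "eu-west-1", "dial": 100, "endpoints": [
            {"id": "alb-eu", "weight": 128, "healthy": eu_healthy}]},
    ]

def healthy_endpoints(group):
    # Failed health checks and weight 0 both take an endpoint out of rotation
    return [e for e in group["endpoints"] if e["healthy"] and e["weight"] > 0]

def pick_endpoint(groups, client_ip, affinity="NONE", rng=random):
    """Return (region, endpoint_id), or None when no healthy endpoint exists.
    Simplified model (assumption): dial% of flows stay in the closest healthy
    group, the rest spill to the next closest; the last healthy group takes
    whatever remains. Within a group, choice is weighted by endpoint weight."""
    if affinity == "SOURCE_IP":
        # Derive every random choice from the client IP so the same client is
        # pinned to the same endpoint while health and dials are unchanged
        seed = int(hashlib.sha256(client_ip.encode()).hexdigest(), 16)
        rng = random.Random(seed)
    candidates = [g for g in groups if healthy_endpoints(g)]
    for group in candidates:
        if group is candidates[-1] or rng.uniform(0, 100) < group["dial"]:
            eps = healthy_endpoints(group)
            chosen = rng.choices(eps, weights=[e["weight"] for e in eps])[0]
            return group["region"], chosen["id"]
    return None  # every endpoint in every group is unhealthy

def simulate(groups, flows=10000, seed=1):
    """Count where `flows` connections from constructed TEST-NET-2 clients land."""
    rng = random.Random(seed)
    counts = {}
    for i in range(flows):
        key = pick_endpoint(groups, f"198.51.100.{i % 250}", rng=rng)
        counts[key] = counts.get(key, 0) + 1
    return counts

if __name__ == "__main__":
    print(simulate(topology()))                  # all traffic stays in us-east-1
    print(simulate(topology(us_dial=10)))        # ~10% us-east-1, ~90% eu-west-1
    print(simulate(topology(us_healthy=False)))  # automatic regional failover
```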

DDoS Protection and Security

Global Accelerator provides built-in DDoS protection through AWS Shield Standard at no additional cost. The static anycast IPs absorb volumetric attacks at the edge before they reach your infrastructure. For advanced DDoS protection, you can subscribe to AWS Shield Advanced, which provides real-time attack notifications, DDoS Response Team (DRT) support, and cost protection for scaling during attacks.

bash
# Enable flow logs for security monitoring
aws globalaccelerator update-accelerator-attributes \
  --accelerator-arn "$ACCELERATOR_ARN" \
  --flow-logs-enabled \
  --flow-logs-s3-bucket "my-flow-logs-bucket" \
  --flow-logs-s3-prefix "globalaccelerator/" \
  --region us-west-2

# Flow log fields include:
# client_ip, client_port, accelerator_ip, accelerator_port,
# endpoint_ip, endpoint_port, protocol, packets, bytes,
# start_time, end_time, action (ACCEPT/REJECT)

# Associate with Shield Advanced (if subscribed)
aws shield create-protection \
  --name "accelerator-protection" \
  --resource-arn "$ACCELERATOR_ARN"
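Shield absorbs volumetric floods, but the flow logs enabled above are what let you see who is hitting the accelerator. As an added example (not from this guide or from AWS), this Python parses flow log records and flags clients by transferred volume or by repeated REJECTs across listener ports. The records are constructed, the header row is an assumption used to map columns by name (adapt it to the field order of your actual log files), and the thresholds are placeholders to tune per workload.

```python
from collections import defaultdict

# Constructed sample records (not real traffic). The header row is an
# assumption used to map columns by name; it uses the field names listed above
SAMPLE_LOG = """\
client_ip client_port accelerator_ip accelerator_port endpoint_ip endpoint_port protocol packets bytes start_time end_time action
203.0.113.10 51000 75.2.60.5 443 10.0.1.20 443 tcp 12 1800 1710400000 1710400010 ACCEPT
203.0.113.10 51001 75.2.60.5 443 10.0.1.20 443 tcp 9 1400 1710400000 1710400010 ACCEPT
198.51.100.7 40001 75.2.60.5 443 10.0.1.20 443 tcp 50000 3200000 1710400000 1710400010 ACCEPT
198.51.100.7 40002 75.2.60.5 443 10.0.1.20 443 tcp 48000 3000000 1710400000 1710400010 ACCEPT
198.51.100.9 1234 75.2.60.5 22 - - tcp 1 40 1710400000 1710400010 REJECT
198.51.100.9 1235 75.2.60.5 3389 - - tcp 1 40 1710400000 1710400010 REJECT
198.51.100.9 1236 75.2.60.5 8080 - - tcp 1 40 1710400000 1710400010 REJECT
"""

INT_FIELDS = ("client_port", "accelerator_port", "packets", "bytes")

def parse_flow_log(text):
    """Map each space-separated record to a dict keyed by the header names."""
    lines = [l for l in text.splitlines() if l.strip()]
    header = lines[0].split()
    records = []
    for line in lines[1:]:
        rec = dict(zip(header, line.split()))
        for name in INT_FIELDS:
            rec[name] = int(rec[name])
        records.append(rec)
    return records

def summarize_clients(records):
    """Aggregate bytes, packets, rejects and probed listener ports per client."""
    stats = defaultdict(lambda: {"bytes": 0, "packets": 0, "rejects": 0, "ports": set()})
    for rec in records:
        s = stats[rec["client_ip"]]
        s["bytes"] += rec["bytes"]
        s["packets"] += rec["packets"]
        if rec["action"] == "REJECT":
            s["rejects"] += 1
            s["ports"].add(rec["accelerator_port"])
    return stats

def flag_clients(stats, byte_threshold=1_000_000, reject_threshold=3):
    """Flag high-volume sources and clients repeatedly rejected at the edge.
    Thresholds are placeholder assumptions; tune them to the workload."""
    flagged = {}
    for ip, s in stats.items():
        if s["bytes"] >= byte_threshold:
            flagged[ip] = "high-volume"
        elif s["rejects"] >= reject_threshold:
            flagged[ip] = f"rejected on {len(s['ports'])} ports"
    return flagged

if __name__ == "__main__":
    for ip, reason in flag_clients(summarize_clients(parse_flow_log(SAMPLE_LOG))).items():
        print(ip, reason)
```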

Global Accelerator vs CloudFront vs Route 53

Feature          | Global Accelerator        | CloudFront                   | Route 53
Layer            | L4 (TCP/UDP)              | L7 (HTTP/HTTPS)              | DNS
Caching          | No                        | Yes (edge caching)           | N/A
Static IPs       | Yes (2 anycast IPs)       | No (uses DNS names)          | No
Failover Speed   | Instant (network-level)   | Origin failover (seconds)    | DNS TTL dependent (60s+)
Non-HTTP Support | Yes (TCP, UDP)            | No (HTTP/WebSocket only)     | N/A (routing only)
Best For         | TCP/UDP apps, gaming, IoT | Web content, APIs, streaming | DNS routing, health checks

Monitoring and Troubleshooting

bash
# View accelerator CloudWatch metrics. Global Accelerator publishes its metrics
# in us-west-2, so query and alarm on them there.
aws cloudwatch list-metrics \
  --namespace "AWS/GlobalAccelerator" \
  --dimensions Name=Accelerator,Value=abc-123 \
  --region us-west-2

# Key metrics:
# ProcessedBytesIn / ProcessedBytesOut - Traffic volume
# NewFlowCount - New TCP/UDP connections
# HealthyEndpointCount - Endpoints passing health checks

# Monitor healthy endpoint count. The SNS topic must live in the same region
# as the alarm.
aws cloudwatch put-metric-alarm \
  --alarm-name "ga-unhealthy-endpoints" \
  --namespace "AWS/GlobalAccelerator" \
  --metric-name "HealthyEndpointCount" \
  --dimensions Name=Accelerator,Value=abc-123 Name=Listener,Value=def-456 Name=EndpointGroup,Value=ghi-789 \
  --statistic Minimum \
  --period 60 \
  --evaluation-periods 3 \
  --threshold 1 \
  --comparison-operator LessThanThreshold \
  --alarm-actions "arn:aws:sns:us-west-2:123456789012:ops-alerts" \
  --region us-west-2

# Test connectivity from different regions using curl. The anycast IP carries
# no matching TLS certificate, so pin your hostname to the IP with --resolve
# (replace app.example.com with your application's hostname):
# curl -s -o /dev/null -w "HTTP %{http_code} in %{time_total}s\n" \
#   --resolve app.example.com:443:75.2.60.5 https://app.example.com/health

Combine with CloudFront

Global Accelerator and CloudFront are complementary. Use CloudFront for cacheable HTTP content (static assets, APIs with GET responses) and Global Accelerator for non-cacheable TCP/UDP traffic (WebSockets, gaming, VoIP) or when you need static IP addresses for firewall allowlisting. Some architectures use both: CloudFront for the web application and Global Accelerator for the backend API.


Key Takeaways

  1. Global Accelerator provides two static anycast IPs that route traffic through the AWS backbone.
  2. Traffic dials enable gradual traffic shifting for blue/green and canary deployments.
  3. Health checks provide automatic multi-region failover without DNS TTL delays.
  4. Built-in AWS Shield Standard DDoS protection absorbs volumetric attacks at the edge.

Frequently Asked Questions

How is Global Accelerator different from CloudFront?
Global Accelerator is a Layer 4 network accelerator for TCP/UDP traffic; it does not cache content. CloudFront is a Layer 7 CDN that caches content at edge locations. Use Global Accelerator for non-HTTP workloads (gaming, IoT, VoIP) or when you need static IPs. Use CloudFront for cacheable web content.
How much does Global Accelerator cost?
Global Accelerator charges $0.025/hour per accelerator (~$18/month) plus a data transfer premium based on regions. The data transfer premium is on top of normal EC2/ALB charges. The performance and availability benefits typically justify the cost for latency-sensitive applications.

Written by CloudToolStack Team

Cloud engineers and architects with hands-on experience across AWS, Azure, and GCP. We write guides based on real-world production patterns, not just documentation rewrites.

Disclaimer: This guide is for educational purposes. Cloud services change frequently; always refer to official documentation for the latest information. AWS, Azure, and GCP are trademarks of their respective owners.