Adding or updating endpoints with client IP address preservation - AWS Global Accelerator

A feature that you can use with some endpoint types is client IP address preservation. With this feature, AWS Global Accelerator preserves the source IP address of the original client for packets that arrive at the endpoint.

You can use this feature with endpoints that are Application Load Balancers, Network Load Balancers with security groups, and Amazon EC2 instances, subject to the additional requirements described in this section. Endpoints on custom routing accelerators always have the client IP address preserved.

This section provides information that is specific to endpoints that you want to add with client IP address preservation enabled. For information about overall requirements for endpoints, see Requirements for resources added as accelerator endpoints.

In addition, for more information about best practices with client IP address preservation, see Best practices for client IP address preservation.

About adding endpoints with client IP address preservation

If you intend to use the client IP address preservation feature, be aware of the following when you add endpoints to Global Accelerator, in addition to the overall requirements for endpoints in Global Accelerator.

Elastic IP addresses

Client IP address preservation is not supported for Elastic IP address endpoints in Global Accelerator.

Network Load Balancer endpoints

If you want to enable client IP address preservation when you add Network Load Balancer resources as endpoints to Global Accelerator, be aware that client IP address preservation is not supported for the following:

  • Network Load Balancers without security groups

  • Network Load Balancers with security groups that have TLS listeners attached

  • Network Load Balancers with security groups that perform IPv4 to IPv6 NAT translation to their EC2 targets

In addition, for Network Load Balancers, client IP address preservation is supported only when targets are in the same VPC as the Network Load Balancer. Traffic must flow directly from the Network Load Balancer to the target.

Elastic network interfaces

To support client IP address preservation, Global Accelerator creates elastic network interfaces in your AWS account—one for each subnet where an endpoint is present. For more information about how Global Accelerator works with elastic network interfaces, see Best practices for client IP address preservation.

Endpoints in private subnets

You can target an Application Load Balancer, Network Load Balancer, or EC2 instance in a private subnet using AWS Global Accelerator, but you must have an internet gateway attached to the VPC that contains the endpoints. For more information, see Secure VPC connections in AWS Global Accelerator.

As a best practice, use private subnets if you want to ensure that traffic is delivered only by Global Accelerator. Also, make sure that inbound security group rules are configured appropriately to correctly allow or deny traffic for your applications.

Add the client IP address to the allow list

Before you add and begin to route traffic to endpoints that preserve the client IP address, make sure that all your required security configurations, for example, security groups, are updated to include the client IP addresses of your users on the allow list. Network access control lists (ACLs) only apply to egress (outbound) traffic. If you need to filter ingress (inbound) traffic, you must use security groups.

Configure network access control lists (ACLs)

Network ACLs associated with your VPC subnets apply to egress (outbound) traffic when client IP address preservation is enabled on your accelerator. However, for traffic to be allowed to exit through Global Accelerator, you must configure both an inbound rule and an outbound rule in the network ACL.

For example, to allow TCP and UDP clients using an ephemeral source port to connect to your endpoint through Global Accelerator, associate the subnet of your endpoint with a Network ACL that allows outbound traffic destined to an ephemeral TCP or UDP port (port range 1024-65535, destination 0.0.0.0/0). In addition, create a matching inbound rule (port range 1024-65535, source 0.0.0.0/0).

Be aware of the following for security groups and WAF:

  • Security group and AWS WAF rules are an additional set of capabilities that you can apply to protect your resources. For example, the inbound security group rules associated with your Amazon EC2 instances and Application Load Balancers allow you to control the destination ports that clients can connect to through Global Accelerator, such as port 80 for HTTP or port 443 for HTTPS.

  • Amazon EC2 instance security groups apply to any traffic that arrives at your instances, including traffic from Global Accelerator and traffic to any public or Elastic IP address that is assigned to your instance.
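The following is an added example, not code from the AWS Global Accelerator documentation. It models, statelessly, the checks described in the allow-list, network ACL and security-group passages above for a connection reaching an endpoint with client IP address preservation enabled: the subnet's network ACL inbound and outbound rule tables (lowest rule number first, first match wins, implicit deny otherwise) and the endpoint's allow-only security group ingress rules. The ephemeral-port rules (1024-65535, 0.0.0.0/0) come from the page; the HTTPS listener rule, the denied client range and all addresses and ports are constructed sample values, and the `Rule`, `Flow` and `evaluate` names are the example's own.

```python
"""Added example, not code from the AWS Global Accelerator documentation.

Stateless model of the checks a client connection must pass at an endpoint
that has client IP address preservation enabled. Rule sets, addresses and
ports are constructed sample values, not real resources."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Rule:
    number: int            # evaluation order for network ACLs; unused for security groups
    protocol: str          # "tcp", "udp" or "all"
    port_from: int
    port_to: int
    cidr: str              # source CIDR for inbound rules, destination CIDR for outbound
    action: str = "allow"  # "allow" or "deny" (security group rules are always allow)


@dataclass(frozen=True)
class Flow:
    protocol: str
    client_ip: str
    client_port: int       # ephemeral source port chosen by the client
    endpoint_ip: str
    endpoint_port: int     # listener port on the endpoint, e.g. 443


def _matches(rule, proto, ip, port):
    return (rule.protocol in ("all", proto)
            and rule.port_from <= port <= rule.port_to
            and ipaddress.ip_address(ip) in ipaddress.ip_network(rule.cidr))


def nacl_decision(rules, proto, ip, port):
    """Network ACL semantics: ascending rule-number order, first match decides,
    and the trailing '*' rule denies anything that matched nothing."""
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule, proto, ip, port):
            return rule.action
    return "deny"


def security_group_allows(ingress, proto, src_ip, dst_port):
    """Security groups are allow-only: any matching ingress rule admits the flow."""
    return any(_matches(r, proto, src_ip, dst_port) for r in ingress)


def evaluate(flow, nacl_inbound, nacl_outbound, sg_ingress):
    """Return ("allowed", "") or ("denied", <the check that rejected the flow>).

    With client IP address preservation the packet reaching the endpoint carries
    the client's own source address, so every check sees the client IP rather
    than a Global Accelerator address."""
    # Request: the inbound NACL sees the client source IP and the listener port.
    if nacl_decision(nacl_inbound, flow.protocol, flow.client_ip, flow.endpoint_port) != "allow":
        return ("denied", "inbound network ACL")
    # Request: the security group's ingress rules must list the client IP range.
    if not security_group_allows(sg_ingress, flow.protocol, flow.client_ip, flow.endpoint_port):
        return ("denied", "security group ingress")
    # Reply: NACLs are stateless, so the response to the client's ephemeral port
    # needs its own outbound rule (the page's 1024-65535 to 0.0.0.0/0 rule).
    if nacl_decision(nacl_outbound, flow.protocol, flow.client_ip, flow.client_port) != "allow":
        return ("denied", "outbound network ACL (ephemeral port)")
    return ("allowed", "")


# Constructed sample configuration. 203.0.113.0/24, 198.51.100.0/24 and
# 192.0.2.0/24 are documentation ranges standing in for real client networks.
NACL_INBOUND = [
    Rule(90, "tcp", 443, 443, "192.0.2.0/24", "deny"),   # assumed: a blocked client range
    Rule(100, "tcp", 1024, 65535, "0.0.0.0/0"),          # ephemeral-port rule from the page
    Rule(110, "tcp", 443, 443, "0.0.0.0/0"),             # assumed: the endpoint's HTTPS listener
]
NACL_OUTBOUND = [
    Rule(100, "tcp", 1024, 65535, "0.0.0.0/0"),          # ephemeral-port rule from the page
]
SG_INGRESS = [
    Rule(0, "tcp", 443, 443, "203.0.113.0/24"),          # assumed: allow-listed client range
]

ALLOWED_CLIENT = Flow("tcp", "203.0.113.10", 51234, "10.0.1.20", 443)
UNLISTED_CLIENT = Flow("tcp", "198.51.100.7", 40000, "10.0.1.20", 443)
BLOCKED_CLIENT = Flow("tcp", "192.0.2.5", 40000, "10.0.1.20", 443)


def demo():
    """Three constructed clients plus the page's failure mode: a network ACL
    with no outbound ephemeral-port rule drops the reply to the client."""
    return {
        "allow_listed": evaluate(ALLOWED_CLIENT, NACL_INBOUND, NACL_OUTBOUND, SG_INGRESS),
        "unlisted": evaluate(UNLISTED_CLIENT, NACL_INBOUND, NACL_OUTBOUND, SG_INGRESS),
        "blocked_by_nacl": evaluate(BLOCKED_CLIENT, NACL_INBOUND, NACL_OUTBOUND, SG_INGRESS),
        "no_outbound_rule": evaluate(ALLOWED_CLIENT, NACL_INBOUND, [], SG_INGRESS),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18s} {verdict}")
```

The `unlisted` case is the one to watch during a transition: a security group that was written for Global Accelerator's addresses will reject client source addresses the moment preservation is enabled, so the allow list has to be updated before traffic is shifted, as the Important note below says.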

Transitioning endpoints to use client IP address preservation

Follow the guidance in this section to transition one or more endpoints in your accelerator to endpoints that preserve the user's client IP address. You can optionally transition an Application Load Balancer, Network Load Balancer with security groups, or Elastic IP address endpoint to a corresponding load balancer or EC2 instance endpoint that has client IP address preservation. For more information, see Preserve client IP addresses in AWS Global Accelerator.

We recommend that you transition to using client IP address preservation slowly. First, add new load balancer or EC2 instance endpoints that you enable to preserve the client IP address. Then slowly move traffic from existing endpoints to the new endpoints by configuring weights on the endpoints.

Important

Before you begin to route traffic to endpoints that preserve the client IP address, make sure that every configuration in which you have included Global Accelerator IP addresses on an allow list is updated to allow the client IP addresses of your users instead.

Client IP address preservation is supported in all AWS Regions where Global Accelerator is supported. For a list of supported Regions, see AWS Region availability for AWS Global Accelerator.

This section explains how to work with endpoint groups on the AWS Global Accelerator console. If you want to use API operations with Global Accelerator, see the AWS Global Accelerator API Reference.

After you move a small amount of traffic to the new endpoint with client IP address preservation, test to make sure that your configuration is working as you expect it to. Then gradually increase the proportion of traffic to the new endpoint by adjusting the weights on the corresponding endpoints.

To transition to endpoints that preserve client IP addresses, start by following the steps here to add a new endpoint and, if needed, enable client IP address preservation. (The client IP address preservation option is always selected for internal Application Load Balancers and EC2 instances.)

To add an endpoint with client IP address preservation

  1. Open the Global Accelerator console at https://console.aws.amazon.com/globalaccelerator/home.

  2. On the Accelerators page, choose an accelerator.

  3. In the Listeners section, choose a listener.

  4. In the Endpoint group section, choose an endpoint group.

  5. In the Endpoints section, choose Add endpoint.

  6. On the Add endpoints page, in the Endpoints drop-down menu, choose an endpoint that supports client IP address preservation.

  7. In the Weight field, choose a low number compared to the weights that are set for your existing endpoints. For example, if the weight for a corresponding Application Load Balancer is 255, you could enter a weight of 5 for the new Application Load Balancer, to start with. For more information, see Endpoint weights.

  8. If needed, under Preserve client IP address, select Preserve address.

  9. Choose Save changes.

Next, follow these steps to edit the existing endpoints that you're replacing with the new endpoints that have client IP address preservation, reducing their weights so that less traffic goes to them.

To reduce traffic for the existing endpoints

  1. On the Endpoint group page, choose an existing endpoint that doesn't have client IP address preservation.

  2. Choose Edit.

  3. On the Edit endpoint page, in the Weight field, enter a lower number than the current one. For example, if the weight for the existing endpoint is 255, you could enter 220.

  4. Choose Save changes.

After you’ve tested with a small portion of the original traffic by setting the weight for the new endpoint to a low number, you can slowly transition all the traffic by continuing to adjust the weights for the original and new endpoints.

For example, say you start with an existing Application Load Balancer with a weight of 200, and you add a new Application Load Balancer endpoint that has client IP address preservation enabled, with a weight of 5. Gradually shift traffic from the original Application Load Balancer to the new one by increasing the weight for the new Application Load Balancer and decreasing the weight for the original. For example:

  • Original weight 190/new weight 10

  • Original weight 180/new weight 20

  • Original weight 170/new weight 30, and so on.

When you have decreased the weight to 0 for the original endpoint, all traffic (in this example scenario) goes to the new Application Load Balancer endpoint, which includes client IP address preservation.
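The following is an added example, not code from the AWS Global Accelerator documentation. It generates the weight schedule the procedure above describes (the page's 190/10, 180/20, 170/30 sequence down to 0/200) and reports the share of the endpoint group's traffic each endpoint receives at every step, so the size of each step can be checked before it is applied in the console. It assumes, as the page's examples do, that traffic is split in proportion to endpoint weights and that a weight lies between 0 and 255; the `transition_plan` and `traffic_share` names are the example's own.

```python
"""Added example, not code from the AWS Global Accelerator documentation.

Plans the gradual weight shift from an endpoint without client IP address
preservation to one with it. Assumes proportional routing by weight and a
0-255 weight range."""

MAX_WEIGHT = 255


def traffic_share(weights):
    """Fraction of the endpoint group's traffic each endpoint receives,
    computed as weight / sum of weights."""
    total = sum(weights.values())
    if total == 0:
        raise ValueError("all weights are 0; the group can receive no traffic")
    return {name: weight / total for name, weight in weights.items()}


def transition_plan(original_weight, step):
    """Successive (original, new) weight pairs that move `step` units of weight
    per step from the original endpoint to the new one, ending at (0, original).
    With original_weight=200 and step=10 this is the page's 190/10, 180/20,
    170/30, ... sequence; a last partial step absorbs any remainder."""
    if not 0 < original_weight <= MAX_WEIGHT:
        raise ValueError("original weight must be between 1 and 255")
    if step <= 0:
        raise ValueError("step must be positive")
    plan = []
    moved = 0
    while moved < original_weight:
        moved = min(moved + step, original_weight)
        plan.append((original_weight - moved, moved))
    return plan


if __name__ == "__main__":
    # Constructed walkthrough of the page's example: original 200, steps of 10.
    for orig, new in transition_plan(200, 10):
        share = traffic_share({"original": orig, "new": new})
        print(f"original {orig:3d} / new {new:3d} -> new endpoint gets {share['new']:.0%}")
```

Reverting at any point is the same arithmetic in the other direction: set the original endpoint back to its full weight and the endpoint with client IP address preservation to 0, as described at the end of this section.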

If you have additional endpoints—load balancers or EC2 instances—that you want to transition to use client IP address preservation, repeat the steps in this section to transition them.

If you need to revert your configuration for an endpoint so that traffic to the endpoint doesn't preserve the client IP address, you can do that at any time: increase the weight for the endpoint that does not have client IP address preservation to the original value, and decrease the weight for the endpoint with client IP address preservation to 0.