AWS Global Accelerator handles IP address blocking by client networks primarily through its use of multiple static IP addresses and fault-tolerant routing across isolated network zones. Each standard accelerator is assigned two static IPv4 addresses (or four addresses for a dual-stack accelerator: two IPv4 and two IPv6), which are anycast from the AWS edge network and serve as fixed entry points for client traffic; the accelerator's DNS name resolves to both. The two addresses come from different IP subnets in separate, isolated network zones, so a routing or blocking problem affecting one subnet is unlikely to affect the other[10].
If a client network blocks one of the static IP addresses, or a network disruption makes one of them unreachable, the client application can retry its connection against the other static IP address, which is served from the other network zone. Note that this failover has to happen on the client side: the accelerator cannot reroute traffic that never reaches it, so client code should resolve the accelerator's DNS name to both addresses and fall back to the second one when the first fails to connect within a short timeout[3][10].
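As an added illustration (not AWS's own code and not taken from any of the cited pages), the following Python routine implements that client-side failover: it resolves an accelerator's DNS name to its static addresses and tries each one with a short connect timeout. `demo_failover` stands in for the two static IPs with two loopback ports, one refusing connections and one accepting them, so the block runs offline; the hostname, port and timeout values are assumptions.

```python
import socket

# Assumed values; a real client would take these from its configuration.
ACCELERATOR_HOSTNAME = "a1234567890abcdef.awsglobalaccelerator.com"  # hypothetical accelerator DNS name
ACCELERATOR_PORT = 443
CONNECT_TIMEOUT = 3.0  # seconds per address; a blocked IP usually drops SYNs silently, so keep this short


def resolve_accelerator(hostname, port):
    """Resolve the accelerator's DNS name to its static addresses, IPv4 and (dual-stack) IPv6, without duplicates."""
    seen = set()
    addresses = []
    for _family, _type, _proto, _canon, sockaddr in socket.getaddrinfo(hostname, port, type=socket.SOCK_STREAM):
        host = sockaddr[0]
        if host not in seen:
            seen.add(host)
            addresses.append((host, port))
    return addresses


def connect_with_failover(addresses, timeout=CONNECT_TIMEOUT):
    """Try each static address in order and return (socket, address) for the first one that accepts.

    Raises ConnectionError listing every failure when no address is reachable, so the caller can
    distinguish "all entry points blocked" from an ordinary application error.
    """
    failures = []
    for host, port in addresses:
        try:
            sock = socket.create_connection((host, port), timeout=timeout)
            sock.settimeout(None)  # connect timeout only; hand the caller a normal blocking socket
            return sock, (host, port)
        except OSError as exc:  # refused, timed out, unreachable: move on to the other static IP
            failures.append((host, port, repr(exc)))
    raise ConnectionError(f"all accelerator addresses failed: {failures}")


def demo_failover():
    """Constructed stand-in for the two static IPs, using two loopback ports instead of real anycast addresses.

    The first address has no listener (connections are refused, playing the blocked IP); the second has
    one (the healthy IP). Returns which address the client ended up using.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    healthy = listener.getsockname()

    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    blocked = probe.getsockname()
    probe.close()  # port is now closed; a real block would more likely time out than refuse

    try:
        sock, used = connect_with_failover([blocked, healthy], timeout=1.0)
        sock.close()
    finally:
        listener.close()
    return {"blocked": blocked, "healthy": healthy, "used": used, "failed_over": used == healthy}


if __name__ == "__main__":
    print(demo_failover())
    # Against a real accelerator (needs network access):
    # sock, used = connect_with_failover(resolve_accelerator(ACCELERATOR_HOSTNAME, ACCELERATOR_PORT))
```

Resolving the DNS name rather than hard-coding the two addresses keeps the client correct if the accelerator is ever recreated, while the per-address timeout is what makes the fallback usable in practice: a network that drops packets to one static IP produces no error at all, only silence.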
Additionally, Global Accelerator supports "Bring Your Own IP" (BYOIP), which lets customers use address ranges they already own and are authorized to advertise as the accelerator's static entry points. This helps where client networks keep IP allow lists: the customer can bring addresses that those networks already trust rather than asking them to allow-list AWS-assigned ones[2][8].
Regarding client IP address preservation, Global Accelerator can deliver traffic to endpoints such as Application Load Balancers, Network Load Balancers and EC2 instances with the original client source IP intact (which endpoint types and configurations support this is listed in the docs). Preservation works at the packet level, not through an HTTP header: the accelerator forwards traffic through an elastic network interface it creates in the endpoint's VPC, so the endpoint's security group, the load balancer, and therefore AWS WAF and the X-Forwarded-For header that an Application Load Balancer populates all see the real client address rather than the accelerator's own addresses. Without preservation, the endpoint only sees traffic sourced from the accelerator, and any IP-based filtering there is limited to allowing or denying the accelerator itself. The practical caveat is that with preservation enabled the endpoint's security group rules must permit the client IP ranges; a rule that allows only the accelerator's addresses will drop the traffic[1][5][7][9].
In summary, Global Accelerator mitigates IP address blocking by:
- Providing two static IP addresses from separate network zones to ensure redundancy and fault tolerance. If one IP is blocked, traffic can be retried on the other[3][10].
- Allowing customers to bring their own IP addresses, which can be pre-approved or allowed by client networks[2][8].
- Supporting client IP address preservation, so that security groups and AWS WAF at the endpoint can filter on the original client source IP rather than on the accelerator's addresses, provided the endpoint's rules allow the client ranges[1][5][7][9].
This combination of static IP redundancy, BYOIP, and client IP preservation helps maintain connectivity and manage IP blocking by client networks effectively.
Citations:
[1] https://docs.aws.amazon.com/global-accelerator/latest/dg/preserve-client-ip-address.html
[2] https://aws.amazon.com/global-accelerator/features/
[3] https://aws.amazon.com/global-accelerator/faqs/
[4] https://repost.aws/knowledge-center/globalaccelerator-limit-endpoint-access-by-securitygroup
[5] https://www.wafcharm.com/en/blog/how-to-apply-ip-filter-on-waf-to-access-from-aws-global-accelerator/
[6] https://boto3.amazonaws.com/v1/documentation/api/1.16.27/reference/services/globalaccelerator.html
[7] https://docs.aws.amazon.com/global-accelerator/latest/dg/about-endpoints.sipp-caveats.html
[8] https://cloudchipr.com/blog/aws-global-accelerator
[9] https://docs.aws.amazon.com/global-accelerator/latest/dg/preserve-client-ip-address.how-to-enable-preservation.html
[10] https://docs.aws.amazon.com/pdfs/global-accelerator/latest/dg/global-accelerator-guide.pdf