

What are the steps to configure network ACLs for Global Accelerator


To configure network ACLs (Access Control Lists) for AWS Global Accelerator, follow these detailed steps:

1. Understand the Role of Network ACLs with Global Accelerator
Network ACLs are stateless firewalls that control inbound and outbound traffic at the subnet level within your VPC. When using Global Accelerator, which routes traffic to endpoints such as load balancers or EC2 instances in one or more AWS Regions, you must ensure that the network ACLs associated with the subnets hosting these endpoints allow the necessary traffic. This includes traffic from Global Accelerator's static IP addresses and the ports your application uses[3][6].

2. Identify the Subnets Hosting Your Endpoints
Determine which VPC subnets contain the endpoints (e.g., Application Load Balancers, Network Load Balancers, or EC2 instances) that Global Accelerator will route traffic to. For a custom routing accelerator, you add one or more VPC subnets as endpoints[6][8].

3. Review Global Accelerator IP Address Ranges
Global Accelerator uses static IP addresses that are anycast from multiple AWS edge locations. AWS publishes the IP address ranges used by Global Accelerator. You should create custom prefix lists or include these IP ranges in your network ACL rules to allow traffic from Global Accelerator[4].

4. Configure Inbound Rules on Network ACLs
- Allow inbound traffic on the ports your application listens to (e.g., TCP ports 80, 443, or custom ports).
- Allow inbound traffic from the Global Accelerator IP address ranges or prefix lists. This ensures that traffic routed by Global Accelerator can reach your endpoints.
- Order the rules carefully: network ACLs evaluate rules in ascending rule-number order and apply the first matching rule[3][6].

5. Configure Outbound Rules on Network ACLs
- Allow outbound responses to the source IPs and ports as necessary. Since network ACLs are stateless, you must explicitly allow outbound traffic that corresponds to inbound requests.
- Typically, allow outbound traffic to ephemeral ports (e.g., TCP ports 1024-65535) to support return traffic to clients or Global Accelerator endpoints[3].
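The rule set steps 3 to 5 describe, as an added example that is not part of the AWS documentation or of any AWS tool. The Global Accelerator ranges, application ports and network ACL id below are constructed placeholders (the real ranges come from AWS's published ip-ranges.json). Network ACL entries are written as CIDR blocks, so each range becomes its own inbound entry per application port and one outbound entry for the ephemeral range; the dictionaries are in the keyword shape boto3's `ec2.create_network_acl_entry(**entry)` accepts, but the example does not call AWS. The `evaluate` function then applies the packets the way a network ACL does, which makes the two points that trip people up visible: a lower-numbered rule wins regardless of later rules, and the inbound and outbound verdicts are independent, so a missing ephemeral-port outbound rule silently breaks every reply.

```python
"""Stateless network ACL rules for the subnets behind a Global Accelerator endpoint.

Added example, not from the AWS documentation. Builds inbound and outbound
rule entries in the keyword shape ec2.create_network_acl_entry(**entry) takes
in boto3, then evaluates sample packets the way a network ACL does: rules in
ascending rule-number order, first match wins, no match means deny, and each
direction evaluated on its own.
"""
import ipaddress

# Constructed stand-ins for the published Global Accelerator ranges; take the
# real values from AWS's published ip-ranges.json, not from here.
GA_PREFIXES = ["192.0.2.0/24", "198.51.100.0/24"]
APP_PORTS = [80, 443]        # ports the application listens on (assumption)
EPHEMERAL = (1024, 65535)    # replies go to the client's ephemeral port
NACL_ID = "acl-PLACEHOLDER"  # placeholder for the real network ACL id


def entry(number, action, egress, cidr, port_from, port_to, nacl_id=NACL_ID):
    """One TCP rule entry (Protocol "6" is TCP in the network ACL API)."""
    return {
        "NetworkAclId": nacl_id, "RuleNumber": number, "Protocol": "6",
        "RuleAction": action, "Egress": egress, "CidrBlock": cidr,
        "PortRange": {"From": port_from, "To": port_to},
    }


def build_rules(prefixes=GA_PREFIXES, app_ports=APP_PORTS):
    """Inbound: each accelerator prefix to each application port.
    Outbound: replies back to each prefix on the ephemeral range."""
    rules, number = [], 100
    for cidr in prefixes:
        for port in app_ports:
            rules.append(entry(number, "allow", False, cidr, port, port))
            number += 10
    number = 100  # inbound and outbound rule numbers are separate sequences
    for cidr in prefixes:
        rules.append(entry(number, "allow", True, cidr, *EPHEMERAL))
        number += 10
    return rules


def evaluate(rules, egress, remote_ip, dst_port):
    """Verdict for one TCP packet. remote_ip is the source of an inbound packet
    or the destination of an outbound one; dst_port is the packet's destination port."""
    addr = ipaddress.ip_address(remote_ip)
    for rule in sorted((r for r in rules if r["Egress"] == egress),
                       key=lambda r: r["RuleNumber"]):
        if addr not in ipaddress.ip_network(rule["CidrBlock"]):
            continue
        if not rule["PortRange"]["From"] <= dst_port <= rule["PortRange"]["To"]:
            continue
        return rule["RuleAction"]          # first matching rule wins
    return "deny"                          # implicit default rule "*"


def check_exchange(rules, client_ip, client_port, app_port):
    """(inbound verdict for the request, outbound verdict for the reply).
    A stateless ACL needs both to be 'allow' for the connection to work."""
    return (evaluate(rules, False, client_ip, app_port),
            evaluate(rules, True, client_ip, client_port))


if __name__ == "__main__":
    rules = build_rules()
    print(check_exchange(rules, "192.0.2.10", 51234, 443))         # ('allow', 'allow')
    inbound_only = [r for r in rules if not r["Egress"]]
    print(check_exchange(inbound_only, "192.0.2.10", 51234, 443))  # ('allow', 'deny')
```

The second print is the stateless trap from step 5: with only inbound rules the request is accepted but the reply is dropped, and nothing in the inbound rule set hints at it.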

6. Associate Network ACLs with the Appropriate Subnets
- In the VPC console, associate the configured network ACL with the subnets where your Global Accelerator endpoints reside.
- Each subnet can be associated with only one network ACL at a time, so ensure that the ACL you configure is applied to all relevant subnets[3].

7. Test and Validate Traffic Flow
- After configuring the network ACLs, test that traffic from Global Accelerator reaches your endpoints correctly.
- Use VPC Flow Logs to confirm that the traffic is accepted and, if you manage multiple accounts and subnets, AWS Firewall Manager compliance reports. Firewall Manager can help automate and monitor network ACL configurations across your AWS organization[3].
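One way to do the Flow Logs check from step 7, as an added example that is not part of the AWS documentation. The records are constructed sample lines in the default flow log format, and the Global Accelerator ranges are constructed stand-ins. The function counts REJECTed TCP flows whose source lies in those ranges; when restricted to the application ports, what remains is exactly the traffic the network ACL should have allowed. A flow log record only says ACCEPT or REJECT, not whether a network ACL or a security group rejected it, so a hit means checking both, as the additional notes below say.

```python
"""Check VPC Flow Logs for rejected traffic from the accelerator ranges.

Added example, not from the AWS documentation. Parses records in the default
flow log format and counts REJECTed TCP flows whose source is inside the
Global Accelerator ranges; those are the flows a network ACL (or a security
group; a flow log record does not say which) is blocking.
"""
import ipaddress
from collections import Counter

# Default flow log record fields (version 2 format).
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed stand-ins for the published Global Accelerator ranges.
GA_PREFIXES = ["192.0.2.0/24", "198.51.100.0/24"]

# Constructed sample records: an accepted flow, two rejected flows on 443 from
# one accelerator source, one reject on a port the app does not serve, one
# reject from outside the ranges, and one NODATA record with no addresses.
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0123456789abcdef0 192.0.2.10 10.0.1.25 49152 443 6 8 1200 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0123456789abcdef0 192.0.2.11 10.0.1.25 49153 443 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0123456789abcdef0 192.0.2.11 10.0.1.25 49154 443 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0123456789abcdef0 198.51.100.7 10.0.1.25 49155 8443 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0123456789abcdef0 203.0.113.9 10.0.1.25 49156 22 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0123456789abcdef0 - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse_flow_log(text):
    """Return the records that carry addresses; NODATA/SKIPDATA lines are dashes."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        record = dict(zip(FIELDS, parts))
        if record["log_status"] == "OK":
            records.append(record)
    return records


def rejected_accelerator_flows(records, prefixes=GA_PREFIXES, app_ports=None):
    """Count REJECTed TCP flows from the given prefixes, keyed by (source, dstport).
    With app_ports set, only the ports the application serves are counted,
    i.e. the traffic the ACL ought to have allowed."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    hits = Counter()
    for rec in records:
        if rec["action"] != "REJECT" or rec["protocol"] != "6":
            continue
        src = ipaddress.ip_address(rec["srcaddr"])
        dport = int(rec["dstport"])
        if not any(src in net for net in nets):
            continue
        if app_ports is not None and dport not in app_ports:
            continue
        hits[(rec["srcaddr"], dport)] += 1
    return dict(hits)


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_FLOW_LOG)
    print(rejected_accelerator_flows(recs, app_ports={80, 443}))  # {('192.0.2.11', 443): 2}
```

Run it over a real export by replacing `SAMPLE_FLOW_LOG` with the log text and `GA_PREFIXES` with the published ranges; a non-empty result after the network ACL change means a rule is still missing or is shadowed by a lower-numbered deny.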

8. Optional: Use AWS Firewall Manager for Centralized Management
- If you manage multiple accounts or a large number of subnets, consider using AWS Firewall Manager to define and enforce network ACL policies centrally.
- Firewall Manager can automatically apply network ACL configurations to new subnets and report compliance status[3].

Additional Notes:
- Ensure that security groups associated with your endpoints also allow traffic from Global Accelerator IPs and required ports, as security groups and network ACLs work together to control traffic[6].
- When using custom routing accelerators, ensure that the network ACLs allow traffic to the specific ports used for deterministic routing to EC2 instances within the subnets[6][8].

By following these steps, you can properly configure network ACLs to secure and enable traffic flow for AWS Global Accelerator endpoints.

Citations:
[1] https://docs.aws.amazon.com/global-accelerator/latest/dg/introduction-how-it-works.html
[2] https://docs.aws.amazon.com/vpc/latest/userguide/create-network-acl.html
[3] https://docs.aws.amazon.com/pdfs/global-accelerator/latest/dg/global-accelerator-guide.pdf
[4] https://repost.aws/knowledge-center/globalaccelerator-limit-endpoint-access-by-securitygroup
[5] https://softwareengineering.stackexchange.com/questions/414351/a-recipe-for-handling-an-aws-network-request-from-start-to-finish-at-global-scal
[6] https://aws.amazon.com/blogs/networking-and-content-delivery/introducing-aws-global-accelerator-custom-routing-accelerators/
[7] https://boto3.amazonaws.com/v1/documentation/api/1.16.27/reference/services/globalaccelerator.html
[8] https://docs.aws.amazon.com/global-accelerator/latest/dg/introduction-get-started.html
[9] https://www.youtube.com/watch?v=CUYvzTd9vKE