How do security groups interact with Global Accelerator for IP address management


AWS Global Accelerator interacts with security groups primarily through the elastic network interfaces (ENIs) it creates in your VPC for IP address management and traffic routing to your endpoints. Here is a detailed explanation of how security groups work with Global Accelerator:

Elastic Network Interfaces and Security Groups

- Global Accelerator creates one elastic network interface per subnet where you have endpoints registered. These ENIs are logical interfaces that handle traffic routing but do not represent a single host or bottleneck; they are part of a horizontally scaled, highly available service[2][5].

- All ENIs created by Global Accelerator within the same VPC share a single security group that Global Accelerator automatically creates for that VPC. This means regardless of which subnet an ENI is associated with, it uses the same security group[2].

- The security group created by Global Accelerator controls the traffic that can flow to the endpoints behind the accelerator. You should not modify the rules of this security group because changes can cause endpoint health issues. If you need to adjust access, it is recommended to contact AWS Support[2].

Using Security Groups with Endpoints

- You can use the Global Accelerator security group as a source group in your own security groups for your endpoints (e.g., EC2 instances, Network Load Balancers, Application Load Balancers). This allows you to restrict access so that only traffic coming through Global Accelerator is allowed, effectively blocking direct access to the endpoints from other sources[2][8].

- For example, if you want your Application Load Balancer (ALB) to accept traffic only from Global Accelerator, you can configure the ALB’s security group to allow inbound traffic only from the Global Accelerator security group. This setup enhances security by ensuring that all traffic to your endpoints is routed through Global Accelerator[8].

IP Address Management and Security Groups

- Global Accelerator provides static anycast IP addresses that are associated with your accelerator. These IPs are fronted by the ENIs in your VPC subnets. The security group attached to these ENIs governs the traffic that reaches your endpoints[4][9].

- When you use Global Accelerator with endpoints in private subnets, you must have an internet gateway attached to the VPC. The security groups on your endpoints must be configured to allow inbound traffic from the Global Accelerator security group or the static IP addresses to ensure proper connectivity[5].

Client IP Address Preservation and Security Groups

- For certain endpoint types (Application Load Balancers, Network Load Balancers with security groups, and EC2 instances), Global Accelerator can preserve the original client IP address. Traffic with the client IP preserved reaches the endpoint through the ENIs that Global Accelerator creates in your subnets, so the endpoint security groups must allow inbound traffic from those ENIs, i.e., from the Global Accelerator security group[5][6].

- The security groups on your endpoints apply to all traffic arriving at your instances, including traffic forwarded by Global Accelerator. Therefore, you need to ensure that your security groups allow traffic from the Global Accelerator ENIs or their associated IP ranges[5].

Best Practices

- Do not manually modify the security group created by Global Accelerator. Instead, configure your endpoint security groups to allow traffic from the Global Accelerator security group as the source.

- Place your endpoints in private subnets if you want traffic to reach them only through Global Accelerator; combined with an endpoint security group that admits only the Global Accelerator security group, this removes the direct-access path.

- Ensure that your VPC has sufficient IP address capacity in the subnets to accommodate the ENIs that Global Accelerator will create.

- If you want to limit access to your endpoints strictly via Global Accelerator, configure your endpoint security groups accordingly by allowing only the Global Accelerator security group as a source[2][3][8].
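The two practices above (using the Global Accelerator security group as the only inbound source on an ALB's or instance's security group, and auditing that nothing else has been allowed) can be checked and expressed as an API payload. The following is an added example, not code from the page or from AWS. It works on the JSON shape that `aws ec2 describe-security-groups` / boto3 `describe_security_groups()` return, looks up the Global Accelerator group by the `GlobalAccelerator` group name that the AWS documentation describes (treated here as an assumption for lookup), flags any rule on the listener ports whose source is not that group, and builds the `IpPermissions` payload for `authorize_security_group_ingress`. The sample groups, VPC ID and security group IDs are constructed placeholders.

```python
"""Audit an endpoint security group for "Global Accelerator only" ingress and
build the payload that enforces it.

Added example; not from the page or AWS. Operates on the dict shape returned
by `aws ec2 describe-security-groups` / boto3 describe_security_groups().
All IDs below are constructed placeholders.
"""
from typing import Dict, List, Tuple

# Group name AWS gives the security group it creates per VPC for Global
# Accelerator ENIs (per AWS docs); used here only to locate the group.
GA_GROUP_NAME = "GlobalAccelerator"  # assumption: matches your VPC's group


def find_global_accelerator_sg(groups: List[dict], vpc_id: str) -> str:
    """Return the ID of the Global Accelerator security group in vpc_id."""
    for sg in groups:
        if sg.get("VpcId") == vpc_id and sg.get("GroupName") == GA_GROUP_NAME:
            return sg["GroupId"]
    raise LookupError(f"no {GA_GROUP_NAME} security group in {vpc_id}")


def audit_listener_ingress(sg: dict, ga_sg_id: str,
                           ports: Tuple[int, ...]) -> Dict[str, List[str]]:
    """Classify inbound rules that cover any listener port.

    A rule counts as a violation when its source is anything other than the
    Global Accelerator security group: a CIDR, an IPv6 range, a prefix list,
    or a different security group. Such rules re-open direct access.
    """
    report: Dict[str, List[str]] = {"allowed_via_ga": [], "violations": []}
    for perm in sg.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        lo, hi = perm.get("FromPort"), perm.get("ToPort")
        # IpProtocol "-1" means all protocols and ports, so it always covers.
        covers = proto == "-1" or any(
            lo is not None and lo <= p <= hi for p in ports)
        if not covers:
            continue
        tag = f"{proto}/{lo}-{hi}"
        for pair in perm.get("UserIdGroupPairs", []):
            if pair.get("GroupId") == ga_sg_id:
                report["allowed_via_ga"].append(f"{tag} from {ga_sg_id}")
            else:
                report["violations"].append(
                    f"{tag} from sg {pair.get('GroupId')}")
        for rng in perm.get("IpRanges", []):
            report["violations"].append(f"{tag} from {rng['CidrIp']}")
        for rng in perm.get("Ipv6Ranges", []):
            report["violations"].append(f"{tag} from {rng['CidrIpv6']}")
        for pl in perm.get("PrefixListIds", []):
            report["violations"].append(
                f"{tag} from prefix list {pl['PrefixListId']}")
    return report


def ga_only_ingress_permissions(ga_sg_id: str,
                                ports: Tuple[int, ...]) -> List[dict]:
    """IpPermissions payload for authorize_security_group_ingress that admits
    each listener port only from the Global Accelerator security group."""
    return [
        {"IpProtocol": "tcp", "FromPort": p, "ToPort": p,
         "UserIdGroupPairs": [{"GroupId": ga_sg_id,
                               "Description": "Global Accelerator only"}]}
        for p in ports
    ]


# Constructed sample: the GA group plus an ALB group that is correct on 443
# but still has a stray 0.0.0.0/0 rule on 80 (a common leftover).
SAMPLE_GROUPS = [
    {"GroupId": "sg-0ga000000000000", "GroupName": "GlobalAccelerator",
     "VpcId": "vpc-0example", "IpPermissions": []},
    {"GroupId": "sg-0alb00000000000", "GroupName": "alb-sg",
     "VpcId": "vpc-0example", "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "UserIdGroupPairs": [{"GroupId": "sg-0ga000000000000"}],
          "IpRanges": [], "Ipv6Ranges": [], "PrefixListIds": []},
         {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
          "UserIdGroupPairs": [], "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
          "Ipv6Ranges": [], "PrefixListIds": []},
     ]},
]


def audit_alb_sample() -> Dict[str, List[str]]:
    """Run the audit over the constructed ALB group on ports 80 and 443."""
    ga_id = find_global_accelerator_sg(SAMPLE_GROUPS, "vpc-0example")
    return audit_listener_ingress(SAMPLE_GROUPS[1], ga_id, (80, 443))


if __name__ == "__main__":
    import json
    print(json.dumps(audit_alb_sample(), indent=2))
    print(json.dumps(ga_only_ingress_permissions("sg-0ga000000000000", (443,)), indent=2))
```

In a live account, replace `SAMPLE_GROUPS` with the `SecurityGroups` list from `describe_security_groups(Filters=[{"Name": "vpc-id", "Values": [vpc_id]}])`, and pass the payload from `ga_only_ingress_permissions` to `authorize_security_group_ingress(GroupId=..., IpPermissions=...)`. The audit treats an `IpProtocol` of `-1` as covering every port, since an all-traffic rule from a CIDR re-opens direct access just as a port-specific one does.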

In summary, Global Accelerator manages IP addresses through elastic network interfaces in your VPC, each associated with a Global Accelerator-created security group per VPC. This security group is used to control traffic flow to your endpoints, and you should configure your endpoint security groups to allow traffic from this group to ensure secure and reliable routing of client requests via Global Accelerator. Modifying the Global Accelerator security group is discouraged to avoid endpoint health issues. Instead, use it as a source in your own security groups to restrict access to only Global Accelerator traffic.

Citations:
[1] https://docs.aws.amazon.com/global-accelerator/latest/dg/best-practices-aga.html
[2] https://docs.aws.amazon.com/global-accelerator/latest/dg/security.html
[3] https://repost.aws/knowledge-center/globalaccelerator-limit-endpoint-access-by-securitygroup
[4] https://docs.aws.amazon.com/global-accelerator/latest/dg/introduction-how-it-works.html
[5] https://docs.aws.amazon.com/global-accelerator/latest/dg/about-endpoints.sipp-caveats.html
[6] https://docs.aws.amazon.com/global-accelerator/latest/dg/preserve-client-ip-address.html
[7] https://support.huaweicloud.com/eu/usermanual-ga/Global%20Accelerator%20User%20Guide-pdf.pdf
[8] https://repost.aws/questions/QUFcukxYdDTt-W8_UG0vcBUg/global-accelerator-with-alb-endpoint
[9] https://docs.aws.amazon.com/global-accelerator/latest/dg/about-accelerators.eip-accelerator.html
[10] https://tutorialsdojo.com/aws-global-accelerator/