Bringing Your Own IP (BYOIP) with AWS Global Accelerator allows you to use your own public IPv4 address ranges as static IP addresses for your Global Accelerator, instead of relying solely on AWS-provided IPs. This is particularly useful for customers who have existing trusted IP addresses used by partners or customers, such as those whitelisted in firewalls.
Here is a detailed explanation of the BYOIP process with AWS Global Accelerator:
1. Preparation and Authorization
- Ownership Verification: Before you bring your IP address range to AWS, you must prove that you own it. AWS requires an authorization, typically a signed document or certificate confirming that you have the right to bring the range to AWS. Depending on what your Internet Registry supports, this can be done through RDAP verification or DNS TXT records[8][5].
- Stop Advertising Elsewhere: You must stop advertising your IP address range from any other networks before AWS begins advertising it. If the IP range is advertised by multiple providers simultaneously (multihomed), AWS cannot guarantee proper routing or successful completion of the BYOIP process[1].
2. Provisioning the IP Address Range in AWS
- ProvisionByoipCidr API Call: You submit your IP address range in CIDR notation (/24 or less specific; /24 is the most specific range you can bring) to AWS Global Accelerator using the `ProvisionByoipCidr` API or the AWS Management Console. Along with the CIDR, you provide the authorization context (the signed proof of ownership)[9].
- Address Pool Creation: Once provisioned, your IP range appears in your AWS account as an address pool. This pool is ready to be advertised by AWS after successful provisioning and authorization.
- Provisioning Time: The provisioning process can take up to three weeks, as AWS verifies and configures the IP range for use within their network[2].
3. Advertising the IP Range
- After provisioning, AWS advertises your IP address range from their edge locations globally. This announcement makes your IP addresses reachable through the AWS global network.
- AWS Global Accelerator assigns one IP address from your BYOIP range to your accelerator as a static IP address. If you bring two IP ranges, you can assign one IP address from each range to the accelerator, enhancing availability by distributing across different network zones[1][3].
4. Using Your BYOIP Addresses with Global Accelerator
- Creating or Updating an Accelerator: You can create a new Global Accelerator or update an existing one to use your BYOIP IP addresses. In the AWS Management Console, when creating an accelerator, you can select your BYOIP CIDR from the IP address pool dropdown to assign a static IP from your own range[3].
- Cross-Account Sharing: AWS Global Accelerator now supports sharing BYOIP IP addresses across AWS accounts. This means you can provision an IP range in one account and assign IP addresses from that range to accelerators in different accounts by configuring cross-account attachments and permissions[4].
- Static IP Assignment: By default, each accelerator gets one static IP from your BYOIP pool and one from AWS's pool. When you bring two BYOIP ranges, one IP from each range can be assigned to the accelerator for higher availability[1][3].
5. Important Considerations
- Region Restriction: Accelerators using BYOIP must be created or updated in the US West (Oregon) region[6].
- No Additional Charges: There is no extra cost for using BYOIP with AWS Global Accelerator beyond the standard pricing for the service[4].
- Limitations: The most specific prefix you can bring is /24, and the IP range must not overlap with other ranges you have brought to AWS[9].
Summary of the BYOIP Process with AWS Global Accelerator
- Verify and authorize your ownership of the IP address range.
- Stop advertising the IP range from other providers.
- Provision the IP range to AWS using the `ProvisionByoipCidr` API or console.
- Wait for AWS to complete provisioning and start advertising the IP range.
- Create or update a Global Accelerator to assign static IP addresses from your BYOIP pool.
- Optionally, share BYOIP IP ranges across AWS accounts for flexible use.
- Use your own IP addresses as static entry points for your global applications with improved control and trust.
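The provisioning, advertising and accelerator-creation steps above, as an added example that is not AWS's or this page's code: a small Python workflow around the Global Accelerator API (in production, `boto3.client("globalaccelerator", region_name="us-west-2")`). It pre-checks the CIDR against the /24 and no-overlap limits, provisions it with the signed authorization context, polls `ListByoipCidrs` until the range is READY, only then calls `AdvertiseByoipCidr`, and finally creates an accelerator pinned to an address from the range. The in-memory `FakeGlobalAccelerator`, the placeholder message and signature strings, and the 203.0.113.0/24 documentation range are constructed for offline demonstration; the real client takes the same calls.

```python
import ipaddress
import uuid

# ByoipCidr["State"] values from the Global Accelerator API.
READY, ADVERTISING = "READY", "ADVERTISING"
FAILED = {"FAILED_PROVISION", "FAILED_ADVERTISING", "FAILED_WITHDRAW", "FAILED_DEPROVISION"}


def validate_cidr(cidr, existing):
    """Pre-flight checks before ProvisionByoipCidr: IPv4, /24 or less specific,
    no overlap with ranges already brought. Returns an error string or None."""
    try:
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError as exc:
        return f"not a valid network: {exc}"
    if net.version != 4:
        return "Global Accelerator BYOIP is IPv4 only"
    if net.prefixlen > 24:
        return f"/{net.prefixlen} is more specific than /24"
    for other in existing:
        if net.overlaps(ipaddress.ip_network(other)):
            return f"overlaps already-provisioned range {other}"
    return None


def current_state(client, cidr):
    """State of one BYOIP CIDR according to ListByoipCidrs, or None if unknown."""
    for entry in client.list_byoip_cidrs()["ByoipCidrs"]:
        if entry["Cidr"] == cidr:
            return entry["State"]
    return None


def bring_ip_range(client, cidr, message, signature, poll=lambda: None):
    """Provision, wait for READY, then advertise; returns the final state.
    message/signature form the CidrAuthorizationContext (signed ownership proof);
    poll() runs between state checks (time.sleep in production, a no-op here)."""
    existing = [c["Cidr"] for c in client.list_byoip_cidrs()["ByoipCidrs"]]
    problem = validate_cidr(cidr, existing)
    if problem:
        raise ValueError(f"refusing to provision {cidr}: {problem}")
    client.provision_byoip_cidr(
        Cidr=cidr,
        CidrAuthorizationContext={"Message": message, "Signature": signature},
    )
    # Provisioning can take weeks. Never advertise before the range is READY
    # (and only after the previous provider has withdrawn its announcement).
    while (state := current_state(client, cidr)) != READY:
        if state in FAILED:
            raise RuntimeError(f"{cidr} entered {state}")
        poll()
    client.advertise_byoip_cidr(Cidr=cidr)
    return current_state(client, cidr)


def create_byoip_accelerator(client, name, ip_addresses):
    """Create an accelerator whose static IPs come from the supplied BYOIP ranges."""
    resp = client.create_accelerator(
        Name=name,
        IpAddressType="IPV4",
        IpAddresses=ip_addresses,  # at most one address per BYOIP range
        Enabled=True,
        IdempotencyToken=str(uuid.uuid4()),
    )
    return resp["Accelerator"]


class FakeGlobalAccelerator:
    """Constructed offline stand-in for the boto3 client (not AWS code). Each
    ListByoipCidrs call moves a pending range a step closer to READY so the
    polling loop is exercised without the real multi-week wait."""

    def __init__(self):
        self.cidrs, self._ticks = {}, {}

    def list_byoip_cidrs(self):
        out = []
        for cidr, state in self.cidrs.items():
            if state == "PENDING_PROVISIONING":
                self._ticks[cidr] = self._ticks.get(cidr, 0) + 1
                if self._ticks[cidr] >= 2:
                    self.cidrs[cidr] = state = READY
            out.append({"Cidr": cidr, "State": state})
        return {"ByoipCidrs": out}

    def provision_byoip_cidr(self, Cidr, CidrAuthorizationContext):
        assert {"Message", "Signature"} <= set(CidrAuthorizationContext)
        self.cidrs[Cidr] = "PENDING_PROVISIONING"
        return {"ByoipCidr": {"Cidr": Cidr, "State": "PENDING_PROVISIONING"}}

    def advertise_byoip_cidr(self, Cidr):
        # The real API rejects this call unless the range is READY.
        if self.cidrs.get(Cidr) != READY:
            raise RuntimeError("IncorrectCidrStateException")
        self.cidrs[Cidr] = ADVERTISING
        return {"ByoipCidr": {"Cidr": Cidr, "State": ADVERTISING}}

    def create_accelerator(self, **kw):
        return {"Accelerator": {"Name": kw["Name"], "IpSets": [{"IpAddresses": kw["IpAddresses"]}]}}
```

To run the sequence offline: `ga = FakeGlobalAccelerator()`, then `bring_ip_range(ga, "203.0.113.0/24", "<signed-message>", "<signature>")` returns `"ADVERTISING"`, and `create_byoip_accelerator(ga, "byoip-demo", ["203.0.113.10"])` returns the accelerator description. Against AWS, the client must be created in us-west-2, the message and signature must be the real signed authorization for your range, and `poll` should sleep between checks, since provisioning is measured in days to weeks rather than calls.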
This process enables seamless migration and integration of your trusted IP addresses into AWS Global Accelerator, maintaining IP continuity for your applications while leveraging AWS's global network for performance and availability[1][2][3][4][8][9].
Citations:
[1] https://docs.aws.amazon.com/global-accelerator/latest/dg/using-byoip.html
[2] https://aws.amazon.com/blogs/networking-and-content-delivery/using-bring-your-own-ip-addresses-byoip-with-global-accelerator/
[3] https://docs.aws.amazon.com/global-accelerator/latest/dg/using-byoip.create-accelerator.html
[4] https://aws.amazon.com/about-aws/whats-new/2024/03/aws-global-accelerator-byoip-sharing-ip-space-across-accounts/
[5] https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-byoip.html
[6] https://boto3.amazonaws.com/v1/documentation/api/1.14.57/reference/services/globalaccelerator.html
[7] https://cloud.google.com/vpc/docs/bring-your-own-ip
[8] https://docs.aws.amazon.com/global-accelerator/latest/dg/using-byoip.prepare.html
[9] https://docs.aws.amazon.com/global-accelerator/latest/api/API_ProvisionByoipCidr.html