
AWS Global Accelerator

This chapter covers AWS Global Accelerator, a networking service that improves the availability and performance of applications with global users. For the SOA-C02 exam, understanding Global Accelerator is critical for questions on optimizing network performance, reducing latency, and providing static IP addresses for global applications. Approximately 5-8% of exam questions touch on global networking services, with Global Accelerator appearing in scenarios involving hybrid architectures, disaster recovery, and performance optimization.

Updated May 31, 2026

Global Accelerator as a Global Express Delivery Hub

Imagine you run an international e-commerce company with warehouses in London, Tokyo, and São Paulo. Customers worldwide place orders online. Without a smart routing system, a customer in Sydney might have their order shipped from London because that's the closest known warehouse, but the actual best route might be through Tokyo due to faster shipping lanes or customs clearance. AWS Global Accelerator acts like a global express delivery hub that doesn't just look at physical distance but constantly monitors real-time conditions: traffic congestion at ports, weather delays, and customs processing times. It maintains a persistent 'membership card' for each customer (the static IP address) so that even if a customer moves or their ISP changes, their packages always go to the same hub first. The hub then uses a dynamic routing table updated every second to decide which warehouse (Application Load Balancer or Network Load Balancer endpoint) can fulfill the order fastest based on current network latency, health of the warehouse staff, and available inventory. If a warehouse suddenly catches fire (becomes unhealthy), the hub immediately reroutes all pending orders to the next best warehouse without the customer ever knowing. This is fundamentally different from a simple DNS-based routing (like Amazon Route 53) which only checks location at the start of a session and then sends all traffic to that endpoint even if it becomes overloaded or fails—like giving a customer a warehouse address that might be closed when they arrive.

How It Actually Works

What is AWS Global Accelerator and Why It Exists

AWS Global Accelerator is a networking service that directs user traffic to the optimal AWS endpoint (Application Load Balancer, Network Load Balancer, EC2 instance, or Elastic IP) based on health, geographic proximity, and current network conditions. It provides two static anycast IP addresses that serve as a fixed entry point for your application, regardless of changes to the underlying infrastructure. The primary use cases are improving global application performance (by up to 60% in some cases) and providing fast failover for multi-Region deployments.

The service operates at the edge of the AWS network, using the same infrastructure that powers Amazon.com. It uses the Anycast routing technique, meaning the same IP address is advertised from multiple AWS edge locations worldwide. User traffic is routed to the nearest edge location (closest by network latency), then forwarded over the AWS global network backbone to the optimal endpoint. This avoids the public internet for the majority of the path, reducing latency and jitter.

How Global Accelerator Works Internally

When a user requests a connection to a Global Accelerator static IP, the following occurs:

1. DNS Resolution: The user's DNS resolver queries the Global Accelerator DNS name (e.g., abc123.awsglobalaccelerator.com). The service returns the two static anycast IP addresses. These IPs are advertised from all AWS edge locations via BGP.

2. Traffic Arrival at Edge: The user's packet reaches the nearest AWS edge location based on BGP routing. This is not necessarily the geographically closest location; it's the one with the best network path.

3. Endpoint Group Selection: Global Accelerator has a concept of endpoint groups: logical groupings of endpoints in a region. Each endpoint group is associated with a listener port and protocol (TCP/UDP). The service selects an endpoint group based on the user's source IP and the configured traffic dial percentage (0-100%) for each group. If multiple groups are healthy, traffic is distributed according to the dial settings.

4. Endpoint Selection: Within the chosen endpoint group, Global Accelerator selects a healthy endpoint using the routing algorithm (least outstanding requests or round robin). The endpoint can be an Application Load Balancer (ALB), Network Load Balancer (NLB), EC2 instance, or Elastic IP address.

5. Connection Forwarding: The edge location establishes a connection to the selected endpoint over the AWS global network. This connection is persistent and reused for multiple client requests (connection reuse). The edge location proxies the traffic, meaning the client's source IP is preserved in the X-Forwarded-For header (for HTTP) or via Proxy Protocol v2 (for TCP).

6. Health Checks: Global Accelerator performs health checks on endpoints every 10 seconds (configurable) from multiple edge locations. If an endpoint fails health checks, it is removed from the pool within ~30 seconds. Traffic is then redirected to the next healthiest endpoint.

Key Components, Values, Defaults, and Timers

Static IP Addresses: Two IPv4 addresses are assigned per accelerator. These are anycast and do not change for the lifetime of the accelerator. You can optionally bring your own IP (BYOIP) via AWS IPAM.

Listeners: Each listener processes inbound connections based on port (1-65535) and protocol (TCP/UDP). You can define multiple listeners per accelerator.

Endpoint Groups: Each listener routes traffic to one or more endpoint groups. Each endpoint group is associated with a specific AWS region (e.g., us-east-1). You can set a traffic dial percentage (0-100) to control the proportion of traffic sent to each group. Default is 100.

Endpoints: Within an endpoint group, you can add endpoints of type: Application Load Balancer (ALB), Network Load Balancer (NLB), EC2 instance, or Elastic IP. Each endpoint has a weight (0-255) for routing. Default weight is 128.

Health Check: Default interval is 10 seconds, threshold is 3 consecutive failures to mark unhealthy, success threshold is 3 consecutive successes to mark healthy. Health checks originate from multiple edge locations.

Client IP Preservation: For ALB and NLB endpoints, you can enable client IP preservation. When enabled, the endpoint sees the original client IP. When disabled, the endpoint sees the edge location's IP.

Proxy Protocol: For TCP listeners, you can enable Proxy Protocol v2 to pass client connection information (source IP, port) to the endpoint.

Accelerator Status: Can be DEPLOYED (active) or IN_PROGRESS (updating).

Configuration and Verification Commands

Global Accelerator can be managed via AWS Management Console, AWS CLI, SDK, or CloudFormation. Key CLI commands:

Create an accelerator: aws globalaccelerator create-accelerator --name MyAccelerator --ip-address-type IPV4

List accelerators: aws globalaccelerator list-accelerators

Describe accelerator: aws globalaccelerator describe-accelerator --accelerator-arn arn:aws:globalaccelerator::123456789012:accelerator/abc123

Create listener: aws globalaccelerator create-listener --accelerator-arn <arn> --port-ranges FromPort=80,ToPort=80 --protocol TCP

Create endpoint group: aws globalaccelerator create-endpoint-group --listener-arn <arn> --endpoint-group-region us-east-1 --endpoint-configurations EndpointId=arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/my-alb/1234567890abcdef,Weight=128

Update traffic dial: aws globalaccelerator update-endpoint-group --endpoint-group-arn <arn> --traffic-dial-percentage 50

To verify:

Use dig or nslookup on the Global Accelerator DNS name to see the two static IPs.

Use traceroute or mtr from a client to see that traffic enters the AWS edge network.

Check CloudWatch metrics: NewFlowCount, ProcessedBytesIn, ProcessedBytesOut, HealthyEndpointCount, UnhealthyEndpointCount.

How It Interacts with Related Technologies

Route 53: Route 53 can be used for DNS-based routing (latency, geolocation, weighted) but does not provide static IPs or fast failover at the network level. Global Accelerator is often used in conjunction with Route 53 for health-check-based DNS failover as a secondary layer.

CloudFront: CloudFront is a CDN for HTTP/HTTPS content, while Global Accelerator works at Layer 4 (TCP/UDP) and can handle non-HTTP protocols. CloudFront also provides static IPs but only for HTTP traffic.

NLB/ALB: Global Accelerator sits in front of load balancers, providing a global entry point. It can also front EC2 instances directly (without a load balancer) for TCP/UDP workloads.

AWS WAF: Global Accelerator can be integrated with AWS WAF via ALB endpoints to provide web application firewall protection at the edge.

AWS Shield: Global Accelerator includes AWS Shield Standard at no extra cost, providing DDoS protection at the edge.

Walk-Through

1. User Initiates Connection

A user types your application's domain name into their browser. Their device performs a DNS lookup, which resolves to the two static anycast IP addresses provided by Global Accelerator. These IPs are announced from all AWS edge locations via BGP. The user's client selects one of the IPs (usually the first returned) and initiates a TCP handshake to that IP. The packet is routed over the public internet to the nearest AWS edge location, determined by BGP routing metrics.

2. Edge Location Receives Packet

The packet arrives at an AWS edge location (e.g., in Sydney, if the user is in Australia). The edge location terminates the TCP connection from the client. Global Accelerator's listener configuration (port and protocol) determines how to handle the traffic. The edge location then selects an endpoint group based on the client's source IP and the traffic dial percentages. For example, if you have endpoint groups in us-east-1 and eu-west-1, with traffic dials 70 and 30, 70% of new flows from this edge will be routed to us-east-1.

3. Endpoint Selection Within Group

Within the chosen endpoint group, Global Accelerator selects a healthy endpoint using the configured routing algorithm. The default is 'least outstanding requests' for ALB/NLB endpoints, which sends new connections to the endpoint with the fewest active connections. For EC2/EIP endpoints, the algorithm is round robin. Each endpoint has a weight (1-255) that can bias traffic. If no endpoints are healthy, traffic is dropped or sent to a fallback if configured.

4. Forwarding Over AWS Global Network

The edge location establishes a new TCP connection to the selected endpoint over the AWS global network backbone. This connection is persistent and reused for multiple client requests (connection multiplexing). The edge location proxies data between the client and the endpoint. If client IP preservation is enabled, the endpoint sees the original client IP; otherwise, it sees the edge location's IP. For TCP, Proxy Protocol v2 can be used to pass client information.

5. Health Check and Failover

Global Accelerator continuously monitors the health of all endpoints from multiple edge locations. Health checks are sent every 10 seconds (configurable). If an endpoint fails three consecutive health checks, it is marked unhealthy and removed from the pool. New flows are then directed to the next healthiest endpoint. Existing flows to the failed endpoint are terminated (since the edge location breaks the connection). Failover typically completes within 30 seconds.
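A small model of the threshold logic described in this step, as an added example (not AWS's implementation; the function name and the probe traces are constructed). It replays probe results against the page's defaults and also shows a case the thresholds do not catch: an endpoint that fails two probes out of every three is never marked unhealthy.

```python
# Constructed probe traces, one result every 10 seconds (True = probe passed).
HARD_OUTAGE = [True, False, False, False, True, True, True]
FLAPPING = [False, False, True] * 4   # 8 of 12 probes fail, never 3 in a row


def replay_health_checks(results, interval_s=10, threshold=3):
    """Replay probe results taken every interval_s seconds, starting at t=0.

    Returns (transitions, blind_failures):
      transitions    - list of (seconds, new_state) where the endpoint flipped
      blind_failures - failed probes seen while the endpoint still counted as
                       healthy, i.e. while new flows were still being sent to it
    """
    healthy, streak = True, 0
    transitions, blind_failures = [], 0
    for i, ok in enumerate(results):
        if not ok and healthy:
            blind_failures += 1
        if ok == healthy:
            streak = 0            # result agrees with the current state
            continue
        streak += 1               # consecutive results contradicting the state
        if streak >= threshold:
            healthy, streak = ok, 0
            state = "HEALTHY" if healthy else "UNHEALTHY"
            transitions.append((i * interval_s, state))
    return transitions, blind_failures


if __name__ == "__main__":
    for name, trace in (("hard outage", HARD_OUTAGE), ("flapping", FLAPPING)):
        transitions, blind = replay_health_checks(trace)
        print(f"{name}: transitions={transitions} blind_failures={blind}")
```

In the hard-outage trace the endpoint is removed 30 seconds into the replay and needs three further passing probes before it returns, which matches the timings above. The flapping trace is the reason to alert on application error rates as well as on UnhealthyEndpointCount.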

What This Looks Like on the Job

Enterprise Scenario 1: Global Gaming Platform

A gaming company has players worldwide and uses multiple AWS regions (us-east-1, eu-west-1, ap-southeast-1) for their game servers. They need low-latency connections for real-time gameplay and must handle sudden spikes in traffic during tournaments. They deploy Global Accelerator with a TCP listener on port 443 (HTTPS) and three endpoint groups, each with a Network Load Balancer (NLB) fronting auto-scaled game server instances. The traffic dial is set to 100% for all groups initially. Global Accelerator automatically routes each player to the region with the best network performance. During a tournament, if one region becomes overloaded, the traffic dial can be adjusted via API to shift load to other regions. The static IPs are whitelisted in enterprise firewalls, avoiding DNS caching issues. Common misconfiguration: setting traffic dial to 0 for a region without verifying that other regions can handle the load, causing all traffic to drop if the remaining region fails. The solution uses health checks to detect endpoint failures; if an NLB becomes unhealthy, traffic is rerouted to other groups within seconds.

Enterprise Scenario 2: Hybrid Application with On-Premises Integration

A financial services company runs a trading application on EC2 instances behind an ALB in us-east-1. They have on-premises users who require low-latency access and a static IP for firewall rules. They deploy Global Accelerator with a TCP listener on port 8443. The endpoint group in us-east-1 contains the ALB. They also have a secondary region (eu-west-1) for disaster recovery, with a standby ALB. The traffic dial is set to 100% for us-east-1 and 0% for eu-west-1. Health checks monitor the primary ALB. If the primary region fails, they manually adjust the traffic dial to 0% for us-east-1 and 100% for eu-west-1, or use an automated script. The static IPs remain the same, so on-premises firewalls don't need updates. A common pitfall: forgetting to enable client IP preservation, causing the application to see the edge location IP instead of the client IP, which breaks security auditing. They resolve this by enabling client IP preservation on the endpoint group.
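One way to write the "automated script" for this scenario so that it avoids both pitfalls named in Scenarios 1 and 2, as an added example (not AWS or author code). It takes data shaped like `aws globalaccelerator describe-endpoint-group` output, refuses to drain the primary when the standby has no healthy endpoint, and flags standby endpoints without client IP preservation; the function names, the sample data and the placeholder ARNs are assumptions.

```python
def sample_groups(standby_health="HEALTHY"):
    """Constructed data shaped like describe-endpoint-group output; ARNs are placeholders."""
    group = ("arn:aws:globalaccelerator::123456789012:accelerator/abc123"
             "/listener/EXAMPLE/endpoint-group/")
    alb = "arn:aws:elasticloadbalancing:{}:123456789012:loadbalancer/app/{}/EXAMPLE"

    def endpoint(region, name, health, preserve_ip):
        return {"EndpointId": alb.format(region, name), "Weight": 128,
                "HealthState": health, "ClientIPPreservationEnabled": preserve_ip}

    return [
        {"EndpointGroupArn": group + "primary", "EndpointGroupRegion": "us-east-1",
         "TrafficDialPercentage": 100.0,
         "EndpointDescriptions": [endpoint("us-east-1", "my-alb", "HEALTHY", True)]},
        {"EndpointGroupArn": group + "standby", "EndpointGroupRegion": "eu-west-1",
         "TrafficDialPercentage": 0.0,
         "EndpointDescriptions": [endpoint("eu-west-1", "standby-alb", standby_health, False)]},
    ]


def usable_endpoints(group):
    """Endpoints that can take traffic now: reported HEALTHY and weight above 0."""
    return [e for e in group["EndpointDescriptions"]
            if e.get("HealthState") == "HEALTHY" and e.get("Weight", 128) > 0]


def dial_command(group, percent):
    """Build the update-endpoint-group call listed among the CLI commands above."""
    # The Global Accelerator API is served from us-west-2, hence the explicit region.
    return ("aws globalaccelerator update-endpoint-group"
            f" --endpoint-group-arn {group['EndpointGroupArn']}"
            f" --traffic-dial-percentage {percent} --region us-west-2")


def plan_failover(groups, from_region, to_region):
    """Return (commands, warnings); raise ValueError if the shift would drop traffic."""
    by_region = {g["EndpointGroupRegion"]: g for g in groups}
    for region in (from_region, to_region):
        if region not in by_region:
            raise ValueError(f"no endpoint group in {region}")
    source, target = by_region[from_region], by_region[to_region]

    ready = usable_endpoints(target)
    if not ready:
        raise ValueError(f"{to_region} has no healthy endpoint with weight > 0; "
                         f"leaving {from_region} dial untouched")

    warnings = [f"{e['EndpointId']}: client IP preservation is off, "
                "so application logs will record edge IPs instead of clients"
                for e in ready if not e.get("ClientIPPreservationEnabled", False)]

    # Open the standby before draining the primary so the dials are never all 0.
    return [dial_command(target, 100), dial_command(source, 0)], warnings


if __name__ == "__main__":
    commands, warnings = plan_failover(sample_groups(), "us-east-1", "eu-west-1")
    print("\n".join(commands + ["WARNING " + w for w in warnings]))
    try:
        plan_failover(sample_groups("UNHEALTHY"), "us-east-1", "eu-west-1")
    except ValueError as err:
        print("REFUSED", err)
```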

Enterprise Scenario 3: E-Commerce with Global User Base

An e-commerce company uses CloudFront for static content and Global Accelerator for dynamic API calls (HTTPS). They have two ALBs in us-east-1 and ap-southeast-1. Global Accelerator uses a TCP listener on port 443. Traffic dials are set to 60% for us-east-1 and 40% for ap-southeast-1 to reflect user distribution. They monitor CloudWatch metrics: if UnhealthyEndpointCount spikes, they investigate. A misconfiguration: setting endpoint weights too low (e.g., weight=1) for a region, causing it to receive almost no traffic even though it's healthy. They use weighted routing to gradually shift traffic during deployments. Performance gains: users in Asia see 50% reduction in latency because traffic stays on AWS network from the edge location in Singapore to the ALB in Singapore, avoiding the public internet.

How SOA-C02 Actually Tests This

What SOA-C02 Tests on Global Accelerator

The SOA-C02 exam (Domain 5: Networking and Content Delivery, Objective 5.1: Implement networking features) tests your ability to:

Differentiate Global Accelerator from Route 53 latency routing and CloudFront.

Understand the use of static anycast IPs and how they improve performance.

Configure traffic dials and weights for multi-region failover.

Identify when to use Global Accelerator vs. other services.

Interpret CloudWatch metrics to troubleshoot performance or health issues.

Common Wrong Answers and Why Candidates Choose Them

1. Choosing Route 53 latency routing over Global Accelerator when the requirement is static IPs. Candidates often think Route 53's latency-based DNS is sufficient, but it does not provide static IPs; DNS responses change over time. Global Accelerator's static IPs are crucial for firewall whitelisting.

2. Selecting CloudFront for non-HTTP protocols. CloudFront only supports HTTP/HTTPS and WebSocket. Global Accelerator supports TCP/UDP, making it suitable for gaming, VoIP, and IoT.

3. Believing Global Accelerator can front an S3 bucket directly. It cannot. S3 bucket endpoints are not supported; you must use CloudFront or an ALB/NLB in front of S3.

4. Assuming Global Accelerator provides automatic DNS failover. It does not; failover is at the network layer based on health checks. DNS failover is separate (Route 53).

Specific Numbers and Values to Memorize

Two static anycast IPs per accelerator (IPv4; dual-stack coming soon).

Health check interval: 10 seconds (default).

Health check thresholds: 3 failures to mark unhealthy, 3 successes to mark healthy.

Traffic dial range: 0-100%.

Endpoint weight range: 0-255.

Supported endpoint types: ALB, NLB, EC2 instance, Elastic IP.

Maximum listeners per accelerator: 10.

Maximum endpoint groups per listener: 10.

Maximum endpoints per endpoint group: 10.

Edge Cases and Exceptions

Cross-region endpoints: Endpoints must be in the same region as the endpoint group. You cannot add an endpoint in us-west-2 to an endpoint group for us-east-1.

Client IP preservation with NLB: If the endpoint is an NLB, client IP preservation is automatically enabled and cannot be disabled.

Global Accelerator and AWS Shield Advanced: You can subscribe to Shield Advanced for additional DDoS protection; Global Accelerator includes Shield Standard.

BYOIP: You can bring your own IP address range to Global Accelerator via AWS IPAM, but it must be /24 or larger.

How to Eliminate Wrong Answers

If a question asks for a service that provides static IPs for global traffic, eliminate Route 53 (dynamic DNS), CloudFront (static IPs for HTTP only), and any service that does not offer anycast. If the requirement is for non-HTTP protocols (e.g., UDP gaming), eliminate CloudFront. If the requirement is for DNS-level routing (e.g., geographic restriction), eliminate Global Accelerator.

Key Takeaways

Global Accelerator provides two static anycast IPv4 addresses that serve as a fixed entry point for global applications.

It supports TCP and UDP protocols, making it suitable for non-HTTP workloads like gaming and VoIP.

Health checks are performed every 10 seconds from multiple edge locations; an endpoint is marked unhealthy after 3 failures.

Traffic dials (0-100%) control the proportion of traffic sent to each endpoint group; endpoint weights (0-255) control distribution within a group.

Client IP preservation is available for ALB and NLB endpoints; for NLB it is always enabled.

Global Accelerator integrates with AWS Shield Standard for DDoS protection at no extra cost.

It cannot front S3 buckets directly; use CloudFront or a load balancer in front of S3.

Maximum of 10 listeners per accelerator, 10 endpoint groups per listener, and 10 endpoints per endpoint group.

Global Accelerator is ideal for multi-region failover with fast convergence (<30 seconds).

It does not cache content; it only optimizes network path.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

AWS Global Accelerator

Operates at Layer 4 (TCP/UDP)

Provides static anycast IPs

Supports non-HTTP protocols (e.g., gaming, VoIP)

Does not cache content

Ideal for dynamic content and real-time applications

Amazon CloudFront

Operates at Layer 7 (HTTP/HTTPS)

Provides static IPs for HTTP only

Supports HTTP, HTTPS, WebSocket

Caches content at edge locations

Ideal for static and dynamic web content

AWS Global Accelerator

Provides static IPs that don't change

Routes at network layer (anycast)

Fast failover (<30 seconds) based on health checks

Preserves client IP (optional)

Best for applications requiring fixed endpoints for firewalls

Amazon Route 53 Latency Routing

Uses DNS-based routing (dynamic responses)

Routes at DNS level (latency record)

Failover depends on DNS TTL (typically 60-300 seconds)

Does not preserve client IP (DNS resolver sees client)

Best for simple geographic traffic distribution

Watch Out for These

Mistake: Global Accelerator is just a CDN like CloudFront.

Correct: Global Accelerator is a Layer 4 (TCP/UDP) proxy that improves performance for any application, not just HTTP. CloudFront is a CDN for HTTP(S) content only. Global Accelerator does not cache content.

Mistake: Global Accelerator replaces Route 53 for DNS routing.

Correct: Global Accelerator uses DNS to resolve its static IPs, but routing decisions are made at the network layer based on health and latency. Route 53 provides DNS-level routing (latency, geolocation, weighted) and can be used together with Global Accelerator for additional control.

Mistake: Global Accelerator automatically distributes traffic equally across all endpoints.

Correct: Traffic distribution is based on traffic dials (per endpoint group) and endpoint weights. By default, all endpoint groups have 100% dial and endpoints have weight 128, but you must configure these to achieve desired distribution.

Mistake: Global Accelerator supports IPv6.

Correct: As of the latest update, Global Accelerator supports IPv4 only. IPv6 support is not yet available (though dual-stack is on the roadmap).

Mistake: Global Accelerator endpoints must be load balancers.

Correct: Endpoints can be ALB, NLB, EC2 instance, or Elastic IP. You can front EC2 instances directly without a load balancer.


Frequently Asked Questions

What is the difference between AWS Global Accelerator and CloudFront?

Global Accelerator works at Layer 4 (TCP/UDP) and provides static IPs for any application, including non-HTTP protocols like gaming and VoIP. CloudFront works at Layer 7 (HTTP/HTTPS) and caches content at edge locations. Use Global Accelerator for dynamic content requiring low latency and static IPs; use CloudFront for web content delivery and caching.

Can Global Accelerator be used with an S3 bucket?

No, Global Accelerator cannot directly front an S3 bucket. You must place an Application Load Balancer or Network Load Balancer in front of S3 (using S3 as a target via VPC endpoints) or use CloudFront to serve S3 content. Global Accelerator only supports ALB, NLB, EC2 instance, and Elastic IP endpoints.

How does Global Accelerator improve application performance?

Global Accelerator uses the AWS global network backbone to route traffic from the nearest edge location to the optimal endpoint, avoiding public internet congestion. This reduces latency and jitter. Additionally, it uses connection multiplexing at edge locations to reduce connection overhead. Performance improvements can be up to 60% for global users.

What happens if all endpoints in an endpoint group become unhealthy?

If all endpoints in an endpoint group are unhealthy, Global Accelerator will not route traffic to that group. If no endpoint groups have healthy endpoints, traffic is dropped. You should configure multiple endpoint groups (e.g., in different regions) to provide failover. The traffic dial for a group with all unhealthy endpoints effectively becomes 0.

Does Global Accelerator support IPv6?

As of now, Global Accelerator supports IPv4 only. IPv6 support is not yet available. However, you can use dual-stack ALB/NLB behind Global Accelerator, but the accelerator itself uses IPv4 addresses. Check AWS documentation for the latest updates on IPv6 support.

Can I bring my own IP addresses to Global Accelerator?

Yes, you can bring your own IP address range (BYOIP) to Global Accelerator using AWS IP Address Manager (IPAM). The IP range must be at least /24 and must be registered with a regional internet registry. After provisioning, you can associate the IPs with your accelerator.

What is the pricing model for Global Accelerator?

Global Accelerator charges based on two components: a fixed hourly rate for each accelerator (prorated per hour) and a data transfer fee per GB processed. Data transfer pricing is tiered and depends on the source and destination regions. There is no charge for static IPs. Pricing is similar to AWS Data Transfer out.
