

# Working with custom routing accelerators in AWS Global Accelerator

This chapter includes information about how a custom routing accelerator in AWS Global Accelerator works, and how to configure accelerators, listeners, endpoint groups, and VPC subnet endpoints for a custom routing accelerator.

A custom routing accelerator lets you use application logic to directly map one or more users to a specific Amazon EC2 instance among many destinations, while gaining the performance improvements of routing your traffic through Global Accelerator. This is useful when you have an application that requires a group of users to interact with each other on the same session running on a specific EC2 instance and port, such as gaming applications or Voice over IP (VoIP) sessions. 

Endpoints for custom routing accelerators must be Amazon VPC (VPC) subnets, and a custom routing accelerator can only route traffic to Amazon EC2 instances in those subnets. When you create a custom routing accelerator, you can include thousands of Amazon EC2 instances running in a single or multiple VPC subnets. To learn more, see [How custom routing accelerators work in Global Accelerator](about-custom-routing-how-it-works.md).

**Note**  
If you want Global Accelerator to instead automatically choose the closest healthy endpoint to your clients, create a standard accelerator. For more information, see [Working with standard accelerators in AWS Global Accelerator](work-with-standard-accelerators.md).

To set up a custom routing accelerator, you do the following:

1. Review the guidelines and requirements for creating a custom routing accelerator. See [Guidelines and restrictions for custom routing accelerators](about-custom-routing-guidelines.md).

1. Create a VPC subnet. You can add EC2 instances to the subnet at any time after adding the subnet to Global Accelerator.

1. Create an accelerator in Global Accelerator. Select the option for a custom routing accelerator.

1. Add a listener in which you specify a range of ports for Global Accelerator to listen on. Make sure that you include a large range with enough ports for Global Accelerator to map to all the destinations that you expect to have. These ports are distinct from destination ports, which you specify in the next step. For more information about listener port requirements, see [Guidelines and restrictions for custom routing accelerators](about-custom-routing-guidelines.md).

1. Add one or more endpoint groups for AWS Regions in which you have VPC subnets. You specify the following for each endpoint group:
   + An endpoint port range, which represents the ports on your destination EC2 instances that will be able to receive traffic.
   + The protocol for each destination port range: UDP, TCP, or both UDP and TCP.

1. For the endpoint subnet, select a subnet ID. You can add multiple subnets in each endpoint group and subnets can be different sizes (up to /17).

The following sections explain how custom routing accelerators work, and provide steps for creating and working with custom routing accelerators and their components, including listeners, endpoint groups, and VPC subnet endpoints.

**Topics**
+ [How custom routing accelerators work](about-custom-routing-how-it-works.md)
+ [Custom routing example](about-custom-routing-how-it-works.example.md)
+ [Custom routing guidelines](about-custom-routing-guidelines.md)
+ [Custom routing accelerators](about-custom-routing-accelerators.md)
+ [Listeners for custom routing accelerators](about-custom-routing-listeners.md)
+ [Endpoint groups for custom routing accelerators](about-custom-routing-endpoint-groups.md)
+ [VPC subnet endpoints](about-custom-routing-endpoints.md)

# How custom routing accelerators work in Global Accelerator

By using a custom routing accelerator in AWS Global Accelerator, you can use application logic to directly map one or more users to a specific destination among many destinations while still gaining the performance benefits of Global Accelerator. A custom routing accelerator maps listener port ranges to EC2 instance destinations in Amazon VPC (VPC) subnets. This allows Global Accelerator to deterministically route traffic to a specific Amazon EC2 private IP address and port destination in your subnet. 

For example, you can use a custom routing accelerator with an online real-time gaming application in which you assign multiple players to a single session on an Amazon EC2 game server based on factors that you choose, such as geographic location, player skill, and game mode. Or you might have a VoIP or social media application that assigns multiple users to a specific media server for voice, video, and messaging sessions.

Your application can call a Global Accelerator API and receive a full static mapping of Global Accelerator ports and their associated destination IP addresses and ports. You can save that static mapping, and then your matchmaking service can use it to route users to specific destination EC2 instances. You don't have to make any modifications to your client software to start using Global Accelerator with your application.

To configure a custom routing accelerator, you select a VPC subnet endpoint. Then you define a destination port range that incoming connections will be mapped to, so your software can listen on the same set of ports across all instances. Global Accelerator creates a static mapping that allows your matchmaking service to translate a destination IP address and port number for a session to an external IP address and port that you give to users.

Your application’s network stack might operate over a single transport protocol, or perhaps instead you use UDP for fast delivery and TCP for reliable delivery. You can set UDP, TCP, or both UDP and TCP for each destination port range, to give you maximum flexibility without having to duplicate your configuration for each protocol.

**Note**  
By default, all VPC subnet destinations in a custom routing accelerator aren't allowed to receive traffic. This is to be secure by default, and also to give you granular control over which private EC2 instance destinations in your subnet are allowed to receive traffic. You can allow or deny traffic to the subnet, or to specific IP address and port combinations (destination sockets). For more information, see [Add a VPC subnet endpoint for a custom routing accelerator](about-custom-routing-endpoints-adding-endpoints.md). You can also specify destinations by using the Global Accelerator API. For more information, see [AllowCustomRoutingTraffic](https://docs.aws.amazon.com/global-accelerator/latest/api/API_AllowCustomRoutingTraffic.html) and [DenyCustomRoutingTraffic](https://docs.aws.amazon.com/global-accelerator/latest/api/API_DenyCustomRoutingTraffic.html).
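
The matchmaking lookup described above, combined with the deny-by-default rule, as an added example (not code from the AWS documentation). The sample records are constructed in the shape of a `ListCustomRoutingPortMappings` response; the accelerator static IP addresses, the `EndpointId` value, and the names `build_index`, `resolve`, and `DestinationDenied` are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed accelerator static IP addresses (documentation range).
ACCELERATOR_IPS = ("203.0.113.10", "203.0.113.20")

# Constructed sample, shaped like a saved ListCustomRoutingPortMappings response.
SAMPLE_RESPONSE = {"PortMappings": [
    {"AcceleratorPort": 10001, "EndpointId": "subnet-1",
     "DestinationSocketAddress": {"IpAddress": "192.0.2.4", "Port": 81},
     "Protocols": ["UDP"], "DestinationTrafficState": "ALLOW"},
    {"AcceleratorPort": 10002, "EndpointId": "subnet-1",
     "DestinationSocketAddress": {"IpAddress": "192.0.2.4", "Port": 82},
     "Protocols": ["UDP"], "DestinationTrafficState": "ALLOW"},
    {"AcceleratorPort": 10011, "EndpointId": "subnet-1",
     "DestinationSocketAddress": {"IpAddress": "192.0.2.5", "Port": 81},
     "Protocols": ["UDP"], "DestinationTrafficState": "DENY"},
]}


class DestinationDenied(Exception):
    """The destination socket is mapped but is not allowed to receive traffic."""


@dataclass(frozen=True)
class Mapping:
    accelerator_port: int
    ip: str
    port: int
    protocols: frozenset
    state: str


def build_index(response):
    """Index the saved mapping by destination socket (IP address, port)."""
    index = {}
    seen_listener_ports = set()
    for item in response["PortMappings"]:
        sock = item["DestinationSocketAddress"]
        m = Mapping(item["AcceleratorPort"], sock["IpAddress"], sock["Port"],
                    frozenset(item["Protocols"]), item["DestinationTrafficState"])
        key = (m.ip, m.port)
        # Each listener port maps to one unique destination socket, so a
        # repeat on either side means the saved copy is corrupt or stale.
        if key in index or m.accelerator_port in seen_listener_ports:
            raise ValueError(f"duplicate mapping for {key} / {m.accelerator_port}")
        seen_listener_ports.add(m.accelerator_port)
        index[key] = m
    return index


def resolve(index, ip, port, protocol):
    """Return the (static IP, listener port) pairs to hand to clients.

    Fails closed: an unmapped socket, an unsupported protocol, or a socket
    whose traffic state is not ALLOW never yields an external address.
    """
    m = index.get((ip, port))
    if m is None:
        raise LookupError(f"{ip}:{port} is not in the port mapping")
    if protocol not in m.protocols:
        raise ValueError(f"{protocol} is not configured for {ip}:{port}")
    if m.state != "ALLOW":
        raise DestinationDenied(f"{ip}:{port} is in state {m.state}")
    return [(accel_ip, m.accelerator_port) for accel_ip in ACCELERATOR_IPS]


if __name__ == "__main__":
    idx = build_index(SAMPLE_RESPONSE)
    print(resolve(idx, "192.0.2.4", 81, "UDP"))
    try:
        resolve(idx, "192.0.2.5", 81, "UDP")
    except DestinationDenied as exc:
        print("refused:", exc)
```

Refresh the saved copy after any allow or deny change, because the traffic state in a stale copy no longer reflects what the accelerator enforces.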

# Example of how custom routing works in Global Accelerator

As an example, let's say that you want to support 10,000 sessions where groups of users interact, such as gaming sessions or VoIP call sessions, across 1,000 Amazon EC2 instances behind Global Accelerator. In this example, we'll specify a listener port range of 10001–20040 and a destination port range of 81–90. We'll say that we have four VPC subnets in us-east-1: subnet-1, subnet-2, subnet-3, and subnet-4.

In our example configuration, each VPC subnet has a block size of /24, so it can support 251 Amazon EC2 instances. (Five addresses are reserved and unavailable from each subnet, and these addresses are not mapped.) Each server running on each EC2 instance serves the following 10 ports, which we specified for the destination ports in our endpoint group: 81-90. This means that we have 2,510 ports (10 x 251) associated with each subnet. Each port can be associated with a session.

Because we've specified 10 destination ports on each EC2 instance in our subnet, Global Accelerator internally associates them with 10 listener ports that you can use to access EC2 instances. To illustrate this simply, we'll say that there's a block of listener ports that starts with the first IP address of the endpoint subnet for the first set of 10, and then moves to the next IP address for the next set of 10 listener ports. 

**Note**  
The mapping is actually not predictable like this, but we're using a sequential mapping here to help show how the port mapping works. To determine the actual mapping for your listener port ranges, use the following API operations: [ListCustomRoutingPortMappings](https://docs.aws.amazon.com/global-accelerator/latest/api/API_ListCustomRoutingPortMappings.html) and [ListCustomRoutingPortMappingsByDestination](https://docs.aws.amazon.com/global-accelerator/latest/api/API_ListCustomRoutingPortMappingsByDestination.html).

In our example, the first listener port is 10001. That port is associated with the first subnet IP address, 192.0.2.4, and the first EC2 port, 81. The next listener port, 10002, is associated with the first subnet IP address, 192.0.2.4, and the second EC2 port, 82. The following table illustrates how this example mapping continues through the last IP address of the first VPC subnet, and then on to the first IP address of the second VPC subnet.


| Global Accelerator listener port | VPC subnet IP address | EC2 instance port | 
| --- | --- | --- | 
| 10001 | 192.0.2.4 | 81 | 
| 10002 | 192.0.2.4 | 82 | 
| 10003 | 192.0.2.4 | 83 | 
| 10004 | 192.0.2.4 | 84 | 
| 10005 | 192.0.2.4 | 85 | 
| 10006 | 192.0.2.4 | 86 | 
| 10007 | 192.0.2.4 | 87 | 
| 10008 | 192.0.2.4 | 88 | 
| 10009 | 192.0.2.4 | 89 | 
| 10010 | 192.0.2.4 | 90 | 
| 10011 | 192.0.2.5 | 81 | 
| 10012 | 192.0.2.5 | 82 | 
| 10013 | 192.0.2.5 | 83 | 
| 10014 | 192.0.2.5 | 84 | 
| 10015 | 192.0.2.5 | 85 | 
| 10016 | 192.0.2.5 | 86 | 
| 10017 | 192.0.2.5 | 87 | 
| 10018 | 192.0.2.5 | 88 | 
| 10019 | 192.0.2.5 | 89 | 
| 10020 | 192.0.2.5 | 90 | 
| ... | ... | ... | 
| 12501 | 192.0.2.244 | 81 | 
| 12502 | 192.0.2.244 | 82 | 
| 12503 | 192.0.2.244 | 83 | 
| 12504 | 192.0.2.244 | 84 | 
| 12505 | 192.0.2.244 | 85 | 
| 12506 | 192.0.2.244 | 86 | 
| 12507 | 192.0.2.244 | 87 | 
| 12508 | 192.0.2.244 | 88 | 
| 12509 | 192.0.2.244 | 89 | 
| 12510 | 192.0.2.244 | 90 | 
| 12511 | 192.0.3.4 | 81 | 
| 12512 | 192.0.3.4 | 82 | 
| 12513 | 192.0.3.4 | 83 | 
| 12514 | 192.0.3.4 | 84 | 
| 12515 | 192.0.3.4 | 85 | 
| 12516 | 192.0.3.4 | 86 | 
| 12517 | 192.0.3.4 | 87 | 
| 12518 | 192.0.3.4 | 88 | 
| 12519 | 192.0.3.4 | 89 | 
| 12520 | 192.0.3.4 | 90 | 

# Guidelines and restrictions for custom routing accelerators

When you create and work with custom routing accelerators in AWS Global Accelerator, keep the following guidelines and restrictions in mind.

**Supported endpoint destinations**  
The virtual private cloud (VPC) subnet endpoints in a custom routing accelerator can only include EC2 instances. No other resources, such as load balancers, are supported for custom routing accelerators. The types of EC2 instances that are supported with Global Accelerator are listed in [Endpoints for standard accelerators in AWS Global Accelerator](about-endpoints.md).  
With custom routing accelerators, Global Accelerator can only route traffic to private IP endpoints on Amazon EC2 instances on VPC subnets. However, gaming customers who want to use custom routing might need to connect to stateful sessions. To do this, the customers run their game servers on Amazon Elastic Kubernetes Service (EKS), with sessions hosted on a specific container running inside a Kubernetes Pod.  
To use custom routing in this scenario, you can configure a VPC-CNI plugin to send traffic to Kubernetes Pods through an elastic network interface (ENI) that Global Accelerator creates for each subnet where an endpoint is present. This is a way to use a custom routing accelerator with EKS. The same configuration works to use a custom routing accelerator with Amazon Elastic Container Service (ECS). To learn more, see the detailed steps provided in the following blog post: [AWS Global Accelerator Custom Routing with Amazon Elastic Kubernetes Service](https://aws.amazon.com/blogs/networking-and-content-delivery/deploying-multi-region-applications-in-aws-using-aws-global-accelerator/).

**Port mappings**  
When you add a VPC subnet, Global Accelerator creates a static port mapping of listener port ranges to the port ranges supported by the subnet. The port mapping for a specific subnet never changes.  
You can view the port mapping list for a custom routing accelerator programmatically. For more information, see [ListCustomRoutingPortMappings](https://docs.aws.amazon.com/global-accelerator/latest/api/API_ListCustomRoutingPortMappings.html).

**VPC subnet size**  
VPC subnets that you add to a custom routing accelerator must be a minimum of /28 and a maximum of /17.

**IP address type**  
Custom routing accelerators support only the IPv4 IP address type.

**Listener port ranges**  
You must specify enough listener ports, by specifying listener port ranges, to accommodate the number of destinations included in the subnets that you plan to add to your custom routing accelerator. The range that you specify when you create a listener determines how many listener port and destination IP address combinations you can use with your custom routing accelerator. For maximum flexibility and to reduce the possibility of getting an error that you don't have enough listener ports available, we recommend that you specify a large port range.  
Global Accelerator allocates port ranges in blocks when you add a subnet to a custom routing accelerator. We recommend that you allocate listener port ranges linearly and make the ranges large enough to support the number of destination ports that you intend to have. That is, the number of ports you should allocate should be at least the subnet size times the number of destination ports and protocols (destination configurations) that you will have in the subnet.   
The algorithm that Global Accelerator uses to allocate port mappings might require you to add more listener ports, beyond this total.
After you create a listener, you can edit it to add additional port ranges and associated protocols, but you can't decrease existing port ranges. For example, if you have a listener port range of 5,000–10,000, you can't change the port range to be 5,900–10,000 and you can't change the port range to be 5,000–9,900.  
Each listener port range must include a minimum of 16 ports. Listeners support ports 1-65535.
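
A pre-flight check for these listener sizing rules, as an added example (not code from the AWS documentation). It applies the limits stated on this page (listener ranges of at least 16 ports within 1-65535, IPv4 subnets between /28 and /17, five reserved addresses per subnet) and treats "subnet size" as usable addresses, as the worked example on this page does; the function names and the two extra /24 subnets in the usage are assumptions.

```python
import ipaddress

RESERVED_PER_SUBNET = 5      # reserved, unmapped addresses per subnet (from this page)
LARGEST_PREFIX = 17          # subnets may be at most /17 ...
SMALLEST_PREFIX = 28         # ... and at least /28
MIN_LISTENER_RANGE = 16      # minimum ports in each listener port range


def usable_addresses(cidr):
    """Number of mappable addresses in a subnet, after validating its size."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4:
        raise ValueError(f"{cidr}: only IPv4 is supported")
    if not LARGEST_PREFIX <= net.prefixlen <= SMALLEST_PREFIX:
        raise ValueError(f"{cidr}: subnet must be between /28 and /17")
    return net.num_addresses - RESERVED_PER_SUBNET


def _span(port_range):
    """Validate a (from_port, to_port) pair and return how many ports it holds."""
    from_port, to_port = port_range
    if not 1 <= from_port <= to_port <= 65535:
        raise ValueError(f"{port_range}: ports must be ordered and within 1-65535")
    return to_port - from_port + 1


def check_listener(listener_ranges, destination_ranges, subnets):
    """Compare listener capacity with the minimum this configuration needs.

    'required' is a lower bound: the page notes that the allocation
    algorithm might need more listener ports than this total.
    """
    available = 0
    previous_end = 0
    for rng in sorted(listener_ranges):
        size = _span(rng)
        if size < MIN_LISTENER_RANGE:
            raise ValueError(f"{rng}: listener range needs at least 16 ports")
        if rng[0] <= previous_end:
            raise ValueError(f"{rng}: overlaps another listener range")
        previous_end = rng[1]
        available += size

    ports_per_instance = sum(_span(rng) for rng in destination_ranges)
    addresses = sum(usable_addresses(cidr) for cidr in subnets)
    required = addresses * ports_per_instance
    return {"available": available, "required": required,
            "shortfall": max(0, required - available)}


if __name__ == "__main__":
    # The page's example: listener 10001-20040, destination ports 81-90,
    # four /24 subnets (the last two CIDR blocks are constructed).
    subnets = ["192.0.2.0/24", "192.0.3.0/24", "192.0.4.0/24", "192.0.5.0/24"]
    print(check_listener([(10001, 20040)], [(81, 90)], subnets))
```

Because a listener port range cannot be decreased after creation, run a check like this before you create the listener, not after.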

**Destination port ranges**  
There are two places that you specify port ranges for a custom routing accelerator: the port ranges that you specify when you add a listener and the destination port ranges and protocols that you specify for an endpoint group.  
+ **Listener port ranges:** The listener ports on the Global Accelerator static IP addresses that your clients connect to. Global Accelerator maps each port to a unique destination IP address and port on a VPC subnet behind the accelerator.
+ **Destination port ranges:** The sets of destination port ranges that you specify for an endpoint group (also called the destination configurations) are the EC2 instance ports that receive traffic. To receive traffic on destination ports, the security groups associated with your EC2 instances must permit traffic on them.

**Health checks and failover**  
Global Accelerator does not perform health checks for custom routing accelerators and does not fail over to healthy endpoints. Traffic for custom routing accelerators is routed deterministically, regardless of the health of a destination resource.

**All traffic is denied by default**  
By default, traffic directed through a custom routing accelerator is denied to all destinations in your subnet. To enable destination instances to receive traffic, you must specifically allow all traffic to the subnet or, alternatively, allow traffic to specific instance IP addresses and ports in the subnet.   
Updating a subnet or specific destination to allow or deny traffic takes time to propagate across the internet. To determine if a change has propagated, you can call the `DescribeCustomRoutingAccelerator` API action to check the accelerator status. For more information, see [DescribeCustomRoutingAccelerator](https://docs.aws.amazon.com/global-accelerator/latest/api/API_DescribeCustomRoutingAccelerator.html).

**CloudFormation is not supported**  
CloudFormation is not supported for custom routing accelerators.

# Custom routing accelerators in AWS Global Accelerator

A *custom routing accelerator* in AWS Global Accelerator lets you use custom application logic to direct one or more users to a specific destination among many destinations, while using the AWS global network to improve the availability and performance of your application. 

A custom routing accelerator routes traffic only to ports on Amazon EC2 instances that are running in virtual private cloud (VPC) subnets. With a custom routing accelerator, Global Accelerator does not route traffic based on the geoproximity or health of the endpoint. To learn more, see [How custom routing accelerators work in Global Accelerator](about-custom-routing-how-it-works.md).

When you create an accelerator, by default, Global Accelerator provides you with a set of two static IPv4 addresses. Custom routing accelerators support only the IPv4 IP address type. If you bring your own IP address range to AWS (BYOIP), you can assign static IPv4 addresses from your own pool to use with your accelerator. For more information, see [Bring your own IP addresses (BYOIP) in Global Accelerator](using-byoip.md).

**Important**  
The IP addresses are assigned to your accelerator for as long as it exists, even if you disable the accelerator and it no longer accepts or routes traffic. However, when you *delete* an accelerator, you lose the Global Accelerator static IP addresses that are assigned to the accelerator, so you can no longer route traffic by using them. As a best practice, ensure that you have permissions in place to avoid inadvertently deleting accelerators. You can use IAM policies such as tag-based permissions with Global Accelerator to limit the users who have permissions to delete an accelerator. For more information, see [ABAC with Global Accelerator](security_iam_service-with-iam.md#security_iam_service-with-iam-tags).

This section explains how to work with a custom routing accelerator on the Global Accelerator console. To learn about using API operations with Global Accelerator, see the [AWS Global Accelerator API Reference](https://docs.aws.amazon.com/global-accelerator/latest/api/Welcome.html).

**Topics**
+ [Create a custom routing accelerator](about-custom-routing-accelerators.creating-editing.md)
+ [Edit a custom routing accelerator](about-custom-routing-accelerators.editing.md)
+ [View custom routing accelerators](about-custom-routing-accelerators.viewing.md)
+ [Delete a custom routing accelerator](about-custom-routing-accelerators.deleting.md)

# Create a custom routing accelerator in Global Accelerator

This section provides steps for how to create a custom routing accelerator on the console. To work with Global Accelerator programmatically, see the [AWS Global Accelerator API Reference](https://docs.aws.amazon.com/global-accelerator/latest/api/Welcome.html).

# To create a custom routing accelerator


1. Open the Global Accelerator console at [https://us-west-2.console.aws.amazon.com/globalaccelerator/home#GlobalAcceleratorHome:](https://us-west-2.console.aws.amazon.com/globalaccelerator/home#GlobalAcceleratorHome:).

1. Choose **Create accelerator**.

1. Provide a name for your accelerator.

1. For **Accelerator type**, select **Custom routing**.

1. Optionally, if you have brought your own IP address range to AWS (BYOIP), you can specify static IP addresses for your accelerator from that address pool. Make this choice for each of the two static IP addresses for your accelerator.
   + For each static IP address, choose the IP address pool to use.
   + If you chose your own IP address pool, also choose a specific IP address from the pool. If you chose the default Amazon IP address pool, Global Accelerator assigns a specific IP address to your accelerator.

1. Optionally, add one or more tags to help you identify your accelerator resources.

1. Choose **Next** to go to the next pages in the wizard to add listeners, endpoint groups, and VPC subnet endpoints.

# Edit a custom routing accelerator in Global Accelerator

This section provides steps for how to update a custom routing accelerator on the console. To work with Global Accelerator programmatically, see the [AWS Global Accelerator API Reference](https://docs.aws.amazon.com/global-accelerator/latest/api/Welcome.html).

# To edit a custom routing accelerator


1. Open the Global Accelerator console at [https://us-west-2.console.aws.amazon.com/globalaccelerator/home#GlobalAcceleratorHome:](https://us-west-2.console.aws.amazon.com/globalaccelerator/home#GlobalAcceleratorHome:).

1. In the list of custom routing accelerators, choose one, and then choose **Edit**.

1. On the **Edit accelerator** page, make any changes that you like. For example, you can disable the accelerator so that you can delete it.

1. Choose **Save**.

# View custom routing accelerators in Global Accelerator

This section provides steps to view information about your custom routing accelerators on the console. To see descriptions of your custom routing accelerators programmatically, see [ListCustomRoutingAccelerator](https://docs.aws.amazon.com/global-accelerator/latest/api/API_ListCustomRoutingAccelerator.html) and [DescribeCustomRoutingAccelerator](https://docs.aws.amazon.com/global-accelerator/latest/api/API_DescribeCustomRoutingAccelerator.html) in the AWS Global Accelerator API Reference.

# To view information about your custom routing accelerators


1. Open the Global Accelerator console at [https://console.aws.amazon.com/globalaccelerator/home](https://console.aws.amazon.com/globalaccelerator/home).

1. To see details about an accelerator, choose an accelerator, and then choose **View**.

# Delete a custom routing accelerator in Global Accelerator

If you created a custom routing accelerator as a test, or if you're no longer using an accelerator, you can delete it. On the console, disable the accelerator, and then you can delete it. You don't have to remove listeners and endpoint groups from the accelerator.

To delete a custom routing accelerator by using an API operation instead of the console, you must first remove all listeners and endpoint groups that are associated with the accelerator, and then disable it. For more information, see the [DeleteAccelerator](https://docs.aws.amazon.com/global-accelerator/latest/api/API_DeleteAccelerator.html) operation in the *AWS Global Accelerator API Reference*.

**Warning**  
When you delete an accelerator, you lose the static IP addresses that are assigned to the accelerator, so that you can no longer route traffic by using them. The static IP addresses cannot be restored.

# To disable a custom routing accelerator


1. Open the Global Accelerator console at [https://us-west-2.console.aws.amazon.com/globalaccelerator/home#GlobalAcceleratorHome:](https://us-west-2.console.aws.amazon.com/globalaccelerator/home#GlobalAcceleratorHome:).

1. In the list, choose an accelerator that you want to disable.

1. Choose **Edit**.

1. Choose **Disable accelerator**, and then choose **Save**.

# To delete a custom routing accelerator


1. Open the Global Accelerator console at [https://us-west-2.console.aws.amazon.com/globalaccelerator/home#GlobalAcceleratorHome:](https://us-west-2.console.aws.amazon.com/globalaccelerator/home#GlobalAcceleratorHome:).

1. In the list, choose an accelerator that you want to delete.

1. Choose **Delete**.

   **Note**  
   If you haven't disabled the accelerator, **Delete** is unavailable. To disable the accelerator, see the previous procedure.

1. In the confirmation dialog box, choose **Delete**.

# Listeners for custom routing accelerators in Global Accelerator

For a custom routing accelerator in AWS Global Accelerator, you configure a listener that specifies a range of listener ports with associated protocols that Global Accelerator maps to specific destination Amazon EC2 instances in your VPC subnet endpoints. When you add a VPC subnet endpoint, Global Accelerator creates a static port mapping between the port ranges that you define for your listener and the destination IP addresses and ports in the subnet. Then you can use the port mapping to specify your accelerator static IP addresses together with a listener port and protocol to direct user traffic to specific destination Amazon EC2 instance IP addresses and ports in your VPC subnet. 

You define a listener when you create your custom routing accelerator, and you can add more listeners at any time. Each listener can have one or more endpoint groups, one for each AWS Region in which you have VPC subnet endpoints. A listener in a custom routing accelerator supports both TCP and UDP protocols. You specify the protocol or protocols for each destination port range that you define: UDP, TCP, or both UDP and TCP.

For more information, see [How custom routing accelerators work in Global Accelerator](about-custom-routing-how-it-works.md).

**Topics**
+ [Add listener](about-custom-routing-listeners.creating-custom-routing-listeners.md)
+ [Edit listener](about-custom-routing-listeners.editing-custom-routing-listeners.md)
+ [Remove listener](about-custom-routing-listeners.removing-custom-routing-listeners.md)

# Add a listener for a custom routing accelerator in Global Accelerator

This section explains how to add a listener for a custom routing accelerator on the AWS Global Accelerator console. To learn about using API operations with AWS Global Accelerator, see the [AWS Global Accelerator API Reference](https://docs.aws.amazon.com/global-accelerator/latest/api/Welcome.html).

# To add a listener for a custom routing accelerator


The range that you specify when you create a listener defines how many listener port and destination IP address combinations you can use with your custom routing accelerator. For maximum flexibility, we recommend that you specify a large port range. Each listener port range that you specify must include a minimum of 16 ports.

**Note**  
After you create a listener, you can edit it to add additional port ranges and associated protocols, but you can't decrease existing port ranges.

1. Open the Global Accelerator console at [https://console.aws.amazon.com/globalaccelerator/home](https://console.aws.amazon.com/globalaccelerator/home).

1. On the **Accelerators** page, choose a custom routing accelerator.

1. Choose **Add listener**.

1. On the **Add listener** page, enter the listener port range that you want to associate with the accelerator. 

   Listeners support ports 1-65535. For maximum flexibility with a custom routing accelerator, we recommend that you specify a large port range.

1. Choose **Add listener**.

# Edit a listener for a custom routing accelerator in Global Accelerator

This section explains how to edit a listener for a custom routing accelerator on the AWS Global Accelerator console. To learn about using API operations with AWS Global Accelerator, see the [AWS Global Accelerator API Reference](https://docs.aws.amazon.com/global-accelerator/latest/api/Welcome.html).

# To edit a listener for a custom routing accelerator


When you edit a listener for a custom routing accelerator, be aware that you can add additional port ranges and associated protocols, increase existing port ranges, or change protocols, but you can't decrease existing port ranges.

1. Open the Global Accelerator console at [https://console.aws.amazon.com/globalaccelerator/home](https://console.aws.amazon.com/globalaccelerator/home).

1. On the **Accelerators** page, choose an accelerator.

1. Choose a listener, and then choose **Edit listener**.

1. On the **Edit listener** page, make the changes that you want to existing port ranges or protocols, or add new port ranges.

   Be aware that you cannot decrease the range of an existing port range.

1. Choose **Save**.

# Remove a listener for a custom routing accelerator in Global Accelerator

This section explains how to remove a listener for a custom routing accelerator on the AWS Global Accelerator console. To learn about using API operations with AWS Global Accelerator, see the [AWS Global Accelerator API Reference](https://docs.aws.amazon.com/global-accelerator/latest/api/Welcome.html).

# To remove a listener


1. Open the Global Accelerator console at [https://console.aws.amazon.com/globalaccelerator/home](https://console.aws.amazon.com/globalaccelerator/home).

1. On the **Accelerators** page, choose an accelerator.

1. Choose a listener, and then choose **Remove**.

1. In the confirmation dialog box, choose **Remove**.

# Endpoint groups for custom routing accelerators in Global Accelerator

With a custom routing accelerator in AWS Global Accelerator, an endpoint group defines the ports and protocols that destination Amazon EC2 instances in your virtual private cloud (VPC) subnets accept traffic on.

You create an endpoint group for your custom routing accelerator for each AWS Region in which your VPC subnets and EC2 instances are located. Each endpoint group in a custom routing accelerator can have multiple VPC subnet endpoints. Similarly, you can add each VPC to multiple endpoint groups, but the endpoint groups must be associated with different listeners.

For each endpoint group, you specify a set of one or more port ranges that include the ports that you want to direct traffic to on the EC2 instances in the Region. For each endpoint group port range, you specify the protocol to use: UDP, TCP, or both UDP and TCP. This provides maximum flexibility for you, without having to duplicate sets of port ranges for each protocol. For example, you might have a game server with gaming traffic running over UDP on ports 8080-8090 while you also have a server listening for chat messages over TCP on port 80.

To learn more, see [How custom routing accelerators work in Global Accelerator](about-custom-routing-how-it-works.md).

**Topics**
+ [Add endpoint group](about-custom-routing-endpoint-groups.create-endpoint-group.md)
+ [Edit endpoint group](about-custom-routing-endpoint-groups.edit-endpoint-group.md)
+ [Remove endpoint group](about-custom-routing-endpoint-groups.remove-endpoint-group.md)

# Add an endpoint group for a custom routing accelerator in Global Accelerator

You work with an endpoint group for your custom routing accelerator on the AWS Global Accelerator console or by using an API operation. You can add or remove VPC subnet endpoints from an endpoint group at any time.

This section explains how to create endpoint groups for your custom routing accelerator on the AWS Global Accelerator console. To learn about using API operations with Global Accelerator, see the [AWS Global Accelerator API Reference](https://docs.aws.amazon.com/global-accelerator/latest/api/Welcome.html).

# To add an endpoint group for a custom routing accelerator


1. Open the Global Accelerator console at [https://us-west-2.console.aws.amazon.com/globalaccelerator/home#GlobalAcceleratorHome:](https://us-west-2.console.aws.amazon.com/globalaccelerator/home#GlobalAcceleratorHome:).

1. On the **Accelerators** page, choose a custom routing accelerator.

1. In the **Listeners** section, for **Listener ID**, choose the ID of the listener that you want to add an endpoint group to.

1. Choose **Add endpoint group**.

1. In the section for a listener, specify a Region for the endpoint group.

1. For **Ports and protocols sets**, enter port ranges and protocols for your Amazon EC2 instances.
   + Enter a **From port** and a **To port** to specify a range of ports.
   + For each port range, specify the protocol or protocols for that range.

   The port range doesn't have to be a subset of your listener port range, but there must be enough total ports in the listener port range to support the total number of ports that you specify for the endpoint groups in your custom routing accelerator.

1. Choose **Save**.

1. Optionally, choose **Add endpoint group** to add additional endpoint groups for this listener. You can also choose another listener and add endpoint groups.

1. Choose **Add endpoint group**.

# Edit an endpoint group for a custom routing accelerator in Global Accelerator

You work with an endpoint group for your custom routing accelerator on the AWS Global Accelerator console or by using an API operation. You can add or remove VPC subnet endpoints from an endpoint group at any time.

This section explains how to edit endpoint groups for your custom routing accelerator on the AWS Global Accelerator console. To learn about using API operations with Global Accelerator, see the [AWS Global Accelerator API Reference](https://docs.aws.amazon.com/global-accelerator/latest/api/Welcome.html).

# To edit an endpoint group for a custom routing accelerator


1. Open the Global Accelerator console at [https://us-west-2.console.aws.amazon.com/globalaccelerator/home#GlobalAcceleratorHome:](https://us-west-2.console.aws.amazon.com/globalaccelerator/home#GlobalAcceleratorHome:).

1. On the **Accelerators** page, choose a custom routing accelerator.

1. In the **Listeners** section, for **Listener ID**, choose the ID of the listener that the endpoint group is associated with.

1. Choose **Edit endpoint group**.

1. On the **Edit endpoint group** page, change the Region, the range of ports, or the protocol for a range of ports.

1. Choose **Save**.

# Remove an endpoint group for a custom routing accelerator in Global Accelerator

You work with an endpoint group for your custom routing accelerator on the AWS Global Accelerator console or by using an API operation.

This section explains how to remove endpoint groups for your custom routing accelerator on the AWS Global Accelerator console. To learn about using API operations with Global Accelerator, see the [AWS Global Accelerator API Reference](https://docs.aws.amazon.com/global-accelerator/latest/api/Welcome.html).

# To remove an endpoint group


1. Open the Global Accelerator console at [https://us-west-2.console.aws.amazon.com/globalaccelerator/home#GlobalAcceleratorHome:](https://us-west-2.console.aws.amazon.com/globalaccelerator/home#GlobalAcceleratorHome:).

1. On the **Accelerators** page, choose an accelerator.

1. In the **Listeners** section, choose a listener, and then choose **Remove**.

1. In the **Endpoint groups** section, choose an endpoint group, and then choose **Remove**.

1. In the confirmation dialog box, choose **Remove**.

# Amazon VPC subnet endpoints for custom routing accelerators in Global Accelerator

Endpoints for custom routing accelerators are Amazon Virtual Private Cloud (VPC) subnets that can receive traffic through an accelerator. Each subnet can contain one or many Amazon EC2 instance destinations. When you add a subnet endpoint, Global Accelerator generates a new port mapping. Then, you can use the Global Accelerator API to get a static list of all the port mappings for the subnet, which you can use to route traffic to destination EC2 instance IP addresses in the subnet. For more information, see [ListCustomRoutingPortMappings](https://docs.aws.amazon.com/global-accelerator/latest/api/API_ListCustomRoutingPortMappings.html).

Be aware of the following when you add VPC subnets and destinations for your custom routing accelerator:
+ You can only direct traffic to EC2 instances in the subnets, not other resources, like load balancers (in contrast to standard accelerators).
+ An EC2 instance destination in a subnet endpoint can't be one of the following types: C1, CC1, CC2, CG1, CG2, CR1, CS1, G1, G2, HI1, HS1, M1, M2, M3, or T1.
+ By default, traffic directed through a custom routing accelerator can't arrive at any destinations in your subnet. To enable destination instances to receive traffic, you must choose to allow all traffic to the subnet or, alternatively, enable traffic to specific instance IP addresses and ports (destination sockets) in the subnet. 
  **Important**  
  Updating a subnet or specific destination to allow or deny traffic takes time to propagate across the internet. To determine if a change has propagated, you can use the `DescribeCustomRoutingAccelerator` API action to check the accelerator status. For more information, see [DescribeCustomRoutingAccelerator](https://docs.aws.amazon.com/global-accelerator/latest/api/API_DescribeCustomRoutingAccelerator.html).
+ Because VPC subnets preserve the client IP address, you should review the relevant security and configuration information when you add subnets as endpoints for custom routing accelerators. For more information, see [Requirements for endpoints with client IP address preservation](about-endpoints.sipp-caveats.md). 
+ When you configure resources as endpoints behind Global Accelerator, we recommend that you don't also send traffic directly to the same endpoints over the internet. Sending direct traffic can lead to connection collision issues.

To learn more, see [How custom routing accelerators work in Global Accelerator](about-custom-routing-how-it-works.md).
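
The following added example (not part of the AWS documentation) audits the output of `ListCustomRoutingPortMappings` against the destination sockets you intend to expose, and builds the lookup table that application logic would use to route a user to an instance. The sample mappings, subnet ID, and IP addresses are constructed; the field names follow the API response shape.

```python
# Constructed sample in the shape of the PortMappings list returned by
# ListCustomRoutingPortMappings; subnet ID and addresses are placeholders.
SAMPLE_PORT_MAPPINGS = [
    {"AcceleratorPort": 10000, "EndpointId": "subnet-EXAMPLE",
     "DestinationSocketAddress": {"IpAddress": "10.0.0.4", "Port": 8080},
     "Protocols": ["UDP"], "DestinationTrafficState": "ALLOW"},
    {"AcceleratorPort": 10001, "EndpointId": "subnet-EXAMPLE",
     "DestinationSocketAddress": {"IpAddress": "10.0.0.4", "Port": 8081},
     "Protocols": ["UDP"], "DestinationTrafficState": "DENY"},
    {"AcceleratorPort": 10011, "EndpointId": "subnet-EXAMPLE",
     "DestinationSocketAddress": {"IpAddress": "10.0.0.5", "Port": 8080},
     "Protocols": ["UDP"], "DestinationTrafficState": "ALLOW"},
    {"AcceleratorPort": 10012, "EndpointId": "subnet-EXAMPLE",
     "DestinationSocketAddress": {"IpAddress": "10.0.0.5", "Port": 80},
     "Protocols": ["TCP"], "DestinationTrafficState": "DENY"},
]


def _socket(mapping):
    """Return the (ip, port) destination socket of one port mapping."""
    addr = mapping["DestinationSocketAddress"]
    return (addr["IpAddress"], addr["Port"])


def audit_port_mappings(mappings, intended):
    """Compare live traffic state with the intended set of (ip, port) sockets."""
    seen = {_socket(m): m["DestinationTrafficState"] for m in mappings}
    allowed = {s for s, state in seen.items() if state == "ALLOW"}
    return {
        # Reachable through the accelerator but not on the intended list.
        "unexpected_allow": sorted(allowed - intended),
        # Intended, mapped, but traffic is still denied (the default).
        "still_denied": sorted(s for s in intended if seen.get(s) == "DENY"),
        # Intended, but no port mapping exists for this socket.
        "not_mapped": sorted(s for s in intended if s not in seen),
    }


def routing_table(mappings):
    """(ip, port) -> accelerator port, for sockets that can receive traffic."""
    return {_socket(m): m["AcceleratorPort"]
            for m in mappings if m["DestinationTrafficState"] == "ALLOW"}


if __name__ == "__main__":
    intended = {("10.0.0.4", 8080), ("10.0.0.5", 80), ("10.0.0.9", 8080)}
    print(audit_port_mappings(SAMPLE_PORT_MAPPINGS, intended))
    print(routing_table(SAMPLE_PORT_MAPPINGS))
```
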

**Topics**
+ [Add an Amazon VPC subnet endpoint](about-custom-routing-endpoints-adding-endpoints.md)
+ [Edit an Amazon VPC subnet endpoint](about-custom-routing-endpoints-editing-endpoints.md)
+ [Remove an Amazon VPC subnet endpoint](about-custom-routing-endpoints-removing-endpoints.md)

# Add a VPC subnet endpoint for a custom routing accelerator

You add Amazon Virtual Private Cloud (VPC) subnet endpoints to endpoint groups in your custom routing accelerators so that you can direct user traffic to destination Amazon EC2 instances in the subnet. 

When you add and remove EC2 instances from the subnet, or enable or disable traffic to EC2 destinations, you change whether those destinations can receive traffic. However, the Global Accelerator port mapping doesn't change.

To allow traffic to some destinations in the subnet, but not all, enter IP addresses for each EC2 instance that you want to allow, along with the ports on the instance that you want to receive traffic. The IP addresses that you specify must be for EC2 instances in the subnet. You can specify a port or range of ports, from the ports that are mapped for the subnet.

You can remove the VPC subnet from your accelerator by removing it from an endpoint group. Removing a subnet doesn't affect the subnet itself, but Global Accelerator can no longer direct traffic to the subnet or to the Amazon EC2 instances in it. In addition, Global Accelerator will reclaim the port mappings for the VPC subnet to potentially use them for new subnets that you add.

The steps in this section explain how to add VPC subnet endpoints on the AWS Global Accelerator console. To learn about using API operations with AWS Global Accelerator, see the [AWS Global Accelerator API Reference](https://docs.aws.amazon.com/global-accelerator/latest/api/Welcome.html).

# To add a VPC subnet endpoint


1. Open the Global Accelerator console at [https://console.aws.amazon.com/globalaccelerator/home](https://console.aws.amazon.com/globalaccelerator/home).

1. On the **Accelerators** page, choose a custom routing accelerator.

1. In the **Listeners** section, for **Listener ID**, choose the ID of a listener.

1. In the **Endpoint groups** section, for **Endpoint group ID**, choose the ID of the endpoint group (AWS Region) that you want to add the VPC subnet endpoint to.

1. In the **Endpoints** section, choose **Add endpoint**.

1. On the **Add endpoints** page, for **Endpoint**, choose a VPC subnet.

   If you don't have any VPCs, there aren't any items in the list. To continue, add at least one VPC, then come back to the steps here, and choose a VPC from the list.

1. For each VPC subnet endpoint that you add, you can choose to allow or deny traffic to all destinations in the subnet, or you can allow traffic to only specific EC2 instances and ports. The default is to deny traffic to all destinations in the subnet.

1. Choose **Add endpoint**.

# Edit a VPC subnet endpoint for a custom routing accelerator

You can edit Amazon Virtual Private Cloud (VPC) subnet endpoints for your custom routing accelerators so that you can change where you direct user traffic to destination Amazon EC2 instances, or allow or deny traffic to all destinations in the subnet. 

When you add and remove EC2 instances from the subnet, or enable or disable traffic to EC2 destinations, you change whether those destinations can receive traffic. However, the Global Accelerator port mapping doesn't change.

The steps in this section explain how to edit VPC subnet endpoints on the AWS Global Accelerator console. To learn about using API operations with AWS Global Accelerator, see the [AWS Global Accelerator API Reference](https://docs.aws.amazon.com/global-accelerator/latest/api/Welcome.html).

# To allow or deny traffic to specific destinations


You can edit the subnet port mapping for a VPC endpoint to allow or deny traffic to specific EC2 instances and ports (destination sockets) in a subnet. 

1. Open the Global Accelerator console at [https://console.aws.amazon.com/globalaccelerator/home](https://console.aws.amazon.com/globalaccelerator/home).

1. On the **Accelerators** page, choose a custom routing accelerator.

1. In the **Listeners** section, for **Listener ID**, choose the ID of a listener.

1. In the **Endpoint groups** section, for **Endpoint group ID**, choose the ID of the endpoint group (AWS Region) of the VPC subnet endpoint that you want to edit.

1. Choose an endpoint subnet, and then choose **View details**.

1. On the **Endpoint** page, under **Port mappings**, choose an IP address, and then choose **Edit**.

1. Enter the ports that you want to enable traffic for, and then choose **Allow these destinations**.
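
The same change made through the API, as an added example that is not part of the AWS documentation: it allows specific destination sockets with `AllowCustomRoutingTraffic` and then polls `DescribeCustomRoutingAccelerator` until the accelerator status shows that the change has propagated. `StubClient` is a constructed stand-in for the boto3 `globalaccelerator` client so the code runs offline, and the helper names, timeout, and interval are assumptions.

```python
import time
from collections import defaultdict


def allow_sockets(client, endpoint_group_arn, subnet_id, sockets):
    """Allow only the given (ip, port) sockets; returns the number of API calls.

    One call is made per instance IP, because a call takes one list of
    addresses and one list of ports rather than per-address pairs."""
    ports_by_ip = defaultdict(set)
    for ip, port in sockets:
        ports_by_ip[ip].add(port)
    for ip, ports in sorted(ports_by_ip.items()):
        client.allow_custom_routing_traffic(
            EndpointGroupArn=endpoint_group_arn,
            EndpointId=subnet_id,
            DestinationAddresses=[ip],
            DestinationPorts=sorted(ports),
            AllowAllTrafficToEndpoint=False,  # keep every other socket denied
        )
    return len(ports_by_ip)


def wait_until_deployed(client, accelerator_arn, timeout=600, interval=15,
                        sleep=time.sleep):
    """Poll the accelerator status; returns the seconds waited."""
    waited = 0
    while True:
        resp = client.describe_custom_routing_accelerator(
            AcceleratorArn=accelerator_arn)
        if resp["Accelerator"]["Status"] == "DEPLOYED":
            return waited
        if waited >= timeout:
            raise TimeoutError("change has not propagated yet")
        sleep(interval)
        waited += interval


class StubClient:
    """Constructed offline stand-in for boto3.client("globalaccelerator",
    region_name="us-west-2"): records calls and replays canned statuses."""

    def __init__(self, statuses):
        self.calls, self._statuses = [], list(statuses)

    def allow_custom_routing_traffic(self, **kwargs):
        self.calls.append(kwargs)

    def describe_custom_routing_accelerator(self, AcceleratorArn):
        return {"Accelerator": {"Status": self._statuses.pop(0)}}
```

Until `wait_until_deployed` returns, treat the newly allowed sockets as not yet reachable and avoid handing their accelerator ports to clients.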

# To allow or deny ALL traffic to a subnet


You can update an endpoint to allow or deny traffic to all destinations in the VPC subnet. 

1. Open the Global Accelerator console at [https://console.aws.amazon.com/globalaccelerator/home](https://console.aws.amazon.com/globalaccelerator/home).

1. On the **Accelerators** page, choose a custom routing accelerator.

1. In the **Listeners** section, for **Listener ID**, choose the ID of a listener.

1. In the **Endpoint groups** section, for **Endpoint group ID**, choose the ID of the endpoint group (AWS Region) of the VPC subnet endpoint that you want to update.

1. Choose **Allow/Deny all traffic**. 

1. Choose an option, to allow all traffic or deny all traffic, and then choose **Save**.

# Remove a VPC subnet endpoint for a custom routing accelerator

You can remove an Amazon Virtual Private Cloud (VPC) subnet endpoint from your custom routing accelerator so that user traffic no longer goes to destination Amazon EC2 instances in the subnet. 

The steps in this section explain how to remove a VPC subnet endpoint on the AWS Global Accelerator console. To learn about using API operations with AWS Global Accelerator, see the [AWS Global Accelerator API Reference](https://docs.aws.amazon.com/global-accelerator/latest/api/Welcome.html).

# To remove an endpoint


1. Open the Global Accelerator console at [https://console.aws.amazon.com/globalaccelerator/home](https://console.aws.amazon.com/globalaccelerator/home).

1. On the **Accelerators** page, choose a custom routing accelerator.

1. In the **Listeners** section, for **Listener ID**, choose the ID of a listener.

1. In the **Endpoint groups** section, for **Endpoint group ID**, choose the ID of the endpoint group (AWS Region) of the VPC subnet endpoint that you want to remove.

1. Choose **Remove endpoint**.

1. In the confirmation dialog box, choose **Remove**.