

# Endpoints for standard accelerators in AWS Global Accelerator

Endpoints for standard accelerators in AWS Global Accelerator can be Network Load Balancers, Application Load Balancers, Amazon EC2 instances, or Elastic IP addresses. In AWS Global Accelerator, static IP addresses serve as a single point of contact for clients, and, with a standard accelerator, Global Accelerator distributes incoming traffic across healthy endpoints. Global Accelerator directs traffic to endpoints by using the port (or port range) that you specify for the listener that the endpoint group for the endpoint belongs to. 

Each endpoint group can have multiple endpoints. You can add each endpoint to multiple endpoint groups, but the endpoint groups must be associated with different listeners. A resource must be valid and active when you add it as an endpoint.

**Important**  
Accelerators that you configure as dual-stack (that is, accelerators that you want to support IPv4 and IPv6) require that you add only endpoints that also support dual-stack. Network Load Balancers, Application Load Balancers, and Amazon EC2 instances can be added as dual-stack endpoints.

Global Accelerator continually monitors the health of all endpoints that are included in a standard endpoint group. It routes traffic only to the active endpoints that are healthy. If Global Accelerator doesn’t have any healthy endpoints to route traffic to, it routes traffic to all endpoints in the AWS Region.

**Topics**
+ [Requirements for resources you add as accelerator endpoints](about-endpoints-caveats.md)
+ [Add a standard endpoint](about-endpoints-adding-endpoints.md)
+ [Edit a standard endpoint](about-endpoints-adding-endpoints-edit.md)
+ [Remove a standard endpoint](about-endpoints-adding-endpoints-remove.md)
+ [How endpoint weights work to manage traffic volume](about-endpoints-endpoint-weights.md)
+ [How failover works for unhealthy endpoints](about-endpoints-endpoint-weights.unhealthy-endpoints.md)
+ [How to avoid connection collisions that result in TCP connection time delays](about-endpoints.avoid-connection-collisions.md)

# Requirements for resources you add as accelerator endpoints

Be aware of the following requirements and limitations for different types of resources that you can add as endpoints for standard accelerators in AWS Global Accelerator. Some requirements apply regardless of the type of resource that you add.

**All resource types**  
+ Before you enable client IP address preservation for an endpoint, there are additional requirements to keep in mind. For more information, see [Transition endpoints with client IP address preservation](about-endpoints.sipp.md).
+ To add an endpoint to a dual-stack accelerator, the endpoint must have client IP address preservation enabled.
+ When you add resources as endpoints behind Global Accelerator, we recommend that you don't also send traffic directly to the same endpoints over the internet. Sending direct traffic can lead to connection collision issues. For more information, see [How to avoid connection collisions that result in TCP connection time delays](about-endpoints.avoid-connection-collisions.md).
+ The resources that you add as endpoints for an accelerator and the accelerator itself must be owned by the same account, unless you configure cross-account support. However, the target instances behind a load balancer endpoint can be owned by different accounts. In this scenario, the accounts that own the target instances must be given permission to access a subnet owned by the account that owns the load balancer and accelerator. For more information, see [Configure cross-account access in Global Accelerator](cross-account-resources.md).
+ Before you terminate or delete a resource that you've added as an endpoint behind an accelerator, we recommend that you remove the endpoint from Global Accelerator endpoint groups. 

**Application Load Balancer endpoints**  
+ An Application Load Balancer endpoint can be internet-facing or internal. 
+ Dual-stack Application Load Balancers can be added as endpoints. 
+ Global Accelerator only supports Application Load Balancers running inside an AWS Region. Global Accelerator does not support an Application Load Balancer running as an endpoint in a Local Zone.

**Network Load Balancer endpoints**  
+ A Network Load Balancer endpoint can be internet-facing or internal.
+ Client IP address preservation is only supported for Network Load Balancers that support security groups.
+ Client IP address preservation is supported for Network Load Balancers with TCP and UDP listeners, but not with TLS termination.
+ Dual-stack Network Load Balancers can be added as endpoints for IPv4 or dual-stack accelerators, but there are a few restrictions: 
  + For IPv4 accelerators, when you add a dual-stack Network Load Balancer, you cannot enable client IP address preservation for the endpoint in Global Accelerator.
  + The Network Load Balancer must support security groups.
+ Global Accelerator only supports Network Load Balancers running inside an AWS Region. Global Accelerator does not support a Network Load Balancer running as an endpoint in a Local Zone.
+ For Network Load Balancer endpoints, we recommend that you disable cross-zone traffic for the load balancers to avoid connection collisions, which can result in increased TCP connection time. For more information, see [How to avoid connection collisions that result in TCP connection time delays](about-endpoints.avoid-connection-collisions.md). 
+ Global Accelerator does not support using shared subnets to target Network Load Balancer endpoints with client IP address preservation.
+ Global Accelerator does not support upgrading to dual-stack an existing IPv4 accelerator with Network Load Balancer endpoints.

  If you plan to update to dual-stack an IPv4 accelerator that has existing traffic towards a Network Load Balancer endpoint, you must first remove the Network Load Balancer endpoint, then update the accelerator. This will result in a period of downtime for the Network Load Balancer, during the update. Then, after the update is complete, you can add the Network Load Balancer endpoint again so that traffic can resume.

**Amazon EC2 instance endpoints**  
+ An EC2 instance endpoint can't be one of the following types: C1, CC1, CC2, CG1, CG2, CR1, CS1, G1, G2, HI1, HS1, M1, M2, M3, or T1.
+ EC2 instances are supported as endpoints in specific AWS Regions. For more information, see [AWS Region availability for AWS Global Accelerator](preserve-client-ip-address.regions.md).

  Global Accelerator only supports EC2 instances inside an AWS Region. Global Accelerator does not support routing to an Elastic IP address as an endpoint in a Local Zone.
+ We recommend that you remove an EC2 instance from Global Accelerator endpoint groups before you terminate the instance. If you terminate an EC2 instance before you remove it from an endpoint group in Global Accelerator, and then you create another instance in the same VPC with the same private IP address, and health checks pass, Global Accelerator will route traffic to the new endpoint. 
+ Dual-stack EC2 instances can be added as endpoints. However, the instances must have a primary IPv6 elastic network interface (ENI) attached to them. For more information, see [Work with network interfaces](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html#working-with-enis) in the Amazon Elastic Compute Cloud User Guide.

**Elastic IP addresses**  
+ Dual-stack Elastic IP addresses cannot be added as endpoints.

# Add a standard endpoint

You add endpoints to endpoint groups so that traffic can be directed to your resources. You can edit a standard endpoint to change the weight for the endpoint. Or you can remove an endpoint from your accelerator by removing it from an endpoint group. Removing an endpoint doesn't affect the endpoint itself, but Global Accelerator can no longer direct traffic to that resource.

You must create a resource first, and then you can add it as an endpoint in Global Accelerator. A resource must be valid and active when you add it as an endpoint. For detailed information about the endpoint types and configurations that Global Accelerator supports, see [Requirements for resources you add as accelerator endpoints](about-endpoints-caveats.md).

One reason that you might add or remove endpoints from endpoint groups is usage. For example, if demand on your application increases, you can create more resources. Then, you can add more endpoints to one or more endpoint groups to handle the increased traffic. Global Accelerator starts routing requests to an endpoint as soon as you add it and the endpoint passes the initial health checks.

You can manage traffic to endpoints by adjusting the weights on an endpoint, to send proportionally more or less traffic to the endpoint. For more information, see [How endpoint weights work to manage traffic volume](about-endpoints-endpoint-weights.md).

Note: if you're considering adding an endpoint with client IP address preservation, first review the information in [Preserve client IP addresses in AWS Global Accelerator](preserve-client-ip-address.md).

This section explains how to add endpoints on the AWS Global Accelerator console. If you want to use API operations with AWS Global Accelerator, see the [AWS Global Accelerator API Reference](https://docs.aws.amazon.com/global-accelerator/latest/api/Welcome.html).

# To add a standard endpoint


1. Open the Global Accelerator console at [https://us-west-2.console.aws.amazon.com/globalaccelerator/home#GlobalAcceleratorHome:](https://us-west-2.console.aws.amazon.com/globalaccelerator/home#GlobalAcceleratorHome:).

1. On the **Accelerators** page, choose an accelerator.

1. In the **Listeners** section, for **Listener ID**, choose the ID of a listener.

1. In the **Endpoint groups** section, for **Endpoint group ID**, choose the ID of the endpoint group that you want to add an endpoint to.

1. Choose **Edit**.

1. In the **Endpoints** section, choose **Add endpoint**.

1. On the **Add endpoints** page, choose a resource from the dropdown list.

   If you don't have any AWS resources, there aren't any items in the list. To continue, create AWS resources such as load balancers, Amazon EC2 instances, or Elastic IP addresses. Then come back to the steps here, and choose a resource from the list.

   **Note**  
   If you have a dual-stack accelerator, you must add a dual-stack endpoint. Network Load Balancers, Application Load Balancers, and Amazon EC2 instances can be added as dual-stack endpoints.

1. Optionally, for **Weight**, enter a number from 0 to 255 to set a weight for routing traffic to this endpoint. When you add weights to endpoints, you configure Global Accelerator to route traffic based on proportions that you specify. By default, all endpoints have a weight of 128. For more information, see [How endpoint weights work to manage traffic volume](about-endpoints-endpoint-weights.md).

1. Optionally, enable client IP address preservation for the endpoint. Under **Preserve client IP address**, select **Preserve address**. For more information, see [Preserve client IP addresses in AWS Global Accelerator](preserve-client-ip-address.md).

   **Note**  
   Before you add and begin to route traffic to endpoints that preserve the client IP address, make sure that all your required security configurations, for example, security groups, are updated to include the user client IP address on allow lists.

1. Choose **Add endpoint**.

# Edit a standard endpoint

This section explains how to edit an endpoint on the AWS Global Accelerator console. If you want to use API operations with AWS Global Accelerator, see the [AWS Global Accelerator API Reference](https://docs.aws.amazon.com/global-accelerator/latest/api/Welcome.html).

# To edit a standard endpoint


You can edit an endpoint configuration to change the weight. For more information, see [How endpoint weights work to manage traffic volume](about-endpoints-endpoint-weights.md).

1. Open the Global Accelerator console at [https://us-west-2.console.aws.amazon.com/globalaccelerator/home#GlobalAcceleratorHome:](https://us-west-2.console.aws.amazon.com/globalaccelerator/home#GlobalAcceleratorHome:).

1. On the **Accelerators** page, choose an accelerator.

1. In the **Listeners** section, for **Listener ID**, choose the ID of a listener.

1. In the **Endpoint groups** section, for **Endpoint group ID**, choose the ID of the endpoint group.

1. Choose **Edit endpoint**.

1. On the **Edit endpoint** page, make updates, and then choose **Save**.

# Remove a standard endpoint

This section explains how to remove an endpoint on the AWS Global Accelerator console. If you want to use API operations with AWS Global Accelerator, see the [AWS Global Accelerator API Reference](https://docs.aws.amazon.com/global-accelerator/latest/api/Welcome.html).

You can remove endpoints from your endpoint groups, for example, if you need to service your endpoints. Removing an endpoint takes it out of the endpoint group, so that it no longer receives traffic through Global Accelerator, but does not affect the endpoint otherwise. Global Accelerator stops directing traffic to an endpoint as soon as you remove it from an endpoint group. The endpoint goes into a state where it waits for all current requests to be completed so there's no interruption for client traffic that is in progress. You can add the endpoint back to the endpoint group when you’re ready for it to resume receiving requests.

Note: Before you terminate or delete a resource that you've added as an endpoint behind an accelerator, we recommend that you remove the endpoint from Global Accelerator endpoint groups. 

**Warning**  
Removing an endpoint immediately stops new connections from being routed to it through Global Accelerator. If the endpoint is the only healthy target receiving traffic for your application, or all other endpoints have a weight of 0, when you remove the endpoint, the endpoint group (Region) might become unavailable. Before you remove an endpoint, verify that alternate healthy endpoints exist and are receiving traffic as expected.

# To remove an endpoint


1. Open the Global Accelerator console at [https://us-west-2.console.aws.amazon.com/globalaccelerator/home#GlobalAcceleratorHome:](https://us-west-2.console.aws.amazon.com/globalaccelerator/home#GlobalAcceleratorHome:).

1. On the **Accelerators** page, choose an accelerator.

1. In the **Listeners** section, for **Listener ID**, choose the ID of a listener.

1. In the **Endpoint groups** section, for **Endpoint group ID**, choose the ID of the endpoint group.

1. Choose **Remove endpoint**.

1. In the confirmation dialog box, choose **Remove**.

# How endpoint weights work to manage traffic volume

Weighted routing lets you choose how much traffic is routed to a specific resource (endpoint) in an endpoint group. This can be useful in several ways, including for load balancing and for testing new versions of your application.

A weight is a value you can set that determines the proportion of traffic that Global Accelerator directs to an endpoint in a standard accelerator. Endpoints can be Network Load Balancers, Application Load Balancers, Amazon EC2 instances, or Elastic IP addresses. Global Accelerator calculates the sum of the weights for the endpoints in an endpoint group, and then directs traffic to the endpoints based on the ratio of each endpoint's weight to the total. By default, the weight for an endpoint is set to 128, which is half of the maximum value of 255.

## How endpoint weights work


To use weights, you assign each endpoint in an endpoint group a relative weight that corresponds with how much traffic that you want to send to it. By default, the weight for an endpoint is 128—that is, half of the maximum value for a weight, 255. Global Accelerator sends traffic to an endpoint based on the weight that you assign to it as a proportion of the total weight for all endpoints in the group:

![\[How relative weights work for endpoints in Global Accelerator\]](http://docs.aws.amazon.com/global-accelerator/latest/dg/images/WRR_calculation.png)


For example, if you want to send a tiny portion of your traffic to one endpoint and the rest to another endpoint, you might specify weights of 1 and 255, respectively. The endpoint with a weight of 1 gets 1/256 of the traffic (1/(1+255)), and the other endpoint gets 255/256 (255/(1+255)). You can gradually change the balance of traffic volume to each endpoint by changing the weights. If you want Global Accelerator to stop sending traffic to an endpoint, you can change the weight for that resource to 0.

Be aware that even when you've set endpoint weights in your accelerator, in specific, limited scenarios, Global Accelerator overrides those weights, to help ensure availability. That is, when Global Accelerator is load balancing traffic across endpoints in an endpoint group, it must, in certain circumstances, choose between preserving availability for client traffic and abiding by endpoint weights. For example, with accelerators where the client IP address is preserved, Global Accelerator might need to override an endpoint weight setting to help avoid connection collisions.

# How failover works for unhealthy endpoints

If there are no healthy endpoints in an endpoint group that have a weight greater than zero, Global Accelerator tries to fail over to a healthy endpoint with a weight greater than zero in another endpoint group. Note that for this failover, Global Accelerator ignores the traffic dial setting. So if, for example, an endpoint group has a traffic dial set to zero, Global Accelerator still includes that endpoint group in the failover attempt.

If Global Accelerator doesn't find a healthy endpoint with a weight greater than zero after trying the three closest endpoint groups (that is, AWS Regions), it routes traffic to a random endpoint in the endpoint group that is closest to the client. That is, it *fails open*.

Note the following:
+ The endpoint group chosen for failover might be one that has a traffic dial set to zero.
+ The nearest endpoint group might not be the original endpoint group. This is because Global Accelerator considers account traffic dial settings when it chooses the original endpoint group.

For example, let's say your configuration has two endpoints, one healthy and one unhealthy, and you've set the weight for each of them to be greater than zero. In this case, Global Accelerator routes traffic to the healthy endpoint. However, now say you set the weight of the only healthy endpoint to zero. Global Accelerator then tries three additional endpoint groups to find a healthy endpoint with a weight greater than zero. If it doesn't find one, Global Accelerator routes traffic to a random endpoint in the endpoint group that is closest to the client.

When recovery occurs, that is, Regions are healthy again, Global Accelerator returns to regular routing behavior. This means that, typically, routing will start back to healthy endpoints with traffic dials that aren't set to zero in about 30 seconds or so. However, note that established active connections are not moved. They continue to route to the zero weight Region until the connection is reset by the client or the server, or until the client makes a new connection.
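The weight and failover rules described above can be traced with a small model. This is an added example, not AWS code or the service's implementation: the class names, the `route` function, and the reading of "the three closest endpoint groups" as the first three entries of a nearest-first list are assumptions, and the traffic dial is simplified to "zero or not zero".

```python
import random
from dataclasses import dataclass

@dataclass
class Endpoint:
    name: str
    weight: int = 128        # page default; valid range is 0-255
    healthy: bool = True

@dataclass
class EndpointGroup:
    region: str
    endpoints: list
    traffic_dial: int = 100  # considered for normal routing, ignored for failover

def eligible(group):
    """Healthy endpoints with a weight greater than zero."""
    return [e for e in group.endpoints if e.healthy and e.weight > 0]

def traffic_shares(group):
    """weight / sum(weights), computed over eligible endpoints (assumption)."""
    pool = eligible(group)
    total = sum(e.weight for e in pool)
    return {e.name: e.weight / total for e in pool}

def _pick(group, mode, rng):
    pool = eligible(group)
    chosen = rng.choices(pool, weights=[e.weight for e in pool])[0]
    return group.region, chosen.name, mode

def route(groups, rng=random, max_groups=3):
    """groups is ordered nearest-first. Returns (region, endpoint, mode)."""
    # Normal routing: the original group is the nearest one whose dial is not 0.
    original = next((g for g in groups if g.traffic_dial > 0), None)
    if original is not None and eligible(original):
        return _pick(original, "normal", rng)
    # Failover: try the closest groups, ignoring the traffic dial.
    for group in groups[:max_groups]:
        if eligible(group):
            return _pick(group, "failover", rng)
    # Fail open: a random endpoint in the closest group, whatever its
    # health, weight, or the group's traffic dial.
    closest = groups[0]
    return closest.region, rng.choice(closest.endpoints).name, "fail-open"

if __name__ == "__main__":
    # Constructed sample: the only healthy endpoint has been set to weight 0.
    near = EndpointGroup("us-east-1", [Endpoint("drained", weight=0),
                                       Endpoint("broken", healthy=False)])
    far = EndpointGroup("eu-west-1", [Endpoint("standby")], traffic_dial=0)
    print(route([near, far]))   # failover lands in the dial-0 group
    print(route([near]))        # nothing eligible anywhere: fail-open
```

The model makes the operational consequence visible: a weight of 0 or a traffic dial of 0 reduces traffic under normal routing but does not guarantee that an endpoint receives none, so access restrictions on an endpoint belong in security groups or the resource itself.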

# How to avoid connection collisions that result in TCP connection time delays

Intermittent connectivity issues can be caused by connection collisions in AWS Global Accelerator. These can occur when users (with the same source IP and source port) access resources in Global Accelerator in certain scenarios. The collisions can result in TCP connection time delays for traffic that goes through your accelerators.

You can avoid these delays by configuring your accelerators with *port overrides*, a feature in Global Accelerator that enables you to route incoming traffic to different destination ports on your accelerator endpoints. Follow the guidance in this section to learn how to use port overrides to prevent connection collisions and avoid potential TCP connection time delays.

## Scenarios that can cause connection collisions


There are three scenarios in Global Accelerator that can lead to connection collisions, and thus to TCP connection time delays:
+ You configure the same resource as an endpoint with multiple accelerators.
+ You configure resources as endpoints behind Global Accelerator, and you also send traffic directly over the internet from your end users to the same resources.
+ You configure Network Load Balancer endpoints for cross-zone traffic.

For Network Load Balancer endpoints, we recommend that you disable cross-zone traffic for the load balancers to avoid connection collisions. For more information, see [TCP Connection Delays](https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-troubleshooting.html#tcp-delays) in the *User Guide for Network Load Balancers*.

For the other scenarios, we recommend that you use the port override feature with the endpoint group to prevent collisions. Using port overrides, you can map Global Accelerator listener ports to different destination port numbers on an endpoint resource. Listener ports default to using the same port numbers on endpoint resources. By using port overrides, accelerators can route traffic from the same users (with the same source IP and source port) to the same endpoint, but use different destination port numbers, which avoids collisions.

The next section provides specific examples for each of the scenarios of how you can configure port overrides to avoid connection collisions. For more information about configuring port overrides, see [Override listener ports for restricted ports or connection collisions](about-endpoint-groups-port-override.md).

## How to prevent connection collisions by using port overrides


By default, an accelerator routes user traffic to endpoints in AWS Regions using the same protocol and the same destination port ranges that you specify when you create a listener. However, you can optionally choose to override the port number mapping for the listener port. That is, you can map a listener port number to route traffic to a different destination port number on an endpoint.

For example, if you define a listener that accepts TCP traffic on ports 80 and 443, by default, the accelerator routes traffic to those same ports, 80 and 443, on endpoints. However, using the port override feature, the accelerator can route traffic coming in on those ports to different ports on endpoints, such as 8080 and 8443.

By creating different port mappings for listeners in two (or more) accelerators that have the same resources configured behind them, you can use separate destination port numbers for each accelerator and avoid collisions.

For example, say you have Accelerator-A and Accelerator-B, and each one has a listener configured for TCP and port 443. You can set up a port override for the listener for Accelerator-A to map port 443 to 8443, and the listener for Accelerator-B to map port 443 to 9443. Now you configure an Application Load Balancer endpoint, ALB-1234, for example, to listen on both ports 8443 and 9443. Then traffic coming in on port 443 (to the listeners for both accelerators) from the same user IP address will arrive at ALB-1234, without connection collisions or TCP connection time delays. 

You can see the traffic paths for this example illustrated in the following:

`Accelerator-A [listener: tcp,443] → Endpoint-Group [port-override: 443→8443] → ALB-1234 (listener: HTTPS,8443)`

`Accelerator-B [listener: tcp,443] → Endpoint-Group [port-override: 443→9443] → ALB-1234 (listener: HTTPS,9443) `

You can use a port override in a similar way to prevent connection collisions for resources that are accessed by both direct user traffic and through an accelerator by overriding the default mapping for the accelerator's listener port number. To prevent collisions in this scenario, do the following:

1. Determine the port that you want the resource to listen on for your direct traffic. 

1. Configure the listener for your accelerator to override the default port, and configure the listener on your resource to listen on that port for accelerator traffic.

For example, you could set up a port override for the listener for your accelerator to map port 443 to port 8443. Now, you could configure an Application Load Balancer endpoint, for example, to listen for your accelerator traffic on port 8443 and for direct traffic on port 443. With this configuration, you avoid connection collisions on the Application Load Balancer for traffic coming from the same user IP address.
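The following added example (not part of the AWS documentation) audits a configuration inventory for the first two collision scenarios: it reports every endpoint destination port reached by more than one accelerator, or by an accelerator and direct traffic. The field names `PortRanges`, `PortOverrides`, `ListenerPort`, `EndpointPort` and `EndpointId` follow the Global Accelerator API; the nested dictionary layout, the `Name` key, the helper names, and the sample data are constructed for illustration.

```python
from collections import defaultdict

def destination_ports(listener, endpoint_group):
    """Expand the listener's port ranges and apply the group's port overrides."""
    overrides = {o["ListenerPort"]: o["EndpointPort"]
                 for o in endpoint_group.get("PortOverrides", [])}
    ports = set()
    for rng in listener["PortRanges"]:
        for port in range(rng["FromPort"], rng["ToPort"] + 1):
            ports.add(overrides.get(port, port))  # default: same port number
    return ports

def find_collisions(accelerators, direct_traffic=()):
    """Return {(endpoint_id, protocol, port): [sources]} where sources > 1.

    direct_traffic is an iterable of (endpoint_id, protocol, port) tuples for
    ports that clients also reach over the internet without an accelerator.
    """
    reach = defaultdict(set)
    for acc in accelerators:
        for listener in acc["Listeners"]:
            for group in listener["EndpointGroups"]:
                ports = destination_ports(listener, group)
                for endpoint in group["EndpointConfigurations"]:
                    for port in ports:
                        key = (endpoint["EndpointId"], listener["Protocol"], port)
                        reach[key].add(acc["Name"])
    for endpoint_id, protocol, port in direct_traffic:
        reach[(endpoint_id, protocol, port)].add("direct")
    return {k: sorted(v) for k, v in reach.items() if len(v) > 1}

def sample_accelerator(name, endpoint_id, overrides=()):
    """Constructed sample: one TCP/443 listener with a single endpoint group."""
    return {"Name": name, "Listeners": [{
        "Protocol": "TCP",
        "PortRanges": [{"FromPort": 443, "ToPort": 443}],
        "EndpointGroups": [{
            "PortOverrides": [{"ListenerPort": lp, "EndpointPort": ep}
                              for lp, ep in overrides],
            "EndpointConfigurations": [{"EndpointId": endpoint_id}],
        }],
    }]}

if __name__ == "__main__":
    # Both accelerators send 443 straight through to ALB-1234: collision-prone.
    before = [sample_accelerator("Accelerator-A", "ALB-1234"),
              sample_accelerator("Accelerator-B", "ALB-1234")]
    print(find_collisions(before))
    # The page's fix: map 443 to 8443 and 9443 respectively.
    after = [sample_accelerator("Accelerator-A", "ALB-1234", [(443, 8443)]),
             sample_accelerator("Accelerator-B", "ALB-1234", [(443, 9443)])]
    print(find_collisions(after, direct_traffic=[("ALB-1234", "TCP", 443)]))
```

Running the check against an exported inventory before adding a shared endpoint shows whether a new accelerator or a directly exposed port needs its own override.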