This post was originally published in Japanese in the past.

Table of Contents

1. 1. Introduction
2. 2. What is AWS Global Accelerator?
3. 3. Attaching to ALB
4. 4. Testing results
5. 5. Conclusion

1. Introduction

On August 28th, 2019, AWS announced that AWS Global Accelerator Now Supports Client IP Address Preservation for Application Load Balancer Endpoints.
In this post, we tested if IP filtering feature works on WAF by attaching GA (Global Accelerator) to ALB (Application Load Balancer).

2. What is AWS Global Accelerator?

It is a service that improves the performance and availability of applications for users all over the world. It provides static IP addresses that act as fixed entry points for single or multiple AWS regions' application endpoints such as Application Load Balancer, Network Load Balancer, and Amazon EC2. It improves TCP and UDP traffic performance by using AWS Global Network to optimize paths from users to applications. AWS Global Accelerator continuously monitors the condition of application endpoints, detects abnormal endpoints, and redirects traffic to functioning endpoints within a minute.

You can update endpoints without users changing anything and improvements in performance can be expected from optimization.
Such features could be in demand in services that can be influenced by latencies or disaster countermeasures.

Refer to the documents below for the official information.

AWS Global Accelerator
AWS Global Accelerator features

3. Attaching to ALB

First, let's create AWS Global Accelerator.
Click the [Create Accelerator] button.

Enter a name and select IPv4 under the IP address type.

Next, select port and protocol.
In this test, we will set them as below.

• Port: 80, 443
• Protocol: TCP
• Client affinity: Default

In the endpoint groups, we will choose Tokyo region since the ALB we will be attaching to is in Tokyo region. Other options will be set to default.

For the endpoint, we've decided to use the existing ALB. Select Application Load Balancer for [Endpoint type] and choose the existing ALB for the [Endpoint].
The [Preserve client IP] is checked by default, which is the key feature to store client IP.

Configuration is complete.

4. Testing results

Let's compare recent direct access to ALB and access from AWS Global Accelerator in the ALB's access log. ALB will be accessed via FQDN and AWS Global Accelerator will be accessed via IP address.

Results

Access to AWS Global Accelerator IP address

Access to ALB's FQDN

Since both accesses are logged in the ALB's access log, we can see that access from AWS Global Accelerator can reach the ALB.

Next, we create a rule to block the client IP address "153.156.XXX.XXX" and apply WAF to ALB.
*Refer to the blog post below on how to create a rule on WAF.
Block Attacks from Specific IP Addresses in AWS WAF

Results

Access to AWS Global Accelerator IP address

Access to ALB's FQDN

We can see that the requests were blocked by WAF.

Below is the result of another AWS Global Accelerator without preservation of client IP address. The requester IP address was listed as reserved IP address from AWS Global Accelerator, meaning that the IP address filter was not applied and the access was deemed normal.
*Existing AWS Global Accelerator endpoint setting did not have a menut to edit "Preserve client IP" option, so we configured another AWS Global Accelerator and attached it to the same ALB.
*IP addresses are masked, but the accessed IP address of AWS Global Accelerator (the part colored in red) is different, but the client IP addresses is the same.

If client IP address is not preserved

If client IP address is preserved

5. Conclusion

Because client IP address can be preserved, you can apply AWS Global Accelerator to a ALB that has been attached to AWS WAF.