Networking & Content Delivery
Announcing cross-account support for AWS Global Accelerator
AWS Global Accelerator now offers cross-account support that lets you use a single accelerator to route traffic across multiple AWS accounts. With cross-account support for AWS Global Accelerator, you can select application endpoints behind a single accelerator, even when the endpoints are located in different AWS accounts. In this blog, learn the benefits of using cross-account, and go through a step-by-step guide to enabling this feature in your account.
Global Accelerator is a networking service that improves performance and availability for your application users by sending traffic over the AWS global network infrastructure. If your application uses resources from different AWS accounts, you can gain the benefits of Global Accelerator without creating extra accelerators.
Previously, if you wanted your accelerator to route traffic to endpoints in multiple AWS accounts, for security, administrative, or availability reasons, you couldn’t do so with a single accelerator. The accelerator and the endpoint had to be in the same account. Now, by using cross-account, you can easily enable resources from multiple AWS accounts to be added as endpoints in a single accelerator.
The following scenarios provide examples of the benefits you can gain from using the cross-account feature:
- If you have a multi-account strategy for active-active or active-passive design purposes, cross-account provides you with a path to route traffic between AWS accounts. Cross-account helps you move traffic between these AWS accounts seamlessly, helping you achieve your resiliency objectives. Note that you must take steps to set up this feature in Global Accelerator before you can add cross-account resources.
- If you’re a large enterprise customer and you have account tied to functional roles, such as Network Analysts and Security Architects, you might have multiple accelerators to support different departments. Cross-account allows you to apply limits to the number of employees who are allowed to make network level changes, thereby improving the manageability of resources.
How to setup cross-account support in Global Accelerator?
In Global Accelerator, resource owners control whether their resources are shared with accelerators owned by other AWS accounts. To enable resource sharing, you use Global Accelerator cross-account attachments to authorize resources in other AWS accounts to be added to an accelerator. You create the cross-account attachment in Global Accelerator. The attachment lists the resources that you want to share, and the principals—other AWS accounts or specific accelerator Amazon Resource Names (ARNs) that are authorized to add the resources as endpoints. Then, when an AWS user signs in to AWS with the account that is listed in the attachment, or is the owner of a specified accelerator, they can add any of the listed resources as endpoints. In this section, we walk you through a specific example of how this works.
For the example, we assume that you already have an Application Load Balancer (ALB) backend, with Amazon Elastic Compute Cloud (Amazon EC2) instance targets, in the your account, Account-2, with the account number 2222222222(Account-2 in the figure). We also have an accelerator owner, with the account number 1111111111 (Account-1 in the figure) who wants to add your ALB as an endpoint for an accelerator.
In the configuration shown in the preceding figure, end users can communicate with an EC2 instance behind the ALB resource owned by Account-2 by accessing the global static IP address provided with the accelerator owned by Account-1.
To set up this configuration by using the cross-account feature, start by creating a cross-account attachment in Global Accelerator. This unique approach enables AWS Global Accelerator Service to offer cross-account functionality by using a new resource cross-account attachment. This eliminates the need for configuring AWS Identity and Access Management (IAM).
Create a cross-account attachment
You create the cross-account attachment in AWS Global Accelerator, and sign in to AWS as Account-2. Account-2 is the account with the resource that you want to add to an accelerator in another account.
When signed in as Account-2, run an AWS Command Line Interface (AWS CLI) command to create a cross-account attachment. When you create the attachment, you specify the principals to which you want to provide access, as well as the resources that you want principals to be able to add to accelerators.
aws globalaccelerator create-cross-account-attachment --name gacross --principals 1111111111 --resources EndpointId=arn:aws:elasticloadbalancing:us-east-2:2222222222:loadbalancer/app/agaloadbalancer/d245aaa82430032e --region us-west-2
{
"CrossAccountAttachment": {
"Name": "gacross",
"AttachmentArn": "arn:aws:globalaccelerator::2222222222:attachment/99ee9b3c-1335-4df7-baa0-70f2f6497836",
"CreatedTime": 1689550359.0,
"LastModifiedTime": 1689550359.0,
"Principals": [
"1111111111"
],
"Resources": [
{
"EndpointId": "arn:aws:elasticloadbalancing:us-east-2:2222222222:loadbalancer/app/agaloadbalancer/d245aaa82430032e"
}
]
}
}
Now that you’ve created the cross-account attachment, the accelerator owner – listed in the attachment as a principal – can add your resource. To do that, use the standard Global Accelerator APIs to create or update accelerators, or add endpoints.
For example, someone can log in to Account-1, which is an authorized principal in the cross-account attachment, and create an accelerator with your ALB resource as an endpoint. The following steps walk through this example.
1. As the Account-1 owner, create an accelerator with an AWS CLI command like the following:
aws globalaccelerator create-accelerator --name gaowner --region us-west-2
{
"Accelerator": {
"AcceleratorArn": "arn:aws:globalaccelerator::1111111111:accelerator/2bd6c105-f161-4f92-9922-e0a496548d8d",
"Name": "gaowner",
"IpAddressType": "IPV4",
"Enabled": true,
"IpSets": [
{
"IpFamily": "IPv4",
"IpAddresses": [
"15.197.176.3",
"3.33.187.254"
],
"IpAddressFamily": "IPv4"
}
],
"DnsName": "af2a1701714329835.awsglobalaccelerator.com",
"Status": "IN_PROGRESS",
"CreatedTime": "2023-07-17T17:56:50+00:00",
"LastModifiedTime": "2023-07-17T17:56:51+00:00"
}
}
2. As the Account-1 owner, create a listener for the accelerator with a command like the following:
aws globalaccelerator create-listener --accelerator-arn arn:aws:globalaccelerator::1111111111:accelerator/2bd6c105-f161-4f92-9922-e0a496548d8d --port-ranges FromPort=80,ToPort=80 --protocol TCP --region us-west-2
{
"Listener": {
"ListenerArn": "arn:aws:globalaccelerator::1111111111:accelerator/2bd6c105-f161-4f92-9922-e0a496548d8d/listener/756a4dca",
"PortRanges": [
{
"FromPort": 80,
"ToPort": 80
}
],
"Protocol": "TCP",
"ClientAffinity": "NONE"
}
}
3. As the Account-1 owner, create an endpoint group in the AWS Region where your ALB resource is located. For example, you could use a command like the following:
aws globalaccelerator create-endpoint-group --listener-arn arn:aws:globalaccelerator::1111111111:accelerator/2bd6c105-f161-4f92-9922-e0a496548d8d/listener/756a4dca --endpoint-group-region us-east-2 --region us-west-2
{
"EndpointGroup": {
"EndpointGroupArn": "arn:aws:globalaccelerator::1111111111:accelerator/2bd6c105-f161-4f92-9922-e0a496548d8d/listener/756a4dca/endpoint-group/1eb69ce54300",
"EndpointGroupRegion": "us-east-2",
"EndpointDescriptions": [],
"TrafficDialPercentage": 100.0,
"HealthCheckPort": 80,
"HealthCheckProtocol": "TCP",
"HealthCheckIntervalSeconds": 30,
"ThresholdCount": 3
}
}
4. As the Account-1 owner, add an endpoint to the endpoint group. For example, you could use a command like the following:
aws globalaccelerator add-endpoints --endpoint-group-arn arn:aws:globalaccelerator::1111111111:accelerator/2bd6c105-f161-4f92-9922-e0a496548d8d/listener/756a4dca/endpoint-group/1eb69ce54300 --endpoint-configurations EndpointId=arn:aws:elasticloadbalancing:us-east-2:2222222222:loadbalancer/app/agaloadbalancer/d245aaa82430032e,Weight=100,ClientIPPreservationEnabled=false,AttachmentArn=arn:aws:globalaccelerator::2222222222:attachment/99ee9b3c-1335-4df7-baa0-70f2f6497836 --region us-west-2
{
"EndpointDescriptions": [
{
"EndpointId": "arn:aws:elasticloadbalancing:us-east-2:2222222222:loadbalancer/app/agaloadbalancer/d245aaa82430032e",
"Weight": 100,
"ClientIPPreservationEnabled": false
}
],
"EndpointGroupArn": "arn:aws:globalaccelerator::1111111111:accelerator/2bd6c105-f161-4f92-9922-e0a496548d8d/listener/756a4dca/endpoint-group/1eb69ce54300"
}
Now, end users can access an ALB endpoint, in account 2222222222 by using the global IP addresses for this accelerator, owned by account 1111111111.
Conclusion
In this post, you learned about some of the benefits of using cross-account support for Global Accelerator, and how to set up cross-account. You can get started by creating a cross-account attachment, and then the authorized principals can add the resources that you’ve specified to an accelerator. Learn more about cross-account access and how to use Global Accelerator by visiting the webpage.