# DNS addressing and custom domains in AWS Global Accelerator
This chapter explains how AWS Global Accelerator does DNS routing and includes information about using a custom domain with Global Accelerator. It also includes the steps for configuring bring your own IP (BYOIP) addresses to use with accelerators in Global Accelerator.
+ **DNS addressing**: When you create an accelerator, Global Accelerator assigns a default Domain Name System (DNS) name to your accelerator.
+ **Custom domain name**: You can configure DNS to use your custom domain name (such as `www.example.com`) with your accelerator, instead of using the assigned static IP addresses or the default DNS name.
+ **BYOIP IP addresses**: You can bring your own IP addresses to AWS to add to an accelerator instead of, or together with, the static IP addresses that Global Accelerator assigns to you.
**Topics**
+ [Support for DNS addressing](dns-addressing-custom-domains.dns-addressing.md)
+ [Route custom domain traffic to your accelerator](dns-addressing-custom-domains.mapping-your-custom-domain.md)
+ [Bring your own IP addresses](using-byoip.md)
# Support for DNS addressing in AWS Global Accelerator
When you create an accelerator with an IPv4 IP address type, Global Accelerator provisions two static IPv4 addresses for you. It also assigns a default Domain Name System (DNS) name to your accelerator, similar to `a1234567890abcdef.awsglobalaccelerator.com`, that points to the static IP addresses.
For accelerators with dual-stack IP address types, Global Accelerator provides a total of four addresses: two static IPv4 addresses and two static IPv6 addresses. Global Accelerator creates a new DNS name that points to both the A record and the AAAA record that points to all four IP addresses. The new DNS record enables Global Accelerator to upgrade an accelerator to dual-stack without affecting clients that currently reference the original DNS record that is not dual-stack. An example DNS name for an accelerator with dual-stack IP addresses is the following: `a1234567890abcdef.dualstack.awsglobalaccelerator.com`
The static addresses are advertised globally using anycast from the AWS edge network to your endpoints. You can use your accelerator's static addresses or DNS name to route traffic to your accelerator. DNS servers and DNS resolvers use the [round-robin DNS](https://en.wikipedia.org/wiki/Round-robin_DNS) process to resolve the DNS name for an accelerator, so the name resolves to the static IP addresses for the accelerator, returned by Amazon Route 53 in random order. Clients typically use the first IP address that is returned.
**Note**
For each IPv4 and IPv6 address associated with your accelerator, Global Accelerator creates a Pointer (PTR) record that maps an accelerator’s static IP address to the corresponding DNS name generated by Global Accelerator, to support reverse DNS lookup. This is also known as a reverse hosted zone. Be aware that the DNS name that Global Accelerator generates for you isn't configurable, and you can't create PTR records that point to your custom domain name. Global Accelerator also does not create PTR records for static IP addresses from an IP address range that you bring to AWS (BYOIP).
# Route custom domain traffic to your accelerator
In most scenarios, you can configure DNS to use your custom domain name (such as `www.example.com`) with your accelerator, instead of using the assigned static IP addresses or the default DNS name. First, using Amazon Route 53 or another DNS provider, create a domain name, and then add or update DNS records with your Global Accelerator IP addresses. Or you can associate your custom domain name with the DNS name for your accelerator. Complete the DNS configuration and wait for the changes to propagate over the internet. Now when a client makes a request using your custom domain name, the DNS server resolves it to the IP addresses, in random order, or to the DNS name for your accelerator.
To use your custom domain name with Global Accelerator when you use Route 53 as your DNS service, you create an alias record that points your custom domain name to the DNS name assigned to your accelerator. An alias record is a Route 53 extension to DNS. It's similar to a CNAME record, but you can create an alias record both for the root domain, such as `example.com`, and for subdomains, such as `www.example.com`. For more information, see [ Choosing Between Alias and Non-Alias Records](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resource-record-sets-choosing-alias-non-alias.html) in the Amazon Route 53 Developer Guide.
To set up Route 53 with an alias record for an accelerator, follow the guidance included in the *Value/route traffic to* section in the [ Values that are common for alias records for all routing policies](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resource-record-sets-values-alias-common.html#rrsets-values-alias-common-target) in the Amazon Route 53 Developer Guide. To see the information for Global Accelerator, scroll down to "AWS Global Accelerator accelerators".
# Bring your own IP addresses (BYOIP) in Global Accelerator
You can bring part or all of your public IPv4 address ranges from your on-premises network to your AWS account to use with AWS Global Accelerator. You continue to own the address ranges, but AWS advertises them on the internet. BYOIP with IPv6 is not supported at this time.
Global Accelerator uses static IP addresses as entry points for your accelerators. These IP addresses are anycast from AWS edge locations. By default, Global Accelerator provides static IP addresses from the [Amazon IP address pool](https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html). Instead of using the IP addresses that Global Accelerator provides, you can configure these entry points to be IPv4 addresses from your own address ranges. This topic explains how to use your own IP address ranges with Global Accelerator.
You can't use the IP addresses that you bring to AWS for one AWS service with another service. The steps in this chapter describe how to bring your own IP address range for use in AWS Global Accelerator only. For steps to bring your own IP address range for use in Amazon EC2, see [Bring your own IP addresses (BYOIP)](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-byoip.html) in the Amazon EC2 User Guide.
**Important**
You must stop advertising your IP address range from other locations before you advertise it through AWS. If an IP address range is multihomed (that is, the range is advertised by multiple service providers at the same time), we can't guarantee that traffic to the address range will enter our network or that your BYOIP advertising workflow will complete successfully.
After you bring an address range to AWS, it appears in your account as an address pool. When you create an accelerator, you can assign one IP address from your range to it. Global Accelerator assigns you a second static IP address from an Amazon IP address range. If you bring two IP address ranges to AWS, you can assign one IP address from each range to your accelerator. This restriction is because Global Accelerator assigns each address range to a different network zone, for high availability.
To use your own IP address range with Global Accelerator, review the requirements, and then follow the steps provided in this topic.
**Topics**
+ [Requirements](using-byoip.requirements.md)
+ [Prepare to bring your IP address range to your AWS account: Authorization](using-byoip.prepare.md)
+ [Provision the address range for use with Global Accelerator](using-byoip.provision.md)
+ [Advertise the address range through AWS](using-byoip.advertise.md)
+ [Deprovision the address range](using-byoip.deprovision.md)
+ [Use your BYOIP address with an accelerator in Global Accelerator](using-byoip.create-accelerator.md)
+ [Update an accelerator to change your IP addresses](using-byoip.update-accelerator.md)
# Requirements
You can bring up to two qualifying IP address ranges to AWS Global Accelerator per AWS account.
To qualify, your IP address range must meet the following requirements:
+ The IP address range must be registered with one of the following regional internet registries (RIRs): the American Registry for Internet Numbers (ARIN), Réseaux IP Européens Network Coordination Centre (RIPE), or Asia-Pacific Network Information Centre (APNIC). The address range must be registered to a business or institutional entity. It can’t be registered to an individual.
+ The only address range that you can bring is /24. The first 24 bits of the IP address specify the network number. For example, 198.51.100 is the network number for IP address 198.51.100.0.
+ The IP addresses in the address range must have a clean history. That is, they can’t have a poor reputation or be associated with malicious behavior. We reserve the right to reject the IP address range if we investigate the reputation of the IP address range and find that it contains an IP address that doesn’t have a clean history.
Also, we require the following allocation and assignment network types or statuses, depending on where you registered your IP address range:
+ ARIN: `Direct Allocation` and `Direct Assignment` network types
+ RIPE: `ALLOCATED PA`, `LEGACY`, and `ASSIGNED PI` allocation statuses
+ APNIC: `ALLOCATED PORTABLE` and `ASSIGNED PORTABLE` allocation statuses
# Prepare to bring your IP address range to your AWS account: Authorization
To ensure that only you can bring your IP address space to Amazon, we require two authorizations:
+ You must authorize Amazon to advertise the IP address range.
+ You must provide proof that you own the IP address range and so have the authority to bring it to AWS.
**Note**
When you use BYOIP to bring an IP address range to AWS, you can't transfer ownership of that address range to a different account or company while we're advertising it. You also can't directly transfer an IP address range from one AWS account to another account. To transfer ownership or to transfer between AWS accounts, you must deprovision the address range, and then the new owner must follow the steps to add the address range to their AWS account.
To authorize Amazon to advertise the IP address range, you provide Amazon with a signed authorization message. Use a Route Origin Authorization (ROA) to provide this authorization. A ROA is a cryptographic statement about your route announcements that you create through your Regional Internet Registry (RIR). A ROA contains the IP address range, the Autonomous System Numbers (ASN) that are allowed to advertise the IP address range, and an expiration date. The ROA authorizes Amazon to advertise an IP address range under a specific Autonomous System (AS).
A ROA does not authorize your AWS account to bring the IP address range to AWS. To provide this authorization, you must publish a self-signed X.509 certificate in the Registry Data Access Protocol (RDAP) remarks for the IP address range. The certificate contains a public key, which AWS uses to verify the authorization-context signature that you provide. Keep your private key secure and use it to sign the authorization-context message.
The following sections provide detailed steps for completing these authorization tasks. The commands in these steps are supported on Linux. If you use Windows, you can access the [Windows Subsystem for Linux](https://docs.microsoft.com/en-us/windows/wsl/about) to run Linux commands.
## Steps to provide authorization
+ [Step 1: Create a ROA object](#using-byoip.prepare-steps-1)
+ [Step 2: Create a self-signed X.509 certificate](#using-byoip.prepare-steps-2)
+ [Step 3: Create a signed authorization message](#using-byoip.prepare-steps-3)
## Step 1: Create a ROA object
Create a ROA object to authorize Amazon ASN 16509 to advertise your IP address range as well as the ASNs that are currently authorized to advertise the IP address range. The ROA must contain the /24 IP address that you want to bring to AWS and you must set the maximum length to /24.
For more information about creating a ROA request, see the following sections, depending on where you registered your IP address range:
+ ARIN: [ROA Requests ](https://www.arin.net/resources/rpki/roarequest.html)
+ RIPE: [ Managing ROAs](https://www.ripe.net/manage-ips-and-asns/resource-management/certification/resource-certification-roa-management)
+ APNIC: [ Route Management](https://www.apnic.net/wp-content/uploads/2017/01/route-roa-management-guide.pdf)
## Step 2: Create a self-signed X.509 certificate
Create a key pair and a self-signed X.509 certificate, and then add the certificate to the RDAP record for your RIR. The following steps describe how to perform these tasks.
**Note**
The `openssl` commands in these steps require OpenSSL version 1.0.2 or later.
## To create and add an X.509 certificate
1. Generate an RSA 2048-bit key pair using the following command.
```
openssl genrsa -out private.key 2048
```
1. Create a public X.509 certificate from the key pair using the following command.
```
openssl req -new -x509 -key private.key -days 365 | tr -d "\n" > publickey.cer
```
In this example, the certificate expires in 365 days, after which time it can’t be trusted. When you run the command, make sure that you set the `–days` option to the desired value for the correct expiration. When you're prompted for other information, you can accept the default values.
1. Update the RDAP record for your RIR with the X.509 certificate by using the following steps, depending on your RIR.
1. View your certificate using the following command.
```
cat publickey.cer
```
1. Add the certificate that you previously created to the RDAP record for your RIR. Be sure to include the `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----` strings before and after the encoded portion. All of this content must be on a single, long line. The procedure for updating RDAP depends on your RIR:
+ For ARIN, use the [Account Manager portal](https://account.arin.net/public/secure/dashboard) to add the certificate in the "Public Comments" section for the "Network Information" object representing your address range. Do not add it to the comments section for your organization.
+ For RIPE, add the certificate as a new "descr" field to the "inetnum" or "inet6num" object representing your address range. These can usually be found in the "My Resources" section of the [RIPE Database portal](https://apps.db.ripe.net/db-web-ui/myresources/overview). Do not add it to the comments section for your organization or the "remarks" field of the above objects.
+ For APNIC, email the certificate to [helpdesk@apnic.net](mailto:helpdesk@apnic.net) to manually add it to the "remarks" field for your address range. Send the email using the APNIC authorized contact for the IP addresses.
You can remove the certificate from your RIR's record after the provisioning stage below has been completed.
## Step 3: Create a signed authorization message
Create the signed authorization message to allow Amazon to advertise your IP address range.
The format of the message is as follows, where the `YYYYMMDD` date is the expiration date of the message.
```
1|aws|aws-account|address-range|YYYYMMDD|SHA256|RSAPSS
```
## To create the signed authorization message
1. Create a plaintext authorization message and store it in a variable named `text_message`, as the following example shows. Replace the example account number, IP address range, and expiration date with your own values.
```
text_message="1|aws|123456789012|203.0.113.0/24|20191201|SHA256|RSAPSS"
```
1. Sign the authorization message in `text_message` using the key pair that you created in the previous section.
1. Store the message in a variable named `signed_message`, as the following example shows.
```
signed_message=$(echo $text_message | tr -d "\n" | openssl dgst -sha256 -sigopt
rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1 -sign private.key -keyform PEM | openssl base64 |
tr -- '+=/' '-_~' | tr -d "\n")
```
# Provision the address range for use with Global Accelerator
When you provision an address range for use with AWS, you are confirming that you own the address range and authorize Amazon to advertise it. We'll verify that you own the address range.
You must provision your address range using the CLI or Global Accelerator API operations. This functionality is not available in the AWS console.
To provision the address range, use the following [ProvisionByoipCidr](https://docs.aws.amazon.com/global-accelerator/latest/api/API_ProvisionByoipCidr.html) command. The `--cidr-authorization-context` parameter uses the variables that you created in the previous section, not the ROA message.
```
aws globalaccelerator --region us-west-2 provision-byoip-cidr --cidr address-range --cidr-authorization-context Message="$text_message",Signature="$signed_message"
```
The following is an example of provisioning an address range.
```
aws globalaccelerator --region us-west-2 provision-byoip-cidr
--cidr 203.0.113.0/24
--cidr-authorization-context Message="$text_message",Signature="$signed_message"
```
Provisioning an address range is an asynchronous operation, so the call returns immediately. However, the address range is not ready to use until its state changes from `PENDING_PROVISIONING` to `READY`. It can take up to 3 weeks to complete the provisioning process. To monitor the state of the address ranges that you've provisioned, use the following [ ListByoipCidrs](https://docs.aws.amazon.com/global-accelerator/latest/api/API_ListByoipCidrs.html) command:
```
aws globalaccelerator --region us-west-2 list-byoip-cidrs
```
To see a list of the states for an IP address range, see [ByoipCidr](https://docs.aws.amazon.com/global-accelerator/latest/api/API_ByoipCidr.html).
When your IP address range is provisioned, the `State` returned by `list-byoip-cidrs` is `READY`. For example:
```
{
"ByoipCidrs": [
{
"Cidr": "203.0.113.0/24",
"State": "READY"
}
]
}
```
# Advertise the address range through AWS
After the address range is provisioned, it's ready to be advertised. You must advertise the exact address range that you provisioned. You can't advertise only a portion of the provisioned address range. In addition, you must stop advertising your IP address range from other locations before you advertise it through AWS.
You must advertise (or stop advertising) your address range using the CLI or Global Accelerator API operations. This functionality is not available in the AWS console.
**Important**
Make sure that your IP address range is advertised by AWS before you use an IP address from your pool with Global Accelerator.
To advertise the address range, use the following [AdvertiseByoipCidr](https://docs.aws.amazon.com/global-accelerator/latest/api/API_AdvertiseByoipCidr.html) command.
```
aws globalaccelerator --region us-west-2 advertise-byoip-cidr --cidr address-range
```
The following is an example of requesting Global Accelerator to advertise an address range.
```
aws globalaccelerator --region us-west-2 advertise-byoip-cidr --cidr 203.0.113.0/24
```
To monitor the state of the address ranges that you've advertised, use the following [ListByoipCidrs](https://docs.aws.amazon.com/global-accelerator/latest/api/API_ListByoipCidrs.html) command.
```
aws globalaccelerator --region us-west-2 list-byoip-cidrs
```
When your IP address range is advertised, the `State` returned by `list-byoip-cidrs` is `ADVERTISING`. For example:
```
{
"ByoipCidrs": [
{
"Cidr": "203.0.113.0/24",
"State": "ADVERTISING"
}
]
}
```
To stop advertising the address range, use the following `withdraw-byoip-cidr` command.
**Important**
To stop advertising your address range, you first must remove any accelerators that have static IP addresses that are allocated from the address pool. To delete an accelerator using the console or using API operations, see [Delete accelerator](about-accelerators.deleting.md).
```
aws globalaccelerator --region us-west-2 withdraw-byoip-cidr --cidr address-range
```
The following is an example of requesting Global Accelerator to withdraw an address range.
```
aws globalaccelerator --region us-west-2 withdraw-byoip-cidr
--cidr 203.0.113.0/24
```
# Deprovision the address range
To stop using your address range with AWS, you first must remove any accelerators that have static IP addresses that are allocated from the address pool and stop advertising your address range. After you complete those steps, you can deprovision the address range.
You must stop advertising and deprovision your address range using the CLI or Global Accelerator API operations. This functionality is not available in the AWS console.
**Step 1: Delete any associated accelerators. **To delete an accelerator using the console or using API operations, see [Delete accelerator](about-accelerators.deleting.md).
**Step 2. Stop advertising the address range.** To stop advertising the range, use the following [WithdrawByoipCidr](https://docs.aws.amazon.com/global-accelerator/latest/api/API_WithdrawByoipCidr.html) command.
```
aws globalaccelerator --region us-west-2 withdraw-byoip-cidr --cidr address-range
```
**Step 3. Deprovision the address range.** To deprovision the range, use the following [DeprovisionByoipCidr](https://docs.aws.amazon.com/global-accelerator/latest/api/API_DeprovisionByoipCidr.html) command.
```
aws globalaccelerator --region us-west-2 deprovision-byoip-cidr --cidr address-range
```
# Use your BYOIP address with an accelerator in Global Accelerator
After you complete the steps to add an address range with BYOIP, you can create an accelerator with your BYOIP IP addresses, or you can use your BYOIP IP addresses with an existing accelerator. If you brought one address range to AWS, you can assign one IP address to your accelerator. If you brought two address ranges, you can assign one IP address from each address range to your accelerator.
You can also update an existing accelerator to use one or more of your BYOIP IP addresses. For more information, see [Update an accelerator to change your IP addresses](using-byoip.update-accelerator.md)
Another option is to use a shared BYOIP address. If one or more additional CIDR addresses have been shared with you from another account, you can choose from a shared BYOIP CIDR when you select one or both BYOIP IP addresses. Note that if you choose to use two shared BYOIP addresses, they must both come from CIDRs owned by the same account. For more information, see [Configure cross-account access in Global Accelerator](cross-account-resources.md).
You have several options for creating an accelerator using your own IP addresses for the static IP addresses:
+ **Use Global Accelerator console to create an accelerator.** For more information, see the following:
+ [Create accelerator](about-accelerators.creating-editing.md)
+ [Create a custom routing accelerator in Global Accelerator](about-custom-routing-accelerators.creating-editing.md)
+ [Add cross-account endpoints in AWS Global Accelerator](cross-account-resources.add-endpoints.md)
+ **Use the Global Accelerator API to create an accelerator.** For more information, including examples of using the CLI, see the following in the AWS Global Accelerator API Reference:
+ [CreateAccelerator](https://docs.aws.amazon.com/global-accelerator/latest/api/API_CreateAccelerator.html)
+ [CreateCustomRoutingAccelerator](https://docs.aws.amazon.com/global-accelerator/latest/api/API_CreateCustomRoutingAccelerator.html)
# Update an accelerator to change your IP addresses
After you assign BYOIP addresses as static IP addresses for an accelerator in AWS Global Accelerator, you can update the accelerator later to use different IP addresses from your address ranges. You can also update an accelerator that uses your own IP addresses to instead use IP addresses provided by AWS Global Accelerator.
After an Amazon-owned static IP address is changed, you can revert to the original static IP address, but you must do so *within 10 days* of when it was changed. After 10 days, the original static IP address is returned to the Amazon IP address pool and reused. After that, if you update your accelerator to change a BYOIP address to a Global Accelerator-assigned IP address, you are assigned a new IP address from the Amazon IP address pool. To learn more about reverting your IP address, see [Revert a static IP address change](#AGAUpdateAddressRevert).
The following sections provide information about how to change IP addresses when you use bring your own IP address (BYOIP) with Global Accelerator, and list the requirements and things to know when you change static IP addresses.
## How to update an accelerator to change an IP address
To change an IP address for an accelerator, edit the accelerator and then, under **IP addresses**, select a new IP address. Your options for whether you can select an address from your own BYOIP address pool or the Amazon IP address pool depend on what your accelerator already has for static IP addresses, and other factors.
Make sure that you review the [requirements and things to be aware of](#AGAUpdateAccRequirements) for changing accelerator static IP addresses before you begin.
The following topics provide procedures for updating accelerators.
+ **Use Global Accelerator console to update an accelerator.** For more information, see the following:
+ [Update accelerator](about-accelerators.editing.md)
+ [Edit a custom routing accelerator in Global Accelerator](about-custom-routing-accelerators.editing.md)
+ **Use the Global Accelerator API to update an accelerator.** For more information, including examples of using the CLI, see the following in the AWS Global Accelerator API Reference:
+ [UpdateAccelerator](https://docs.aws.amazon.com/global-accelerator/latest/api/API_UpdateAccelerator.html)
+ [UpdateCustomRoutingAccelerator](https://docs.aws.amazon.com/global-accelerator/latest/api/API_UpdateCustomRoutingAccelerator.html)
## Requirements when you update an accelerator to change IP addresses
When you update an accelerator to change one or both static IP addresses, keep in mind the following:
+ You can change the BYOIP address for both standard accelerators and custom routing accelerators. After you create an accelerator with one or two BYOIP addresses, that accelerator must always have at least one BYOIP address. However, you can update the accelerator to change one or both static IP addresses to use a BYOIP addresses or to change the BYOIP address
+ If you have an accelerator with two BYOIP static IP addresses, you can change only one of them to use a static IP address assigned by Global Accelerator. Note the following about changing a BYOIP static IP address for an accelerator to a Global Accelerator-assigned static IP address:
+ You can only change the address back to one of your original Global Accelerator static IP addresses if you make the change *within 10 days* of when you changed it to a BYOIP address. After 10 days, the original static IP address is returned to the Global Accelerator IP address pool and reused. After that, if you update your accelerator to change a BYOIP address to a Global Accelerator-assigned IP address, you are assigned a new IP address from the Global Accelerator IP address pool.
+ You can't change both BYOIP static IP addresses to use Global Accelerator static IP addresses instead. To use two static IP addresses that are assigned by Global Accelerator with an accelerator, create a new accelerator.
+ If you have an accelerator that is using two BYOIP addresses, you can change either of them to a different BYOIP address. The same restrictions apply as when you add BYOIP addresses when you create an accelerator, however. For example, if you update an accelerator to use two different BYOIP addresses, the addresses must be from different BYOIP address ranges that you've added to Global Accelerator.
+ If you've configured cross-account BYOIP addresses, when you update the static IP addresses for an accelerator, you can use a cross-account address.
+ In one specific scenario, when you update a BYOIP address, Global Accelerator might need to change your Amazon static IP address so that it can complete the update successfully. The Amazon static IP address can only be impacted when 1) you update a BYOIP static IPv4 address for your accelerator to use a BYOIP address from another account (that is, a cross-account BYOIP address), and 2) your second static IP address on the accelerator is from the Amazon pool.
If you didn't want the Amazon static IP address to change, you can revert to the previous Amazon IP address, but only if no more than 10 days has elapsed since you made the update. When you revert the change, the original Amazon IP address is restored for your accelerator. After 10 days has elapsed, however, the Amazon IP address is released back into the available IP addresses pool and can't be restored.
## Revert a static IP address change
To revert to the original Amazon IP address for your accelerator, do the following:
+ Update the accelerator with the original BYOIP static IP address that you changed to a new address.
When you make this update, Global Accelerator will restore the original Amazon static IP address as well.