Networking & Content Delivery
Zero-rating and IP address management made easy: CloudFront’s new anycast static IPs explained
Starting today, Amazon CloudFront supports anycast IPs, a set of dedicated IP addresses that the customers can use to access CloudFront POPs for delivery of zero-rated traffic into the network carriers. For end-customers accessing your application, you now can collaborate with network carriers to exempt data charges from your end-customers’ data limits or implement distinct pricing models for accessing specific types of online content. This can help you accelerate your B2B applications on CloudFront where some of your end-customers may have a requirement to allow-list the static IP addresses in the outbound firewall rules to be able to access these enterprise applications.
Zero-rating
Zero-rated billing involves a partnership between a customer and a third-party service provider, such as a mobile carrier, where the provider’s traffic is offered to the customer’s end users at no cost or without counting against data thresholds. To streamline the identification of this zero-rated traffic, Amazon Web Services (AWS) provides our customers with a dedicated set of static IP addresses to be used exclusively, enabling accurate segregation and monitoring of the zero-rated traffic.
Anycast routing technique
Anycast is a networking technique in which the same IP address is assigned to multiple servers or network nodes distributed across different locations. When a user makes a request to the anycast IP address, the routing infrastructure directs the request to the nearest or optimal node based on factors such as network conditions, proximity, or routing policies.
Use cases
1. Facilitate zero-rated billing: Anycast offers, with the appropriate agreements with your network carrier, specific types of traffic without charge to your end-customers, or to exclude certain data from counting toward their usage limits.
2. Reduce IP address range updates: Anycast is designed to help minimize the need for making frequent IP address change updates, according to your business needs.
3. Recognize traffic from content providers: A fixed set of IPs should make it easier to identify your traffic using source IP when your end-customer can’t run deep packet inspection on the packets.
4. Simplify IP address management: Anycast should streamline management of complex or legacy applications due to the use of a small set of IP addresses.
Architecture details
In our routing framework, we’ve structured the CloudFront platform into virtual partitions, each with its own distinct anycast IP address. This segmentation enhances the efficiency and organization of CloudFront, allowing for more streamlined and targeted operations. As end-user requests reach our virtual partitions, they are processed by the CloudFront anycast IPs. Using BGP for routing, the request is sent to the nearest Point of Presence (POP). The implementation of virtual partitions helps us with precise capacity management, surpassing the limitations of relying solely on DNS for POP capacity management. By actively monitoring server loads, we have the flexibility to redistribute traffic both within and outside these virtual partitions, seamlessly transferring traffic among servers or data centers. This strategic approach makes sure of optimal performance for our customers’ applications powered by CloudFront. An entry POP refers to a POP in a network where Border Gateway Protocol (BGP) speakers announce routes for anycast addresses directed toward that specific POP. The response to the end-user is served by the Destination POP.
Example
In this section I explain how the routing happens with an example. In the following diagram, an end-user initiates a request to a CloudFront anycast IP. The incoming packet has a source IP of 10.0.0.1 and a destination IP of 192.168.1.2.
The end-user establishes a connection with the entry POP which, owing to its self-advertised route through BGP, becomes the entry point for the request. Upon reaching the entry POP, the serviceability of the request is evaluated. It can either be addressed within the same POP or necessitate tunneling to another POP.
If the routing table dictates forwarding the request to a different POP, a crucial step involves encapsulating the data to make sure of its integrity during transit. To accomplish this, the request is tunneled to the designated POP through the Generic Routing Encapsulation (GRE) protocol. This encapsulation process provides efficient transfer of the request across the network infrastructure. In this example, the request is forwarded to POP3, which serves the response to the end-user.
Enable anycast IPs on CloudFront in the AWS Management Console
To enable CloudFront anycast, create an Anycast Routing Policy in your account. Then, associate your distribution(s) with the Anycast Routing Policy to be used. After the changes are saved, the specific IP addresses associated with the distribution can be copied or downloaded from the list shown in the AWS Management Console or through APIs.
When you enroll in CloudFront anycast, you are assigned 21 IPv4 addresses during policy creation. These IPs are dedicated to serving your traffic and don’t change for the life of your distribution/policy if you are subscribed to the feature and continue to pay the monthly fee. You must add these IP addresses into any relevant allow lists.
Steps to configure
To enable Anycast IPs on your CloudFront distribution:
1. Under Settings, your price class must be set to Use all edge locations (best performance) and IPv6=Disabled.
2. Configure CloudFront to serve HTTPS requests using SNI.
3. For first-time users using this feature, request the Anycast IP list, as shown in the following figure:
4. Once the list is created, associate it with your CloudFront distribution:
Also, if you must disassociate the Anycast IP list from your CloudFront distribution, then you have the flexibility to do so.
Customer quote
Snap Inc. has been an early adopter of this feature, working closely with the CloudFront Team throughout its development.
“Our migration to Anycast static IPs from unicast IPs on Amazon CloudFront has been a huge success, reducing operational overhead in managing our zero-rating agreements with Telco partners. It also delivered performance improvements in Time to First Byte (TTFB) compared to unicast, further enhancing the user experience for Snapchat’s global audience. “– Shaft Wu, Senior Engineering Manager at Snap Inc