Global Load Balancing - Learning Module

Loading content...

0/273

Anycast Routing

One Address, Many Destinations

Imagine you could assign the exact same IP address to servers in New York, London, Tokyo, and São Paulo—and when users connect to that address, the network automatically routes them to the nearest server. No DNS lookups to update, no complex routing policies to maintain, no geographic databases to query. The network itself makes the optimal routing decision, transparently and instantly.

This isn't science fiction—it's Anycast routing, a networking technique that has become foundational to the modern internet. Every time you use Cloudflare's 1.1.1.1 DNS resolver, access content from a major CDN, or connect to Google's services, you're benefiting from Anycast. It's the invisible infrastructure enabling sub-100ms response times worldwide.

Understanding Anycast is essential for system designers building globally distributed services, as it represents a fundamentally different approach to traffic distribution than DNS-based load balancing.

What You Will Learn

By the end of this page, you will have mastered: how Anycast works at the BGP routing layer; the difference between Anycast, Unicast, Broadcast, and Multicast; why Anycast is ideal for stateless protocols like DNS; Anycast's role in CDN architecture and DDoS mitigation; TCP and Anycast—challenges and solutions; and how to implement Anycast in cloud and on-premise environments.

Understanding Anycast

To understand Anycast, we must first contrast it with other IP addressing schemes:

Unicast (One-to-One): The standard addressing model. Each IP address identifies exactly one destination. When you send a packet to 192.0.2.1, it goes to the single server assigned that address.

Broadcast (One-to-All): A packet sent to a broadcast address (e.g., 255.255.255.255 on a local network) is delivered to all hosts on that network segment.

Multicast (One-to-Many): Packets sent to a multicast address are delivered to all hosts that have joined that multicast group. Used for streaming video and IPTV.

Anycast (One-to-Nearest): The same IP address is assigned to multiple hosts at different network locations. Packets are routed to the topologically 'nearest' host based on BGP routing metrics. The network selects the destination, not the application.

IP Addressing Schemes Comparison
Scheme	Senders	Receivers	Routing Decision	Use Cases
Unicast	One	One (specific)	Explicit destination	Standard client-server communication
Broadcast	One	All on segment	All local hosts	ARP, DHCP, local discovery
Multicast	One	Group members	Subscription-based	Video streaming, IPTV
Anycast	One	One (nearest)	BGP routing metrics	DNS, CDN, DDoS mitigation

How Anycast Works at the Network Layer:

Anycast operates through the Border Gateway Protocol (BGP), the routing protocol that governs how packets traverse the internet between autonomous systems (ASes).

Here's the mechanism:

Identical Address Announcement: Multiple servers in different physical locations announce the same IP address (or IP prefix) to their upstream BGP peers.
BGP Path Selection: Each router on the internet receives multiple BGP announcements for the same prefix. It selects the 'best' path based on BGP metrics: shortest AS path, lowest origin type, lowest MED, etc.
Nearest Server Receives Traffic: When a client sends a packet to the Anycast address, it follows the 'best' BGP path, naturally reaching the topologically nearest server.
Automatic Failover: If a server goes down, it stops announcing the route. BGP converges (within seconds to minutes), and traffic automatically routes to the next-nearest server.

Converting Mermaid diagram...

Anycast Is Not Load Balancing

Unlike load balancers that distribute traffic based on configured algorithms, Anycast relies entirely on BGP routing decisions. Traffic distribution is determined by network topology, not application logic. This means Anycast optimizes for 'nearest' (in network terms), which usually correlates with lowest latency but isn't the same as optimal capacity utilization.

Why Anycast Is Revolutionary for Global Services

Anycast offers unique advantages that make it indispensable for certain use cases. Understanding these advantages—and their limitations—helps architects select the right tool for global traffic distribution.

Advantage 1: Zero-Configuration Geographic Routing

With DNS-based GSLB, you must maintain geographic databases, health checks, and routing policies. A user in Sydney requires your DNS server to recognize their location and return the appropriate IP. With Anycast, none of this is necessary—the network itself handles geographic routing based on real-time topology.

Advantage 2: Resilience Through Automatic Failover

When an Anycast node fails, it stops announcing its BGP route. Upstream routers detect the route withdrawal and BGP reconverges, typically within 30-90 seconds. Traffic automatically flows to the next-nearest healthy node with no DNS TTL delays, no health check propagation, no manual intervention.

Advantage 3: DDoS Attack Absorption

Anycast is a powerful DDoS mitigation strategy. Attack traffic targeting an Anycast address is distributed across all announcing nodes globally. A 100 Gbps attack becomes 10 Gbps distributed across 10 points of presence—each absorbing a fraction of the attack while legitimate traffic continues flowing.

Anycast's Unique Advantages

•Lowest Network Latency — BGP naturally routes to the topologically nearest node, usually resulting in the lowest possible network latency for first-hop routing.
•Simplified Operations — No geographic databases to maintain, no complex routing policies to configure. Add a new PoP by announcing the same IP; the network handles distribution automatically.
•Horizontal Scalability — Adding capacity is as simple as deploying new Anycast nodes. Each additional node absorbs regional traffic and increases global resilience.
•Protocol Agnostic — Works at the IP layer, below TCP/UDP. Any protocol can benefit from Anycast routing, though stateful protocols require careful consideration.
•Instant Address Memorization — Users and operators can remember a single IP (like 8.8.8.8 or 1.1.1.1) rather than region-specific addresses.

Real-World Anycast Deployments:

Major Anycast Implementations
Service	Anycast IPs	Purpose	Scale
Cloudflare DNS	1.1.1.1, 1.0.0.1	Public DNS resolver	275+ cities worldwide
Google Public DNS	8.8.8.8, 8.8.4.4	Public DNS resolver	Global Google Edge network
Root DNS Servers	Various (e.g., 198.41.0.4)	Internet DNS root	Multiple operators, global
Cloudflare CDN	Shared IP ranges	Content delivery	275+ data centers
AWS CloudFront	Anycast edge IPs	Content delivery	400+ PoPs
Fastly CDN	Shared IP ranges	Content delivery, compute	Global edge network

The Scale of Anycast DNS

Cloudflare's 1.1.1.1 handles hundreds of billions of DNS queries daily across 275+ cities. This scale would be operationally impossible with traditional unicast addressing—you'd need to manage hundreds of IP addresses, update DNS records constantly, and handle health checks for every location. Anycast reduces this to a single IP address that 'just works' globally.

Anycast for Stateless Protocols: DNS and UDP

Anycast is particularly well-suited for stateless, request-response protocols where each packet is self-contained and doesn't require maintaining a session across multiple exchanges. DNS over UDP is the canonical example.

Why DNS and Anycast Are a Perfect Match:

A DNS query is typically a single UDP packet (the query) followed by a single UDP response (the answer). There's no connection state to maintain, no session to preserve, and each query is independent. If the Anycast node changes between queries (due to BGP reconvergence), it doesn't matter—each query is handled completely by whichever node receives it.

The Anycast DNS Flow:

anycast-dns-flow.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
# Anycast DNS Request-Response Flow
 
# Step 1: User in Tokyo queries dns.example.com (Anycast: 203.0.113.53)
Client (Tokyo) --UDP--> 203.0.113.53:53
  DNS Query: "What is the IP for api.example.com?"
 
# Step 2: Network routes to nearest Anycast node (Tokyo PoP)
Packet routes via BGP shortest path --> Tokyo Anycast Node (203.0.113.53)
 
# Step 3: Tokyo node responds
Tokyo Anycast Node --> UDP Response --> Client (Tokyo)
  DNS Answer: "api.example.com A 198.51.100.10"
 
# Total latency: ~5ms (Tokyo to Tokyo PoP)
 
# ========================================
# Compare with Unicast Alternative:
 
# If DNS server was only in Virginia:
Client (Tokyo) --UDP--> Virginia DNS (203.0.113.53):53
  DNS Query travels 10,000+ km
 
# Response returns same path
Virginia DNS --> UDP Response --> Client (Tokyo)
 
# Total latency: ~180ms (Tokyo to Virginia round-trip)
 
# Anycast reduced latency by 97% in this example!

Other Stateless Use Cases:

Beyond DNS, Anycast works well for:

NTP (Network Time Protocol): Time synchronization queries are stateless.
RADIUS/TACACS+: Authentication protocols with request-response patterns.
Syslog over UDP: Log shipping doesn't require connection state.
QUIC Initial Handshake: QUIC's connection migration properties make it Anycast-friendly (discussed later).
WebRTC STUN/TURN: Session setup protocols for real-time communication.

Anycast for DDoS Mitigation Services:

DDoS mitigation platforms use Anycast extensively. When attack traffic targets an Anycast IP:

Traffic is distributed globally based on attacker geography.
Each PoP handles a fraction of attack traffic.
Scrubbing centers filter malicious traffic at the edge.
Clean traffic is forwarded to origin servers.
No single point experiences the full attack volume.

Anycast Is Not Just for Cost Reduction

While Anycast reduces operational complexity, its primary benefit is performance and resilience. The latency reduction from serving users from nearby nodes has direct business impact—faster DNS resolution means faster page loads, better user experience, and higher conversion rates.

TCP and Anycast: Challenges and Solutions

While Anycast works seamlessly for stateless UDP protocols, TCP presents challenges due to its stateful, connection-oriented nature. Understanding these challenges—and their solutions—is critical for deploying Anycast in production HTTP/HTTPS services.

The TCP State Problem:

TCP connections maintain state on both client and server: sequence numbers, acknowledgments, window sizes. This state is tied to a specific server. If BGP routing changes during an active TCP connection (called a 'flap'), packets may route to a different Anycast node that has no knowledge of the connection—causing a connection reset.

When BGP Flaps Happen:

Causes of Anycast Route Changes

•PoP Failure or Maintenance — When an Anycast node goes down, routes withdraw and traffic shifts to the next-nearest PoP. Active connections are broken.
•BGP Convergence Events — Unrelated network changes can ripple through BGP, temporarily changing preferred paths for Anycast prefixes.
•Path Cost Oscillation — When multiple paths have similar costs, BGP may oscillate between them, causing some connections to hop between PoPs.
•Upstream Provider Changes — If your connectivity to an upstream provider changes, the PoP's attractiveness to certain networks may shift.
•DDoS Attack Mitigation — During attacks, PoPs may be intentionally removed from Anycast to absorb traffic elsewhere.

Impact on TCP Connections:

When a BGP flap causes packets to route to a different PoP:

The new PoP receives TCP packets for an unknown connection.
The PoP sends TCP RST (reset), terminating the connection.
The client sees a connection error and must reconnect.
If the flap resolves quickly, subsequent packets may return to the original PoP—but the connection is already broken.

For short-lived HTTP/1.1 or HTTP/2 connections that complete in seconds, this is usually acceptable—the probability of a flap during a single request is low. For long-lived connections (WebSockets, streaming, gRPC streams), the risk increases significantly.

tcp-anycast-failure.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
# TCP Connection Failure During BGP Flap
 
# T=0: Client in Singapore establishes connection to Anycast IP
Client (SG) --> TCP SYN --> Anycast IP --> Singapore PoP
Singapore PoP --> TCP SYN-ACK --> Client
Client --> TCP ACK --> Singapore PoP
[Connection Established to Singapore PoP]
 
# T=5s: HTTP Request in progress
Client --> HTTP Request --> Singapore PoP
Singapore PoP --> HTTP Response (streaming) --> Client
 
# T=10s: BGP Flap! Singapore PoP route withdrawn (maintenance)
# BGP Convergence: Tokyo PoP now preferred for Singapore clients
 
# T=12s: Next TCP packet from client
Client --> TCP Data --> Tokyo PoP  # Wrong PoP!
Tokyo PoP: "Unknown connection, not in my state table"
Tokyo PoP --> TCP RST --> Client
Client: "Connection reset by peer" ❌
 
# Result: User sees error, must reconnect

Solutions for TCP over Anycast:

TCP over Anycast Mitigation Strategies
Strategy	Mechanism	Tradeoffs
BGP Stabilization	Tune BGP timers, damping, and prepend to reduce flapping	Slower failover; doesn't eliminate issue
Short Connection Lifetime	Keep connections brief; clients reconnect frequently	Works for HTTP request-response; not for streams
Connection Migration (QUIC)	QUIC protocol supports connection migration across IPs	Requires QUIC adoption; emerging standard
State Synchronization	Sync TCP state across PoPs in real-time	Extremely complex; massive overhead
Hybrid Anycast + Unicast	Anycast for initial routing; unicast for established connections	Operational complexity; two-tier addressing
Application-Level Retry	Clients automatically retry on connection reset	User experiences brief interruption; good UX design helps

QUIC Changes the Game

QUIC (HTTP/3's transport protocol) includes built-in connection migration. Connections are identified by a Connection ID independent of IP address, allowing connections to survive IP changes. This makes QUIC significantly more Anycast-friendly than TCP, and is one reason why CDNs are aggressively adopting QUIC.

Implementing Anycast in Practice

Implementing Anycast requires BGP capabilities, IP address resources, and careful network engineering. The complexity of implementation varies significantly between cloud and on-premise environments.

Requirements for Anycast:

Anycast Prerequisites

•BGP Capability — You need routers/software capable of speaking BGP with upstream providers. This requires BGP expertise and peering relationships.
•Provider Independent (PI) IP Space — You need IP addresses that you control and can announce from multiple locations. These are typically /24 or larger blocks from a Regional Internet Registry (ARIN, RIPE, APNIC, etc.).
•Autonomous System Number (ASN) — To announce BGP routes, you need your own ASN. These are assigned by Regional Internet Registries.
•Multiple Points of Presence — Anycast is only useful with multiple announcement points. Single-location Anycast is just unicast.
•BGP Monitoring — You need visibility into how your Anycast prefixes are propagating and which paths are preferred.

Cloud Provider Anycast Options:

Most organizations don't operate their own BGP infrastructure. Cloud providers offer managed Anycast or Anycast-like services:

Anycast Options by Cloud Provider
Provider	Service	Anycast Support	Notes
AWS	Global Accelerator	Yes (managed)	Provides static Anycast IPs routing to regional endpoints
GCP	Premium Network Tier	Yes (native)	Anycast IPs for load balancers; extensive global network
Cloudflare	Spectrum/CDN	Yes (core)	Entire platform is Anycast-native
Azure	Front Door	Anycast-like	Uses Microsoft's Anycast edge network
Fastly	CDN	Yes (core)	Anycast to edge PoPs globally
Equinix Metal	Bring Your Own IP	Manual BGP	Full BGP control for Anycast implementation

aws-global-accelerator.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
# AWS Global Accelerator - Managed Anycast
# Provides static Anycast IPs that route to regional endpoints
 
resource "aws_globalaccelerator_accelerator" "main" {
  name            = "production-api"
  ip_address_type = "IPV4"
  enabled         = true
 
  attributes {
    flow_logs_enabled   = true
    flow_logs_s3_bucket = aws_s3_bucket.flow_logs.bucket
    flow_logs_s3_prefix = "global-accelerator/"
  }
 
  # Returns two static Anycast IPs (e.g., 75.2.x.x, 99.83.x.x)
  # These IPs can be used globally; traffic routes to nearest AWS edge
}
 
resource "aws_globalaccelerator_listener" "https" {
  accelerator_arn = aws_globalaccelerator_accelerator.main.id
  protocol        = "TCP"
 
  port_range {
    from_port = 443
    to_port   = 443
  }
}
 
resource "aws_globalaccelerator_endpoint_group" "us_east" {
  listener_arn = aws_globalaccelerator_listener.https.id
 
  endpoint_group_region = "us-east-1"
  health_check_interval_seconds = 10
  health_check_path = "/health"
  health_check_protocol = "HTTPS"
  threshold_count = 3
  traffic_dial_percentage = 100
 
  endpoint_configuration {
    endpoint_id = aws_lb.us_east.arn
    weight      = 100
  }
}
 
resource "aws_globalaccelerator_endpoint_group" "eu_west" {
  listener_arn = aws_globalaccelerator_listener.https.id
 
  endpoint_group_region = "eu-west-1"
  health_check_interval_seconds = 10
  health_check_path = "/health"
  health_check_protocol = "HTTPS"
  threshold_count = 3
  traffic_dial_percentage = 100
 
  endpoint_configuration {
    endpoint_id = aws_lb.eu_west.arn
    weight      = 100
  }
}
 
# Result: Two Anycast IPs that route users to nearest healthy region

Self-Operated Anycast (Advanced):

For organizations requiring full control, implementing Anycast involves:

Obtain IP Resources: Apply for a /24 (minimum BGP-routable) from your Regional Internet Registry.
Obtain ASN: Apply for an Autonomous System Number.
Establish BGP Peering: Connect to upstream providers or Internet Exchanges at each PoP location.
Configure BGP Announcements: Announce the same prefix from all locations with appropriate BGP attributes.
Implement Health-Based Withdrawal: Automatically stop announcing routes when the local service is unhealthy.
Monitor BGP Propagation: Use looking glass servers and BGP monitoring tools to verify proper propagation.

Anycast Requires Expertise

Self-operated Anycast is complex and requires deep BGP expertise. Misconfigurations can result in routing loops, black holes, or inadvertently attracting traffic you can't handle. Most organizations should use managed Anycast services (Global Accelerator, CDN providers) rather than operating their own BGP infrastructure.

Anycast vs. DNS-Based Load Balancing

With both DNS-based load balancing and Anycast available for global traffic distribution, when should you use each? Understanding the tradeoffs helps you architect optimal solutions.

Fundamental Differences:

Anycast vs. DNS Load Balancing Comparison
Dimension	Anycast	DNS-Based GSLB
Routing Layer	Network (BGP, IP)	Application (DNS)
Routing Granularity	Per-packet/flow	Per-DNS resolution
Failover Speed	BGP convergence (seconds-minutes)	DNS TTL expiration (minutes-hours)
Client Visibility	No client info (IP layer)	Client IP/ECS (application layer)
Policy Flexibility	Limited (BGP metrics)	Extensive (geo, weighted, latency, health)
Implementation	Requires BGP infrastructure	Requires intelligent DNS
Operational Complexity	High (BGP expertise)	Moderate (DNS expertise)
Protocol Support	All IP protocols	All protocols (DNS-resolved)

When to Choose Anycast:

Stateless UDP protocols: DNS, NTP, STUN—Anycast is ideal.
DDoS mitigation: Anycast's distributed absorption is essential.
Ultra-low latency requirements: BGP routing is faster than DNS resolution.
Simplicity at scale: Operating hundreds of PoPs with per-PoP unicast IPs is operationally prohibitive.

When to Choose DNS-Based GSLB:

Complex routing policies: Weighted, geolocation, latency, failover chains.
Application-aware routing: Different backends for different user segments.
TCP/HTTP services: Where connection state matters and flaps are unacceptable.
Hybrid cloud routing: Directing traffic between cloud providers based on policies.

The Hybrid Approach:

Most sophisticated global architectures combine both techniques:

Anycast at the Edge: CDN/edge network uses Anycast to route users to nearest PoP.
DNS-Based Origin Selection: GSLB directs traffic to appropriate origin data centers.
Application-Layer Routing: Within data centers, application load balancers make final routing decisions.

Converting Mermaid diagram...

CDN Architecture Example

Cloudflare, Fastly, and AWS CloudFront all use this hybrid model: Anycast routes user requests to the nearest edge PoP, then GSLB/origin selection routes cache misses to appropriate origin data centers. This combines Anycast's low-latency edge routing with GSLB's policy flexibility for origin selection.

Summary: Anycast Routing

Anycast routing represents a powerful network-layer technique for distributing traffic globally. It's the invisible backbone enabling the performance and resilience of the internet's largest services. Let's consolidate the key concepts:

Key Takeaways

•Anycast Assigns One IP to Many Servers — Unlike unicast (one-to-one), Anycast allows the same IP address to be announced from multiple locations. The network routes packets to the topologically nearest node.
•BGP Is the Mechanism — Anycast works through BGP routing. Multiple nodes announce the same prefix; BGP path selection chooses the 'best' path for each user based on routing metrics.
•Ideal for Stateless Protocols — DNS (UDP) is the canonical Anycast use case. Each query is independent; BGP flaps don't break sessions because there are no sessions.
•TCP Requires Careful Handling — Stateful TCP connections can break during BGP reconvergence. QUIC's connection migration addresses this; TCP services need retry logic or accept brief interruptions.
•DDoS Attack Absorption — Anycast distributes attack traffic globally, reducing per-PoP impact and enabling edge-level scrubbing.
•Hybrid Architectures Are Optimal — Combine Anycast for edge routing with DNS-based GSLB for origin selection. This leverages each technique's strengths.

What's Next:

We've covered GSLB, DNS-based load balancing, and Anycast routing. Next, we'll explore GeoDNS—a specialized application of DNS-based routing that enables precise geographic targeting for regulatory compliance, localized content, and regional service differentiation.

Page Complete

You've mastered Anycast routing—from BGP fundamentals through TCP challenges and hybrid architectures. You understand when Anycast is the right tool vs. DNS-based alternatives, and how major internet services combine both for optimal global distribution. Next, we'll dive into GeoDNS for geographic routing precision.

Anycast Routing

One Address, Many Destinations

What You Will Learn

Understanding Anycast

To understand Anycast, we must first contrast it with other IP addressing schemes:

Unicast (One-to-One): The standard addressing model. Each IP address identifies exactly one destination. When you send a packet to 192.0.2.1, it goes to the single server assigned that address.

Broadcast (One-to-All): A packet sent to a broadcast address (e.g., 255.255.255.255 on a local network) is delivered to all hosts on that network segment.

Multicast (One-to-Many): Packets sent to a multicast address are delivered to all hosts that have joined that multicast group. Used for streaming video and IPTV.

IP Addressing Schemes Comparison
Scheme	Senders	Receivers	Routing Decision	Use Cases
Unicast	One	One (specific)	Explicit destination	Standard client-server communication
Broadcast	One	All on segment	All local hosts	ARP, DHCP, local discovery
Multicast	One	Group members	Subscription-based	Video streaming, IPTV
Anycast	One	One (nearest)	BGP routing metrics	DNS, CDN, DDoS mitigation

How Anycast Works at the Network Layer:

Anycast operates through the Border Gateway Protocol (BGP), the routing protocol that governs how packets traverse the internet between autonomous systems (ASes).

Here's the mechanism:

Identical Address Announcement: Multiple servers in different physical locations announce the same IP address (or IP prefix) to their upstream BGP peers.
BGP Path Selection: Each router on the internet receives multiple BGP announcements for the same prefix. It selects the 'best' path based on BGP metrics: shortest AS path, lowest origin type, lowest MED, etc.
Nearest Server Receives Traffic: When a client sends a packet to the Anycast address, it follows the 'best' BGP path, naturally reaching the topologically nearest server.
Automatic Failover: If a server goes down, it stops announcing the route. BGP converges (within seconds to minutes), and traffic automatically routes to the next-nearest server.

Converting Mermaid diagram...

Anycast Is Not Load Balancing

Why Anycast Is Revolutionary for Global Services

Advantage 1: Zero-Configuration Geographic Routing

Advantage 2: Resilience Through Automatic Failover

Advantage 3: DDoS Attack Absorption

Anycast's Unique Advantages

•Lowest Network Latency — BGP naturally routes to the topologically nearest node, usually resulting in the lowest possible network latency for first-hop routing.
•Simplified Operations — No geographic databases to maintain, no complex routing policies to configure. Add a new PoP by announcing the same IP; the network handles distribution automatically.
•Horizontal Scalability — Adding capacity is as simple as deploying new Anycast nodes. Each additional node absorbs regional traffic and increases global resilience.
•Protocol Agnostic — Works at the IP layer, below TCP/UDP. Any protocol can benefit from Anycast routing, though stateful protocols require careful consideration.
•Instant Address Memorization — Users and operators can remember a single IP (like 8.8.8.8 or 1.1.1.1) rather than region-specific addresses.

Real-World Anycast Deployments:

Major Anycast Implementations
Service	Anycast IPs	Purpose	Scale
Cloudflare DNS	1.1.1.1, 1.0.0.1	Public DNS resolver	275+ cities worldwide
Google Public DNS	8.8.8.8, 8.8.4.4	Public DNS resolver	Global Google Edge network
Root DNS Servers	Various (e.g., 198.41.0.4)	Internet DNS root	Multiple operators, global
Cloudflare CDN	Shared IP ranges	Content delivery	275+ data centers
AWS CloudFront	Anycast edge IPs	Content delivery	400+ PoPs
Fastly CDN	Shared IP ranges	Content delivery, compute	Global edge network

The Scale of Anycast DNS

Anycast for Stateless Protocols: DNS and UDP

Why DNS and Anycast Are a Perfect Match:

The Anycast DNS Flow:

anycast-dns-flow.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
# Anycast DNS Request-Response Flow
 
# Step 1: User in Tokyo queries dns.example.com (Anycast: 203.0.113.53)
Client (Tokyo) --UDP--> 203.0.113.53:53
  DNS Query: "What is the IP for api.example.com?"
 
# Step 2: Network routes to nearest Anycast node (Tokyo PoP)
Packet routes via BGP shortest path --> Tokyo Anycast Node (203.0.113.53)
 
# Step 3: Tokyo node responds
Tokyo Anycast Node --> UDP Response --> Client (Tokyo)
  DNS Answer: "api.example.com A 198.51.100.10"
 
# Total latency: ~5ms (Tokyo to Tokyo PoP)
 
# ========================================
# Compare with Unicast Alternative:
 
# If DNS server was only in Virginia:
Client (Tokyo) --UDP--> Virginia DNS (203.0.113.53):53
  DNS Query travels 10,000+ km
 
# Response returns same path
Virginia DNS --> UDP Response --> Client (Tokyo)
 
# Total latency: ~180ms (Tokyo to Virginia round-trip)
 
# Anycast reduced latency by 97% in this example!

Other Stateless Use Cases:

Beyond DNS, Anycast works well for:

NTP (Network Time Protocol): Time synchronization queries are stateless.
RADIUS/TACACS+: Authentication protocols with request-response patterns.
Syslog over UDP: Log shipping doesn't require connection state.
QUIC Initial Handshake: QUIC's connection migration properties make it Anycast-friendly (discussed later).
WebRTC STUN/TURN: Session setup protocols for real-time communication.

Anycast for DDoS Mitigation Services:

DDoS mitigation platforms use Anycast extensively. When attack traffic targets an Anycast IP:

Traffic is distributed globally based on attacker geography.
Each PoP handles a fraction of attack traffic.
Scrubbing centers filter malicious traffic at the edge.
Clean traffic is forwarded to origin servers.
No single point experiences the full attack volume.

Anycast Is Not Just for Cost Reduction

TCP and Anycast: Challenges and Solutions

The TCP State Problem:

When BGP Flaps Happen:

Causes of Anycast Route Changes

•PoP Failure or Maintenance — When an Anycast node goes down, routes withdraw and traffic shifts to the next-nearest PoP. Active connections are broken.
•BGP Convergence Events — Unrelated network changes can ripple through BGP, temporarily changing preferred paths for Anycast prefixes.
•Path Cost Oscillation — When multiple paths have similar costs, BGP may oscillate between them, causing some connections to hop between PoPs.
•Upstream Provider Changes — If your connectivity to an upstream provider changes, the PoP's attractiveness to certain networks may shift.
•DDoS Attack Mitigation — During attacks, PoPs may be intentionally removed from Anycast to absorb traffic elsewhere.

Impact on TCP Connections:

When a BGP flap causes packets to route to a different PoP:

The new PoP receives TCP packets for an unknown connection.
The PoP sends TCP RST (reset), terminating the connection.
The client sees a connection error and must reconnect.
If the flap resolves quickly, subsequent packets may return to the original PoP—but the connection is already broken.

tcp-anycast-failure.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
# TCP Connection Failure During BGP Flap
 
# T=0: Client in Singapore establishes connection to Anycast IP
Client (SG) --> TCP SYN --> Anycast IP --> Singapore PoP
Singapore PoP --> TCP SYN-ACK --> Client
Client --> TCP ACK --> Singapore PoP
[Connection Established to Singapore PoP]
 
# T=5s: HTTP Request in progress
Client --> HTTP Request --> Singapore PoP
Singapore PoP --> HTTP Response (streaming) --> Client
 
# T=10s: BGP Flap! Singapore PoP route withdrawn (maintenance)
# BGP Convergence: Tokyo PoP now preferred for Singapore clients
 
# T=12s: Next TCP packet from client
Client --> TCP Data --> Tokyo PoP  # Wrong PoP!
Tokyo PoP: "Unknown connection, not in my state table"
Tokyo PoP --> TCP RST --> Client
Client: "Connection reset by peer" ❌
 
# Result: User sees error, must reconnect

Solutions for TCP over Anycast:

TCP over Anycast Mitigation Strategies
Strategy	Mechanism	Tradeoffs
BGP Stabilization	Tune BGP timers, damping, and prepend to reduce flapping	Slower failover; doesn't eliminate issue
Short Connection Lifetime	Keep connections brief; clients reconnect frequently	Works for HTTP request-response; not for streams
Connection Migration (QUIC)	QUIC protocol supports connection migration across IPs	Requires QUIC adoption; emerging standard
State Synchronization	Sync TCP state across PoPs in real-time	Extremely complex; massive overhead
Hybrid Anycast + Unicast	Anycast for initial routing; unicast for established connections	Operational complexity; two-tier addressing
Application-Level Retry	Clients automatically retry on connection reset	User experiences brief interruption; good UX design helps

QUIC Changes the Game

Implementing Anycast in Practice

Implementing Anycast requires BGP capabilities, IP address resources, and careful network engineering. The complexity of implementation varies significantly between cloud and on-premise environments.

Requirements for Anycast:

Anycast Prerequisites

•BGP Capability — You need routers/software capable of speaking BGP with upstream providers. This requires BGP expertise and peering relationships.
•Provider Independent (PI) IP Space — You need IP addresses that you control and can announce from multiple locations. These are typically /24 or larger blocks from a Regional Internet Registry (ARIN, RIPE, APNIC, etc.).
•Autonomous System Number (ASN) — To announce BGP routes, you need your own ASN. These are assigned by Regional Internet Registries.
•Multiple Points of Presence — Anycast is only useful with multiple announcement points. Single-location Anycast is just unicast.
•BGP Monitoring — You need visibility into how your Anycast prefixes are propagating and which paths are preferred.

Cloud Provider Anycast Options:

Most organizations don't operate their own BGP infrastructure. Cloud providers offer managed Anycast or Anycast-like services:

Anycast Options by Cloud Provider
Provider	Service	Anycast Support	Notes
AWS	Global Accelerator	Yes (managed)	Provides static Anycast IPs routing to regional endpoints
GCP	Premium Network Tier	Yes (native)	Anycast IPs for load balancers; extensive global network
Cloudflare	Spectrum/CDN	Yes (core)	Entire platform is Anycast-native
Azure	Front Door	Anycast-like	Uses Microsoft's Anycast edge network
Fastly	CDN	Yes (core)	Anycast to edge PoPs globally
Equinix Metal	Bring Your Own IP	Manual BGP	Full BGP control for Anycast implementation

aws-global-accelerator.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
# AWS Global Accelerator - Managed Anycast
# Provides static Anycast IPs that route to regional endpoints
 
resource "aws_globalaccelerator_accelerator" "main" {
  name            = "production-api"
  ip_address_type = "IPV4"
  enabled         = true
 
  attributes {
    flow_logs_enabled   = true
    flow_logs_s3_bucket = aws_s3_bucket.flow_logs.bucket
    flow_logs_s3_prefix = "global-accelerator/"
  }
 
  # Returns two static Anycast IPs (e.g., 75.2.x.x, 99.83.x.x)
  # These IPs can be used globally; traffic routes to nearest AWS edge
}
 
resource "aws_globalaccelerator_listener" "https" {
  accelerator_arn = aws_globalaccelerator_accelerator.main.id
  protocol        = "TCP"
 
  port_range {
    from_port = 443
    to_port   = 443
  }
}
 
resource "aws_globalaccelerator_endpoint_group" "us_east" {
  listener_arn = aws_globalaccelerator_listener.https.id
 
  endpoint_group_region = "us-east-1"
  health_check_interval_seconds = 10
  health_check_path = "/health"
  health_check_protocol = "HTTPS"
  threshold_count = 3
  traffic_dial_percentage = 100
 
  endpoint_configuration {
    endpoint_id = aws_lb.us_east.arn
    weight      = 100
  }
}
 
resource "aws_globalaccelerator_endpoint_group" "eu_west" {
  listener_arn = aws_globalaccelerator_listener.https.id
 
  endpoint_group_region = "eu-west-1"
  health_check_interval_seconds = 10
  health_check_path = "/health"
  health_check_protocol = "HTTPS"
  threshold_count = 3
  traffic_dial_percentage = 100
 
  endpoint_configuration {
    endpoint_id = aws_lb.eu_west.arn
    weight      = 100
  }
}
 
# Result: Two Anycast IPs that route users to nearest healthy region

Self-Operated Anycast (Advanced):

For organizations requiring full control, implementing Anycast involves:

Obtain IP Resources: Apply for a /24 (minimum BGP-routable) from your Regional Internet Registry.
Obtain ASN: Apply for an Autonomous System Number.
Establish BGP Peering: Connect to upstream providers or Internet Exchanges at each PoP location.
Configure BGP Announcements: Announce the same prefix from all locations with appropriate BGP attributes.
Implement Health-Based Withdrawal: Automatically stop announcing routes when the local service is unhealthy.
Monitor BGP Propagation: Use looking glass servers and BGP monitoring tools to verify proper propagation.

Anycast Requires Expertise

Anycast vs. DNS-Based Load Balancing

With both DNS-based load balancing and Anycast available for global traffic distribution, when should you use each? Understanding the tradeoffs helps you architect optimal solutions.

Fundamental Differences:

Anycast vs. DNS Load Balancing Comparison
Dimension	Anycast	DNS-Based GSLB
Routing Layer	Network (BGP, IP)	Application (DNS)
Routing Granularity	Per-packet/flow	Per-DNS resolution
Failover Speed	BGP convergence (seconds-minutes)	DNS TTL expiration (minutes-hours)
Client Visibility	No client info (IP layer)	Client IP/ECS (application layer)
Policy Flexibility	Limited (BGP metrics)	Extensive (geo, weighted, latency, health)
Implementation	Requires BGP infrastructure	Requires intelligent DNS
Operational Complexity	High (BGP expertise)	Moderate (DNS expertise)
Protocol Support	All IP protocols	All protocols (DNS-resolved)

When to Choose Anycast:

Stateless UDP protocols: DNS, NTP, STUN—Anycast is ideal.
DDoS mitigation: Anycast's distributed absorption is essential.
Ultra-low latency requirements: BGP routing is faster than DNS resolution.
Simplicity at scale: Operating hundreds of PoPs with per-PoP unicast IPs is operationally prohibitive.

When to Choose DNS-Based GSLB:

Complex routing policies: Weighted, geolocation, latency, failover chains.
Application-aware routing: Different backends for different user segments.
TCP/HTTP services: Where connection state matters and flaps are unacceptable.
Hybrid cloud routing: Directing traffic between cloud providers based on policies.

The Hybrid Approach:

Most sophisticated global architectures combine both techniques:

Anycast at the Edge: CDN/edge network uses Anycast to route users to nearest PoP.
DNS-Based Origin Selection: GSLB directs traffic to appropriate origin data centers.
Application-Layer Routing: Within data centers, application load balancers make final routing decisions.

Converting Mermaid diagram...

CDN Architecture Example

Summary: Anycast Routing

Key Takeaways

•Anycast Assigns One IP to Many Servers — Unlike unicast (one-to-one), Anycast allows the same IP address to be announced from multiple locations. The network routes packets to the topologically nearest node.
•BGP Is the Mechanism — Anycast works through BGP routing. Multiple nodes announce the same prefix; BGP path selection chooses the 'best' path for each user based on routing metrics.
•Ideal for Stateless Protocols — DNS (UDP) is the canonical Anycast use case. Each query is independent; BGP flaps don't break sessions because there are no sessions.
•TCP Requires Careful Handling — Stateful TCP connections can break during BGP reconvergence. QUIC's connection migration addresses this; TCP services need retry logic or accept brief interruptions.
•DDoS Attack Absorption — Anycast distributes attack traffic globally, reducing per-PoP impact and enabling edge-level scrubbing.
•Hybrid Architectures Are Optimal — Combine Anycast for edge routing with DNS-based GSLB for origin selection. This leverages each technique's strengths.

What's Next:

Page Complete