Anycast Routing Mechanics
The Proximity of Identity
The Concept of One-to-Nearest
In traditional Unicast routing, there is a one-to-one mapping between an IP address and a physical interface. In Anycast, a single IP address is announced by multiple routers across the globe. When you send a request to an Anycast IP (like Google's `8.8.8.8`), the global routing table delivers your packet to the node that is topologically closest to you.
Note that "closest" does not necessarily mean geographical distance: it means the path that BGP prefers, typically the one with the fewest AS hops in the AS-PATH or the lowest local cost.
Proximity-Based Latency Optimization
By distributing nodes geographically, Anycast significantly reduces the Propagation Delay. Instead of a request from Tokyo traveling all the way to a server in Virginia, it is intercepted by a Tokyo-based node sharing the same identity.
Challenges: Statefulness
Anycast is primarily used for stateless, request-response protocols such as DNS over UDP, or for short-lived TCP sessions. Because BGP can change the best path mid-session (a 'flap'), a long-lived TCP connection might suddenly be delivered to a different node that holds no state for it and has no knowledge of the previous handshake, so the connection is reset.
The Physics of BGP: Catchment Areas
In an Anycast network, the world is divided into invisible regions called Catchment Areas. These are not defined by geography, but by BGP topology.
"If you announce the same IP prefix from London and New York, a user in Paris will almost certainly go to London. But a user in Iceland? That depends entirely on which fiber cables their ISP prefers."
Engineers manipulate these catchment areas using BGP attributes like AS-PATH Prepending (making a route look "longer" to discourage traffic) or Communities. This allows for coarse-grained traffic engineering, shifting a million users from one data center to another with a single configuration change.
Anycast vs. DNS GSLB (Global Server Load Balancing)
There are two ways to route users to the nearest server. It is crucial to understand the difference:
| Feature | Anycast (Layer 3) | DNS GSLB (Layer 7) |
|---|---|---|
| Mechanism | BGP Routing Advertisement | DNS A-Record Response |
| Speed | Instant (Packet Level) | Slow (TTL Caching) |
| Precision | Coarse (AS-Path Count) | High (GeoIP / Latency Probing) |
| Resilience | Automatic Rerouting | Requires Client Retry |
The Security Superpower: Native DDoS Mitigation
Anycast is the architecture of choice for Cloudflare, Google, and AWS because it turns the network topology into a defensive weapon.
During a massive Distributed Denial of Service (DDoS) attack, traffic originates from botnets all over the world. In a Unicast network, all that traffic funnels to a single victim server, overwhelming it.
In an Anycast network, the attack traffic is diluted. Bots in Asia attack the Hong Kong node. Bots in Europe attack the Frankfurt node. No single node receives the full force of the attack, making it much easier to absorb or filter locally. This is called Attack Surface Fragmentation.
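The catchment shifting and attack dilution described above, as an added example that is not part of the original text: a toy best-path selector that picks the shortest AS path (with a deterministic tie-break), shows how AS-PATH prepending at one site moves client ASes between catchments, and sums a distributed attack per node. The topology, ASNs and bot counts are constructed for illustration and are not real networks.

```python
"""Toy Anycast catchment model (added example, not from the original article).

Assumptions (all constructed): best-path selection uses only AS-path length,
ties broken by site name; each client AS sees one path per anycast site.
"""
from collections import Counter

ORIGIN_ASN = 64600  # constructed ASN announcing the anycast prefix from both sites

# Constructed view: for each client AS, the AS path to each anycast site
# (transit ASNs followed by the origin ASN; the client's own ASN is omitted).
TOPOLOGY = {
    "paris":   {"london": [64501, ORIGIN_ASN], "newyork": [64501, 64502, 64503, ORIGIN_ASN]},
    "iceland": {"london": [64510, 64511, ORIGIN_ASN], "newyork": [64510, 64512, ORIGIN_ASN]},
    "boston":  {"london": [64520, 64521, 64522, ORIGIN_ASN], "newyork": [64520, ORIGIN_ASN]},
}

# Constructed attack: number of bots hosted in each client AS.
BOTS = {"paris": 4000, "iceland": 500, "boston": 5500}


def best_site(paths, prepend=None):
    """Return the site a client AS prefers: shortest AS path after prepending.

    prepend maps site -> number of extra copies of the origin ASN it announces,
    which lengthens that site's path and discourages traffic towards it.
    """
    prepend = prepend or {}
    def path_len(site):
        return len(paths[site]) + prepend.get(site, 0)
    # Equal lengths fall through to the name tie-break: in reality this is where
    # the upstream ISP's own policy, not geography, decides (the "Iceland" case).
    return min(paths, key=lambda site: (path_len(site), site))


def catchments(topology, prepend=None):
    """Map every client AS to the anycast site its packets land on."""
    return {client: best_site(paths, prepend) for client, paths in topology.items()}


def attack_load(topology, bots_per_client, prepend=None):
    """Sum attack sources per node: each client AS's bots hit only its catchment site."""
    load = Counter()
    for client, site in catchments(topology, prepend).items():
        load[site] += bots_per_client.get(client, 0)
    return dict(load)


if __name__ == "__main__":
    print("baseline catchments:", catchments(TOPOLOGY))
    print("prepend london x1:  ", catchments(TOPOLOGY, {"london": 1}))  # only Iceland moves
    print("prepend london x3:  ", catchments(TOPOLOGY, {"london": 3}))  # everyone moves
    print("attack per node:    ", attack_load(TOPOLOGY, BOTS), "vs unicast:", sum(BOTS.values()))
```

A single prepend only moves the tied Iceland catchment, while three prepends drain London entirely, which is the coarse granularity the text warns about; no node ever sees the full 10000 bots.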
Understanding Anycast is essential for designing High-Availability Systems that must withstand regional outages.