Most websites and APIs use unicast — one IP address points to one server in one place. It works fine for simple services. But when you need global speed, automatic failover, and DDoS resilience, the answer is anycast.
Anycast is the magic behind global DNS, modern CDNs, and DDoS scrubbing networks. This guide explains how anycast works, when to use it, and what it takes to deploy your own anycast service.
Unicast vs Anycast: The Core Difference
Unicast
One IP address = one server. When a user sends a packet to that IP, BGP routes it to exactly one destination. Simple, predictable, and the default for most services.
Anycast
One IP address = many servers in many locations. Each location announces the same prefix into BGP. The internet's routing infrastructure naturally delivers the user's packet to the closest server (in BGP terms — usually shortest AS-path), without the user knowing or caring.
If one anycast location goes offline, BGP withdraws its announcement automatically and traffic shifts to the next-closest location. No DNS changes, no client-side logic, no failover script needed.
How Anycast Works in Practice
- You have a service deployed in 10 data centers globally.
- Each data center announces the same /24 (e.g., 198.51.100.0/24) to its upstream transit providers.
- BGP propagates these announcements across the internet. Routers in many networks learn that /24 from several directions and so hold multiple paths to it.
- Each router picks the "best" path using BGP's decision process — usually whichever has the shortest AS-path.
- A user in Tokyo reaches your Tokyo location; a user in London reaches your London location. Both used the same destination IP.
- If Tokyo goes offline, BGP withdraws the announcement, and Tokyo users reroute (typically to Singapore or Seoul) within seconds.
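As an added illustration (not code from the original article), here is a small Python model of the route selection described above: the same prefix arrives over several AS-paths, the shortest wins, and withdrawing a PoP moves users to the next-best one. The ASNs are hypothetical values from the documentation range; it also shows the caveat raised later in the article that the BGP-best PoP is not always the geographically closest.

```python
from dataclasses import dataclass

PREFIX = "198.51.100.0/24"  # the article's example prefix, announced from every PoP

@dataclass(frozen=True)
class Route:
    pop: str           # which PoP originated this copy of the prefix
    as_path: tuple     # ASNs from the observing router toward the origin
    local_pref: int = 100

def best_path(routes):
    """Reduced BGP decision process: highest LOCAL_PREF wins, then the shortest
    AS-path; the PoP name stands in for the later tie-breakers."""
    if not routes:
        return None  # prefix fully withdrawn: unreachable
    return min(routes, key=lambda r: (-r.local_pref, len(r.as_path), r.pop))

def withdraw(routes, pop):
    """Model a PoP going offline: its announcement disappears everywhere."""
    return [r for r in routes if r.pop != pop]

# Hypothetical ASNs from the documentation range 64496-64511 (constructed
# example). 64496 is the anycast operator; the others are transit networks.
ORIGIN = 64496

# Paths as seen by a router in Tokyo: the local PoP is one AS hop away.
TOKYO_VIEW = [
    Route("tokyo", (64497, ORIGIN)),
    Route("singapore", (64497, 64498, ORIGIN)),
    Route("london", (64497, 64499, 64500, ORIGIN)),
]

# Paths as seen by a router in Seoul whose transit peers directly with the
# Singapore PoP's upstream: Tokyo is geographically closer but one AS farther,
# so BGP sends this user to Singapore.
SEOUL_VIEW = [
    Route("tokyo", (64501, 64502, 64497, ORIGIN)),
    Route("singapore", (64501, 64498, ORIGIN)),
]

def failover_sequence(view, offline):
    """Return the PoP chosen after each successive withdrawal in `offline`."""
    chosen = []
    for pop in offline:
        view = withdraw(view, pop)
        best = best_path(view)
        chosen.append(best.pop if best else None)
    return chosen
```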
Where Anycast Shines
1. DNS
The root DNS servers, every major recursive resolver (1.1.1.1, 8.8.8.8, 9.9.9.9), and authoritative DNS providers all use anycast. DNS queries are short, stateless UDP exchanges — perfect for anycast.
2. CDNs
Cloudflare, Fastly, and Bunny use anycast for their edge networks. A user's packet hits the nearest PoP, which then handles the HTTPS handshake locally.
3. DDoS Scrubbing
Anycast spreads attack traffic across many scrubbing centers. A 1 Tbps attack hitting 50 anycast PoPs becomes, if the load spreads evenly, 50 separate 20 Gbps attacks — much easier to absorb.
4. Global Load Balancing
Anycast naturally directs users to the closest healthy region, eliminating the need for GeoDNS or external traffic managers for many use cases.
5. NTP and Stateless APIs
Any short, stateless protocol benefits from anycast.
Where Anycast Struggles
Anycast is not a silver bullet. It has real limitations:
- Stateful connections. A long-lived TCP connection can switch to a different PoP mid-flight if BGP repaths — the new PoP knows nothing about the session and resets it. Mitigations: keep sessions short, use connection tracking with state replication across PoPs, or terminate TLS at the edge and reconnect to a fixed unicast origin.
- BGP path inconsistency. Routes don't always pick the geographically closest PoP. They pick the "best" by BGP's rules, which can be surprising.
- Hard to debug. Which PoP did this user hit? Logs need clear PoP tagging.
- Requires your own ASN and provider-independent (PI) IP space. You can't anycast from rented provider-aggregatable (PA) addresses, which only the assigning provider may announce.
- Capacity must exist at every PoP. If your Tokyo PoP saturates, BGP doesn't know — it'll keep sending traffic until you withdraw the route.
Anycast vs GeoDNS
GeoDNS solves a similar problem differently: it returns different IPs to different users based on geolocation lookup. Comparison:
- Anycast — fast failover (BGP-speed, ~10-30 seconds), no DNS TTL issues, suited mainly to stateless protocols.
- GeoDNS — slow failover (DNS TTL-bound, often minutes), works for any protocol, gives precise control over which user goes where.
Many providers combine both: GeoDNS to direct users to the right region, anycast within each region for redundancy.
Deploying Anycast: The Requirements
- Your own ASN. Apply through your regional internet registry.
- Provider-independent (PI) IP space. A /24 IPv4 minimum; /48 IPv6 minimum.
- Multiple data centers with BGP-capable upstream connections.
- RPKI ROAs. Publish a Route Origin Authorization that names your ASN as the valid origin for your prefix, so networks doing route origin validation accept your announcements from every PoP.
- Identical service at each PoP. Users hit different PoPs — they all need to serve the same data.
- State synchronization (if stateful). Sessions, caches, and writes need to converge somehow.
- Health-driven announcements. Withdraw announcements automatically when a PoP fails health checks.
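One way to implement the health-driven announcements from the last requirement, as an added example that is not part of the original article: a small controller that feeds probe results through a hysteresis so a single failed check does not flap the route, and emits ExaBGP-style API commands on stdout. It assumes the service listens locally on TCP port 53, that the host runs ExaBGP with this script configured as a process, and a made-up load threshold; it also withdraws on saturation, since BGP itself cannot see PoP load.

```python
import os
import socket
import time
from dataclasses import dataclass

@dataclass
class AnnounceController:
    """Decides when this PoP should announce or withdraw its anycast prefix.
    Hysteresis avoids withdrawing and re-announcing on every single blip."""
    prefix: str
    fail_threshold: int = 3     # consecutive failed probes before withdrawing
    recover_threshold: int = 5  # consecutive passed probes before re-announcing
    announced: bool = False
    fails: int = 0
    passes: int = 0

    def step(self, healthy: bool):
        """Record one probe result; return the ExaBGP API command to emit, or None."""
        if healthy:
            self.fails, self.passes = 0, self.passes + 1
            if not self.announced and self.passes >= self.recover_threshold:
                self.announced = True
                return f"announce route {self.prefix} next-hop self"
        else:
            self.passes, self.fails = 0, self.fails + 1
            if self.announced and self.fails >= self.fail_threshold:
                self.announced = False
                return f"withdraw route {self.prefix} next-hop self"
        return None

def pop_is_healthy(port=53, max_load=8.0):
    """Probe the local service over TCP, and treat a saturated host as unhealthy
    so the PoP removes itself before it starts dropping traffic (assumed values)."""
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=1):
            pass
    except OSError:
        return False
    return os.getloadavg()[0] < max_load  # assumed 1-minute load threshold

if __name__ == "__main__":
    # Run as an ExaBGP "process": each command printed to stdout drives the
    # BGP session toward the upstream. 198.51.100.0/24 is the article's example.
    ctl = AnnounceController("198.51.100.0/24")
    while True:
        cmd = ctl.step(pop_is_healthy())
        if cmd:
            print(cmd, flush=True)
        time.sleep(2)
```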
Common Anycast Deployment Patterns
Pure Anycast (Stateless)
DNS, NTP, simple HTTPS APIs. Each PoP serves identical content. Failover is automatic and fast.
Anycast Edge + Unicast Origin
The edge (TLS termination, caching, WAF) runs on anycast. A connection from edge to origin uses unicast. CDNs work this way.
Anycast Front Door + Application Routing
Anycast lands the user at the nearest PoP, which inspects the request and forwards it to the appropriate region (e.g., user in Asia → Singapore region). Many enterprise SaaS platforms work this way.
Anycast and DDoS Protection
Anycast is one of the most effective DDoS defenses available. By spreading the same IP across dozens or hundreds of PoPs, attack traffic is naturally distributed. An attacker would need to overwhelm every PoP simultaneously — a much higher bar than overwhelming a single server.
This is why every major CDN and DDoS scrubbing provider runs anycast at scale.
Anycast at Noded
Noded supports anycast deployments for customers with their own ASN and PI IP space. We'll announce your prefix from multiple PoPs across our network, so your DNS, CDN, or anycast service benefits from low-latency global routing and built-in DDoS resilience. Combined with our IP transit and IPAM, you get a complete anycast-ready platform.
Building something global? Talk to our team — we'll help you design your announcements, communities, and PoP placement.
Frequently Asked Questions
Is anycast faster than unicast?
Usually, yes — for stateless services, anycast routes users to the nearest PoP, lowering latency. For stateful services where the application is in one region, unicast can sometimes be faster.
Can I do anycast on a single VPS?
No — anycast requires announcing the same prefix from multiple BGP-speaking locations. Each location needs at least one server with its own BGP session to an upstream.
Will anycast break long TCP connections?
It can if BGP repaths mid-session. Solutions include keeping sessions short, replicating session state across PoPs, or using protocols like QUIC that handle migration better.
Is HTTPS hard to do over anycast?
Not really. The TLS handshake completes at one PoP, and as long as BGP doesn't repath during the connection (rare on stable backbones), the connection stays on that PoP.
Do I need a /24 to anycast IPv4?
Effectively, yes. Most networks filter prefixes longer than /24, so announcements more specific than /24 (a /25, for example) won't propagate globally.