My experience with AWS China
Given the global nature of Teracloud’s customers, we often need to learn new tricks or adapt our practices to different geographical locations. For the last several weeks I have been working for a customer who has an application in AWS Cloud with users in both the USA and China. The process of setting up the infrastructure to provide an excellent user experience in both locations was not free of problems. The aim of this article is to share my experience in this tricky endeavour.
You may wonder what the difference is between AWS China and the rest of the regions. To begin with, you cannot find AWS China in http://console.aws.amazon.com/ as a region that you can switch to. AWS China is completely separated from AWS global: there is no way to directly connect resources between AWS global and AWS China, and even China’s IAM is separated from global IAM.
AWS China has two regions: Beijing (with 2 availability zones), which is operated by Sinnet, and Ningxia (with three availability zones), which is operated by NWCD. Amazon Web Services has collaborated with local Chinese partners to comply with China’s regulatory and legal requirements, which it couldn’t satisfy on its own.
Let's see some of the main differences between AWS Global and AWS China:
There is no direct connection between AWS China regions and AWS global.
AWS China has its own domain.
The number of services available in China is smaller compared to other regions. For example, at the time this publication was written Fargate, EKS, EFS, AWS Secrets Manager and many more are not available in AWS China. For the complete list of available services on AWS China click here.
The user accounts of AWS China are separate from those of AWS global, because they live in a completely separate infrastructure.
AWS China has no access to the global Route53 service.
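The separate IAM and the smaller service list above mean that policies written for AWS global do not carry over unchanged. The following pre-flight check is an added example, not code from the original article or from AWS; it assumes the "aws-cn" ARN partition and the region codes cn-north-1 and cn-northwest-1, which the article does not state, and uses a constructed sample policy.

```python
import re

# Assumptions not stated in the article: AWS China ARNs use the "aws-cn"
# partition, and the two regions are cn-north-1 (Beijing) and cn-northwest-1 (Ningxia).
CN_PARTITION = "aws-cn"
CN_REGIONS = {"cn-north-1", "cn-northwest-1"}
# IAM action prefixes for services the article lists as unavailable when it
# was written (Fargate has no IAM prefix of its own, so it is not checked here).
UNAVAILABLE = {"eks": "EKS", "elasticfilesystem": "EFS",
               "secretsmanager": "AWS Secrets Manager"}
ARN_RE = re.compile(r"^arn:([^:]*):([^:]*):([^:]*):")
ACTION_RE = re.compile(r"^([a-z0-9-]+):[A-Za-z*?]+$")

def _strings(node):
    """Yield every string value nested anywhere in a parsed policy document."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for value in node.values():
            yield from _strings(value)
    elif isinstance(node, list):
        for value in node:
            yield from _strings(value)

def lint_for_china(policy):
    """Return findings for ARNs and actions that do not fit an AWS China account."""
    findings = []
    for text in _strings(policy):
        arn = ARN_RE.match(text)
        if arn:
            partition, _service, region = arn.groups()
            if partition != CN_PARTITION:
                findings.append(f"wrong partition '{partition}': {text}")
            elif region and region not in CN_REGIONS:
                findings.append(f"non-China region '{region}': {text}")
            continue
        action = ACTION_RE.match(text)
        if action and action.group(1) in UNAVAILABLE:
            findings.append(f"{UNAVAILABLE[action.group(1)]} unavailable: {text}")
    return findings

# Constructed sample policy (account ID and resource names are placeholders).
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Allow", "Action": "secretsmanager:GetSecretValue",
     "Resource": "arn:aws-cn:secretsmanager:us-east-1:111122223333:secret:example"},
    {"Effect": "Allow", "Action": "sqs:SendMessage",
     "Resource": "arn:aws-cn:sqs:cn-north-1:111122223333:example-queue"}]}
```

Calling lint_for_china(SAMPLE_POLICY) returns three findings: the global-partition S3 ARN, the Secrets Manager action, and the ARN that names a region outside China. The service list reflects the article's publication date and should be re-checked against current availability.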
Despite the above, we still need to work with AWS China to serve Chinese customers. So, as with any other service, it begins with creating an account, but it does not end there: your identity must be verified by the Chinese government before you can get access to the AWS China Regions. Companies that want to register for an AWS China account need to provide a valid Chinese business license called ICP license (wikipedia). Moreover, depending on the business you are operating in China, there might be several regulatory requirements besides the ICP requirements. For more information click here.
At this point you may say “why bother? I can deploy in the Singapore Region and have similar latency”, and you would be right: the latency is similar. BUT you are still on the wrong side of the Great Firewall of China. All traffic that enters and leaves mainland China must pass through the Great Firewall.
There are only three entry points on the Chinese Firewall, so all traffic entering and leaving it is monitored by the government. Because of this, there is often congestion and packet loss, resulting in a poor user experience for our valuable Chinese customers.
You not only need to comply with Chinese regulations; you also have to make major changes to your infrastructure configuration and your architecture to adapt to AWS China.
Do not hesitate to contact us at Teracloud.io with questions or concerns about servicing your customers on the AWS China Region. We can help you.
If you feel that this blog post reflects your actual needs or concerns, or you just want to know more, email our team member firstname.lastname@example.org.