Organizations running workloads on AWS often want to take advantage of the AWS global footprint to expand operations globally. Web applications hosted in a single AWS Region can be reached worldwide, but latency issues can negatively affect performance and the user experience.
Web applications are often powered by underlying databases, such as a database running on SQL Server on Amazon EC2. Extending your web application deployment to multiple Regions helps reduce latency, but you must ensure that the separate database instances running in different Regions are constantly in sync. You also need to check there are no write conflicts. Avoiding these conflicts and challenges can be burdensome, especially if you are not using a managed database engine capable of handling these replication issues. The extension to AWS China Regions can be difficult as not all AWS services and features are available.
To establish a low latency link between an AWS China Region and another global AWS Region, we recommend using AWS Direct Connect. To comply with China’s legal and regulatory requirements, AWS Regions in China are supported by local AWS Partners. Through Direct Connect connections, supported by a partner network, reverse proxy servers route users in China to appropriate resources in your home Region with low latency. This reduces the need to configure replication across multiple database resources and having to worry about synchronicity.
In this post, we show you how you can improve user experiences when accessing your web application powered by SQL Server running on Amazon EC2. This is done by establishing Direct Connect connections and configuring reverse proxy servers.
Overview of solution
The following architecture diagram shows two VPCs, one in the North Virginia Region and one in the Beijing Region.
- The North Virginia Region is used as the “home” Region where primary resources reside. A web application as well as a primary and replica SQL Server instances are hosted on Amazon EC2 instances.
- Note that for this example we only have one read replica and two web servers, but this architecture will also work for varying amounts of Amazon EC2 instances. Global users connect to the web servers in North Virginia through the Application Load Balancer.
- China users connect to reverse proxy servers hosted on Amazon EC2 instances and provisioned in the Beijing Region through an Application Load Balancer. The reverse proxy servers are configured to route traffic back to resources in North Virginia through the established Direct Connect connections.
The link between the two regions is supported by both AWS Direct Connect and a Direct Connect Partner network of your choice. From a Direct Connect gateway in the AWS China Region, your traffic travels to the Partner’s interconnection point. The Partner’s backbone network is used to facilitate traffic across the Chinese border.
Outside of China, the Partner you work with provides another interconnection point. From here, your traffic travels through the AWS backbone network via another AWS Direct Connect connection.
Here is an overview of the steps to build out this architecture:
- Provision the Direct Connect connections
- Create Virtual Private Gateways
- Configure your Direct Connect connections
- Create reverse proxy servers
- Configure route tables to route traffic between Regions
For this walkthrough, you should have the following prerequisites:
- An AWS account and an AWS China account
- A web application running on Amazon EC2 behind an Application Load Balancer
- SQL Server running on Amazon EC2 with an optional read replica
Provision the Direct Connect Connections
Direct Connect connections come in different bandwidths, ranging from speeds of 50Mbps to 100Gbps. You need to first figure out what connection capacity you require.
Work with an AWS Direct Connect Partner, who will provision the Direct Connect connections for the AWS accounts you need in your China and US regions. Two connections are made:
- one that connects your China resources to the partner’s network,
- one that connects from the partner’s network to your North Virginia resources.
For more information, contact a partner.
Create Private Virtual Gateways and Direct Connect Gateways
- In your North Virginia VPC where your resources reside, create a Virtual Private gateway. This allows resources in your VPC to access the Direct Connect connection.
- Associate your subnets to your virtual private gateway, and ensure that route propagation is enabled. Repeat the same procedure for your VPC in the Beijing Region.
- You will also need to create Direct Connect gateways in each of your accounts in the two regions. Direct Connect gateways allows you to use your provisioned Direct Connect connection amongst most other Regions from multiple VPCs.
- Then, associate the Direct Connect gateways with the virtual private gateways in the same Region.
Configure your Direct Connect Connections
Once your Direct Connect connections are ready to use, you need to associate the connections with the Direct Connect gateways you created.
- First, accept the Direct Connect connection in the Direct Connect console.
- When you accept a connection, you can then create private virtual interfaces to associate the connection to.
- When creating your private virtual interface choose Direct Connect gateway as your gateway type, and choose the appropriate Direct Connect gateway.
Now that our Direct Connect connection is fully configured, we must tell our traffic how and where to flow from and to. We achieve this with reverse proxy servers and VPC route tables.
Create Reverse Proxy Servers
Reverse proxy servers will reroute traffic from users in China connecting to Amazon EC2 instances in China back to resources in North Virginia.
To do this, you must configure your instances to act as reverse proxy servers. You can use off the shelf software such as NGINX for this, such as the NGINX Reverse Proxy Server AMI, or any other software of your choosing. You can alternatively develop and configure your own reverse proxy server.
Configure VPC Route Tables
Now that your reverse proxy servers are configured to redirect traffic to resources in North Virginia, you must configure your route tables to take advantage of your Direct Connect connection. For this example, assume that the Beijing Region VPC’s CIDR block is 10.1.0.0/24 and has a virtual private gateway identified as vgw-01. The VPC in the North Virginia Region has a CIDR block of 10.2.0.0/24 and a virtual private gateway identified as vgw-02.
In the Beijing Region, create a new route in your VPC to route traffic destined for the North Virginia CIDR block towards the virtual private gateway you previously configured as seen in Table 1.
In the North Virginia Region, create a route for the Beijing Region VPC CIDR block towards the virtual private gateway as seen in Table 2. When traffic is sent to the virtual private gateway, it then flows to the Direct Connect gateways provisioned and enters the Direct Connect connection.
In this post, we showed how to extend your web application deployment from any global AWS Region to AWS China Region through Direct Connect connections, supported by a partner network. Reverse proxy servers route users in China to appropriate resources in your home Region with low latency.
This reduces the need to configure replication across multiple database resources and having to worry about synchronicity. By taking advantage of a dedicated Direct Connect connection, you can achieve consistent and performant user experiences for your web application hosted on Amazon EC2. Review Getting Started with AWS Services in AWS China (Beijing) Region and AWS China (Ningxia) Region to learn more about AWS China and how to get started with AWS China Gateway.