AWS Networking: Regions, Zones and VPC

Introduction

This is a series of essays about networking on AWS. Let's begin with a global view of regions, zones and VPC.

NB: This blog is not affiliated with Amazon Web Services.

Regions

AWS regions represent separate geographic areas around the world. For beginners, choose the region closest to you or your customers, but avoid the us-east-1 region because it's the oldest and largest AWS region that have experienced outages more frequently than any other region in the past.

(Source: AWS)

For big companies, using multiple regions can improve user experience by putting compute resources and data near your customers. It also helps with compliance, as mandated by governments and regulations like the GDPR.

Availability Zones

In most cases, the only type of AWS zone you'll use is Availability Zone (AZ). Resources on AWS are either created within a single AZ, or distributed across several AZs in a region. AZs are usually referenced by their code in the console, for example us-east-1a and us-east-1b.

A little known fact about AZs is that us-east-1a might not refer to the same physical zone across AWS accounts. The rationale for this is that statistically the first AZ is used the most. To balance load between AZs, AWS maintains a mapping of physical zones to AZ codes separately for each AWS account.

Multi-AZ deployment is strongly recommended for production to improve availability and speed up disaster recovery (DR) when an AZ is down. Each AZ is isolated from the others in terms of power supply, networking, physical location, etc. When a failure happens (spoiler: it always happens), it's less likely to affect multiple AZs at the same time.

Within a region, AZs are well inter-connected with redundant paths to each other and to the 2 transit centers that connect to the Internet and other regions, as shown in the diagram below.

Note that multi-AZ deployment can speed up DR, but does not by itself implement high availability (HA). If you have a mission-critical service that could tolerate very little downtime, you have to utilize at least 3 AZs and distributed consensus algorithms like Raft and Paxos.

VPC

When AWS launched EC2 in 2006, all instances run in a single flat regional network secured by security groups. A few years later, they introduced SDN (software-defined networking) features as Amazon VPC (Virtual Private Cloud) and subsequently made it the default in 2013.

All AWS accounts created since then are VPC-only and include a default VPC for each region. VPC brings great flexibility, but it's much more complicated than the classic networking. I'll write more about VPC and subnets in the next post, stay tuned!