AWS customers with users who live in mainland China need to take special considerations in the perceived performance of the product they're delivering, whether it's a basic website or a SaaS application. You may have already received complaints about page load times and latency from your users for products you're hosting outside of China. Some of this slowdown can come from the physical limitations of geographical distances, if you're serving out of regions in America or Europe. This can be partially overcome by choosing a region closer to China, such as AWS Asia Pacific (Singapore).
Once geography is solved, you may still find your users are suffering through unsatisfactory response times. This additional lag may be because all traffic that enters and leaves mainland China must pass through what has been coined the Great Firewall of China. The deep packet inspection and filtering believed to be performed by this system, as well as the limited number of connections to the outside Internet acting as choke points, greatly limit the speed at which external websites can be accessed. If you have a core user base in mainland China and you're not already hosting your services in the AWS China (Beijing) region, it may be time to start investigating about what it takes to do so.
While you may already be comfortable with the ease of switching between AWS regions as you work with their various services, it's not the same approach when it comes to the AWS China (Beijing) Region. The first time you start using this region, it's easy to get caught up in some of the differences if you assume it's going to be as simple as changing between US East (N. Virginia) and EU (Ireland).
I have collected some useful tips learned from my experiences working with AWS China which will hopefully help you find your way when dealing with this unique region.
AWS China Region Facts
- Opened in early 2014
- Provided and operated by Beijing Sinnet Technology Co., Ltd.
- Official website: www.amazonaws.cn
- Region name: cn-north-1
- Two AZs: cn-north-1a, cn-north-1b
What Makes The AWS China Region Different
Let’s switch to the AWS China Region to launch a few EC2 instances and see what it looks like:
Wait! Where is it? As you can see there’s no AWS China listed in the regions list in the regular AWS account.
Here are a few things you need to know about the AWS China Region before you get started:
- The AWS China Region is completely separate from other AWS regions.
- You cannot use your global AWS account in the AWS China Region.
- You will have to open an AWS China account in China.
- Only China-based and multinational companies with customers in China can apply for an account.
- Opening an AWS account in China requires several steps:
- Complete the “Request an AWS (China) Account” form: http://www.amazonaws.cn/en/sign-up/
- Provide documents of your company status
- Get approved
AWS China Region Accounts type
Once you are approved, you will have an Internal Access Account.
- In Amazon EC2, all common Internet ports are blocked except 22 (SSH) and 3389 (RDP).
- All internal ports remain available.
- In Amazon S3, buckets are not allowed to serve content for public anonymous access, and pre-signed URL functionality is disabled.
If you want to publish some web content you will require a Full Access Account. In China, all web content requires government approval in the form of an Internet Content Provider (ICP) license (also known as an ICP recordal). You can apply for an ICP license from your AWS China Internal Access Account, in the My Account section under your account's drop down menu:
However, this process is not so easy and not as fast as you may expect. Here you can see an overview of the ICP Recordal application process as published by SINNET Technology:
Once you get your ICP license, port 80 (HTTP) and 443 (HTTPS) will be opened to allow external access into your account. You can see the ICP license number published at the bottom of the page:
The Great Firewall of China
All Internet traffic is monitored and can be blocked by the government in China. Because of this, you will experience huge network latency for traffic from outside of Mainland China.
Many popular websites, such as Google, Facebook and YouTube, are not available right now in China, as you can see from this table of high-ranking websites blocked in Mainland China that has been published in Wikipedia:
AWS Services Available in AWS China Region September 2017
The AWS China Region has a greatly reduced set of AWS services available. This is how the AWS Management Console looks when logged in to an AWS China account right now, with a list of all the available services within the region:
Notable missing services:
Most people have learned that an S3 bucket name must be unique across all regions in AWS, but this does not include the AWS China Region. Due to its special status you can have one bucket in the China region and one in a global region which both use the same name.
In this example, I have created a bucket with the same name in both China (Beijing) and in US East (N. Virginia) regions.
In case you need to sync data from an S3 bucket in a global region to an S3 bucket in the China Region you will have to use two credentials and two steps (an “intermediate location” in this case is your local computer drive).
- Sync from your global S3 bucket in an intermediate location using global IAM user credentials
- Sync from an intermediate location to your S3 bucket in China using China IAM user credentials
AWS CLI commands:
#>aws s3 sync s3://mybucket.com /home/temp/ --profile=USER-GLOBAL --region=us-east-2
#>aws s3 sync /home/temp/ s3://mybucket.cn --profile=USER-CHINA --region=cn-north-1
Key Differences between the China Region and Global Regions
The following is a list of major differences between the AWS China Region and other regions in your global AWS account:
|Global Region||China Region|
|arn:aws:s3:::my_bucket||Amazon Resource Name||arn:aws-cn:s3:::my_bucket|
|arn:aws:iam::1234567890:user/David||Amazon Resource Name||arn:aws-cn:iam::1234567890:user/David|
|arn:aws:ec2:us-west-2:*||Amazon Resource Name||arn:aws-cn:ec2:cn-north-1:*|
|http://mybucket.s3-website-us-east-1.amazonaws.com||S3 WebPage Endpoint||http://mybucket.s3-website.cn-north-1.amazonaws.com.cn|
|Version 2 and Version 4||Authentication Signature||Version 4 only|
|MFA available||MFA||MFA not available|
|Can copy to another Region||AMI Copy||Only available within China Region|
|Can be same as in China||S3 Bucket Name||Can be same as in Global|
A few examples of 3rd party applications which now support the AWS China Region:
- s3fs (v1.82): Use to mount an S3 bucket as a folder in Linux, using AuthenticationSignatureV4 which is required for the China region.
- Jenkins Plugin AWS Elastic Beanstalk Deployment Plugin (v0.3.19): I worked with the developer of this plugin to get the China region supported there was originally an issue with the S3 endpoint name.
When trying to use applications with the China region that don’t support it yet, you may receive a similar error to the following:
Check if there is an updated version of the application with support for AuthenticationSignatureV4, which is required for all AWS regions opened in 2014 and later, including the AWS China Region.
While working with the AWS China Region you may find that little adjustments need to be made to your existing knowledge and scripts. Many 3rd party application have not been tested in this region and you may find bugs or errors trying to use them there. Always check for the most up-to-date version of applications and contact developers to let them know about issues—the fixes are usually very easy for developers.
If you don’t comprehend the language, use can use Google translate to read information on the AWS China website and forums about the services available out of Beijing.
AWS is working hard to introduce more services into new regions, so if you are reading this in the near future, you will likely see many more services available in the China region.
And as always, if you need help with migrating to or starting a new project in the AWS China Region, please don’t hesitate to reach out to us at TriNimbus.