AWS China Special Considerations

[rjhintz]

There's occasionally discussion about expectations for interacting with AWS China and special considerations. This issue collects links and discussion for appropriate updates to the Open Guide.

• If I open an Amazon China account and host services there, will I be able to access them from my BackEnd (outside China)?
• AWS China(Beijing) Region Tips [Any of you gals/guys created a AWS China acc? ])https://www.reddit.com/r/aws/comments/5ar98u/any_of_you_galsguys_created_a_aws_china_acc/)

Also:

Endpoints are completely separated from the real AWS. The S3 namespace is unique 2 AZs Most CLI tools based on AWS API work out of the box (except a few services) Billing is in RMB exclusively and requires an entity in China or Sinnet will disable your account The packet loss is atrocious, 25-30% to the US, 10-15% to Europe. GFW will filter traffic over port 80/443/8080 until you have completed ICP GFW performs DNS poisoning on blacklisted domains Bandwidth crossing the border is massively reduced thanks to the GFW. (15KB/s to Singapore is a good day) Sinnet has an english support

and

Took us about 15 days total. For some reason they insisted on working on account setup with a native Chinese speaker so our lawyer was the one that got our "root" credentials to our AWS account. It was a little odd. Reason for the air quotes and the other really weird thing was our AWS rep created a Hotmail account matching a format of "aws.firstname_12345@hotmail.com" and set up our account that way. That email address is attached to our real root credentials.

Some other interesting notes is at present they can only invoice and don't accept cards, you can't enable MFA on your IAM accounts, the ARN name spacing is "aws-cn" makes for some trippy role setups, the S3 namespace is unique to the Beijjng region so you can land grab those bucket names!

Ninja Edit: they'll also ask you to set up an ELB for your application and they'll attach static IPs to it for your ICP. (At least our rep did)

[QuinnyPig]

Good find-- want to curate / build a PR for a China section?

[rjhintz]

@QuinnyPig If you're asking me, I had some time around last November when I kicked off some issues and a few PRs, but scheduling issues have been a problem lately. I do hope to get back to the project.

[rokka-n]

I can add few things.

• overall cn region looks like 3-5 years aws implementation from us/eu regions
• list of services and their specifics in cn region: http://docs.amazonaws.cn/en_us/aws/latest/userguide/services.html
• "core" services are available: EC2, DynamoDB, S3, Kinesis and SQS
• no sms/push notifications for SNS service
• account reps can help with a leased line to ap-southeast-1 (cost is manageable but set up time is not fixed). That should help GFW
• support is doing ok, but N
• Route53 works just fine for resolving anything in cn account, but no alias records available
• no encryption on things like EBS volumes
• replicating any data out of cn region is impossible (throttled, firewalled and simply could be unlawful)
• web services you build in the region will be unusable for public access outside of China. Tolerable for internal use cases although developers will hate you :)

[rjhintz]

@rokka-n I have some questions about your helpful update:

• what do you mean "overall cn region looks like 3-5 years aws implementation from us/eu regions"?
• leased line. Do you mean Direct Connect from a site in China to ap-southeast-1/Singapore? Is this totally outside Chinese government technical regulation, that is, Great Firewall?
• "support is doing ok, but N" <-I think some words are missing here
• "no encryption on things like EBS volumes" <- can you can still do client encryption with client managed keys?

[rokka-n]

I think services and it features that are available in cn region are older versions that were deployed in other regions. Obviously, there is no changelog available, so it is just my guess :)

Yes, for a "dedicated" line it is probably a direct connect one. I've heard that the latency and throughput is guaranteed for such connection, but haven't tested myself. If anybody needs details - just ask account rep, they know all local partners.

Support in cn is doing ok, but sometimes is faster to verify with aws support from US. Sometimes cn support knows more about nitty-gritty details (for example, assigning static IPs for ELB to satisfy gov requirements).

Not sure about encryption options, I guess everything has to rely on client managed keys and client-side encryption.