- Newest
- Most votes
- Most comments
Unfortunately, there's no reliable way for users in China to consistently access AWS services like S3, EC2, and API Gateway unless you set up infrastructure within the AWS China region. Even nearby regions like Singapore or Tokyo can’t guarantee access due to how China’s internet works. Setting up in AWS China means running a separate account with different rules, which isn’t always worth it if your user base is small.
This article explains the tradeoffs really well: https://mev.com/blog/7-things-i-wish-i-knew-before-deploying-a-project-with-aws-in-china
This is the nature of the Internet: There are many different networks that make up the global internet; many different operators; many different country borders; many different regulatory divisions. It's not under anyone's single control so there is a limited amount of influence that you or even AWS can have in situations like this.
For reliable service in China, you will need to run services in the AWS China regions. And that means working within the regulatory frameworks in that country.
Edit: Also see this handy blog post - it doesn't really answer the question above but might help some people out there.
We have faced the same problem and finally we decided to set up the instance in AWS China (either Beijing or Ningxia region). Otherwise you have to set up Direct Connect or VPN.
Thanks for the replies from the other posters, they are really good information. I will also reply here to my own post to update what I eventually did (3 years later)
The literal answer was "No." There is no other AWS region outside of the two China ones (Ningxia and Beijing) that will provide regularly good access to AWS services.
As I said we just did not have the business (or prospect of enough business) in China to justify the expense and effort of setting and maintaining a parallel stack. I tried various things like CDNs and offloading some of the tasks that required connecting across the firewall to servers (not browsers) and using async tasks that did not cause users to have to wait for a response. But it was not very successful. It was hard to test. And I felt like I was avoiding the obvious. (Though I do know of other services that were successful with CDNs ). So we just told users in China that the service was not great there, and gave them realistic expectations before they signed up.
A few years later we did pick up enough business to reconsider the project. Not much had changed from the business side of things. We needed to get an ICP certification, and use a service in China who acted as our agent. We used a service called CloudX, and they were great. They have the parent AWS account and give us a sub account. It is possible to have your own AWS account, and not use an agent, but its a much longer process with quite rigorous requirements. Having an agent really makes it easier to go through the steps you need to go through. Because a lot of the difficulty in the whole process is not really knowing what is the right way to do things. It was not too expensive.
Interestingly enough the agents that we had been talking with 3 years ago, seemed to be gone, or out of business. I wonder what would have happened to our accounts if we had used them.
It took about 3 weeks from signing up to being able to login to our accounts, and a little longer for the ICP to come through. Before the ICP comes through you can not use port 80 or 443 on your servers. Technically it might be possible, but you would risk being shut down before you started. I was not brave enough to try that.
Once we had access to our AWS account most things were quite familiar. The services and UI and settings and API for the most part were exactly the same. But there were cases when things were not quite the same. And that is where I burned a lot of time. It was not clear if I had just configured something wrong, or AWS China was different in a way I did not know, or if there was some block on my account till my ICP was through.
An example of this was trying to access the AWS transcribe service. No matter what I did, I kept getting DNS errors. Up until that point all the API endpoints followed the standard pattern and there was no indication that AWS transcribe would be different. I was using:
transcribe.cn-northwest-1.amazonaws.com.cn
It turns out that the correct endpoint was non standard. It was :
cn.transcribe.cn-northwest-1.amazonaws.com.cn
That also shows up another point where you can go astray. The documentation is in Chinese, and it even says "it has not been translated into English." So you use the browsers translate to English function. However the documentation is almost all simply a machine translation of the English documentation. And where there are differences in the services it will not be documented there. And there are differences.
Those are laid out in other documents, and you should look for those early on. This was the one that would have helped me: https://docs.amazonaws.cn/aws/latest/userguide/endpoints-Ningxia.html
Other differences I ran into were:
- No function URLs in Lambda
- No ACM certificates in CloudFront (that was hard )
- Available Polly TTS voices were limited
- No accelerated upload endpoints for S3
Also, perhaps it helps someone, though you will mostly read that you cannot transfer EC2 images across regions, I found it was actually pretty easy to use the AWS CLI to do just that. How to backup, and then restore, is documented on this page. That is all you need to do: https://repost.aws/knowledge-center/ec2-export-ami-s3-bucket
Testing was also hard. Without being in China it is hard to know if its working or not. Perhaps you could do something with VNC and a machine in China. I did have our client in China test things and report back, but communication was a problem, and it was just not practical. So in the end I actually went to Shanghai and tested from a hotel there. In my case Shanghai is very close so it was worth doing. And it was good to be able to test and fix in the same session. But if you do that and you have not been there before, you should prepare the resources that you need in advance because some of the services that you rely on might be blocked. Those include Google drive, Gmail, and Github.
After all that, we are now up and running in China and its going great.
Thanks for your reply. But that's a political response to a technical question.
No, that's a technical response too. If you can't control it then there's not much you can do. You've already outlined the two paths that are open to you: Continue the way that you are operating; or launch resources in China.