Multi-region Cognito?

3

There is a 4-year-old thread on the AWS forums, but I think there is still no support for multi-region Cognito?

https://forums.aws.amazon.com/thread.jspa?messageID=777006

We run on US & Asia regions and Cognito is the single bottleneck. We can run databases, APIs etc. cross-region but not Cognito :( One thing is lag. We can either support US or Asia customers better now :( But another high topic is disaster recovery & failover.

This month was real bad for AWS, it was down in US regions 3 times in a month. Last year, AWS was also down during Q4 of 2020 and Q4 is the most important Q of the year for many because of holiday sales.

We run on N. Virginia (probably most pop region?) and it was heavily affected during this December, when the traffic is at its peak and everyone just looks how AWS region is down and $ is not collected from the peak sales period. I bet a lot of you had that frustration during this December 2021 too. And also 2020, while AWS was down during Q4 of 2020 too.

AWS talks constantly - everything fails, do multi region. Follow the 5 pillars.

How can we follow AWS best practices when a core service which is in use by the user for any API call cannot run by AWS's best practices? What's the point of running a database in multi-region as failover if the user can't access it anyway because the 1st service it needs to hit is single-region and it is down?

The thread around this started back in March 2017. It's been 4 years already and still no option to run multi-region authorization.

AWS, is there any progress on this?

Lukas
asked 2 years ago · 3642 views
3 Answers
1

Thanks Sean. In terms of the 2nd option, it looks like passwords can't be replicated, so how does that factor in? Will the user have to reset the password during a disaster and reset it again when the primary comes back online?

AWS
PK
answered 2 years ago
0

While I cannot answer the question on when multi-region support is arriving, I can give some suggestions that I have seen people use. I don't know the use case you have (identity pools, user pools, or both), so I will talk about user pools since that is the common use case.

The underlying database used by Cognito is highly resilient and I would expect it to survive a regional failure. However, it would be unavailable for the duration of a regional failure and that may well be unacceptable. If this is the case, and until multi-region support arrives, I would suggest the following:

First. Don't store user credentials in the Cognito database. Instead federate via SAML as this removes the biggest issue with single region use, the inability to back up user credentials. I prefer this anyway as I really want a single database of record for all my users and that often already exists.

Second. Design for failure. Assume that the region will fail and either build out parallel Cognito infrastructure in another region, or have the CloudFormation to do so ready to go. This is a cost vs. RTO trade-off as to whether it is better to have warm or cold standby in your use case.

Finally. If at all possible store only transient session data in the database. Ideally if the region fails then you should be able to cold start in another region with minimal impact. If the data needs to persist then run regular backup jobs to walk the database and copy the data out according to your RPO.

Sean_L
answered 2 years ago
  • Thanks Sean. In terms of the 2nd option, it looks like passwords can't be replicated, so how does that factor in? Will the user reset the password during a disaster and reset it again when the primary comes back online?
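
Added example, not part of any answer above: one way to write the backup job that walks a user pool, assuming "the database" means the Cognito user pool and that `client` is a boto3 `cognito-idp` client. The `FakeCognito` class, its users and the pool id are constructed sample data so the block runs offline; `needs_password_reset` is a hypothetical field name. It shows why the password question in this thread arises: `ListUsers` returns profile attributes but no password material, and `sub` is generated per pool.

```python
import json

PAGE_SIZE = 60  # ListUsers returns at most 60 users per call


def export_user_pool(client, user_pool_id):
    """Walk a user pool with ListUsers and return restorable profile records.

    `client` is anything exposing boto3's cognito-idp list_users() call.
    """
    records, token = [], None
    while True:
        kwargs = {"UserPoolId": user_pool_id, "Limit": PAGE_SIZE}
        if token:
            kwargs["PaginationToken"] = token
        page = client.list_users(**kwargs)
        for user in page.get("Users", []):
            attrs = {a["Name"]: a["Value"] for a in user.get("Attributes", [])}
            attrs.pop("sub", None)  # sub is generated per pool, cannot be restored
            status = user.get("UserStatus")
            records.append({
                "username": user["Username"],
                "enabled": user.get("Enabled", True),
                "status": status,
                "attributes": attrs,
                # No password material is returned; only federated users can
                # sign in to a standby pool without a reset (hypothetical field).
                "needs_password_reset": status != "EXTERNAL_PROVIDER",
            })
        token = page.get("PaginationToken")
        if not token:
            return records


class FakeCognito:
    """Constructed stand-in for boto3.client("cognito-idp"), serving two pages."""
    PAGES = {
        None: {"Users": [{"Username": "alice", "Enabled": True, "UserStatus": "CONFIRMED",
                          "Attributes": [{"Name": "sub", "Value": "1111"},
                                         {"Name": "email", "Value": "alice@example.com"}]}],
               "PaginationToken": "p2"},
        "p2": {"Users": [{"Username": "bob", "Enabled": True, "UserStatus": "EXTERNAL_PROVIDER",
                          "Attributes": [{"Name": "email", "Value": "bob@example.com"}]}]},
    }

    def list_users(self, **kwargs):
        return self.PAGES[kwargs.get("PaginationToken")]


if __name__ == "__main__":
    print(json.dumps(export_user_pool(FakeCognito(), "us-east-1_EXAMPLE"), indent=2))
```

The exported records hold personal data (email and other attributes), so the backup location needs the same access controls and encryption as the pool itself.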

0

We experience the same issue and got stuck solving it. But for us, synchronization of user pool app clients across the regions is also important. Seems like we have to completely get rid of Cognito from the solution and secure our API with API keys.

answered a year ago
