Networking & Content Delivery
Optimizing performance for users in China with Amazon Route 53 and Amazon CloudFront
China is an important market for global companies. Both enterprises and startups conducting or expanding business globally are looking for ways to tap into the growing user market in China. To help accelerate the customer cloud journey and help them move quickly into the new markets, AWS China (Beijing) Region was launched in 2016, followed by the launch of AWS China (Ningxia) Region in 2017. These regions provide the best experience for customers to provide services in mainland China.
With the recent launch of Amazon Route 53 in China, customers have an additional powerful tool in their growing tool-chest to offer high performing services to end-users in China. Amazon Route 53 provides a highly available and scalable Domain Name System (DNS), domain name registration (Route53 Global), and health-checking web services. It complements Amazon CloudFront (China) which was launched in 2019. Amazon CloudFront is a web service that gives businesses and web application developers an easy and cost-effective way to distribute content with low latency and high data transfer speeds.
This blog post will show you an approach to improve web site performance for end-users within and outside of China using Amazon Route 53, Amazon CloudFront, and Application Load Balancer (ALB).
Solution Overview
Our solution will show you how to use Amazon Route 53 and Amazon CloudFront in the AWS Global and AWS China partition to improve the user experience, performance inside and outside China regions. The goal is to keep user traffic originating inside China within China and user traffic originating outside China outside of China. Thereby we reduce traffic that crosses network boundaries and thereby minimize latency and improve performance. This is accomplished by using DNS zones inside and outside of China along with Amazon Route 53 Geolocation routing policy. Geolocation routing lets you choose the resources that serve your traffic based on the geographic location of your users. With this end-users in China are steered towards an endpoint inside the China regions that is fronted by an Amazon CloudFront (China) distribution to further improve performance. Global user’s traffic targets an endpoint outside of China and is also fronted by a CloudFront distribution. Refer to Network Connections for AWS China Regions section in Getting Started with AWS Services in AWS China (Beijing) Region and AWS China (Ningxia) Region blog post to learn more about exposing a public service endpoint in the AWS China region.
Prerequisites
- We will be using Global Amazon Route 53, Global Amazon CloudFront, Amazon Route 53 China, Amazon CloudFront China, and origins served via Application Load Balancer (ALB) as the services. This blog focuses on providing a static or dynamic website and makes use of HTTP Redirects. Such behavior might impede function of an API endpoint. Therefore, this use case is not covered here.
- Solutions to extend existing global origins into the AWS China Regions exist, but are out of scope for this blog post.
- AWS China regions have specific Internet Content Provider (ICP), AWS account and credentials requirements to access the AWS services in mainland China, separate from AWS Commercial Regions. Refer to Getting Started with AWS Services in AWS China (Beijing) Region and AWS China (Ningxia) Region to learn more.
- Required domain names are registered for use both globally (.com) and inside China (.cn) either via Amazon Route 53 or other 3rd-party domain registrars. For example: www.example.com and www.example.cn
How it works
This solution will show you how to solve four primary use-cases using Amazon Route 53 and Amazon CloudFront to optimize user experience performance in China:
- Users inside China accessing www.example.cn
- Global users (outside China) accessing www.example.com
- Users inside China accessing www.example.com
- Global users (outside China) accessing www.example.cn
Setup
In this architecture, we combine both Global and China Amazon Route 53 and Amazon CloudFront services. Global Route 53 nameservers and CloudFront edge locations located outside China Region handle the non-China user traffic. For users inside China, China Amazon Route 53 and China Amazon CloudFront do the same, keeping China traffic inside the Region, optimizing the user experience and performance. Here’s how you can achieve this:
Global AWS Regions
- Create the Application Load Balancer serving as the origin for your web site under e.g. origin.example.com. Setup a URL redirect action from *.example.cn to *.example.com based on a Host Header Condition.
- Create a distribution in Amazon CloudFront, for example xyz.cloudfront.net. Setup the Alternate Domain Name/CNAME for www.example.com and www.example.cn
- In Amazon Route 53 create a Public Hosted Zone for example.com
- Create two CNAME records using Geolocation routing policy for the record www. The location Default should point to the above created Amazon CloudFront distribution xyz.cloudfront.net via CNAME. The second record for the location China will eventually point to the Amazon CloudFront distribution in the China partition. As an interim it will have to point to the Application Load Balancer serving as the origin under origin.example.com via a CNAME.
China AWS Regions
- Create the Application Load Balancer serving as the origin for your web site under e.g. origin.example.cn. Setup a URL redirect action from *.example.com to *.example.cn based on a Host Header Condition.
- Create a distribution in Amazon CloudFront (China), for example xyz.cloudfront.cn. Setup Alternate Domain Name/CNAME pointing to www.example.com and www.example.cn. Note that in AWS China regions, you can’t use the default CloudFront domain, *.cloudfront.cn, to serve content. You must add an alternate domain name, also known as a CNAME, to your CloudFront distributions, and then use that domain name in the URLs for your content. Furthermore, note that the CloudFront partition in AWS China validates whether the DNS record of the Alternate Domain Name points to a distribution that is not the distribution that you are creating or modifying. This validation also considers distributions within the Global CloudFront partition. The workaround used here is to point the DNS record for the Alternate Domain Name to the Global Application Load Balancer via Geolocation routing policy for requests from China (See Step 4 in the previous section.
- In Amazon Route 53 (China) create a Public Hosted Zone for www.example.cn
- Create two CNAME records using Geolocation routing policy for the record www. The location Default should point to the previously created Amazon CloudFront distribution xyz.cloudfront.net via CNAME. The second record for the location China points to the previously created Amazon CloudFront distribution xyz.cloudfront.cn in the China partition via CNAME.
- In Amazon Route 53 (Global) update the CNAME record for www.example.com that pointed to the Application Load Balancer as an interim step, second record for the location China points to the to the previously created Amazon CloudFront distribution xyz.cloudfront.cn in the China partition.
The following diagram explains the high-level full architecture.
Figure 1: Solution architecture diagram
Now, we are going to show how the traffic flow in this architecture works according to the four use-cases we are focusing on.
Use cases
1. Users inside China accessing www.example.cn
Figure 2: Use case for Users inside China accessing www.example.cn
- The DNS zone example.cn is served by Amazon Route 53 (China) and authoritative nameservers inside China. Therefore, DNS query originating from users inside China stay inside China and are served by Amazon Route 53 DNS servers inside China.
- Due to the Geolocation routing policy in Route 53, traffic for www.example.cn is steered towards the CloudFront (China) distribution xyz.cloudfront.cn. Route 53 will route the request to a CloudFront edge location inside China. Typical CloudFront caching behavior will apply at this step.
- The Application Load Balancer, serving as the origin for CloudFront does not have to invoke any forwarding rules in this case.
- The Application Load Balancer connects to the back-end to fulfill the request.
As a result, users from China leverage Amazon Route 53 servers and Amazon CloudFront edge locations inside China, while using the .cn domain and therefore don’t have to traverse the network regional boundaries.
2. Global users (outside China) accessing www.example.com
Figure 3: Use case for Global users (outside China) accessing www.example.com
- The DNS zone example.com is served by Amazon Route 53 and authoritative nameservers outside China. Therefore, DNS query originating from users outside China stay outside China and are served by Amazon Route 53 DNS servers outside China.
- Due to the Geolocation routing policy in Route 53, traffic for www.example.com is steered towards the CloudFront distribution xyz.cloudfront.net. Route 53 will route the request to a CloudFront edge location outside China. Typical CloudFront caching behavior will apply at this step.
- The Application Load Balancer, serving as the origin for CloudFront does not have to invoke any forwarding rules in this case.
- The Application Load Balancer connects to the back-end to fulfill the request.
Users from outside China leverage Global Amazon Route 53 servers and Amazon CloudFront edge locations outside China, while using the .com domain and don’t have to traverse the network regional boundaries.
3. Users inside China accessing www.example.com
Figure 4: Use case for Users inside China accessing www.example.com
- The DNS zone example.com is served by Amazon Route 53 and authoritative nameservers outside China. Therefore, DNS query originating from users inside China have to traverse network boundaries and be served by authoritative Amazon Route 53 DNS servers outside China.
- Due to the Geolocation routing policy in Route 53, traffic for www.example.com is steered towards the CloudFront distribution xyz.cloudfront.cn. Route 53 will route the request to a CloudFront edge location inside China. Typical CloudFront caching behavior will apply at this step.
- The redirect action configured on the ALB within the AWS China region will issue a redirect from www.example.com to www.example.cn. Within the client this triggers a new request for www.example.cn.
- The DNS zone example.cn is served by Amazon Route 53 (China) and authoritative nameservers inside China. Therefore, DNS query for this zone originating from users inside China stay inside China and are served by Amazon Route 53 DNS servers inside China.
- Due to the Geolocation routing policy in Route 53, traffic for www.example.cn is steered towards the CloudFront (China) distribution xyz.cloudfront.cn. Route 53 will route the request to a CloudFront edge location inside China. Typical CloudFront caching behavior will apply at this step.
- The Application Load Balancer, serving as the origin for CloudFront does not have to invoke any forwarding rules in this case.
- The Application Load Balancer connects to the back-end to fulfill the request.
In this use case, only the initial DNS query will cross the network boundary. From there on users from inside China leverage CloudFront edge locations and origins inside China. To ensure that subsequent requests stay inside China – including any DNS resolution – users are redirected to the www.example.cn domain.
4. Global users (outside China) accessing www.example.cn
Figure 5: Use case for Global users (outside China) accessing www.example.cn
- The DNS zone example.cn is served by Amazon Route 53 (China) and authoritative nameservers inside China. Therefore, DNS query originating from users outside China have to traverse network boundaries and be served by authoritative Amazon Route 53 DNS servers inside China.
- Due to the Geolocation routing policy in Route 53, traffic for www.example.cn is steered towards the CloudFront distribution xyz.cloudfront.net. Route 53 will route the request to a CloudFront edge location outside China. Typical CloudFront caching behavior will apply at this step.
- The redirect action configured on the ALB within the AWS China region will issue a redirect from www.example.cn to www.example.com. Within the client this triggers a new request for www.example.com.
- The DNS zone example.com is served by Amazon Route 53 and authoritative nameservers outside China. Therefore, DNS query for this zone originating from users outside China stay outside China and are served by Amazon Route 53 DNS servers outside China.
- Due to the Geolocation routing policy in Route 53, traffic for www.example.com is steered towards the CloudFront distribution xyz.cloudfront.net. Route 53 will route the request to a CloudFront edge location outside China. Typical CloudFront caching behavior will apply at this step.
- The Application Load Balancer, serving as the origin for CloudFront does not have to invoke any forwarding rules in this case.
- The Application Load Balancer connects to the back-end to fulfill the request.
In this use case, only the initial DNS query will cross the network boundary. From there on users from outside China leverage CloudFront edge locations and origins outside China. To ensure that subsequent requests stay outside China – including any DNS resolution – users are redirected to the www.example.com domain.
Validation
Amazon Route 53 Geolocation route user traffic to either the AWS Global partition or AWS China partition This is a key component of the presented design here. Validating the correct behavior of this routing policy for users within and outside of China can be accomplished using RIPE Atlas. RIPE Atlas is a global network of hardware devices, called probes and anchors, that actively measure Internet connectivity. Anyone can access this data via Internet traffic maps, streaming data visualizations, and an API. RIPE Atlas users can also perform customized measurements to gain valuable data about their own networks.
In the case of the design here, the validation will use the fact that the CloudFront endpoints within China and outside China use different TLS certificates. These certificates therefore provide different certificate fingerprints, which can be identified during a connection, allowing identification of the CloudFront Point of Presence (POP) partition. While using different TLS certificates is fully transparent to end-users, it enables easy identification via RIPE Atlas customized SSL/TLS measurements whether the CloudFront Global or CloudFront China distribution was used from a probe’s location.
Figure 6: Mapping of RIPE Atlas probes to CloudFront Global (blue) and CloudFront China (red) points of presence locations due to Route 53 Geolocation routing
The preceding map was generated with a RIPE Atlas customized measurement. Each RIPE Atlas probe – for which the probe’s host specifies the location – that connected to the CloudFront Global partition due to the Route 53 Geolocation policy is colored in blue. RIPE Atlas probes that connect to the CloudFront China partition are colored in red.
The result is as expected, where RIPE Atlas probes within China are served by the CloudFront China partition, while probes outside China are served by the CloudFront Global partition.
Using a RIPE Atlas user-defined test for Ping from the same set of RIPE Atlas probes against both the .cn and .com endpoints shows the expected near identical performance behavior for probes within and outside China for both .cn and .com endpoints.
Figure 7: Ping round trip times (RTT) from RIPE Atlas probes against the .com endpoint
Figure 8: Ping round trip times (RTT) from RIPE Atlas probes against the .cn endpoint.
Additional considerations and limitations
- Refer to Getting Started with AWS Services in AWS China (Beijing) Region and AWS China (Ningxia) Region to help you understand and get started using AWS services in Beijing and Ningxia Regions in China.
- For feature parity between the services available in AWS Commercial and China regions refer to Feature Availability and Implementation Differences section in the respective AWS Documentation.
- Amazon Route 53 uses EDNS0 to estimate the location of a user.
Summary
In this blog post, we have shown architecture patterns for getting the best user experience and performance for customers who want to deploy applications globally, including China regions. Four different approaches are available and we have listed benefits and constraints of each. Finally, with Amazon Route 53 and CloudFront it is seamless to deliver a multi-region and performance optimized architecture for users inside China regions and globally.