Tutorial: Setting up AWS in China

For the last few months I was working for a customer with a requirement: an application in the AWS Cloud for his global organization, with users in Europe, the USA, India and – China. Yes, China. We all know that there is an AWS region in China, but most of us know exactly that and nothing more. I was on the same page 3 months ago. Since then, I have had a lot of fun working with the AWS China regions, and in this blog post I want to share my experiences and the curiosities I faced. But hey, you might ask – why write a blog post about one specific AWS region? Well, when you log in to the AWS console at http://console.aws.amazon.com/, you will see a number of regions you can switch to (screenshot: AWS region selector). But China is nowhere to be seen. Why? Because… well, yes – this is China. AWS China consists of two AWS regions: Beijing, operated by Sinnet, and Ningxia, operated by NWCD. And yes, both regions are operated by 3rd parties. Amazon Web Services has created a technology collaboration with Chinese companies to comply with China's regulatory and legal requirements, which it couldn't do on its own. Let's take a look at the map (figure: AWS China regions, source – Google Maps). The Beijing region (2 Availability Zones) has been GA since 2014, Ningxia (3 Availability Zones) since 2017. The distance between the two regions is approximately 1100 km.

AWS vs. AWS China: the main differences

You need to understand one thing about AWS China: it is totally separated from AWS global. And when I say separated, I mean it.
  • AWS China has its own different domain, www.amazonaws.cn
  • AWS China has its own AWS support: a separate ticketing system and separate personnel. If you ask AWS global support a question about AWS China, you will get an answer based on the documentation available on www.amazonaws.cn.
  • AWS China regions have no direct connectivity with AWS global – with all the consequences – so there is no VPC peering between AWS China and AWS global regions. There is no PrivateLink that you could use to reach a global region. There is no S3 replication that you could set up between S3 in China and AWS global. In fact, S3 is also separated, so if you were preparing for the AWS exam and learned that the AWS S3 namespace is global… well, it is – but China has its own namespace.
  • IAM is unsurprisingly also separated: you can’t use a user in IAM global to login to AWS China region
  • Documentation is separated, not just translated
  • AWS China has no access to global Route53 service – obviously you can resolve DNS entries into IPs maintained in global Route53, but there is no Chinese API to global Route53
  • AWS China can’t be simply connected with AWS global region using AWS managed VPN service because, well, in China, there is no AWS VPN service
Speaking of AWS services, let's look at what is available in China (screenshot: AWS services in China). Looks nice and clean, unlike the dozens of services in AWS global, right? Yes, that is correct: not all AWS services are available in AWS China. Check here to find out which are and which are not. Several crucial AWS services that you use daily in AWS global and probably can't imagine working without are not available in AWS China, such as:
  • KMS & CloudHSM – no encryption, sorry
  • VPN – only the one you build yourself on EC2 Instance
  • EKS & Fargate – no managed Kubernetes
  • AWS Marketplace – so no shopping there
  • Machine learning
  • Cloudfront or Edge locations
  • AWS Certificate Manager & Secrets Manager
Some quite new services such as EFS, FSx, Macie, Elemental and Neptune are also not available. But hey – there is an AWS Snowmobile in Beijing! 😊 OK, so now we know the differences in using AWS China. How do you use it, then?

Setting up your AWS China account

In AWS global, all you need to do is take your credit card, go to http://aws.amazon.com/ and open an account. Not so in AWS China. First, you need a legal entity registered in China to open an AWS account in China. This is a blocker for most of the people reading this anyway. Second, you need to decide whether you need a full access account or whether an internal access account is enough. The difference? Internal access means you are not going to serve anything to the external world: all ports to your EC2 instances are blocked, except 22/ssh and 3389/rdp. Also, there is no access to your S3 buckets via the http(s) protocol. The easy answer would of course be "let's go with full access", but alas. In China, to serve content on the Internet, you need either an ICP recordal or an ICP license. Long story short, these are permits from the Chinese government that are required to host a website or serve a service over the Internet for non-commercial (ICP recordal) or commercial (ICP license) purposes. You can learn more about obtaining a permit in guides like this one by Kendra Schaefer. You can face "funny" situations when trying to download a file from your S3 bucket into your EC2 instance within the same AWS account using wget with internal access… it's not possible. Access via https is not open even from your own AWS resources. Via the API (i.e. via the CLI → aws s3 cp ...) it works just fine, though. The rest should be simple – just go to www.amazonaws.cn, register a new account and set up a root password, right? Hold on… well, not quite. You will not get a root account in AWS China regions. You will get a user with high privileges (let's call it the admin user) to do everything except the things that only root can do (e.g. change the support plan – if you would like to do that, email AWS China support). OK, so you finally have it – after a bit of waiting, which could be days or weeks depending on your luck – your new shiny IAM user. Let's log in!

First impressions

First thing to note: when using AWS China from Europe, the console is quite slow. There are better and worse days, but it is significantly slower than the AWS global console. Well, it needs to travel through the Great Firewall of China, right? Bandwidth is not great either, so for example when downloading files from repositories in the US/EU you should expect transfers of ca. 10-50 KB/s. The console is a bit faster during China's night hours, which in Europe means after 4 PM. Anyway – let's go further. What is the first thing you do after creating a new AWS account? Set up MFA for root, oh sorry, the admin user. Another surprise: only virtual MFA is supported. Not a big issue for me, but worth noting. What is the second thing you do after creating a new AWS account? Use it. And use it wisely, with IaC, Infrastructure as Code. And there you'll find another surprise if you would like to reuse the CloudFormation stacks you've created for AWS global. ARNs are different in China, specifically the partition in the ARN (2nd field). In AWS global they start with arn:aws:… and in China with arn:aws-cn:…. You might think that this is not very important… well, consider your CloudFormation templates that explicitly use ARNs, e.g. for IAM roles/policies, such as:
ReadOnlyRole:
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      Statement:
        - Effect: Allow
          Principal:
            # hard-coded "aws" partition – will not resolve in a China region
            AWS: !Sub arn:aws:iam::${IAMAccountId}:root
          Action:
            - sts:AssumeRole
          Condition:
            BoolIfExists:
              aws:MultiFactorAuthPresent: "true"
    ManagedPolicyArns:
      # same problem: AWS managed policy ARN with the global partition
      - "arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"
    RoleName: !Sub "${AWS::AccountId}@ReadOnly"
You will need to change those ARNs from aws to aws-cn. That would be it – now you have your AWS account in one of the AWS China regions, and it's time to use it!
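To catch the partition problem before a deployment fails, here is an added example in Python (not the post's own code): it flags hard-coded ARN partitions in a template that do not match the target region, and rewrites them to the ${AWS::Partition} pseudo parameter, which CloudFormation resolves to aws or aws-cn at deploy time so one template works in both. It assumes the template is plain YAML text using the !Sub short form; the sample template is constructed from the post's snippet.

```python
import re

# Constructed sample: the ARN-bearing part of the post's ReadOnlyRole template.
SAMPLE_TEMPLATE = """\
ReadOnlyRole:
  Properties:
    AssumeRolePolicyDocument:
      Statement:
        - Effect: Allow
          Principal:
            AWS: !Sub arn:aws:iam::${IAMAccountId}:root
    ManagedPolicyArns:
      - "arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"
"""
# "arn:<partition>:" prefix of an ARN; the pseudo-parameter form is already portable.
ARN_PREFIX = re.compile(r"arn:(?P<partition>aws|aws-cn|aws-us-gov|\$\{AWS::Partition\}):")
HARDCODED = re.compile(r"arn:(?:aws|aws-cn|aws-us-gov):")
# Start of a "key: value" or "- value" YAML scalar that holds an ARN without !Sub.
SCALAR_START = re.compile(r'^(\s*(?:-\s+|[A-Za-z0-9_]+:\s+))(?P<val>["\']?arn:)')

def partition_for_region(region):
    """cn-* regions live in the aws-cn partition; GovCloud is the other non-default one."""
    if region.startswith("cn-"):
        return "aws-cn"
    if region.startswith("us-gov-"):
        return "aws-us-gov"
    return "aws"

def find_partition_mismatches(template_text, target_region):
    """(line_no, partition, line) for every hard-coded ARN that cannot deploy in target_region."""
    wanted = partition_for_region(target_region)
    findings = []
    for line_no, line in enumerate(template_text.splitlines(), 1):
        for m in ARN_PREFIX.finditer(line):
            found = m.group("partition")
            if found != "${AWS::Partition}" and found != wanted:
                findings.append((line_no, found, line.strip()))
    return findings

def make_portable(template_text):
    """Swap hard-coded partitions for ${AWS::Partition}, adding !Sub where the scalar lacks it."""
    out = []
    for line in template_text.splitlines():
        if HARDCODED.search(line):
            line = HARDCODED.sub("arn:${AWS::Partition}:", line)
            if "!Sub" not in line:  # Fn::Sub long form does not match SCALAR_START and is left alone
                line = SCALAR_START.sub(lambda m: m.group(1) + "!Sub " + m.group("val"), line, 1)
        out.append(line)
    return "\n".join(out) + "\n"
```

Running find_partition_mismatches(SAMPLE_TEMPLATE, "cn-north-1") reports both arn:aws: lines; after make_portable the same check returns nothing for either partition.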

AWS China: the essential checklist

  • Service API endpoints are different – so for example instead of ec2.amazonaws.com there is ec2.amazonaws.com.cn, but there are inconsistencies – e.g. when configuring an IAM trust policy, ec2.amazonaws.com.cn exists, but there is no vpc-flow-logs.amazonaws.com.cn – instead, there is vpc-flow-logs.amazonaws.com
  • Speaking of endpoints – those are the supported VPC endpoints
    • Codebuild
    • DynamoDB
    • ECS / ECS-AGENT / ECS-TELEMETRY
    • S3
    • SNS
    • but no EC2 VPC endpoint, believe it or not…
  • Switching IAM roles in AWS Console is not available – get used to URLs that you copy and paste in the browser: https://signin.amazonaws.cn/switchrole?account=account_id_number&roleName=role_name&displayName=text_to_display
  • Usually, when a service exists, it's compatible with the AWS global service. But not always: for example there is AWS Config, but ConfigurationAggregator is not available. Good luck gathering logs from all Regions/Accounts… As a good practice, always test a service in AWS China to make sure all the features you require are there
  • No AWS Organizations in AWS China, but consolidated billing is there
  • There is access from an AWS China EC2 instance to global API endpoints (via https & the Internet)
  • You won’t be able to copy AMI from AWS global region
  • Some EC2 instance types are not available in China – like t3, c5, m5
  • Although you can’t use AWS managed VPN, you are allowed to use VPN on EC2 instance to establish an encrypted tunnel between AWS China and AWS global region, as long as this VPN is used only for your internal use... But this may be a topic for a blog post of its own 😊
Apart from that… it simply works 😊 It's AWS after all, right?
Mariusz Preiss, Product Lead - Landing Zones