In Part 1 and Part 2 of this series, we discussed how to prepare Amazon EC2 infrastructure for business-critical applications. We did this by clustering them across two availability zones (AZs) within the same Amazon Web Services region. Although this qualifies you for the 99.99% AWS Compute SLA, it does not protect you from an entire region going down. As we saw in the Dec. 7 AWS outage, relying on only one AWS region puts you at risk if that whole region fails.
This installment explains how to prepare your EC2 infrastructure across two different regions. This is the first step toward ensuring your business-critical applications can withstand the failure of an entire AWS region. Part 4 will expand the SQL Server failover cluster instance (FCI) by adding a third node in this second region. Using asynchronous block-level replication, you can fail over automatically to the second region if the first region fails, with minimal downtime and no data loss.
Although it may not protect you from every AWS outage, the ability to fail over across multiple regions offers greater protection than a single-region deployment. We will cover multicloud configurations in a future installment; multicloud deployments eliminate the cloud provider itself as a single point of failure.
This article refers to cloud resources that were created during Part 1 and Part 2. You will need to have completed the previous articles or have a similar environment so you can follow the steps below.
Create a VPC
If you’ve been following this series, you may have noticed that we created a virtual private cloud (VPC) in the US East region with the following subnets:

AZ1: 10.0.1.0/24
AZ2: 10.0.2.0/24
AZ3: 10.0.3.0/24
AZ4

Because a single VPC can’t span regions, we must create a new VPC in another region and create a peering connection to link the two. Unlike Azure’s paired regions, AWS makes no recommendation about which regions should be peered with each other; you can choose the regions that make the most sense for you. The most valuable region to peer with will be determined by proximity, cost and data residency laws. Our existing VPC is in the US East (Ohio) region, so we will create a VPC in US East (N. Virginia) and use that as our second region.
We will create a single subnet, in one AZ, within this new VPC. When creating the VPC, remember that its subnet ranges must not overlap with those of the existing VPC, because peered VPCs cannot have overlapping CIDR blocks.
We will create a VPC and a subnet in this new region, as shown below:

VPC: 10.2.0.0/16
AZ1: 22.214.171.124/24

You must enable auto-assignment of public IPv4 addresses on the subnet. You must also create an Internet gateway so that resources in this VPC can reach the public Internet.
Create and accept the VPC peering connection
Create a peering connection from either one of the regions. Before you start, make sure you have the VPC ID of the VPC in the other region.
In the other region you will see a pending peering request. Select the request and choose “Accept request” from the Actions menu.
Next, modify your route tables to allow each VPC to route to the other VPC.
The route table for the new VPC should also include a default route to the new Internet gateway.
Update Security Groups
Update the security group in your original VPC: add a rule allowing inbound traffic from the address range of your new VPC.
Create a new security group to associate with the new VPC. Add rules allowing traffic from the remote VPC and from within the same VPC. You can also allow RDP access; for a more secure configuration, route RDP through a jump box rather than allowing direct RDP access.
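The peering, routing and security-group steps above, expressed as Terraform. This is an added example, not the article’s own configuration: it assumes both VPCs are in the same AWS account, that the VPC and route-table IDs below are placeholders you replace with your own, and that the new VPC, its subnet and its Internet gateway already exist as described earlier.

```hcl
provider "aws" {
  region = "us-east-2" # Ohio: existing VPC from Parts 1 and 2 (peering requester)
}
provider "aws" {
  alias  = "virginia"
  region = "us-east-1" # N. Virginia: the new VPC (peering accepter)
}
# IDs are placeholders; CIDRs follow the article (10.0.0.0/16 existing, 10.2.0.0/16 new).
locals {
  ohio     = { vpc = "vpc-OHIO-PLACEHOLDER", cidr = "10.0.0.0/16", rtb = "rtb-OHIO-PLACEHOLDER" }
  virginia = { vpc = "vpc-VIRGINIA-PLACEHOLDER", cidr = "10.2.0.0/16", rtb = "rtb-VIRGINIA-PLACEHOLDER" }
}

# Request the peering from Ohio; a cross-region request cannot be auto-accepted here.
resource "aws_vpc_peering_connection" "ohio_to_virginia" {
  vpc_id      = local.ohio.vpc
  peer_vpc_id = local.virginia.vpc
  peer_region = "us-east-1"
  auto_accept = false
}

# Accept the pending request in the Virginia region.
resource "aws_vpc_peering_connection_accepter" "virginia" {
  provider                  = aws.virginia
  vpc_peering_connection_id = aws_vpc_peering_connection.ohio_to_virginia.id
  auto_accept               = true
}

# Each route table sends the other VPC's CIDR across the peering link.
resource "aws_route" "ohio_to_virginia" {
  route_table_id            = local.ohio.rtb
  destination_cidr_block    = local.virginia.cidr
  vpc_peering_connection_id = aws_vpc_peering_connection.ohio_to_virginia.id
}
resource "aws_route" "virginia_to_ohio" {
  provider                  = aws.virginia
  route_table_id            = local.virginia.rtb
  destination_cidr_block    = local.ohio.cidr
  # Referencing the accepter makes this route wait until the peering is active.
  vpc_peering_connection_id = aws_vpc_peering_connection_accepter.virginia.id
}

# Security group for the new VPC: inbound only from the two VPC ranges, never 0.0.0.0/0.
# Terraform strips AWS's default allow-all egress; declare an egress block if outbound is needed.
resource "aws_security_group" "virginia_cluster" {
  provider = aws.virginia
  vpc_id   = local.virginia.vpc
  ingress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = [local.ohio.cidr, local.virginia.cidr]
  }
}
```

Run `terraform plan` and confirm that the two `aws_route` resources point at the peering connection and that no ingress rule carries `0.0.0.0/0` before applying.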