
I am planning to deploy my infrastructure in multiple regions to comply with data protection policies.

Here’s the approach I am considering:

  1. Deploy the infrastructure in the primary region.
  2. For the additional region, create a new database in the target area and migrate customer data to this database.
  3. Set up a separate ECS service in the primary region, which connects to the database via VPC peering.
  4. Create a new URL for the application in this region, e.g., app-jp.example.com for the Japan region.
  5. Add a load balancer rule to forward traffic for app-jp.example.com to the new ECS service.

Is this approach correct, or am I missing something? Are there additional best practices or considerations I should be aware of?

2 Answers


  1. Well, your approach is solid, and there are a few important points you might consider first.

    Make sure the databases in the additional region comply with local data residency regulations (e.g. GDPR in Europe, APPI in Japan). In some cases, it may be required to store and process all customer data within the region itself, including backups and failover mechanisms.

    Consider ensuring that cross-region data transfer (e.g., VPC peering) is encrypted, and consider additional security measures like IAM roles and network access control lists (ACLs).

    Finally, set up centralized logging with CloudWatch across regions.

  2. Consider the delay caused by the amount of network traffic transferred between the application and database, and also by the network distance itself between the primary and secondary region. Depending on the nature of the network service, maybe the best solution is to deploy the application for the secondary region together with the database. Also, if the application for the second location is in the primary region, consider the delay for clients' requests caused by the network distance between the location and the client (it can be an additional 100-150 msec in some cases).

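The considerations raised in both answers can be written down as a pre-deployment check. The following is an added example, not code from the question or either answer: it models the strict case where customer data must be stored and processed in-region, and runs over a constructed inventory rather than real AWS API output. The region names (`us-east-1` as primary, `ap-northeast-1` for Japan), resource names and the `tls_required` flag are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Resource:
    name: str
    kind: str      # "database", "backup", "compute" or "log_sink"
    region: str
    handles_customer_data: bool = True

@dataclass(frozen=True)
class Link:
    src: str
    dst: str
    tls_required: bool   # hypothetical flag: the client refuses non-TLS connections

def residency_findings(resources, links, data_region):
    """Return sorted (name, issue) tuples for one tenant's data region."""
    by_name = {r.name: r for r in resources}
    findings = []
    for r in resources:
        # Strict residency: storage, backups, processing and logs stay in-region.
        if r.handles_customer_data and r.region != data_region:
            findings.append((r.name, f"{r.kind} in {r.region}, expected {data_region}"))
    for link in links:
        src, dst = by_name[link.src], by_name[link.dst]
        # Any hop that crosses regions must enforce TLS at the application layer.
        if src.region != dst.region and not link.tls_required:
            findings.append((f"{link.src}->{link.dst}", "cross-region link without enforced TLS"))
    return sorted(findings)

PRIMARY, JAPAN = "us-east-1", "ap-northeast-1"   # assumed regions

def planned_inventory():
    """Constructed inventory modelling steps 2-5 of the plan in the question."""
    resources = [
        Resource("jp-db", "database", JAPAN),
        Resource("jp-db-backup", "backup", PRIMARY),      # backup copied out of region
        Resource("jp-ecs-service", "compute", PRIMARY),   # step 3: app stays in primary
        Resource("central-logs", "log_sink", PRIMARY),    # logs that contain customer data
    ]
    links = [Link("jp-ecs-service", "jp-db", tls_required=False)]
    return resources, links

if __name__ == "__main__":
    for name, issue in residency_findings(*planned_inventory(), data_region=JAPAN):
        print(f"{name}: {issue}")
```

Setting `handles_customer_data=False` on the log sink models a pipeline that scrubs customer data before logs leave the region.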