Creating a Multi-Region Application with Amazon Services – Part 3, Application Management and Monitoring

{"value":"In Part 1 of this series, we built a foundation for your multi-Region application using Amazon Web Services [ compute, networking, and security](https://aws.amazon.com/blogs/architecture/creating-a-multi-region-application-with-aws-services-part-1-compute-and-security/). In Part 2, we integrated [Amazon Web Services data and replication services](https://aws.amazon.com/blogs/architecture/creating-a-multi-region-application-with-aws-services-part-2-data-and-replication/) to move and sync data between Amazon Web Services Regions.\n\nIn Part 3, we cover Amazon Web Services services and features used for messaging, deployment, monitoring, and management.\n\n#### Developer tools\nAutomation that uses infrastructure as code (IaC) removes manual steps to create and configure infrastructure. It offers a repeatable template that can deploy consistent environments in different Regions.\n\nIaC with [Amazon Web Services CloudFormation StackSets ](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/what-is-cfnstacksets.html) uses a single template to create, update, and delete [stacks across multiple accounts and Regions](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/what-is-cfnstacksets.html) in a single operation. When writing an [ Amazon Web Services CloudFormation](http://aws.amazon.com/cloudformation) template, you can change the deployment behavior by pairing parameters with conditional logic. For example, you can set a “standby” parameter that, when “true,” limits the number of [ Elastic Compute Cloud (Amazon EC2)](https://aws.amazon.com/ec2/)) instances in an [ Amazon EC2 Auto Scaling](https://aws.amazon.com/ec2/autoscaling/) group deployed to a standby Region.\n\nApplications with deployments that span multiple Regions can use [ cross-Region actions](https://docs.aws.amazon.com/codepipeline/latest/userguide/actions-create-cross-region.html) in [ Amazon Web Services CodePipeline](https://aws.amazon.com/codepipeline/) for a consistent release pipeline. This way you won’t need to set up different actions in each Region. [ EC2 Image Builder ]( EC2 Image Builder ) and [Amazon Elastic Container Registry (Amazon ECR)](http://aws.amazon.com/ecr/) have cross-Region copy features to help with consistent AMI and image deployments, as covered in[ Part 1](https://aws.amazon.com/blogs/architecture/creating-a-multi-region-application-with-aws-services-part-1-compute-and-security/).\n\n#### **Event-driven architecture**\nDecoupled, event-driven applications produce a more extensible and maintainable architecture by having each component perform its specific task independently.\n\n[Amazon EventBridge](https://aws.amazon.com/eventbridge/), a serverless event bus, can send events between Amazon Web Services resources. By utilizing [cross-Region event routing](https://aws.amazon.com/blogs/compute/introducing-cross-region-event-routing-with-amazon-eventbridge/), you can share events between workloads in [different Regions](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-cross-region.html) (Figure 1) and [accounts](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-cross-account.html). For example, you can share health and utilization events across Regions to determine which Regional workload deployment is best suited for requests.\n\n\n\nIf your event-driven application relies on pub/sub messaging, [ Amazon Simple Notification Service (Amazon SNS)](https://aws.amazon.com/sns/)can fan out to multiple destinations. When the destination targets are [ Amazon Simple Queue Service (Amazon SQS)](https://aws.amazon.com/sqs/) queues or [Amazon Web Services Lambda](https://aws.amazon.com/lambda/) functions, [Amazon SNS](https://aws.amazon.com/cn/sns/?trk=cndc-detail) can [notify recipients in different Regions.](notify recipients in different Regions.). For example, you can send messages to a central SQS queue that processes orders for a multi-Region application.\n\n#### **Monitoring and observability**\nObservability becomes even more important as the number of resources and deployment locations increases. Being able to quickly identify the impact and root cause of an issue will influence recovery activities, and ensuring your observability stack is resilient to failures will help you make these decisions. When building on Amazon Web Services, you can pair the health of Amazon Web Services services with your application metrics to obtain a more complete view of the health of your infrastructure.\n\n[Amazon Web Services Health dashboards ](https://aws.amazon.com/premiumsupport/technology/personal-health-dashboard/) and [APIs ](https://docs.aws.amazon.com/health/latest/ug/health-api.html) show account-specific events and scheduled activities that may affect your resources. These events cover all Regions, and can expand to include all accounts in your [Amazon Web Services Organization](https://aws.amazon.com/organizations/). EventBridge can monitor events from [ Amazon Web Services Health](https://docs.aws.amazon.com/health/latest/ug/what-is-aws-health.html) to take immediate actions based on an event. For example, if multiple services are reporting as degraded, you could set the EventBridge event target to an [ Amazon Web Services Systems Manager automated runbook]( Amazon Web Services Systems Manager automated runbook) that prepares your disaster recovery (DR) application for failover.\n\n[Amazon Web Services Trusted Advisor ](https://aws.amazon.com/premiumsupport/technology/trusted-advisor/) offers actionable alerts to optimize cost, increase performance, and improve security and fault tolerance. Trusted Advisor shows results across all Regions and can generate a report that shows an aggregated view of all check results [across all accounts within an organization.](https://docs.aws.amazon.com/awssupport/latest/user/organizational-view.html).\n\nTo maintain visibility over an application deployed across multiple Regions and accounts, you can create a [Trusted Advisor dashboard](https://aws.amazon.com/blogs/mt/multi-account-aws-trusted-advisor-summaries-now-available-aws-systems-manager-explorer/) and an[operations dashboard](https://aws.amazon.com/blogs/aws/aws-systems-manager-explorer-a-multi-account-multi-region-operations-dashboard/) with [ Amazon Web Services Systems Manager Explorer](https://aws.amazon.com/systems-manager/features/#Explorer). The operations dashboard offers a unified view of resources, such as Amazon EC2, [Amazon CloudWatch](https://aws.amazon.com/cloudwatch/), and [Amazon Web Services Config ](https://aws.amazon.com/config/) data. You can combine the metadata with [Amazon Athena](https: //aws.amazon.com/cn/athena/?trk=cndc-detail) to create a[multi-Region and multi-account inventory view ](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-inventory-query.html) of resources.\n\nYou can view metrics from applications and resources deployed across multiple Regions in the CloudWatch console. This makes it easy to create graphs and dashboards for multi-Region applications.[ Cross-account functionality](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Cross-Account-Cross-Region.html) is also available in CloudWatch, so you can create a centralized view of dashboards, alarms, and metrics across your organization.\n\n[Amazon OpenSearch Service ](https://aws.amazon.com/opensearch-service/)aggregates unstructured and semi-structured log files, messages, metrics, documents, configuration data, and more.[ Cross-cluster replication](https://docs.aws.amazon.com/opensearch-service/latest/developerguide/replication.html) replication replicates indices, mappings, and metadata in an active-passive setup from one OpenSearch Service domain to another. This reduces latency across Regions and ensures high availability of your data.\n\n[Amazon Web Services Resilience Hub](https://aws.amazon.com/resilience-hub/) assesses and tracks the resiliency of your application. It checks how well an application will maintain availability when performing a Regional failover. For example, it can check if an application has cross-Region replication configured on [Amazon Simple Storage Service (Amazon S3)](http://aws.amazon.com/s3) buckets or that [Amazon Relational Database Service (Amazon RDS)](http://aws.amazon.com/rds) instances have a cross-Region read-replica. Figure 2 shows an output of a Resilience Hub assessment. It recommends use of[ Route 53 Application Recovery Controller](https://aws.amazon.com/route53/application-recovery-controller/) ([covered in Part 1](https://aws.amazon.com/blogs/architecture/creating-a-multi-region-application-with-aws-services-part-1-compute-and-security/)) to ensure the [Amazon EC2 Auto Scaling ](https://aws.amazon.com/cn/ec2/autoscaling/?trk=cndc-detail)group in a Region is scaled and ready to accept traffic before we fail over to it.\n\n\n\nFigure 2. Resilience Hub recommendations\n\n#### **Management: Governance**\nGrowing an application into a new country means there may be additional data privacy laws and regulations to follow. These will vary depending on the country, and we encourage you to investigate with your legal team to fully understand how this affects your application.\n\n[Amazon Web Services Control Tower ](https://aws.amazon.com/controltower/) supports data compliance by providing [guardrails to control and meet data residency requirements](https://docs.aws.amazon.com/controltower/latest/userguide/data-residency-guardrails.html). These guardrails are a collection of Service Control Policies (SCPs) and Amazon Web Services Config rules. You can implement them independently of Amazon Web Services Control Tower if needed. Additional security-centric multi-Region services are [ covered in](https://aws.amazon.com/blogs/architecture/creating-a-multi-region-application-with-aws-services-part-1-compute-and-security/)[part 1](https://aws.amazon.com/blogs/architecture/creating-a-multi-region-application-with-aws-services-part-1-compute-and-security/).\n\nAmazon Web Services Config provides a detailed view of the configuration and history of Amazon Web Services resources. An Amazon Web Services Config aggregator collects configuration and compliance data from [multiple accounts and Regions](https://docs.aws.amazon.com/config/latest/developerguide/aggregate-data.html) into a central account. This centralized view offers a comprehensive view of the compliance and actions on resources, regardless of which account or Region they reside in.\n\n#### **Management: Operations**\nSeveral [Amazon Web Services Systems Manager](https://aws.amazon.com/systems-manager/) capabilities allow for easier administration of Amazon Web Services resources, especially as applications grow. Systems Manager Automation simplifies common maintenance and deployment tasks for Amazon Web Services resources with automated runbooks. These runbooks automate actions on resources [across Regions and accounts](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-automation-multiple-accounts-and-regions.html). You can pair [Systems Manager Patch Manager ](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-patch.html)with Systems Manager Patch Manager to ensure instances maintain the [ latest patches across accounts and Regions](https://aws.amazon.com/blogs/mt/centralized-multi-account-and-multi-region-patching-with-aws-systems-manager-automation/). Figure 3 shows Systems Manager running several automation documents on a multi-Region architecture.\n\n\n\nFigure 3. Using Systems Manager automation from a central operations Amazon Web Services account to automate actions across multiple Regions\n\n#### **Bringing it together**\nAt the end of each part of this blog series, we build on a sample application based on the services covered. This shows you how to bring these services together to build a multi-Region application with Amazon Web Services services. We don’t use every service mentioned, just those that fit the use case.\n\nWe built this example to expand to a global audience. It requires high availability across Regions, and favors performance over strict consistency. We have chosen the following services covered in this post to accomplish our goals, building on our foundation from [part 1 ](https://aws.amazon.com/blogs/architecture/creating-a-multi-region-application-with-aws-services-part-1-compute-and-security/) and [part 2](https://aws.amazon.com/blogs/architecture/creating-a-multi-region-application-with-aws-services-part-2-data-and-replication/):\n- CloudFormation StackSets to deploy everything with IaC. This ensures the infrastructure is deployed consistently across Regions.\n- Amazon Web Services Config rules provide a centralized place to monitor, record, and evaluate the configuration of our resources.\n- For added observability, we created dashboards with CloudWatch dashboard, Personal Health dashboard, and Trusted Advisor dashboard.\n\n\n\nFigure 4. Building an application with multi-Region services\n\nWhile our primary objective is expanding to a global audience, we note that some of the services such as CloudFormation StackSets rely on Region 1. Each Regional deployment is set up for static stability, but if there were an outage in Region 1 for an extended period of time, our DR playbook would outline how to make CloudFormation changes in Region 2.\n\n#### **Summary**\nMany Amazon Web Services services have features to help you build and manage a multi-Region architecture, but identifying those capabilities across 200+ services can be overwhelming.\n\nIn this 3-part blog series, we’ve explored Amazon Web Services services with features to assist you in building multi-Region applications. In Part 1, we built a foundation with Amazon Web Services security, networking, and compute services. In Part 2, we added in data and replication strategies. Finally, in Part 3, we examined application and management layers.\n\n**Ready to get started?** We’ve chosen some [ Amazon Web Services Solutions](https://aws.amazon.com/solutions/implementations/?solutions-all.sort-by=item.additionalFields.sortDate&solutions-all.sort-order=desc&awsf.AWS-Product%20Category=*all&awsf.AWS-Industry=*all&awsf.Content-Type=*all&solutions-all.q=multi-region&solutions-all.q_operator=AND), [Amazon Web Services Blogs](https://aws.amazon.com/blogs/?awsf.blog-master-category=*all&awsf.blog-master-learning-levels=*all&awsf.blog-master-industry=*all&awsf.blog-master-analytics-products=*all&awsf.blog-master-artificial-intelligence=*all&awsf.blog-master-aws-cloud-financial-management=*all&awsf.blog-master-business-applications=*all&awsf.blog-master-compute=*all&awsf.blog-master-customer-enablement=*all&awsf.blog-master-customer-engagement=*all&awsf.blog-master-database=*all&awsf.blog-master-developer-tools=*all&awsf.blog-master-devops=*all&awsf.blog-master-end-user-computing=*all&awsf.blog-master-mobile=*all&awsf.blog-master-iot=*all&awsf.blog-master-management-governance=*all&awsf.blog-master-media-services=*all&awsf.blog-master-migration-transfer=*all&awsf.blog-master-migration-solutions=*all&awsf.blog-master-networking-content-delivery=*all&awsf.blog-master-programming-language=*all&awsf.blog-master-sector=*all&awsf.blog-master-security=*all&awsf.blog-master-storage=*all&filtered-posts.q=multi-region&filtered-posts.q_operator=AND), and[ Well-Architected labs ](https://wellarchitectedlabs.com/reliability/disaster-recovery/) to help you!\n\n#### **Other posts in this series**\n- [Creating a Multi-Region Application with Amazon Web Services Services – Part 1, Compute, Networking, and Security](https://aws.amazon.com/blogs/architecture/creating-a-multi-region-application-with-aws-services-part-1-compute-and-security/)\n- [Creating a Multi-Region Application with Amazon Web Services Services – Part 2, Data and Replication](https://aws.amazon.com/blogs/architecture/creating-a-multi-region-application-with-aws-services-part-2-data-and-replication/)\n\n#### **Related information**\n- [Creating Disaster Recovery Mechanisms Using Amazon Route 53](https://aws.amazon.com/blogs/networking-and-content-delivery/creating-disaster-recovery-mechanisms-using-amazon-route-53/)\n- [Disaster Recovery Blog Series](https://aws.amazon.com/blogs/architecture/tag/disaster-recovery-series/)\n- [Amazon Web Services Observability Tools](https://docs.aws.amazon.com/wellarchitected/latest/management-and-governance-lens/aws-observability-tools.html)\n\n\n\n**Joe Chapman**\nJoe is a Sr. Solutions Architect with Amazon Web Services. He primarily serves Amazon Web Services EdTech customers, providing architectural guidance and best practice recommendations for new and existing workloads. Outside of work, he enjoys going on new adventures while traveling the world.\n\n\n\n**Seth Eliot**\nAs Principal Reliability Solutions Architect with Amazon Web Services Well-Architected, Seth helps guide Amazon Web Services customers in how they architect and build resilient, scalable systems in the cloud. He draws on 10 years of experience in multiple engineering roles across the consumer side of Amazon.com, where as Principal Solutions Architect he worked hands-on with engineers to optimize how they use Amazon Web Services for the services that power Amazon.com. Previously he was Principal Engineer for Amazon Fresh and International Technologies. Seth joined Amazon in 2005 where soon after, he helped develop the technology that would become Prime Video. You can follow Seth on twitter @setheliot, or on LinkedIn at https://www.linkedin.com/in/setheliot/.","render":"<p>In Part 1 of this series, we built a foundation for your multi-Region application using Amazon Web Services <a href=\\"https://aws.amazon.com/blogs/architecture/creating-a-multi-region-application-with-aws-services-part-1-compute-and-security/\\" target=\\"_blank\\"> compute, networking, and security</a>. In Part 2, we integrated <a href=\\"https://aws.amazon.com/blogs/architecture/creating-a-multi-region-application-with-aws-services-part-2-data-and-replication/\\" target=\\"_blank\\">Amazon Web Services data and replication services</a> to move and sync data between Amazon Web Services Regions.</p>\\n<p>In Part 3, we cover Amazon Web Services services and features used for messaging, deployment, monitoring, and management.</p>\n<h4><a id=\\"Developer_tools_4\\"></a>Developer tools</h4>\\n<p>Automation that uses infrastructure as code (IaC) removes manual steps to create and configure infrastructure. It offers a repeatable template that can deploy consistent environments in different Regions.</p>\n<p>IaC with <a href=\\"https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/what-is-cfnstacksets.html\\" target=\\"_blank\\">Amazon Web Services CloudFormation StackSets </a> uses a single template to create, update, and delete <a href=\\"https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/what-is-cfnstacksets.html\\" target=\\"_blank\\">stacks across multiple accounts and Regions</a> in a single operation. When writing an <a href=\\"http://aws.amazon.com/cloudformation\\" target=\\"_blank\\"> Amazon Web Services CloudFormation</a> template, you can change the deployment behavior by pairing parameters with conditional logic. For example, you can set a “standby” parameter that, when “true,” limits the number of <a href=\\"https://aws.amazon.com/ec2/\\" target=\\"_blank\\"> Elastic Compute Cloud (Amazon EC2)</a>) instances in an <a href=\\"https://aws.amazon.com/ec2/autoscaling/\\" target=\\"_blank\\"> Amazon EC2 Auto Scaling</a> group deployed to a standby Region.</p>\\n<p>Applications with deployments that span multiple Regions can use <a href=\\"https://docs.aws.amazon.com/codepipeline/latest/userguide/actions-create-cross-region.html\\" target=\\"_blank\\"> cross-Region actions</a> in <a href=\\"https://aws.amazon.com/codepipeline/\\" target=\\"_blank\\"> Amazon Web Services CodePipeline</a> for a consistent release pipeline. This way you won’t need to set up different actions in each Region. [ EC2 Image Builder ]( EC2 Image Builder ) and <a href=\\"http://aws.amazon.com/ecr/\\" target=\\"_blank\\">Amazon Elastic Container Registry (Amazon ECR)</a> have cross-Region copy features to help with consistent AMI and image deployments, as covered in<a href=\\"https://aws.amazon.com/blogs/architecture/creating-a-multi-region-application-with-aws-services-part-1-compute-and-security/\\" target=\\"_blank\\"> Part 1</a>.</p>\\n<h4><a id=\\"Eventdriven_architecture_11\\"></a><strong>Event-driven architecture</strong></h4>\\n<p>Decoupled, event-driven applications produce a more extensible and maintainable architecture by having each component perform its specific task independently.</p>\n<p><a href=\\"https://aws.amazon.com/eventbridge/\\" target=\\"_blank\\">Amazon EventBridge</a>, a serverless event bus, can send events between Amazon Web Services resources. By utilizing <a href=\\"https://aws.amazon.com/blogs/compute/introducing-cross-region-event-routing-with-amazon-eventbridge/\\" target=\\"_blank\\">cross-Region event routing</a>, you can share events between workloads in <a href=\\"https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-cross-region.html\\" target=\\"_blank\\">different Regions</a> (Figure 1) and <a href=\\"https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-cross-account.html\\" target=\\"_blank\\">accounts</a>. For example, you can share health and utilization events across Regions to determine which Regional workload deployment is best suited for requests.</p>\\n<p><img src=\\"https://dev-media.amazoncloud.cn/2c1fc855553d49b09d3f5103e95b67ae_image.png\\" alt=\\"image.png\\" /></p>\n<p>If your event-driven application relies on pub/sub messaging, <a href=\\"https://aws.amazon.com/sns/\\" target=\\"_blank\\"> Amazon Simple Notification Service (Amazon SNS)</a>can fan out to multiple destinations. When the destination targets are <a href=\\"https://aws.amazon.com/sqs/\\" target=\\"_blank\\"> Amazon Simple Queue Service (Amazon SQS)</a> queues or <a href=\\"https://aws.amazon.com/lambda/\\" target=\\"_blank\\">Amazon Web Services Lambda</a> functions, [Amazon SNS](https://aws.amazon.com/cn/sns/?trk=cndc-detail) can [notify recipients in different Regions.](notify recipients in different Regions.). For example, you can send messages to a central SQS queue that processes orders for a multi-Region application.</p>\\n<h4><a id=\\"Monitoring_and_observability_20\\"></a><strong>Monitoring and observability</strong></h4>\\n<p>Observability becomes even more important as the number of resources and deployment locations increases. Being able to quickly identify the impact and root cause of an issue will influence recovery activities, and ensuring your observability stack is resilient to failures will help you make these decisions. When building on Amazon Web Services, you can pair the health of Amazon Web Services services with your application metrics to obtain a more complete view of the health of your infrastructure.</p>\n<p><a href=\\"https://aws.amazon.com/premiumsupport/technology/personal-health-dashboard/\\" target=\\"_blank\\">Amazon Web Services Health dashboards </a> and <a href=\\"https://docs.aws.amazon.com/health/latest/ug/health-api.html\\" target=\\"_blank\\">APIs </a> show account-specific events and scheduled activities that may affect your resources. These events cover all Regions, and can expand to include all accounts in your <a href=\\"https://aws.amazon.com/organizations/\\" target=\\"_blank\\">Amazon Web Services Organization</a>. EventBridge can monitor events from <a href=\\"https://docs.aws.amazon.com/health/latest/ug/what-is-aws-health.html\\" target=\\"_blank\\"> Amazon Web Services Health</a> to take immediate actions based on an event. For example, if multiple services are reporting as degraded, you could set the EventBridge event target to an [ Amazon Web Services Systems Manager automated runbook]( Amazon Web Services Systems Manager automated runbook) that prepares your disaster recovery (DR) application for failover.</p>\\n<p><a href=\\"https://aws.amazon.com/premiumsupport/technology/trusted-advisor/\\" target=\\"_blank\\">Amazon Web Services Trusted Advisor </a> offers actionable alerts to optimize cost, increase performance, and improve security and fault tolerance. Trusted Advisor shows results across all Regions and can generate a report that shows an aggregated view of all check results <a href=\\"https://docs.aws.amazon.com/awssupport/latest/user/organizational-view.html\\" target=\\"_blank\\">across all accounts within an organization.</a>.</p>\\n<p>To maintain visibility over an application deployed across multiple Regions and accounts, you can create a <a href=\\"https://aws.amazon.com/blogs/mt/multi-account-aws-trusted-advisor-summaries-now-available-aws-systems-manager-explorer/\\" target=\\"_blank\\">Trusted Advisor dashboard</a> and an<a href=\\"https://aws.amazon.com/blogs/aws/aws-systems-manager-explorer-a-multi-account-multi-region-operations-dashboard/\\" target=\\"_blank\\">operations dashboard</a> with <a href=\\"https://aws.amazon.com/systems-manager/features/#Explorer\\" target=\\"_blank\\"> Amazon Web Services Systems Manager Explorer</a>. The operations dashboard offers a unified view of resources, such as Amazon EC2, <a href=\\"https://aws.amazon.com/cloudwatch/\\" target=\\"_blank\\">Amazon CloudWatch</a>, and <a href=\\"https://aws.amazon.com/config/\\" target=\\"_blank\\">Amazon Web Services Config </a> data. You can combine the metadata with [Amazon Athena](https: //aws.amazon.com/cn/athena/?trk=cndc-detail) to create a<a href=\\"https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-inventory-query.html\\" target=\\"_blank\\">multi-Region and multi-account inventory view </a> of resources.</p>\\n<p>You can view metrics from applications and resources deployed across multiple Regions in the CloudWatch console. This makes it easy to create graphs and dashboards for multi-Region applications.<a href=\\"https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/Cross-Account-Cross-Region.html\\" target=\\"_blank\\"> Cross-account functionality</a> is also available in CloudWatch, so you can create a centralized view of dashboards, alarms, and metrics across your organization.</p>\\n<p><a href=\\"https://aws.amazon.com/opensearch-service/\\" target=\\"_blank\\">Amazon OpenSearch Service </a>aggregates unstructured and semi-structured log files, messages, metrics, documents, configuration data, and more.<a href=\\"https://docs.aws.amazon.com/opensearch-service/latest/developerguide/replication.html\\" target=\\"_blank\\"> Cross-cluster replication</a> replication replicates indices, mappings, and metadata in an active-passive setup from one OpenSearch Service domain to another. This reduces latency across Regions and ensures high availability of your data.</p>\\n<p><a href=\\"https://aws.amazon.com/resilience-hub/\\" target=\\"_blank\\">Amazon Web Services Resilience Hub</a> assesses and tracks the resiliency of your application. It checks how well an application will maintain availability when performing a Regional failover. For example, it can check if an application has cross-Region replication configured on <a href=\\"http://aws.amazon.com/s3\\" target=\\"_blank\\">Amazon Simple Storage Service (Amazon S3)</a> buckets or that <a href=\\"http://aws.amazon.com/rds\\" target=\\"_blank\\">Amazon Relational Database Service (Amazon RDS)</a> instances have a cross-Region read-replica. Figure 2 shows an output of a Resilience Hub assessment. It recommends use of<a href=\\"https://aws.amazon.com/route53/application-recovery-controller/\\" target=\\"_blank\\"> Route 53 Application Recovery Controller</a> (<a href=\\"https://aws.amazon.com/blogs/architecture/creating-a-multi-region-application-with-aws-services-part-1-compute-and-security/\\" target=\\"_blank\\">covered in Part 1</a>) to ensure the [Amazon EC2 Auto Scaling ](https://aws.amazon.com/cn/ec2/autoscaling/?trk=cndc-detail)group in a Region is scaled and ready to accept traffic before we fail over to it.</p>\\n<p><img src=\\"https://dev-media.amazoncloud.cn/388f939f0afe488883d74bcd9cc58249_image.png\\" alt=\\"image.png\\" /></p>\n<p>Figure 2. Resilience Hub recommendations</p>\n<h4><a id=\\"Management_Governance_39\\"></a><strong>Management: Governance</strong></h4>\\n<p>Growing an application into a new country means there may be additional data privacy laws and regulations to follow. These will vary depending on the country, and we encourage you to investigate with your legal team to fully understand how this affects your application.</p>\n<p><a href=\\"https://aws.amazon.com/controltower/\\" target=\\"_blank\\">Amazon Web Services Control Tower </a> supports data compliance by providing <a href=\\"https://docs.aws.amazon.com/controltower/latest/userguide/data-residency-guardrails.html\\" target=\\"_blank\\">guardrails to control and meet data residency requirements</a>. These guardrails are a collection of Service Control Policies (SCPs) and Amazon Web Services Config rules. You can implement them independently of Amazon Web Services Control Tower if needed. Additional security-centric multi-Region services are <a href=\\"https://aws.amazon.com/blogs/architecture/creating-a-multi-region-application-with-aws-services-part-1-compute-and-security/\\" target=\\"_blank\\"> covered in</a><a href=\\"https://aws.amazon.com/blogs/architecture/creating-a-multi-region-application-with-aws-services-part-1-compute-and-security/\\" target=\\"_blank\\">part 1</a>.</p>\\n<p>Amazon Web Services Config provides a detailed view of the configuration and history of Amazon Web Services resources. An Amazon Web Services Config aggregator collects configuration and compliance data from <a href=\\"https://docs.aws.amazon.com/config/latest/developerguide/aggregate-data.html\\" target=\\"_blank\\">multiple accounts and Regions</a> into a central account. This centralized view offers a comprehensive view of the compliance and actions on resources, regardless of which account or Region they reside in.</p>\\n<h4><a id=\\"Management_Operations_46\\"></a><strong>Management: Operations</strong></h4>\\n<p>Several <a href=\\"https://aws.amazon.com/systems-manager/\\" target=\\"_blank\\">Amazon Web Services Systems Manager</a> capabilities allow for easier administration of Amazon Web Services resources, especially as applications grow. Systems Manager Automation simplifies common maintenance and deployment tasks for Amazon Web Services resources with automated runbooks. These runbooks automate actions on resources <a href=\\"https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-automation-multiple-accounts-and-regions.html\\" target=\\"_blank\\">across Regions and accounts</a>. You can pair <a href=\\"https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-patch.html\\" target=\\"_blank\\">Systems Manager Patch Manager </a>with Systems Manager Patch Manager to ensure instances maintain the <a href=\\"https://aws.amazon.com/blogs/mt/centralized-multi-account-and-multi-region-patching-with-aws-systems-manager-automation/\\" target=\\"_blank\\"> latest patches across accounts and Regions</a>. Figure 3 shows Systems Manager running several automation documents on a multi-Region architecture.</p>\\n<p><img src=\\"https://dev-media.amazoncloud.cn/ce0e349165b3447bb8641929411c2e0d_image.png\\" alt=\\"image.png\\" /></p>\n<p>Figure 3. Using Systems Manager automation from a central operations Amazon Web Services account to automate actions across multiple Regions</p>\n<h4><a id=\\"Bringing_it_together_53\\"></a><strong>Bringing it together</strong></h4>\\n<p>At the end of each part of this blog series, we build on a sample application based on the services covered. This shows you how to bring these services together to build a multi-Region application with Amazon Web Services services. We don’t use every service mentioned, just those that fit the use case.</p>\n<p>We built this example to expand to a global audience. It requires high availability across Regions, and favors performance over strict consistency. We have chosen the following services covered in this post to accomplish our goals, building on our foundation from <a href=\\"https://aws.amazon.com/blogs/architecture/creating-a-multi-region-application-with-aws-services-part-1-compute-and-security/\\" target=\\"_blank\\">part 1 </a> and <a href=\\"https://aws.amazon.com/blogs/architecture/creating-a-multi-region-application-with-aws-services-part-2-data-and-replication/\\" target=\\"_blank\\">part 2</a>:</p>\\n<ul>\\n<li>CloudFormation StackSets to deploy everything with IaC. This ensures the infrastructure is deployed consistently across Regions.</li>\n<li>Amazon Web Services Config rules provide a centralized place to monitor, record, and evaluate the configuration of our resources.</li>\n<li>For added observability, we created dashboards with CloudWatch dashboard, Personal Health dashboard, and Trusted Advisor dashboard.</li>\n</ul>\\n<p><img src=\\"https://dev-media.amazoncloud.cn/8e768f8f6b394b80b1b9e5858a1674ed_image.png\\" alt=\\"image.png\\" /></p>\n<p>Figure 4. Building an application with multi-Region services</p>\n<p>While our primary objective is expanding to a global audience, we note that some of the services such as CloudFormation StackSets rely on Region 1. Each Regional deployment is set up for static stability, but if there were an outage in Region 1 for an extended period of time, our DR playbook would outline how to make CloudFormation changes in Region 2.</p>\n<h4><a id=\\"Summary_67\\"></a><strong>Summary</strong></h4>\\n<p>Many Amazon Web Services services have features to help you build and manage a multi-Region architecture, but identifying those capabilities across 200+ services can be overwhelming.</p>\n<p>In this 3-part blog series, we’ve explored Amazon Web Services services with features to assist you in building multi-Region applications. In Part 1, we built a foundation with Amazon Web Services security, networking, and compute services. In Part 2, we added in data and replication strategies. Finally, in Part 3, we examined application and management layers.</p>\n<p><strong>Ready to get started?</strong> We’ve chosen some <a href=\\"https://aws.amazon.com/solutions/implementations/?solutions-all.sort-by=item.additionalFields.sortDate&amp;solutions-all.sort-order=desc&amp;awsf.AWS-Product%20Category=*all&amp;awsf.AWS-Industry=*all&amp;awsf.Content-Type=*all&amp;solutions-all.q=multi-region&amp;solutions-all.q_operator=AND\\" target=\\"_blank\\"> Amazon Web Services Solutions</a>, <a href=\\"https://aws.amazon.com/blogs/?awsf.blog-master-category=*all&amp;awsf.blog-master-learning-levels=*all&amp;awsf.blog-master-industry=*all&amp;awsf.blog-master-analytics-products=*all&amp;awsf.blog-master-artificial-intelligence=*all&amp;awsf.blog-master-aws-cloud-financial-management=*all&amp;awsf.blog-master-business-applications=*all&amp;awsf.blog-master-compute=*all&amp;awsf.blog-master-customer-enablement=*all&amp;awsf.blog-master-customer-engagement=*all&amp;awsf.blog-master-database=*all&amp;awsf.blog-master-developer-tools=*all&amp;awsf.blog-master-devops=*all&amp;awsf.blog-master-end-user-computing=*all&amp;awsf.blog-master-mobile=*all&amp;awsf.blog-master-iot=*all&amp;awsf.blog-master-management-governance=*all&amp;awsf.blog-master-media-services=*all&amp;awsf.blog-master-migration-transfer=*all&amp;awsf.blog-master-migration-solutions=*all&amp;awsf.blog-master-networking-content-delivery=*all&amp;awsf.blog-master-programming-language=*all&amp;awsf.blog-master-sector=*all&amp;awsf.blog-master-security=*all&amp;awsf.blog-master-storage=*all&amp;filtered-posts.q=multi-region&amp;filtered-posts.q_operator=AND\\" target=\\"_blank\\">Amazon Web Services Blogs</a>, and<a href=\\"https://wellarchitectedlabs.com/reliability/disaster-recovery/\\" target=\\"_blank\\"> Well-Architected labs </a> to help you!</p>\\n<h4><a id=\\"Other_posts_in_this_series_74\\"></a><strong>Other posts in this series</strong></h4>\\n<ul>\\n<li><a href=\\"https://aws.amazon.com/blogs/architecture/creating-a-multi-region-application-with-aws-services-part-1-compute-and-security/\\" target=\\"_blank\\">Creating a Multi-Region Application with Amazon Web Services Services – Part 1, Compute, Networking, and Security</a></li>\\n<li><a href=\\"https://aws.amazon.com/blogs/architecture/creating-a-multi-region-application-with-aws-services-part-2-data-and-replication/\\" target=\\"_blank\\">Creating a Multi-Region Application with Amazon Web Services Services – Part 2, Data and Replication</a></li>\\n</ul>\n<h4><a id=\\"Related_information_78\\"></a><strong>Related information</strong></h4>\\n<ul>\\n<li><a href=\\"https://aws.amazon.com/blogs/networking-and-content-delivery/creating-disaster-recovery-mechanisms-using-amazon-route-53/\\" target=\\"_blank\\">Creating Disaster Recovery Mechanisms Using Amazon Route 53</a></li>\\n<li><a href=\\"https://aws.amazon.com/blogs/architecture/tag/disaster-recovery-series/\\" target=\\"_blank\\">Disaster Recovery Blog Series</a></li>\\n<li><a href=\\"https://docs.aws.amazon.com/wellarchitected/latest/management-and-governance-lens/aws-observability-tools.html\\" target=\\"_blank\\">Amazon Web Services Observability Tools</a></li>\\n</ul>\n<p><img src=\\"https://dev-media.amazoncloud.cn/8bb18bb729a6431397adbc50e1b1f8fe_image.png\\" alt=\\"image.png\\" /></p>\n<p><strong>Joe Chapman</strong><br />\\nJoe is a Sr. Solutions Architect with Amazon Web Services. He primarily serves Amazon Web Services EdTech customers, providing architectural guidance and best practice recommendations for new and existing workloads. Outside of work, he enjoys going on new adventures while traveling the world.</p>\n<p><img src=\\"https://dev-media.amazoncloud.cn/b349f5e50a0a4b1da9147bd8aae9df3b_image.png\\" alt=\\"image.png\\" /></p>\n<p><strong>Seth Eliot</strong><br />\\nAs Principal Reliability Solutions Architect with Amazon Web Services Well-Architected, Seth helps guide Amazon Web Services customers in how they architect and build resilient, scalable systems in the cloud. He draws on 10 years of experience in multiple engineering roles across the consumer side of Amazon.com, where as Principal Solutions Architect he worked hands-on with engineers to optimize how they use Amazon Web Services for the services that power Amazon.com. Previously he was Principal Engineer for Amazon Fresh and International Technologies. Seth joined Amazon in 2005 where soon after, he helped develop the technology that would become Prime Video. You can follow Seth on twitter @setheliot, or on LinkedIn at https://www.linkedin.com/in/setheliot/.</p>\n"}