For those in London wondering where is best for UK based customers, it seems, for London at least, this could be an improvement over Dublin (where Frankfurt is slower), as Paris is roughly 70 miles closer. Of course, depending on where / when [1] a UK-based data centre is released, I'd imagine that would be faster still.
Currently Ireland vs. Frankfurt is (more data needed of course)[2]:
Europe (Ireland): 25 ms 27 ms 24 ms
Europe (Frankfurt): 39 ms 39 ms 42 ms
And Frankfurt is about 100 miles further than Dublin.
For anyone using Virgin Media as their ISP, the Dublin DC will perform more predictably, if not faster, because of VM's "give preference to data originating inside the UK/Ireland and don't give two shits about anything else" attitude.
If you run a data-heavy service, a PoP inside the UK or Ireland is a must if you want to avoid throttling and heavy-handed traffic shaping.
I've found latency in the UK can be about a third lower than Ireland. I used Bytemark for testing in my recent book but Azure have UK regions now [0] and DO have had a London DC for a couple of years [1]. AWS UK is currently just "coming soon" [2] but Werner has said "end of 2016 (or early 2017)" [3].
It's hardly surprising. Everything on the UK internet goes through London anyway. If you have a DC in Manchester and an end-user in Liverpool, the link normally goes Manchester - London - Liverpool.
It's not a great situation, having everything so centralised on London, but it's a small enough country that it doesn't have a huge effect on latency. It would make no sense for AWS to locate in a non-London region when everything would then have to be backhauled to London.
There is fibre outside London, but most of the main end-user ISPs have just the one POP and it's normally in Docklands. Everything ends up going through there one way or another.
Not every decision is about cost minimisation. There's a resiliency motivation to place DCs in separate flood plains and separate power grids if possible. Whether AWS is following that, I cannot say.
We (I am part of the AWS team) pay a lot of attention to that; our "Overview of Security Practices" paper[1] says:
"Each availability zone is designed as an independent failure zone. This means that availability zones are physically separated within a typical metropolitan region and are located in lower risk flood plains (specific flood zone categorization varies by Region). In addition to discrete uninterruptable power supply (UPS) and onsite backup generation facilities, they are each fed via different grids from independent utilities to further reduce single points of failure. Availability zones are all redundantly connected to multiple tier-1 transit providers."
London does have flood risk. Back in the 80's, when I worked for British Telecom, we moved our central London DC (next to London Bridge station) out to Cricklewood for that reason.
Of course, later on the IRA bombed the building next door to us - we survived OK, the modems just reset themselves.
I've always assumed that availability zones would not necessarily be in the same building or even site in a given region, but something I've wondered is what does the network look like between zones?
Does inter-AZ traffic traverse only fiber that you wholly own? Does AWS send traffic over some shared links in some cases? If only some cases, which cases?
What is the state of the temporary spy laws in France?
Shouldn't it at least be mentioned in the announcement that the French government can pretty much ask Amazon for any of your data without a warrant? Or is the situation better than a year ago?
EDIT: Warrant is apparently needed as noplay said.
They need a warrant to get access to your server. What they can do is collect metadata at some points of the network; they don't need Amazon to do that, because they target end users.
But it's probably not a good idea to host in France if you have no reason to do that. Like the NSA, the French secret service just doesn't care about laws. But if you target French customers, that's good news: you have one more alternative for hosting without trouble with regulation about data.
If you're referring to the current "state of emergency" (état d'urgence), it has been extended multiple times already since Nov '15, and allows warrantless searches (perquisition administrative).
The last extension is effective since 2016-07-26 and is supposed to last 6 months.
In France, we have some consideration toward power separation. Police and secret services can collect your data mostly without a warrant. Government can exceptionally ask the police for some data, but if there are abuses, the judicial power will intervene.
I meant government as in government agencies, not strictly under the direct control of the actual group of humans making up the government.
I guess "government" means different things in different countries; what I wrote above is a very American viewpoint.
In my country (SE), a member of government can be relieved of her duties if she even mentions that an agency should act in a certain way (as the government only should make up policies and not interfere in the daily businesses of the agencies).
Still no further info on the London region since their announcement post[1] said:
> Today, I am excited to add the United Kingdom to that list! The AWS UK region will be our third in the European Union (EU), and we're shooting to have it ready by the end of 2016 (or early 2017). This region will provide even lower latency and strong data sovereignty to local users.
> This will be the fourth AWS Region in Europe. We currently have two other Regions in Europe — EU (Ireland) and EU (Frankfurt) and an additional Region in the UK expected to launch in the coming months.
Since UK is about to be outside of the EU it's likely this has been put on hold?
I don't know what the facts are but I'm guessing the UK accounts for a large slice of data currently being routed via Ireland, so it isn't going to be on hold for long?
I know you can target Ireland as the API endpoint for SES, but in light of Brexit and all the issues still with Safe Harbour, hopefully having a UK offering will make me a lot happier with routing email sends (data wise).
I do sincerely wish Amazon would have considered changing their AWS service management UI and workflow as well as expanding their servers around the globe.
Currently it is an incredibly inefficient design of a service management trying to do everything yet many are dependent for using it.
I found visualization very much helpful when complexity rises. APIs stay powerful but do not support a human admin for monitoring and server setups (including IAM users, Services, Tasks, Clusters, launching EC2 instances, ECR setup for Docker, AIM, load balancing, security groups, Roles etc., all multiplied to X regions).
Again, if you're large enough to be in multiple regions, all of this should be configured via the APIs using a configuration management system of some sort.
"if you're large enough to be in multiple regions, all of this should be configured via the APIs"
Is the suggestion to recreate what Amazon Console has done (using APIs) in every large organisation using AWS because Amazon Console is not good enough?
My point here is: there exists something called 'Amazon Console'. I argue it is a good thing to have if done properly, easing the service management, as visualized management is more human friendly and APIs more computer friendly. If there exists a bad visualized service management (e.g. Amazon Console), it is the lack of skills of the humans developing it, not because managing vast complex clusters is easier through APIs/CLI and impossible/wrong via UI.
I'm not sure what a console that performs the current tasks and spans multiple regions at once would look like, or that it would make things feel simpler.
is not helpful and confusing for new users. This is because all the mentioned services are a mix of dependent (e.g. ECS depends on EC2), independent(e.g. IAM & EC2), security, services acting like plugins.
The documents for all of these services can be a sequel novel. If you have been with AWS since 2012 you may have gradually been updated by each service that was getting blindly added, but for a new user or a startup aiming to set up something or test the scalability of their application ASAP it is a nightmare.
The other day I found out (in a hard way) that you cannot launch an EC2 instance with an AWS container agent from the default launch page but you need to go to the launch page via the document link which puts extra parameters in the url...
Having said all that I believe the improvement needs to be more fundamental than couple of bullet points.
It's worth commenting that we here in the Microsoft Azure team (our cloud platform) have data centers in 30 regions including UK, Germany, etc. https://azure.microsoft.com/en-us/regions/
Our platform is very mature now; I wish more folks would give it a shot.
I don't know how it currently compares with AWS but some time ago the disk IO was a lot slower, and the prices were way higher.
Does anyone know of recent comparisons?
> p.s. we also take EU people data privacy very seriously.
Hmmm. I find that very hard to believe.
MS is going to have to be _very_ good for a _long_ time to overcome firing the late Caspar Bowden (then MS' chief privacy adviser) for telling regional managers that the NSA can pwn their customers' data. https://twitter.com/casparbowden/status/542588420611379201
So this is great however I have a very large concern.
In a U.S. AWS data center, I am very confident (right now) that my encryption keys and encrypted data will never be given out to any governmental agency. Even with a warrant, they can not access my data unencrypted.
What will Amazon do when the French government says hand us all of your keys or else...
As our data is all extremely sensitive financial information, we really can not even take that chance until we know.
Clarification: We send all data over HTTPS with AES 256 encryption.
If authorities have a warrant for data, can we hand them the encrypted data and say the keys are in the U.S. and we can't give them to you?
1) They are in a key management service (not AWS). Highly unlikely somebody will get both access to the keys and the data together. They are also rotated periodically.
2) Well lately, I'm not. The Apple/FBI case was somewhat assuring. And I believe that to date, AWS has not handed over any data or keys without permission.
3) More theoretical advice about the new French region. What are the laws about privacy and how will that work. We just saw what Germany ruled on with WhatsApp. And really just asking the question because it needs to be asked. I don't actually expect an ultimate answer, just discussion about it.
> 2) Well lately, I'm not. The Apple/FBI case was somewhat assuring. And I believe that to date, AWS has not handed over any data or keys without permission.
How would you know? The NSL would prevent Amazon from being able to say anything about it.
If you're that concerned about your security, you shouldn't be using a cloud provider.
The Apple FBI case only happened because Apple was physically unable to hand over the data, since they had no access to it. If you have the keys, you have access to the data presumably, and you'll be giving it up once you're compelled to by the government (see Lavabit).
Would you feel better if NSA gets your data using a warrant signed by a secret court and gags Amazon using a NSL? Why do you think that US agencies can ask Lavabit to hand encryption keys, but the same can't happen with Amazon?
Comparing with the US I don't remember that France has any gag laws.
All Internet traffic in and out of Israel goes through three undersea cables connecting the country with Turkey, Greece, and Italy, and as such suffers from the kind of lag that happens when you're separated from your destination server by a couple thousand kilometers, usually more. There are no local cloud providers and the local entrepreneurial culture (which is MASSIVE for such a small country) either has to pay for cloud resources in Europe or has to pay for local non-cloud hosting, which is orders of magnitude more expensive and running on relatively ancient hardware (the local VPS shops have little incentive to upgrade).
Amazon will come to Israel if they deem it profitable. They aren't exactly Google Fiber though, so I think they would avoid locating themselves in areas with poor connectivity options in the first place.
Not really, from AWS perspective it's about locating regions close to potential customers with $$$ and a desire for a local region. That desire might be due to regulatory requirements or poor connectivity to other regions.
To figure out where the next AWS regions are going, go down the Wikipedia list of countries by GDP and try to think which large markets are not well served yet:
In the Middle East there are several markets larger than Israel, and putting a region in Israel will probably not be tenable for Egypt, Saudi Arabia and the like.
There is no region in Africa...
Russia & Eastern Europe is not that well served...
But most of the Middle East and Africa aren't wired up well enough to begin with let alone have strong entrepreneurial cultures to push for local cloud adoption. Israel has a booming startup culture, they just all must use European clouds if they decide to go with a cloud infrastructure (and the vast majority of them do).
Fast connections there are also few and far between in the Middle East and Africa. In Israel, LTE is ubiquitous in urban areas, most residences have either DOCSIS 3.0 or Fiber-to-the-curb, and a nationwide FTTH infrastructure is being built out currently. Domestic connections are great - the problem is just that almost nothing is hosted domestically.
Eastern Europe / Western Russia sounds like a good idea to me, although I'm not familiar with their local Internet topologies.
Nothing in NZ either, 2500 km minimum for our data to go to get to any of the large cloud service providers in Sydney. Worth the lag though for the cost savings.
But for a quick test, this looks like a good tool: http://www.cloudping.info/
Will be interested to test this once released to see UK / Paris vs. Dublin.
[1] Article states UK region "due in coming months". No location announced?
[2] Hitting ec2.eu-west-1.amazonaws.com vs. ec2.eu-central-1.amazonaws.com.