Amazon S3 is a simple cloud storage solution enabling effortless storage and retrieval of large amounts of data from different geographies. It’s engineered for scalability, durability, and security, making it a popular option for data storage and distribution.
In addition, Amazon Web Services (AWS) offers numerous tools to help with file and object replication. A popular replication solution for AWS is Amazon S3 Replication, a robust feature that replicates objects and their metadata across multiple S3 buckets.
When used for cross-region replication (CRR), the feature enables seamless replication of objects across S3 buckets in different regions. Many organizations use cross-region replication for a number of reasons:
- Meeting geographical compliance requirements: Cross-region replication allows you to adhere to compliance mandates that necessitate the storage of specific data in geographically dispersed regions.
- Minimizing latency and enhancing user experience: By moving data physically closer to end-users through replication, latency can be minimized, resulting in an improved experience for users accessing the data.
- Disaster recovery and data redundancy: Cross-region replication is an integral component of disaster recovery strategies, ensuring data integrity, and mitigating data loss through backups and active/passive or active/active failover strategies.
However, there are some complexities with replicating S3 objects across regions. Some users find it slow and unpredictable; others find cost to be the challenge because cross-region transfer rates can be difficult to calculate.
In addition, one consideration when setting up CRR is how best to achieve the recovery point objectives (RPOs) and recovery time objectives (RTOs) required for high availability and disaster recovery (DR), along with overall performance and data-accessibility requirements. You may or may not be able to achieve those using conventional CRR tools from AWS.
In this article, I will share five simple steps on how to set up S3 CRR, and I’ll also share an option for making S3 CRR replicate faster.
Setting up Amazon S3 cross-region replication
Step 1: Creating S3 buckets in different regions
Creating new S3 buckets is a straightforward process and can easily be accomplished by following these steps:
1. Log into the AWS Management Console.
2. Select the S3 service.
3. Choose “Buckets” from the menu on the left and select “Create bucket.”
4. Configure the new bucket by:
- Choosing a descriptive bucket name that includes the region and “source” or “destination” for clarity.
- Selecting the bucket's region.
- Enabling versioning in the menu for both the source and destination buckets.
Repeat the process to create another bucket for a different region.
Step 2: Configuring replication rules
1. Select the source bucket and navigate to:
- “Management” → “Replication rules” → “Create replication rule.”
2. Provide a descriptive name for the rule and choose “Enabled” to implement the rule immediately.
3. A priority number can also be assigned to each rule — the lower the number, the higher the priority of the rule.
- For example, the S3 objects under a priority 1 rule will be replicated ahead of a priority 2 rule.
4. Once a rule is enabled, select the destination bucket.
- Note that if the destination bucket is owned by a different AWS account (cross-account replication), a few extra steps are required.
5. Define the buckets or objects to replicate, using optional filters to fine-tune selections based on prefixes. Step-by-step instructions on how to do this can be found in AWS’ replication configuration tutorial.
6. Choose the storage class for the replicated objects in the destination bucket. Amazon offers 8 different classes to choose from.
Step 3: Managing identity and access management permissions
AWS Identity and Access Management (IAM) enables role/permission-based access to services and resources. For the process of replication to be successful, the IAM role associated with the replication configuration must have sufficient permissions to write new objects to the new destination bucket.
If you’ve used S3 Replication before, an IAM role for your profile already exists, which you can select from the “Choose from existing IAM roles” option. If not, a new IAM role will need to be created that grants read and replication authority for Amazon S3.
In the example policy from AWS’ documentation, DOC-EXAMPLE-BUCKET1 is the source bucket and DOC-EXAMPLE-BUCKET2 is the destination. The policy grants Amazon S3 access to retrieve the replication configuration and list the bucket contents. It also lets S3 get a specific object version and the access control lists (ACLs) associated with it, as well as replicate objects and delete markers to the destination bucket.
Step 4: Exploring additional features
Amazon S3 Replication also offers a few optional features that are helpful and should be considered by users. They include:
- Encryption: Amazon S3 offers Server-Side Encryption (SSE-S3) for every bucket. Since January 5, 2023, all new object uploads are automatically encrypted at no cost and with no impact on performance. Server-side encryption with AWS Key Management Service keys (SSE-KMS) is also available. If you use KMS encryption, the KMS keys will be needed to decrypt objects in the source bucket and re-encrypt them in the destination bucket.
- S3 Replication Time Control (S3 RTC): This feature guarantees 99.99% of objects will be replicated within 15 minutes. It’s useful for meeting business and compliance requirements, so you can enable it if you rely
- Replication metrics and notifications: This option gives you detailed metrics to track replication progress minute by minute, including bytes and operations pending, replication latency, and more. Note that progress is monitored through Amazon CloudWatch, which is billed separately.
Step 5: Review and test
After considering the additional features, review all replication settings (Steps 1 through 3). To test that everything is working correctly, upload a new object to the source bucket and check whether it is replicated to the destination.
If there are no issues, upload the rest of your objects and monitor the replication.
If replication metrics and notifications have been enabled in the previous step, you can also use Amazon CloudWatch to get more detailed info about each replication rule, as well as the source and destination buckets.
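The replication role from Step 3, together with the KMS grants noted under Step 4, as an added example (this is not code from the article or from AWS): it builds the trust policy and a permission policy scoped to the two placeholder buckets, then checks both for wildcard grants before they are attached. The `SRC`/`DST` names and the `overbroad_statements` checker are mine, and the shape of the `kms:Decrypt`/`kms:Encrypt` statements is an assumption to verify against the AWS documentation for your key policies.

```python
# Placeholder bucket names from the article's Step 3 (AWS documentation placeholders).
SRC, DST = "DOC-EXAMPLE-BUCKET1", "DOC-EXAMPLE-BUCKET2"

# Trust policy: only the S3 service may assume the replication role.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"Service": "s3.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
}


def replication_policy(src, dst, kms_keys=None):
    """Permission policy scoped to exactly one source and one destination bucket.
    kms_keys=(source_key_arn, destination_key_arn) adds the grants the role needs
    when objects are SSE-KMS encrypted: decrypt at the source, re-encrypt at the
    destination (assumed statement shape; check against the AWS documentation)."""
    statements = [
        {"Effect": "Allow",  # read the rule set and list the source bucket
         "Action": ["s3:GetReplicationConfiguration", "s3:ListBucket"],
         "Resource": f"arn:aws:s3:::{src}"},
        {"Effect": "Allow",  # read object versions plus their ACLs and tags
         "Action": ["s3:GetObjectVersionForReplication",
                    "s3:GetObjectVersionAcl", "s3:GetObjectVersionTagging"],
         "Resource": f"arn:aws:s3:::{src}/*"},
        {"Effect": "Allow",  # write replicas, delete markers and tags to the destination only
         "Action": ["s3:ReplicateObject", "s3:ReplicateDelete", "s3:ReplicateTags"],
         "Resource": f"arn:aws:s3:::{dst}/*"},
    ]
    if kms_keys:
        src_key, dst_key = kms_keys
        statements.append({"Effect": "Allow", "Action": "kms:Decrypt", "Resource": src_key})
        statements.append({"Effect": "Allow", "Action": "kms:Encrypt", "Resource": dst_key})
    return {"Version": "2012-10-17", "Statement": statements}


def overbroad_statements(policy):
    """Pre-attach check: report every statement that grants a wildcard action
    (e.g. s3:*) or a wildcard resource. A replication role needs neither."""
    findings = []
    for i, st in enumerate(policy["Statement"]):
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"statement {i}: wildcard action in {actions}")
        if "*" in resources:
            findings.append(f"statement {i}: resource '*' covers every bucket and key")
    return findings
```

Run `overbroad_statements` over any existing role policy before reusing it via “Choose from existing IAM roles”: an empty list means the role is scoped to named buckets and keys only.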
Speeding up the replication process
Amazon S3 CRR is a powerful feature included with the service. However, it can also be a challenge due to its complexity. In addition to the issues some users have experienced, other challenges include meeting RPOs for warm and hot DR and interoperability with other object storage solution providers.
Fortunately, there’s a solution that can help.
A newer approach to the cross-region replication challenge is a replication solution built on a peer-to-peer (P2P) architecture with native WAN optimization, which offers an organically scalable design. Besides being 3 to 10 times faster than traditional replication solutions, these types of solutions offer benefits such as:
- Greater flexibility – Can be used with any cloud provider (AWS, Google Cloud, Microsoft Azure, etc.) and in any environment (on-prem or hybrid cloud). In some cases, it can be used with a variety of object storage offerings.
- Ease of setup and use – Can be deployed on existing infrastructure without the need to purchase new hardware or migrate data, and replication can begin in as little as two hours.
- Secure by default – Encrypts data at rest and in transit using AES-256.
Using a P2P architecture with built-in WAN optimization helps avoid two common issues found among conventional replication solutions:
- Client-server architectures where only one device or instance (the hub) can replicate data across the entire environment.
- “Follow-the-sun” models where replication can only occur sequentially between at most 2 devices at a time (e.g., Device 1 must replicate objects to Device 2, which then replicates them to Device 3, etc.).
In the examples above, replication is always limited by the slowest device. Each replication instance also creates a single point of failure: if the device replicating the data fails, the entire transfer fails.
In addition, most CRR solutions rely on TCP for transfers over the WAN. The distance between regions and end-users creates latency and potentially packet loss. This further slows down replication speeds since TCP struggles with latency and loss. Conventional replication solutions that rely on TCP, including S3 Replication, may struggle to the point where transfers slow down or fail completely. So, implementer beware when it comes to conventional CRR.