REL02-BP01 Use highly available network connectivity for your workload public endpoints - AWS Well-Architected Framework (2022-03-31)

REL02-BP01 Use highly available network connectivity for your workload public endpoints

Your workload's public endpoints, and the routing to them, must be highly available. To achieve this, use highly available DNS, content delivery networks (CDNs), API Gateway, load balancing, or reverse proxies.

Amazon Route 53, AWS Global Accelerator, Amazon CloudFront, Amazon API Gateway, and Elastic Load Balancing (ELB) all provide highly available public endpoints. You might also choose to evaluate AWS Marketplace software appliances for load balancing and proxying.

Consumers of the service your workload provides, whether they are end-users or other services, make requests on these service endpoints. Several AWS resources are available to enable you to provide highly available endpoints.

Elastic Load Balancing provides load balancing across Availability Zones, performs Layer 4 (TCP) or Layer 7 (http/https) routing, integrates with AWS WAF, and integrates with AWS Auto Scaling to help create a self-healing infrastructure and absorb increases in traffic while releasing resources when traffic decreases.

Amazon Route 53 is a scalable and highly available Domain Name System (DNS) service that connects user requests to infrastructure running in AWS, such as Amazon EC2 instances, Elastic Load Balancing load balancers, or Amazon S3 buckets, and can also be used to route users to infrastructure outside of AWS.

AWS Global Accelerator is a network layer service that you can use to direct traffic to optimal endpoints over the AWS global network.

Distributed Denial of Service (DDoS) attacks risk shutting out legitimate traffic and lowering availability for your users. AWS Shield provides automatic protection against these attacks at no extra cost for AWS service endpoints on your workload. You can augment these features with virtual appliances from APN Partners and the AWS Marketplace to meet your needs.

Common anti-patterns:

  • Using public internet addresses on instances or containers and managing the connectivity to them via DNS.

  • Using Internet Protocol addresses instead of domain names for locating services.

  • Providing content (web pages, static assets, media files) to a large geographic area and not using a content delivery network.

Benefits of establishing this best practice: By implementing highly available services in your workload, you know that your workload will be available to your users.

Level of risk exposed if this best practice is not established: High

Implementation guidance

Ensure that you have highly available connectivity for users of the workload. Amazon Route 53, AWS Global Accelerator, Amazon CloudFront, Amazon API Gateway, and Elastic Load Balancing (ELB) all provide highly available public-facing endpoints. You may also choose to evaluate AWS Marketplace software appliances for load balancing and proxying.

  • Ensure that you have a highly available connection to your users.

    • If your users access your application via the internet, use service API operations to confirm the correct usage of Internet Gateways. Also confirm that the route table entries for the subnets hosting your application endpoints are correct.

    • If your users access your application via your on-premises environment, ensure that your connectivity between AWS and your on-premises environment is highly available.

  • Ensure that you are using a highly available DNS to manage the domain names of your application endpoints.

    • Use Route 53 to manage your domain names.

    • Use a third-party DNS provider that meets your requirements.

  • Ensure that you are using a highly available reverse proxy or load balancer in front of your application.

    • Use Elastic Load Balancing.

    • Use an AWS Marketplace appliance that meets your requirements.
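The first step above asks you to use service API operations to confirm that an Internet Gateway is in use and that the route tables of the subnets hosting your endpoints are correct. The following script is an added example, not AWS's own code: it evaluates data in the shape of the EC2 DescribeInternetGateways, DescribeRouteTables and DescribeSubnets responses and reports a finding when no Internet Gateway is attached to the VPC, when an endpoint subnet's effective route table (its explicit association, or the VPC main table) lacks an active 0.0.0.0/0 route to an attached gateway, or when the endpoint subnets sit in fewer than two Availability Zones. The sample responses and every resource ID in them are constructed placeholders; `fetch_live` is a hypothetical helper that pulls the same three responses with boto3 if you want to run the checks against a real account.

```python
"""Check that the subnets behind a public endpoint are reachable from the internet.

Added example for REL02-BP01 (not AWS's own code). Inputs follow the shape of the EC2
DescribeInternetGateways / DescribeRouteTables / DescribeSubnets API responses.
"""
from typing import Dict, List, Set


def attached_igws(igw_response: Dict, vpc_id: str) -> Set[str]:
    """Return the IDs of internet gateways attached (state 'available') to vpc_id."""
    result = set()
    for igw in igw_response.get("InternetGateways", []):
        for att in igw.get("Attachments", []):
            if att.get("VpcId") == vpc_id and att.get("State") == "available":
                result.add(igw["InternetGatewayId"])
    return result


def route_table_for_subnet(rt_response: Dict, subnet_id: str, vpc_id: str):
    """Effective route table: the explicitly associated one, else the VPC main table."""
    main = None
    for rt in rt_response.get("RouteTables", []):
        if rt.get("VpcId") != vpc_id:
            continue
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt  # explicit association wins over the main table
            if assoc.get("Main"):
                main = rt
    return main


def has_igw_default_route(route_table: Dict, igw_ids: Set[str]) -> bool:
    """True if the table has an active 0.0.0.0/0 route whose target is an attached IGW."""
    for route in route_table.get("Routes", []):
        if (route.get("DestinationCidrBlock") == "0.0.0.0/0"
                and route.get("GatewayId") in igw_ids
                and route.get("State", "active") == "active"):
            return True
    return False


def check_public_endpoint_subnets(vpc_id: str, subnet_ids: List[str], igw_response: Dict,
                                  rt_response: Dict, subnet_response: Dict) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    igws = attached_igws(igw_response, vpc_id)
    if not igws:
        findings.append(f"{vpc_id}: no internet gateway attached")
    az_by_subnet = {s["SubnetId"]: s["AvailabilityZone"] for s in subnet_response.get("Subnets", [])}
    azs = set()
    for sid in subnet_ids:
        rt = route_table_for_subnet(rt_response, sid, vpc_id)
        if rt is None:
            findings.append(f"{sid}: no route table found")
        elif not has_igw_default_route(rt, igws):
            findings.append(f"{sid}: route table {rt['RouteTableId']} has no 0.0.0.0/0 route to an attached IGW")
        if sid in az_by_subnet:
            azs.add(az_by_subnet[sid])
    if len(azs) < 2:
        findings.append(f"endpoint subnets span {len(azs)} Availability Zone(s); use at least two")
    return findings


def fetch_live(vpc_id: str, subnet_ids: List[str], region: str):
    """Hypothetical helper: pull the three responses from a real account with boto3."""
    import boto3  # imported here so the offline sample below needs no SDK
    ec2 = boto3.client("ec2", region_name=region)
    return (ec2.describe_internet_gateways(Filters=[{"Name": "attachment.vpc-id", "Values": [vpc_id]}]),
            ec2.describe_route_tables(Filters=[{"Name": "vpc-id", "Values": [vpc_id]}]),
            ec2.describe_subnets(SubnetIds=subnet_ids))


# Constructed sample data: one public subnet with an explicit IGW route, one subnet that
# falls back to the main table (local route only). All IDs are placeholders.
VPC = "vpc-0example"
SAMPLE_IGWS = {"InternetGateways": [
    {"InternetGatewayId": "igw-0example", "Attachments": [{"VpcId": VPC, "State": "available"}]}]}
SAMPLE_ROUTE_TABLES = {"RouteTables": [
    {"RouteTableId": "rtb-0mainexample", "VpcId": VPC,
     "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}]},
    {"RouteTableId": "rtb-0publicexample", "VpcId": VPC,
     "Associations": [{"SubnetId": "subnet-0aexample"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example", "State": "active"}]}]}
SAMPLE_SUBNETS = {"Subnets": [
    {"SubnetId": "subnet-0aexample", "AvailabilityZone": "us-east-1a"},
    {"SubnetId": "subnet-0bexample", "AvailabilityZone": "us-east-1b"}]}

if __name__ == "__main__":
    for f in check_public_endpoint_subnets(VPC, ["subnet-0aexample", "subnet-0bexample"],
                                           SAMPLE_IGWS, SAMPLE_ROUTE_TABLES, SAMPLE_SUBNETS):
        print("FINDING:", f)
```

Run against the sample data, the script reports that subnet-0bexample falls back to the main table and therefore has no route to the gateway; an endpoint whose load balancer is placed only in subnet-0aexample passes the routing check but is flagged for living in a single Availability Zone. The same two conditions, a missing IGW route and single-AZ placement, are the usual reasons a "highly available" endpoint is not.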
