Larger failure modes - AWS Outposts High Availability Design and Architecture Considerations

This document is in the process of being updated. In the interim, some of the content might not be accurate.

To design HA architectures to mitigate larger failure modes like rack, data center, Availability Zone (AZ), or Region failures, you should deploy multiple Outposts with sufficient infrastructure capacity in separate data centers with independent power and WAN connectivity. You anchor the Outposts to different Availability Zones (AZs) within an AWS Region or across multiple Regions. You should also provision resilient and sufficient site-to-site connectivity between the locations to support synchronous or asynchronous data replication and workload traffic redirection. Depending on your application architecture, you can use globally available Amazon Route 53 DNS and regionally available Elastic Load Balancing services to direct traffic to the desired location and automate traffic redirection to surviving locations in the event of large-scale failures.

There are networking limitations that you should be aware of when designing and deploying application workloads across multiple Outposts. Resources on two separate Outposts cannot communicate with each other by transiting traffic through the Region. Resources on two separate Outposts deployed within the same VPC cannot communicate with each other across the customer network. Resources on two separate Outposts deployed in different VPCs can communicate with each other across the customer network.

The following two figures illustrate the blocked and successful network paths.

Single VPC multiple-Outpost network paths

Outpost-to-Outpost traffic transiting the Region is blocked because it is an anti-pattern. Such traffic would incur egress charges in both directions and would likely have much higher latency than simply routing the traffic across the customer WAN.

Resources on multiple Outposts in the same VPC cannot communicate with each other. Traffic between Outposts in the same VPC always follows the local VPC CIDR route through the Region, where it is blocked.

You should use separate VPCs to deploy resources on multiple Outposts to allow you to route Outpost-to-Outpost traffic across your local on-premises and WAN networks.

Multiple-VPC multiple-Outpost network paths

Recommended practices for protecting against larger failure modes:

  • Deploy multiple Outposts anchored to multiple AZs and Regions.

  • Use separate VPCs for each Outpost in a multi-Outpost deployment.
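
The following is an added example, not AWS code: a layout check that applies the two recommended practices and the path rules described above to a subnet inventory. The function names and every ID are hypothetical; the sample input is constructed and shaped like the `Subnets` list of an EC2 `DescribeSubnets` response.

```python
from collections import defaultdict

# Constructed sample shaped like the "Subnets" list of an EC2 DescribeSubnets
# response. All IDs and ARNs are made up. A subnet on an Outpost carries
# OutpostArn, and its AvailabilityZone is the AZ the Outpost is anchored to.
ARN = "arn:aws:outposts:us-west-2:111122223333:outpost/"
SAMPLE_SUBNETS = [
    {"SubnetId": "subnet-a1", "VpcId": "vpc-111", "AvailabilityZone": "us-west-2a", "OutpostArn": ARN + "op-aaaa"},
    {"SubnetId": "subnet-b1", "VpcId": "vpc-111", "AvailabilityZone": "us-west-2b", "OutpostArn": ARN + "op-bbbb"},
    {"SubnetId": "subnet-c1", "VpcId": "vpc-222", "AvailabilityZone": "us-west-2b", "OutpostArn": ARN + "op-cccc"},
    {"SubnetId": "subnet-r1", "VpcId": "vpc-111", "AvailabilityZone": "us-west-2a"},  # Region subnet
]


def outpost_layout(subnets):
    """Return ({vpc_id: {outpost_arn}}, {outpost_arn: anchor_az}) for Outpost subnets only."""
    vpc_outposts, outpost_az = defaultdict(set), {}
    for s in subnets:
        arn = s.get("OutpostArn")
        if arn:  # skip subnets that live in the Region
            vpc_outposts[s["VpcId"]].add(arn)
            outpost_az[arn] = s["AvailabilityZone"]
    return vpc_outposts, outpost_az


def findings(subnets):
    """Flag layouts that conflict with the two recommended practices."""
    vpc_outposts, outpost_az = outpost_layout(subnets)
    out = [f"{vpc}: subnets on {len(arns)} Outposts; traffic between them is blocked"
           for vpc, arns in sorted(vpc_outposts.items()) if len(arns) > 1]
    if len(outpost_az) > 1 and len(set(outpost_az.values())) == 1:
        out.append("all Outposts are anchored to one AZ: " + next(iter(outpost_az.values())))
    return out


def path(a, b):
    """Classify the network path between two Outpost subnets using the rules above."""
    if a["OutpostArn"] == b["OutpostArn"]:
        return "same-outpost"      # not an Outpost-to-Outpost path
    if a["VpcId"] == b["VpcId"]:
        return "blocked"           # follows the local VPC CIDR route into the Region
    return "customer-network"      # different VPCs: route over on-premises/WAN


if __name__ == "__main__":
    for line in findings(SAMPLE_SUBNETS):
        print(line)
    print(path(SAMPLE_SUBNETS[0], SAMPLE_SUBNETS[2]))
```

A `customer-network` result means only that the path is permitted; the routes across the on-premises network and WAN still have to exist.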