I am building a Web site that will have users in the US and in Europe. I set up an Amazon Virtual Private Cloud (VPC) in the US-east region, and another VPC in the Europe-west region. I also configured Amazon Route 53 DNS with the latency-based option, so users will be directed to the nearest VPC. Most requests will be served locally, but for some requests the application servers will need to fetch some data in the other region. To be more precise, my web site will allow users to send messages to each other, and although most messages will probably stay in the same region, some users will occasionally send messages to users in the other region. So there will need to be some communication between the VPCs.
I can see 4 options:
- if Amazon had an option to transparently and securely connect VPCs across different regions through a VPN, that would be ideal. But I have not seen this option anywhere (it's March 2013). Have I missed something? Is it on their roadmap?
- I could set up my own VPN connection between the two VPCs. For redundancy, I would need at least 2 VMs in the US and 2 VMs in Europe, and set up OpenVPN on these VMs. I'm afraid that throughput and latency would be impacted, and it would be another 4 VMs to manage (and pay for).
- I could just configure my app servers to open database connections across the Internet. I would have to use SSL connections for security and set up some authentication and firewalling. I'm afraid the SSL connections would be bad for performance, unless I use some pooler to keep them alive, perhaps.
- I could implement web services and have the app servers fetch the required data through those web services. Communications would have to be HTTPS. This seems somewhat cleaner than option 3, but at the same time it's a lot more complicated. Frankly, I'm not sure it's worth the trouble.
What solution would you recommend? Any other idea?
Thanks
Amazon VPC doesn't currently provide a method to connect multiple VPCs - you haven't missed anything there.
If you decide to go the VPN route there are a couple of articles regarding setting this up between VPCs - one utilizes IPsec and the other OpenVPN.
I would actually recommend using SSH tunnels with port redirection from your app servers to the database servers. You can use a tool such as autossh to ensure that the SSH tunnel is always up. You avoid the overhead of SSL negotiation for each database connection.
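A concrete shape for the autossh tunnel the answer describes, as an added example that is not the answerer's own code. It composes a supervised SSH port forward from an app server to a database in the other region, an `authorized_keys` line that confines the tunnel key to that one forward on the remote end, and a local health check. Every hostname, port, user and key path is an assumed placeholder, not something from the question or answer.

```shell
#!/bin/sh
# Added example (not from the original answer): a persistent SSH port forward
# supervised by autossh, so app servers talk to "localhost" and the tunnel
# carries traffic to the database in the other region.
# All values below are placeholders/assumptions; override via the environment.

REMOTE_HOST="${REMOTE_HOST:-db-gateway.eu-west.example.internal}"  # assumed
REMOTE_USER="${REMOTE_USER:-tunnel}"                               # dedicated, shell-less user
LOCAL_PORT="${LOCAL_PORT:-15432}"      # app servers connect to 127.0.0.1:15432
DB_HOST="${DB_HOST:-127.0.0.1}"        # the database as seen from the remote SSH host
DB_PORT="${DB_PORT:-5432}"
KEY_FILE="${KEY_FILE:-/etc/tunnel/id_ed25519}"
KNOWN_HOSTS="${KNOWN_HOSTS:-/etc/tunnel/known_hosts}"   # pinned remote host key

# Compose the autossh command line.
#  -M 0                       no autossh monitor port; rely on SSH keepalives instead
#  -N                         forwarding only, no remote command
#  ServerAliveInterval/CountMax  detect a dead link so autossh reconnects
#  ExitOnForwardFailure=yes   exit (and be restarted) if the forward cannot be set up
#  StrictHostKeyChecking=yes  with a pinned known_hosts file: no MITM on the tunnel
#  IdentitiesOnly=yes         offer only the dedicated tunnel key
#  -L 127.0.0.1:...           bind the local end to loopback only
build_tunnel_cmd() {
    printf '%s' "autossh -M 0 -N \
-o ServerAliveInterval=15 -o ServerAliveCountMax=3 \
-o ExitOnForwardFailure=yes \
-o StrictHostKeyChecking=yes -o UserKnownHostsFile=${KNOWN_HOSTS} \
-o IdentitiesOnly=yes -i ${KEY_FILE} \
-L 127.0.0.1:${LOCAL_PORT}:${DB_HOST}:${DB_PORT} \
${REMOTE_USER}@${REMOTE_HOST}"
}

# authorized_keys entry for the remote end: "restrict" turns off shell/pty/agent
# and X11 forwarding; "port-forwarding" re-enables only forwarding, and
# "permitopen" limits it to the single database host:port.
build_authorized_keys_line() {
    pubkey="$1"
    printf 'restrict,port-forwarding,permitopen="%s:%s" %s\n' "$DB_HOST" "$DB_PORT" "$pubkey"
}

# Health check for the app server: is the local end of the tunnel listening?
# Returns 0 if listening, 1 if not, 2 if no tool is available to check.
tunnel_listening() {
    port="$1"
    if command -v ss >/dev/null 2>&1; then
        ss -ltn 2>/dev/null | grep -q "127\.0\.0\.1:${port} "
    elif command -v netstat >/dev/null 2>&1; then
        netstat -ltn 2>/dev/null | grep -q "127\.0\.0\.1:${port} "
    else
        return 2
    fi
}

# Usage: ./tunnel.sh run   (typically from a systemd unit or supervisor with Restart=always)
if [ "${1:-}" = "run" ]; then
    # shellcheck disable=SC2046  # intentional word splitting of the composed command
    exec $(build_tunnel_cmd)
fi
```

Run the `run` mode under a process supervisor on each app server so the tunnel comes back after reboots, and point the application's database host at `127.0.0.1:15432`. On the remote side, the security group should admit port 22 only from the app servers' addresses, the database should listen only on its private address, and the `tunnel` account should have no login shell; the `restrict,...,permitopen` line keeps a leaked tunnel key from being used for anything but that one forward.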