AWS Local Zones allow you to place resources closer to your users, and seamlessly connect to the full range of services in the AWS Region, using familiar APIs and tool sets. When you create a subnet in a Local Zone, you extend the VPC to that Local Zone.
To use a Local Zone, you use the following process:
- Opt in to the Local Zone.
- Create a subnet in the Local Zone.
- Launch resources in the Local Zone subnet, so that your applications are closer to your users.
The following diagram illustrates a VPC in the US West (Oregon) (us-west-2) Region that spans Availability Zones and a Local Zone.

When you create a VPC, you can choose to assign a set of Amazon-provided public IP addresses to the VPC. You can also set a network border group for the addresses that limits the addresses to the group. When you set a network border group, the IP addresses can't move between network border groups. Local Zone network traffic will go directly to the internet or to points-of-presence (PoPs) without traversing the Local Zone's parent Region, enabling access to low-latency computing. For the complete list of Local Zones and their corresponding parent Regions, see Available Local Zones in the AWS Local Zones User Guide.
The following rules apply to Local Zones:
- The Local Zone subnets follow the same routing rules as Availability Zone subnets, including route tables, security groups, and network ACLs.
- Outbound internet traffic leaves a Local Zone from the Local Zone.
- You must provision public IP addresses for use in a Local Zone. When you allocate addresses, you can specify the location from which the IP address is advertised. We refer to this as a network border group, and you can set this parameter to limit the addresses to this location. After you provision the IP addresses, you cannot move them between the Local Zone and the parent Region (for example, from us-west-2-lax-1a to us-west-2).
- If the Local Zone supports IPv6, you can request IPv6 Amazon-provided IP addresses and associate them with the network border group for a new or existing VPC. For the list of Local Zones that support IPv6, see Considerations in the AWS Local Zones User Guide.
- You can't create VPC endpoints in Local Zone subnets.
For more information about working with Local Zones, see the AWS Local Zones User Guide.
Considerations for internet gateways
Take the following information into account when you use internet gateways (in the parent Region) in Local Zones:
- You can use internet gateways in Local Zones with Elastic IP addresses or Amazon auto-assigned public IP addresses. The Elastic IP addresses that you associate must include the network border group of the Local Zone. For more information, see Associate Elastic IP addresses with resources in your VPC. You cannot associate an Elastic IP address that is set for the Region.
- Elastic IP addresses that are used in Local Zones have the same quotas as Elastic IP addresses in a Region. For more information, see Elastic IP addresses.
- You can use internet gateways in route tables that are associated with Local Zone resources. For more information, see Routing to an internet gateway.
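A preflight check for the Elastic IP rule above, as an added example that is not part of the AWS documentation: it compares each address's network border group with that of the zone hosting the target subnet. The data is constructed in the shape of describe-availability-zones, describe-subnets and describe-addresses output; the IDs and function names are hypothetical.

```python
# Constructed sample data shaped like EC2 describe-availability-zones,
# describe-subnets and describe-addresses output; all IDs are placeholders.
ZONES = [
    {"ZoneName": "us-west-2a", "NetworkBorderGroup": "us-west-2"},
    {"ZoneName": "us-west-2-lax-1a", "NetworkBorderGroup": "us-west-2-lax-1"},
]
SUBNETS = [
    {"SubnetId": "subnet-az-example", "AvailabilityZone": "us-west-2a"},
    {"SubnetId": "subnet-lz-example", "AvailabilityZone": "us-west-2-lax-1a"},
]
ADDRESSES = [
    {"AllocationId": "eipalloc-region-example", "NetworkBorderGroup": "us-west-2"},
    {"AllocationId": "eipalloc-lax-example", "NetworkBorderGroup": "us-west-2-lax-1"},
]


def border_group_of_subnet(subnet_id, subnets, zones):
    """Return the network border group of the zone that hosts the subnet."""
    zone_by_name = {z["ZoneName"]: z for z in zones}
    for subnet in subnets:
        if subnet["SubnetId"] == subnet_id:
            return zone_by_name[subnet["AvailabilityZone"]]["NetworkBorderGroup"]
    raise KeyError(f"unknown subnet: {subnet_id}")


def check_associations(planned, subnets, zones, addresses):
    """Return (allocation_id, subnet_id, reason) for each planned pairing whose
    address is advertised from a different border group than the subnet's zone."""
    group_by_alloc = {a["AllocationId"]: a["NetworkBorderGroup"] for a in addresses}
    problems = []
    for alloc_id, subnet_id in planned:
        want = border_group_of_subnet(subnet_id, subnets, zones)
        have = group_by_alloc[alloc_id]
        if have != want:
            problems.append((alloc_id, subnet_id,
                             f"address is in {have}, subnet needs {want}"))
    return problems


if __name__ == "__main__":
    plan = [("eipalloc-region-example", "subnet-lz-example"),
            ("eipalloc-lax-example", "subnet-lz-example")]
    for problem in check_associations(plan, SUBNETS, ZONES, ADDRESSES):
        print(problem)
```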
Access Local Zones using a Direct Connect gateway
Consider the scenario where you want an on-premises data center to access resources that are in a Local Zone. You use a virtual private gateway for the VPC that's associated with the Local Zone to connect to a Direct Connect gateway. The Direct Connect gateway connects to an AWS Direct Connect location in a Region. The on-premises data center has an AWS Direct Connect connection to the AWS Direct Connect location.
Note
Traffic that is destined for a subnet in a Local Zone using Direct Connect does not travel through the parent Region of the Local Zone. Instead, traffic takes the shortest path to the Local Zone. This decreases latency and helps make your applications more responsive.
You configure the following resources for this configuration:
- A virtual private gateway for the VPC that is associated with the Local Zone subnet. You can view the VPC for the subnet on the subnet details page in the Amazon Virtual Private Cloud Console, or use the describe-subnets command. For information about creating a virtual private gateway, see Create a target gateway in the AWS Site-to-Site VPN User Guide.
- A Direct Connect connection. For the best latency performance, AWS recommends that you use the Direct Connect location closest to the Local Zone to which you'll be extending your subnet. For information about ordering a connection, see Cross connects in the AWS Direct Connect User Guide.
- A Direct Connect gateway. For information about creating a Direct Connect gateway, see Create a Direct Connect gateway in the AWS Direct Connect User Guide.
- A virtual private gateway association to connect the VPC to the Direct Connect gateway. For information about creating a virtual private gateway association, see Associating and disassociating virtual private gateways in the AWS Direct Connect User Guide.
- A private virtual interface on the connection from the AWS Direct Connect location to the on-premises data center. For information about creating a private virtual interface, see Creating a private virtual interface to the Direct Connect gateway in the AWS Direct Connect User Guide.
Connect Local Zone subnets to a transit gateway
You can't create a transit gateway attachment for a subnet in a Local Zone. The following diagram shows how to configure your network so that subnets in the Local Zone connect to a transit gateway through the parent Availability Zone. Create subnets in the Local Zones and subnets in the parent Availability Zones. Connect the subnets in the parent Availability Zones to the transit gateway, and then create a route in the route table for each VPC that routes traffic destined for the other VPC CIDR to the network interface for the transit gateway attachment.
Note
Traffic destined for a subnet in a Local Zone that originates from a transit gateway will first traverse the parent Region.

Create the following resources for this scenario:
- A subnet in each parent Availability Zone. For more information, see Create a subnet.
- A transit gateway. For more information, see Create a transit gateway in Amazon VPC Transit Gateways.
- A transit gateway attachment for each VPC using the parent Availability Zone. For more information, see Create a transit gateway attachment to a VPC in Amazon VPC Transit Gateways.
- A transit gateway route table associated with the transit gateway attachment. For more information, see Transit gateway route tables in Amazon VPC Transit Gateways.
- For each VPC, an entry in the subnet route tables of the Local Zone subnets that has the other VPC CIDR as the destination, and the ID of the network interface for the transit gateway attachment as the target. To find the network interface for the transit gateway attachment, search the descriptions of your network interfaces for the ID of the transit gateway attachment. For more information, see Routing for a transit gateway.
The following is an example route table for VPC 1.
Destination | Target |
---|---|
|
|
|
|
The following is an example route table for VPC 2.
Destination | Target |
---|---|
|
|
|
vpc2-attachment-network-interface-id |
The following is an example of the transit gateway route table. The CIDR blocks for each VPC propagate to the transit gateway route table.
CIDR | Attachment | Route type |
---|---|---|
|
|
propagated |
|
|
propagated |
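One way to verify the Local Zone route entries described above, as an added example that is not part of the AWS documentation: it finds the attachment's network interfaces by searching descriptions for the attachment ID, then checks that each Local Zone subnet routes the other VPC's CIDR to one of them. The data is constructed in the shape of describe-network-interfaces and describe-route-tables output; all IDs, CIDRs, description strings and function names are assumptions.

```python
import ipaddress

# Constructed sample data shaped like EC2 describe-network-interfaces and
# describe-route-tables output; every ID and CIDR below is a placeholder.
NETWORK_INTERFACES = [
    {"NetworkInterfaceId": "eni-tgw-example", "Description":
     "Network Interface for Transit Gateway Attachment tgw-attach-example1"},
    {"NetworkInterfaceId": "eni-app-example", "Description": "application server"},
]
ROUTE_TABLES = [
    {"RouteTableId": "rtb-lz-good", "Associations": [{"SubnetId": "subnet-lz-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "10.1.0.0/16",
                 "NetworkInterfaceId": "eni-tgw-example"}]},
    {"RouteTableId": "rtb-lz-bad", "Associations": [{"SubnetId": "subnet-lz-b"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "10.1.0.0/16",
                 "NetworkInterfaceId": "eni-app-example"}]},
]


def attachment_interfaces(attachment_id, interfaces):
    """Find attachment ENIs by searching interface descriptions for the ID."""
    return {i["NetworkInterfaceId"] for i in interfaces
            if attachment_id in i.get("Description", "")}


def check_local_zone_routes(lz_subnets, peer_cidr, attachment_id, tables, interfaces):
    """Return {subnet_id: finding} for Local Zone subnets lacking a route to
    peer_cidr whose target is a network interface of the attachment."""
    enis = attachment_interfaces(attachment_id, interfaces)
    peer = ipaddress.ip_network(peer_cidr)
    findings = {}
    for subnet_id in lz_subnets:
        table = next((t for t in tables if any(
            a.get("SubnetId") == subnet_id for a in t["Associations"])), None)
        if table is None:
            findings[subnet_id] = "no explicit association (main route table applies)"
            continue
        targets = [r.get("NetworkInterfaceId") for r in table["Routes"]
                   if "DestinationCidrBlock" in r
                   and ipaddress.ip_network(r["DestinationCidrBlock"]) == peer]
        if not targets:
            findings[subnet_id] = f"no route for {peer_cidr}"
        elif targets[0] not in enis:
            findings[subnet_id] = f"route for {peer_cidr} targets {targets[0]}"
    return findings
```

A subnet reported as having no explicit association uses the VPC's main route table, so that table is the one to inspect next.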