AWS Global vs Regional vs AZ resources

AWS Global, Regional, AZ resource Availability

  • AWS provides a lot of services and these services are either Global, Regional, or Availability Zone specific and cannot be accessed outside.
  • Most of the AWS-managed services are regional-based services with few exceptions being Global (e.g. IAM, Route53, CloudFront, etc) or AZ bound.

Global vs Regional vs AZ Resource locations

AWS Global vs Regional vs AZ

AWS Networking Services

  • Virtual Private Cloud
    • VPC – Regional
      • VPCs are created within a region
    • Subnet – Availability Zone
      • A subnet can span only a single Availability Zone
    • Security groups – Regional
      • A security group is tied to a region and can be assigned only to instances in the same region.
    • VPC Endpoints – Regional
      • VPC Gateway & Interface Endpoints cannot be created between a VPC and an AWS service in a different region.
    • VPC PeeringRegional
      • VPC Peering can be performed across VPC in the same account of different AWS accounts but only within the same region. They cannot span across regions
      • VPC Peering can now span inter-region
    • Elastic IP Address – Regional
      • Elastic IP addresses created within the region can be assigned to instances within the region only.
    • Elastic Network Interface – Availability Zone
  • Route 53Global
    • Route53 services are offered at AWS edge locations and are global
  • CloudFrontGlobal
    • CloudFront is the global content delivery network (CDN) services are offered at AWS edge locations
  • ELB, ALB, NLB, GWLB – Regional
    • Elastic Load Balancer distributes traffic across instances in multiple Availability Zones in the same region
    • Use Route 53 to route traffic to load balancers across regions.
  • Direct Connect Gateway – Global
    • is a globally available resource that can be created in any Region and accessed from all other Regions.
  • Transit Gateway – Regional
    • is a Regional resource and can connect VPCs within the same AWS Region.
    • Transit Gateway Peering can be used to attach TGWs across regions.
  • AWS Global Accelerator – Global
    • is a global service that supports endpoints in multiple AWS Regions.

AWS Compute Services

  • EC2
    • Resource Identifiers – Regional
      • Each resource identifier, such as an AMI ID, instance ID, EBS volume ID, or EBS snapshot ID, is tied to its region and can be used only in the region where you created the resource.
    • Instances – Availability Zone
      • An instance is tied to the Availability Zones in which you launched it. However, note that its instance ID is tied to the region.
    • EBS Volumes – Availability Zone
      • Amazon EBS volume is tied to its Availability Zone and can be attached only to instances in the same Availability Zone.
    • EBS Snapshot – Regional
      • An EBS snapshot is tied to its region and can only be used to create volumes in the same region and has to be copied from one region to another if needed.
    • AMIs – Regional
      • AMI provides templates to launch EC2 instances
      • AMI is tied to the Region where its files are located with Amazon S3. For using AMI in different regions, the AMI can be copied to other regions
    • Auto Scaling – Regional
      • Auto Scaling spans across multiple Availability Zones within the same region but cannot span across regions
  • Cluster Placement GroupsAvailability Zone
    • Cluster Placement groups can span across Instances within the same Availability Zones
  • ECSRegional
  • ECRRegional
    • Images can be pushed/pulled within the same AWS Region.
    • Images can also be pulled between Regions or out to the internet with additional latency and data transfer costs.

AWS Storage Services

  • S3 – Global but Data is Regional
    • S3 buckets are created within the selected region
    • Objects stored are replicated across Availability Zones to provide high durability but are not cross-region replicated unless done explicitly.
    • S3 cross-region replication can be used to replicate data across regions.
  • DynamoDB – Regional
    • All data objects are stored within the same region and replicated across multiple Availability Zones in the same region
    • Data objects can be explicitly replicated across regions using cross-region replication
  • DynamoDB Global Tables – Across Regions
    • is a new multi-master, cross-region replication capability of DynamoDB to support data access locality and regional fault tolerance for database workloads
  • Storage Gateway – Regional
    • AWS Storage Gateway stores volume, snapshot, and tape data in the AWS region in which the gateway is activated

AWS Identity & Security Services

  • Identity Access Management – IAM
    • Users, Groups, Roles, Accounts – Global
      • Same AWS accounts, users, groups, and roles can be used in all regions
    • Key Pairs – Global or Regional
      • EC2 created key pairs are specific to the region
      • RSA key pair can be created and uploaded that can be used in all regions
  • Web Access Firewall – WAFGlobal
    • protect web applications from common web exploits and is offered at AWS edge locations globally.
  • AWS GuardDuty – Regional
    • findings remain in the same Regions where the underlying data was generated.
  • Amazon Detective – Regional
  • Amazon Inspector – Regional
  • Amazon Macie – Regional
    • must be enabled on a region-by-region basis and helps view findings across all the accounts within each Region.
    • verifies that all data analyzed is regionally based and doesn’t cross AWS regional boundaries.
  • AWS Security Hub – Regional.
    • supports cross-region aggregation of findings via the designation of an aggregator region.
  • AWS Migration Hub – Regional.
    • runs in a single home region, however, can collect data from all regions

AWS Management & Governance Tools

AWS Certification Exam Practice Questions

  • Questions are collected from Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).
  • AWS services are updated everyday and both the answers and questions might be outdated soon, so research accordingly.
  • AWS exam questions are not updated to keep up the pace with AWS updates, so even if the underlying feature has changed the question might not be updated
  • Open to further feedback, discussion and correction.
  1. You would like to create a mirror image of your production environment in another region for disaster recovery purposes. Which of the following AWS resources do not need to be recreated in the second region? (Choose 2 answers)
    1. Route 53 Record Sets
    2. IAM Roles
    3. Elastic IP Addresses (EIP) (are specific to a region)
    4. EC2 Key Pairs (are specific to a region)
    5. Launch configurations
    6. Security Groups (are specific to a region)
  2. When using the following AWS services, which should be implemented in multiple Availability Zones for high availability solutions? Choose 2 answers
    1. Amazon DynamoDB (already replicates across AZs)
    2. Amazon Elastic Compute Cloud (EC2)
    3. Amazon Elastic Load Balancing
    4. Amazon Simple Notification Service (SNS) (Global Managed Service)
    5. Amazon Simple Storage Service (S3) (Global Managed Service)
  3. What is the scope of an EBS volume?
    1. VPC
    2. Region
    3. Placement Group
    4. Availability Zone
  4. What is the scope of AWS IAM?
    1. Global (IAM resources are all global; there is not regional constraint)
    2. Availability Zone
    3. Region
    4. Placement Group
  5. What is the scope of an EC2 EIP?
    1. Placement Group
    2. Availability Zone
    3. Region (An Elastic IP address is tied to a region and can be associated only with an instance in the same region. Refer link)
    4. VPC
  6. What is the scope of an EC2 security group?
    1. Availability Zone
    2. Placement Group
    3. Region (A security group is tied to a region and can be assigned only to instances in the same region)
    4. VPC


25 thoughts on “AWS Global vs Regional vs AZ resources

    1. Elastic load balancing needs you to add subnets in all availability zones, that need to be supported, so that it can route requests to. Rest are either global or taken care by AWS itself.

  1. Hi Jayendrapatil,

    I have double checked that S3 is a global service. Can you please confirm on this?


    1. S3 is a global service, I have marked it regional in terms of data hosting. Updated the text to make it clearer
      When you create a bucket you have to specify the region. Also, the data is replicated within the same region. You have to exclusively perform a cross region replication.

    2. It has a global name space, but it’s a regional service. You can access your data only in one region. The name has to be unique globally.

    3. S3 is a global service but objects are stored in S3 are region-specific, but you can access the data in S3 from Globally

    1. Thanks Rick, security groups are created and used within VPC, but it can be used within peered VPC as well.
      Refer AWS documentation –

      A security group is tied to a region and can be assigned only to instances in the same region. You can't enable an instance to communicate with an instance outside its region using security group rules. Traffic from an instance in another region is seen as WAN bandwidth.

    1. Yup Dan, i have listed only for VPC as EC2-Classic is no more relevant and does not come in exams.

  2. Hi Jayendra,

    Your Blog is Awesome to prepare for AWS Certifications. Currenlty i am preparing for AWS SA Pro.

    In VPC Peering topic, Currenlty inter region VPC Peering is Supported. So Could you update your blog?

  3. For Q #6 – “What is the scope of an EC2 security group?” The answer should be VPC and not Region. When you create a security-group, AWS asks you to specify the VPC for which it applies. Also, you can create multiple VPCs within the same region but cannot use a Security Group from 1 VPC for instances in another VPC in the same region.

    1. Thanks Swapnil. Agreed to the comment. But the grouping here is primarily between Global, Regional and AZs.
      A VPC is within a region and spans across multiple AZs. Also Security group can span across Peered VPCs.

    1. thanks Steve for pointing out, seems left out during the previous update.

    1. Workdoc does not work as Object Storage, Option A seems to be relevant option.

Comments are closed.