Developer Tools

Why AWS API Endpoints Differ by Region - The Design of Global and Regional Services

We explain the design reasons behind the separation of regional endpoints like ec2.us-east-1.amazonaws.com and global endpoints like iam.amazonaws.com, as well as the existence of dual-stack and FIPS endpoints.

約 6 分で読めます

The Design Intent Behind Regional Endpoints

Most AWS services have independent API endpoints for each region. For EC2, these look like ec2.us-east-1.amazonaws.com and ec2.ap-northeast-1.amazonaws.com, with the region code included in the URL. This design has two intentions. First, fault isolation. Each region's endpoint runs on independent infrastructure, so if the EC2 API in us-east-1 experiences a failure, the EC2 API in ap-northeast-1 is unaffected. If all regions shared a single global endpoint, a failure at that endpoint would cascade to all regions. Second, data locality. API requests are processed by the control plane in that region, so requests don't need to cross continents. When you call the EC2 API in the Tokyo region, the request is processed by the Tokyo control plane, minimizing latency. SDKs send requests to the endpoint of the configured region by default, so developers rarely need to be aware of endpoint URLs.

The Special Design of Global Services

IAM, Route 53, CloudFront, WAF (for CloudFront), and STS global endpoints use URLs without region codes (iam.amazonaws.com, route53.amazonaws.com). The reason these services are global is that by nature they manage resources not tied to any specific region. IAM users and roles apply across the entire AWS account and don't belong to a specific region. Route 53 hosted zones are also global resources. However, the control planes of global services physically run in some region. IAM's control plane is concentrated in us-east-1, and during the 2021 us-east-1 outage, IAM management operations were affected. STS is an interesting exception. STS has both a global endpoint (sts.amazonaws.com) and regional endpoints (sts.ap-northeast-1.amazonaws.com). AWS recommends using regional STS endpoints because the global endpoint is processed in us-east-1, meaning STS calls from other regions would also be affected during a us-east-1 outage.

The Complexity of S3 Endpoints

S3 endpoints are the most complex among AWS services. Two URL formats exist: path-style (s3.amazonaws.com/bucket-name/key) and virtual-hosted-style (bucket-name.s3.amazonaws.com/key). AWS has recommended virtual-hosted-style since 2020, and newer SDKs use virtual-hosted-style by default. Furthermore, S3 has both regional endpoints (s3.ap-northeast-1.amazonaws.com) and a legacy global endpoint (s3.amazonaws.com). The legacy global endpoint redirects to us-east-1, so accessing buckets in other regions results in a 307 redirect, adding extra latency. When S3 Transfer Acceleration is enabled, yet another endpoint (bucket-name.s3-accelerate.amazonaws.com) is used. This endpoint routes data through CloudFront edge locations to improve upload speeds over long distances. S3's dual-stack endpoint (s3.dualstack.region.amazonaws.com) supports both IPv4 and IPv6.

FIPS Endpoints - Encryption Requirements for the US Government

AWS provides FIPS (Federal Information Processing Standards) 140-2 compliant endpoints for many services. FIPS endpoints use FIPS 140-2 certified cryptographic modules for TLS communication. The URL format appends fips to the standard endpoint (e.g., ec2-fips.us-east-1.amazonaws.com, s3-fips.us-east-1.amazonaws.com). FIPS endpoints are primarily needed by US federal government agencies and their contractors. Regulations like FedRAMP and FISMA require FIPS 140-2 compliant encryption for government data communications. Private companies may also be required to use FIPS endpoints when doing business with the government. There is no functional difference between FIPS endpoints and standard endpoints. The only difference is the cipher suites used during the TLS handshake. On FIPS endpoints, cryptographic algorithms not approved by FIPS 140-2 (such as ChaCha20) are disabled. The performance impact is negligible.

VPC Endpoints - API Access Without the Public Internet

Normally, when an EC2 instance calls an AWS API, the request goes through an Internet Gateway or NAT Gateway to the public internet and reaches the AWS API endpoint. With VPC Endpoints (PrivateLink), requests complete within AWS's private network without traversing the public internet. There are two types of VPC Endpoints. Gateway Endpoints are exclusive to S3 and DynamoDB and work by adding entries to route tables. There is no additional charge. Interface Endpoints (PrivateLink) create an ENI (Elastic Network Interface) in the VPC, enabling API access via private IP addresses. They cost $0.01 per hour plus data processing charges. The security benefit of VPC Endpoints is that API requests are not exposed to the public internet. In environments like financial institutions and healthcare organizations where data paths must be strictly controlled, VPC Endpoints are essential. There's also a cost benefit of reducing NAT Gateway data processing charges ($0.045/GB). To systematically learn about AWS endpoint design, specialized books (Amazon) can be helpful.

Related Services

AWS IAMAn authentication and authorization service for securely managing access to AWS resourcesAmazon S3A scalable object storage serviceAmazon EC2A compute service that provides virtual servers in the cloud

Related Articles

Why AWS APIs Return XML - The Evolution from Query APIs to REST JSONExplore the historical reasons why S3 and EC2 APIs return XML responses, the differences between Query APIs and REST APIs, the evolution of authentication from Signature V2 to V4, and the complexity that SDKs abstract away.Why AWS Builds Regions Where It Does - The Hidden Criteria Behind Data Center Site SelectionWe explain the criteria AWS considers when deciding region locations, including power supply, geopolitical risk, data sovereignty legislation, network connectivity, and natural disaster risk, with concrete examples from specific regions.AWS Fault Domain Design - How the Three-Layer Structure of AZs, Regions, and Partitions Protects AvailabilityLearn why AWS infrastructure is designed with three layers of fault domains - AZs (fault isolation), Regions (geographic separation), and Partitions (political separation) - and how far failures propagate at each layer, with real-world examples.

More on This Topic

How AI-DLC Transforms Software Development - A Practical Guide to the Inception, Construction, and Operation PhasesAn overview of the AI-DLC methodology that places AI at the center of the development process. Learn about the three phases of Inception, Construction, and Operation, and how to put them into practice with Kiro and Amazon Q Developer.Hands-On with the AI-DLC Unicorn Gym Workshop - Learning AI-DLC Through Team DevelopmentA complete look at the hands-on workshop where you experience AI-DLC through three days of team development. Learn how to run Mob Elaboration and Mob Construction, and how to leverage open-source workflows.Visually Design Serverless Applications with AWS Application Composer - Automatic IaC Template GenerationLearn about visual design of serverless architectures with Application Composer, automatic SAM template generation, and VS Code integration.Artifact Repository Management - Building a Secure Package Management Platform with AWS CodeArtifactLearn how to build and operate an artifact repository using AWS CodeArtifact. This guide covers centralizing package management for npm, Maven, PyPI, and more, along with building secure build pipelines through CodeBuild integration.How AWS API Throttling Works - The Token Bucket Algorithm and the Truth Behind 429 ErrorsLearn how AWS API rate limiting is implemented using the token bucket algorithm, understand the concept of burst capacity, explore differences in throttling limits across services, and discover practical strategies to avoid throttling.Why AWS APIs Return XML - The Evolution from Query APIs to REST JSONExplore the historical reasons why S3 and EC2 APIs return XML responses, the differences between Query APIs and REST APIs, the evolution of authentication from Signature V2 to V4, and the complexity that SDKs abstract away.Browser-Based Shell Environment - Instant CLI Access with AWS CloudShellExplains the browser-based shell environment powered by AWS CloudShell. Covers the CLI environment available instantly from the AWS Management Console, pre-installed development tools, automatic IAM authentication integration, secure file management, and practical tips for improving operational efficiency.IaC with Programming Languages Using AWS CDK - Designing Constructs and StacksLearn about defining infrastructure with TypeScript/Python using CDK, choosing between L1/L2/L3 constructs, and testing techniques.

Similar Articles and Services

AWS PrivateLinkConnect privately from your VPC to AWS services and third-party services without traversing the internetPrivate Connectivity with AWS PrivateLink - VPC Endpoints and Endpoint ServicesConnect to AWS services privately without traversing the internet. Learn about free Gateway Endpoints and building Endpoint Services.AWS PrivateLinkA networking feature that enables private connectivity from within a VPC to AWS services and third-party services without traversing the internetWhat Is the VPC .2 Resolver? - AWS Internal DNS and Its Relationship with Route 53 ResolverLearn what the DNS resolver at the CIDR+2 address inside a VPC actually is, how it works with private hosted zones, how Route 53 Resolver endpoints enable hybrid DNS, and how to use DNS query logs.Amazon.com Is AWS's Biggest Customer - How Internal Dogfooding Drives Service QualityStarting from the fact that Amazon.com's e-commerce site, Prime Video, and Alexa all run on AWS, this article explores how internal dogfooding elevates service quality and how Prime Day's traffic demands have shaped AWS's architecture.