

# Plan your deployment

 This section describes the Region, [Cost](cost.md), [Security](security-1.md), and [Quotas](quotas.md) considerations for planning your deployment. 

## Supported AWS Regions

 This Guidance uses services which may not be currently available in all AWS Regions. Launch this Guidance in an AWS Region where required services are available. For the most current availability by Region, refer to the [AWS Regional Services List](https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/). 

 **Supported Regions for deployment in AWS Regions** 


|  Region ID  |  Region Name  | 
| --- | --- | 
|  us-east-1  |  US East (N. Virginia)  | 
|  us-east-2  |  US East (Ohio)  | 
|  us-west-1  |  US West (N. California)  | 
|  us-west-2  |  US West (Oregon)  | 
|  ap-south-1  |  Asia Pacific (Mumbai)  | 
|  ap-northeast-2  |  Asia Pacific (Seoul)  | 
|  ap-southeast-1  |  Asia Pacific (Singapore)  | 
|  ap-southeast-2  |  Asia Pacific (Sydney)  | 
|  ap-southeast-4  |  Asia Pacific (Melbourne) | 
|  ap-northeast-1  |  Asia Pacific (Tokyo)  | 
|  ca-central-1  |  Canada (Central)  | 
|  ca-west-1  |  Canada (Calgary)  | 
|  eu-central-1  |  Europe (Frankfurt)  | 
|  eu-west-1  |  Europe (Ireland)  | 
|  eu-west-2  |  Europe (London)  | 
|  eu-west-3  |  Europe (Paris)  | 
|  eu-north-1  |  Europe (Stockholm)  | 
|  sa-east-1  |  South America (São Paulo)  | 
|  il-central-1  |  Israel (Tel Aviv)  | 

 **Supported Regions for deployment in AWS China Regions** 


|  Region ID  |  Region Name  | 
| --- | --- | 
|  cn-north-1  |  China (Beijing) Region Operated by Sinnet  | 
|  cn-northwest-1  |  China (Ningxia) Region Operated by NWCD  | 

# Cost

 You are responsible for the cost of the AWS services used while running this Guidance, which can vary based on whether you are transferring Amazon S3 objects or Amazon ECR images. 

 The Guidance automatically deploys an additional Amazon CloudFront Distribution and an Amazon S3 bucket for storing the static website assets in your account. You are responsible for the incurred variable charges from these services. For full details, refer to the pricing webpage for each AWS service you will be using in this Guidance. 

 The following examples demonstrate how to estimate the cost. Two example estimates are for transferring Amazon S3 objects, and one is for transferring ECR images. 

 **Cost of an Amazon S3 transfer task** 

 For an Amazon S3 transfer task, the cost can vary based on the total number of files and the average file size. 

 Example 1: As of this revision, transfer 1 TB of S3 files from AWS Oregon Region (`us-west-2`) to AWS Beijing Region (`cn-north-1`), and the average file size is **50MB**. 

 Total files: ~20,480 

 Average speed per Amazon EC2 instance: ~1GB/min 

 Total Amazon EC2 instance hours: ~17 hours 


|  AWS service  |  Dimensions  |  Cost  | 
| --- | --- | --- | 
|  Amazon EC2  |  $0.0084 per hour (t4g.micro)  |  $0.14  | 
|  Amazon S3  |  ~ 12 GET requests + 10 PUT requests per file; GET: $0.0004 per 1000 requests; PUT: $0.005 per 1000 requests  |  $0.12  | 
|  Amazon DynamoDB  |  ~2 write requests per file; $1.25 per million writes  |  $0.05  | 
|  Amazon SQS  |  ~2 requests per file; $0.40 per million requests  |  $0.01  | 
|  Data Transfer Out  |  $0.09 per GB  |  $92.16  | 
|  Others (for example, CloudWatch, Secrets Manager, etc.)  |   |  ~ $1  | 
|   |  TOTAL  |  ~ $94.48  | 

 Example 2: As of this revision, transfer 1 TB of S3 files from AWS Oregon region (`us-west-2`) to Mainland China Beijing Region (`cn-north-1`), and the average file size is **10KB**. 

 Total files: ~107,400,000 

 Average speed per Amazon EC2 instance: ~6MB/min (~10 files per sec) 

 Total Amazon EC2 instance hours: ~3000 hours 


|  AWS Service  |  Dimensions  |  Cost  | 
| --- | --- | --- | 
|  Amazon EC2  |  $0.0084 per hour (t4g.micro)  |  $25.20  | 
|  Amazon S3  |  ~ 2 GET requests + 1 PUT request per file; GET: $0.0004 per 1000 requests; PUT: $0.005 per 1000 requests  |  $622.34  | 
|  Amazon DynamoDB  |  ~2 write requests per file; $1.25 per million writes  |  $268.25  | 
|  Amazon SQS  |  ~2 requests per file; $0.40 per million requests  |  $85.92  | 
|  Data Transfer Out  |  $0.09 per GB  |  $92.16  | 
|  Others (for example, CloudWatch, Secrets Manager, etc.)  |   |  $20  | 
|   |  TOTAL  |  ~ $1,113.87  | 

 

 **Cost of an Amazon ECR transfer task** 

 For an Amazon ECR transfer task, the cost can vary based on network speed and total size of ECR images. 

 Example 3: As of this revision, transfer 27 Amazon ECR images (~3 GB in total size) from AWS Ireland Region (`eu-west-1`) to AWS Beijing Region (`cn-north-1`). The total runtime is about 6 minutes. 


|  AWS Service  |  Dimensions  |  Cost  | 
| --- | --- | --- | 
|  AWS Lambda  |  $0.0000004 per 100ms  |  $0.000072 (35221.95 ms)  | 
|  AWS Step Functions  |  $0.000025 per state transition (~ 60 state transitions per run in this case)  |  $0.0015  | 
|  Fargate  |  $0.04048 per vCPU per hour; $0.004445 per GB per hour (0.5 vCPU 1GB Memory)  |  $0.015 (~ 2200s)  | 
|  Data Transfer Out  |  $0.09 per GB  |  $0.27  | 
|  Others (for example, CloudWatch, Secrets Manager, etc.)  |  Almost 0  |  $0  | 
|   |  TOTAL  |  ~ $0.287  | 

# Security

 When you build systems on AWS infrastructure, security responsibilities are shared between you and AWS. This [shared responsibility model](https://aws.amazon.com/compliance/shared-responsibility-model/) reduces your operational burden because AWS operates, manages, and controls the components including the host operating system, the virtualization layer, and the physical security of the facilities in which the services operate. For more information about AWS security, see [AWS Cloud Security](https://aws.amazon.com/security/). 

## IAM roles

 AWS Identity and Access Management (IAM) roles allow customers to assign granular access policies and permissions to services and users on the AWS Cloud. This Guidance creates IAM roles that grant the Guidance's AWS Lambda functions, Amazon API Gateway, and Amazon Cognito access to create regional resources. 

## Amazon CloudFront

 This Guidance deploys a web console [hosted](https://docs.aws.amazon.com/AmazonS3/latest/dev/WebsiteHosting.html) in an Amazon S3 bucket. To help reduce latency and improve security, this Guidance includes an Amazon CloudFront distribution with an origin access identity, which is a CloudFront user that provides public access to the Guidance's website bucket contents. For more information, refer to [Restricting Access to Amazon S3 Content by Using an Origin Access Identity](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html) in the *Amazon CloudFront Developer Guide*. 
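
 A post-deployment check for the origin access identity setup described above, as an added example that is not part of the Guidance's own code: it audits a bucket policy and reports any `Allow` statement whose principal is not the expected OAI. The function names, the bucket name, and the OAI ID `E1EXAMPLEOAIID` are placeholders, and the sample policies are constructed on the assumption that the website bucket grants `s3:GetObject` to the OAI principal.

```python
OAI_ARN_PREFIX = "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity "

def principals(stmt):
    """Flatten a statement's Principal element into a list of strings."""
    p = stmt.get("Principal")
    if isinstance(p, dict):
        out = []
        for kind, value in p.items():
            values = value if isinstance(value, list) else [value]
            # Keep the kind on non-AWS principals (Service, CanonicalUser, ...)
            # so they are reported as unexpected rather than silently accepted.
            out += [v if kind == "AWS" else f"{kind}:{v}" for v in values]
        return out
    return [str(p)]

def audit_bucket_policy(policy, oai_id):
    """Return findings for Allow statements that reach beyond the given OAI."""
    expected = OAI_ARN_PREFIX + oai_id
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    findings = []
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotPrincipal" in stmt:
            findings.append(f"statement {i}: Allow with NotPrincipal")
            continue
        for p in principals(stmt):
            if p == "*":
                findings.append(f"statement {i}: public principal '*'")
            elif p != expected:
                findings.append(f"statement {i}: unexpected principal {p}")
    return findings

# Constructed sample policies; bucket name and OAI ID are placeholders.
OAI_ID = "E1EXAMPLEOAIID"
RESOURCE = "arn:aws:s3:::example-website-bucket/*"
LOCKED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": OAI_ARN_PREFIX + OAI_ID},
     "Action": "s3:GetObject", "Resource": RESOURCE}]}
OPEN = {"Version": "2012-10-17", "Statement": LOCKED["Statement"] + [
    {"Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": RESOURCE}]}

if __name__ == "__main__":
    print(audit_bucket_policy(LOCKED, OAI_ID))  # no findings expected
    print(audit_bucket_policy(OPEN, OAI_ID))
```

 A wildcard principal is reported even when the statement carries a `Condition`, so such statements get a manual review rather than a silent pass.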

# Quotas

## Quotas for AWS services in this Guidance

 Make sure you have sufficient quota for each of the services [implemented in this Guidance](aws-services-in-this-solution.md). For more information, see [AWS service quotas](https://docs.aws.amazon.com/general/latest/gr/aws_service_limits.html). 

 Choose one of the following links to go to the page for that service. To view the service quotas for all AWS services in the documentation without switching pages, view the information in the [Service endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/aws-general.pdf#aws-service-information) page in the PDF instead. 

## AWS CloudFormation quotas

 Your AWS account has AWS CloudFormation quotas that you should be aware of when launching the stack in this Guidance. By understanding these quotas, you can avoid limitation errors that would prevent you from deploying this Guidance successfully. For more information, refer to [AWS CloudFormation quotas](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cloudformation-limits.html) in the *AWS CloudFormation User Guide*. 