
If you’ve ever tried to move data between AWS Global and AWS China, you know it’s not just a matter of turning on replication. Cross-region replication doesn’t work. VPNs add complexity. And regulatory hurdles make everything feel… fragile.
So when I was asked to design a solution to sync S3 data into China — with no persistent infrastructure, no credential sharing, and full compliance — I knew I had to get creative.
And that’s how this surprisingly simple, serverless architecture was born.
💡The Problem That Sparked the Idea
Imagine you have a product that stores user-uploaded files in AWS Global (say Virginia), but your operations team or customer base in China needs access to those files.
There’s no direct S3-to-S3 path between the two regions. No magic checkbox.
I needed something lightweight, scalable, and compliant. And preferably serverless.
✨The Spark: What If China Pulled the File?
Instead of replicating or pushing data directly into China — which could trigger compliance alarms — what if we inverted the flow?
What if the China side pulled the file?
All it would need is a valid presigned URL.
🛠️ The Architecture That Emerged
Here’s the flow I built — and it’s simpler than you’d expect:
1. A file lands in the S3 bucket (Global).
2. That triggers a Lambda function, which generates a presigned URL.
3. The Lambda POSTs this URL to an API endpoint in AWS China.
4. The China-side API (API Gateway + Lambda) pulls the file using the URL and uploads it into an S3 bucket in the China region.

Why This Works Surprisingly Well
✅ Regulation-Friendly: Data enters China through a controlled pull initiated inside the region.
✅ No Credential Crossing: Global Lambda doesn’t need AWS China credentials (and vice versa).
✅ Purely Serverless: No EC2, no queues, no databases — just events and functions.
✅ Scalable by Design: Works for any number of files, assuming reasonable frequency and size.
Implementation in Brief
🌍 Global AWS Lambda (Triggered by S3)
- Enable S3 event notifications on object creation.
- Lambda creates a presigned URL and POSTs it to the China API endpoint.
🇨🇳 AWS China Lambda (Receives URL & Uploads to S3)
- API Gateway receives the request.
- Lambda parses the presigned URL.
- Lambda downloads the file (requests.get) and uploads it to S3 China using the standard SDK.
💡 Tip: Use environment variables to keep API URLs and bucket names flexible and secure.
Lessons and Watch-outs
⚠️ Presigned URL Expiry: The China side must download the file quickly after receiving the URL.
🔒 API Security: Use IP allowlists, tokens, and rate limiting to protect the China endpoint.
🔁 Retries: Build retry logic in case downloads fail or take too long.
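The expiry and endpoint-protection points above, as an added example that is not code from the original post: a check the China-side Lambda could run on the received URL before calling requests.get, so the endpoint only fetches from the expected source bucket and only while the URL is still valid. It assumes SigV4-style presigned URLs (X-Amz-Date, X-Amz-Expires and X-Amz-Signature query parameters); the bucket host, the 30-second margin and the function name are hypothetical.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Assumed configuration (hypothetical names): the only source host the
# China-side Lambda may fetch from, and the time needed for one download.
ALLOWED_HOSTS = {"example-global-bucket.s3.us-east-1.amazonaws.com"}
MIN_REMAINING = timedelta(seconds=30)

# Constructed sample; the signature value is a placeholder, not a real one.
SAMPLE_URL = (
    "https://example-global-bucket.s3.us-east-1.amazonaws.com/uploads/a.pdf"
    "?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20240101T000000Z"
    "&X-Amz-Expires=900&X-Amz-SignedHeaders=host&X-Amz-Signature=PLACEHOLDER"
)


def check_presigned_url(url, now=None, allowed_hosts=ALLOWED_HOSTS):
    """Return the URL's remaining lifetime, or raise ValueError if unsafe."""
    now = now or datetime.now(timezone.utc)
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("scheme must be https")
    # Reject credentials in the URL and non-default ports.
    if parts.username or parts.password or parts.port not in (None, 443):
        raise ValueError("userinfo or non-default port not allowed")
    # Exact host match: the endpoint must not fetch arbitrary URLs.
    if parts.hostname not in allowed_hosts:
        raise ValueError("host is not the expected source bucket")
    query = parse_qs(parts.query)
    try:
        signed_at = datetime.strptime(query["X-Amz-Date"][0], "%Y%m%dT%H%M%SZ")
        lifetime = timedelta(seconds=int(query["X-Amz-Expires"][0]))
        query["X-Amz-Signature"]  # presence check only; S3 verifies it
    except (KeyError, ValueError):
        raise ValueError("not a well-formed SigV4 presigned URL") from None
    # Expiry = signing time + X-Amz-Expires; require enough time to download.
    remaining = signed_at.replace(tzinfo=timezone.utc) + lifetime - now
    if remaining < MIN_REMAINING:
        raise ValueError("URL expired or too close to expiry")
    return remaining


if __name__ == "__main__":
    at = datetime(2024, 1, 1, 0, 5, tzinfo=timezone.utc)
    print(check_presigned_url(SAMPLE_URL, now=at))  # remaining lifetime
```

When the check passes, fetch with redirects disabled (allow_redirects=False in requests) so the host that was validated is the one actually contacted.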
🎉 Final Thoughts
Sometimes the best solution is the least flashy one. This “push + pull” model won’t handle terabytes per hour, but it elegantly solves the problem of syncing S3 data across geopolitical and regulatory lines — without spinning up heavy infrastructure.
If you’re dealing with similar constraints, this might just be the bridge you’re looking for.