Hands-On Lab: Defining and Exploring the AWS Global Infrastructure
Define the AWS global infrastructure
Welcome to this guided lab! The way you use AWS services for your cloud workloads is largely defined by the way AWS organizes its hardware, networking, and security infrastructure. In this lab, you will interact with the core components of the AWS Global Infrastructure: Regions, Availability Zones (AZs), and Global Services.
Prerequisites
Before starting this lab, ensure you have the following:
- AWS Account: An active AWS account. Free-tier eligibility is sufficient; we will not exceed it.
- AWS CLI Installed: The AWS Command Line Interface installed and configured with your credentials (`aws configure`).
- IAM Permissions: Your IAM user/role must have permissions for `ec2:DescribeRegions`, `ec2:DescribeAvailabilityZones`, `s3:CreateBucket`, `s3:DeleteBucket`, and `iam:ListUsers`.
- Terminal Access: A standard bash/zsh or PowerShell terminal.
Learning Objectives
By the end of this lab, you will be able to:
- Query and list available AWS Regions and Availability Zones (AZs) programmatically.
- Deploy a regional service resource (Amazon S3) and observe regional isolation.
- Interact with a global service (AWS IAM) and differentiate its behavior from regional services.
- Understand the structural hierarchy of the AWS Global Infrastructure.
Architecture Overview
The following diagrams illustrate the concepts we will be interacting with in this lab. The AWS Global Infrastructure is divided into Regions, which are further divided into independent Availability Zones.
Below is a hierarchical representation of how these physical structures are nested:
Step-by-Step Instructions
Step 1: Query Available AWS Regions
AWS performs its cloud magic using hundreds of thousands of servers maintained within physical data centers located in a widely distributed set of geographic regions. Let's list the regions currently available to your account.
```bash
aws ec2 describe-regions --output table
```
> [!TIP]
> Notice how some regions might not appear (like `us-gov-west-1`). Deploying resources into GovCloud or Secret regions requires special permission and an isolated partition.

Console alternative
- Log in to the AWS Management Console.
- Click the Region Dropdown in the top-right corner of the navigation bar.
- Observe the list of available regions (e.g., US East (N. Virginia), Asia Pacific (Tokyo)).
📸 Screenshot Placeholder: The AWS Console Region Dropdown showing multiple geographic locations.
Step 2: Explore Availability Zones (AZs) within a Region
To ensure High Availability (HA) and avoid a single point of failure, AWS divides each Region into multiple isolated Availability Zones (AZs). Let's see the AZs inside us-east-1.
```bash
aws ec2 describe-availability-zones --region us-east-1 --output table
```
Take note of the ZoneName values (e.g., `us-east-1a`, `us-east-1b`). Each of these represents one or more discrete physical data centers with redundant power, networking, and connectivity.
Console alternative
- In the AWS Management Console, navigate to the VPC Dashboard.
- Ensure your region is set to `us-east-1` (N. Virginia).
- In the left-hand menu, click Subnets.
- Look at the Availability Zone column for the default subnets to see how they map to `us-east-1a`, `us-east-1b`, etc.
📸 Screenshot Placeholder: VPC Subnets list highlighting the AZ column.
Step 3: Create a Regional Resource (Amazon S3)
As a general rule in AWS, a resource exists in one and only one Region. While Amazon S3 bucket names must be globally unique, the actual data is physically stored in a specific Region. Let's create an S3 bucket in the us-west-2 (Oregon) region.
Note: Replace `<YOUR_INITIALS>` and `<RANDOM_NUM>` to make your bucket name globally unique.
```bash
aws s3 mb s3://brainybee-global-infra-lab-<YOUR_INITIALS>-<RANDOM_NUM> --region us-west-2
```
Console alternative
- Navigate to the S3 Console.
- Click Create bucket.
- Enter your unique bucket name: `brainybee-global-infra-lab-<YOUR_INITIALS>-<RANDOM_NUM>`.
- Under AWS Region, select US West (Oregon) `us-west-2`.
- Leave all other settings as default and click Create bucket.
📸 Screenshot Placeholder: S3 bucket creation screen with the Region selector highlighted.
Step 4: Verify Regional Isolation
Try to query the location of the bucket to confirm it respects the regional boundary you defined.
```bash
aws s3api get-bucket-location --bucket brainybee-global-infra-lab-<YOUR_INITIALS>-<RANDOM_NUM>
```
The output should explicitly return "us-west-2".
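The commands in Steps 1, 2 and 4 emit JSON when run with `--output json`. The following added example (not part of the lab) processes such output offline: it builds the Region-to-AZ hierarchy, counts only true Availability Zones toward redundancy, and normalises the bucket location so the regional-isolation check in Step 4 cannot be fooled by S3's legacy `null`/`EU` values. The sample documents are constructed; the field names (`RegionName`, `OptInStatus`, `ZoneType`, `LocationConstraint`) are those of the real CLI output.

```python
"""Added example (not part of the lab): post-process the JSON the lab's CLI
commands emit with --output json. All sample documents below are constructed
to match the shape of describe-regions, describe-availability-zones and
get-bucket-location output; they are not captured from a live account."""
import json

DESCRIBE_REGIONS = json.loads("""{"Regions": [
 {"Endpoint": "ec2.us-east-1.amazonaws.com", "RegionName": "us-east-1", "OptInStatus": "opt-in-not-required"},
 {"Endpoint": "ec2.us-west-2.amazonaws.com", "RegionName": "us-west-2", "OptInStatus": "opt-in-not-required"},
 {"Endpoint": "ec2.af-south-1.amazonaws.com", "RegionName": "af-south-1", "OptInStatus": "not-opted-in"}]}""")

DESCRIBE_AZS = json.loads("""{"AvailabilityZones": [
 {"State": "available", "RegionName": "us-east-1", "ZoneName": "us-east-1a", "ZoneType": "availability-zone"},
 {"State": "available", "RegionName": "us-east-1", "ZoneName": "us-east-1b", "ZoneType": "availability-zone"},
 {"State": "available", "RegionName": "us-east-1", "ZoneName": "us-east-1-bos-1a", "ZoneType": "local-zone"},
 {"State": "unavailable", "RegionName": "us-west-2", "ZoneName": "us-west-2a", "ZoneType": "availability-zone"}]}""")

# Legacy LocationConstraint values S3 still returns for two old Regions.
LEGACY_LOCATIONS = {None: "us-east-1", "": "us-east-1", "EU": "eu-west-1"}


def deployable_regions(regions_doc):
    """Step 1: Regions the account can use now. Opt-in Regions that are
    still 'not-opted-in' appear in the listing but reject deployments."""
    return sorted(r["RegionName"] for r in regions_doc["Regions"]
                  if r["OptInStatus"] in ("opt-in-not-required", "opted-in"))


def usable_azs_by_region(azs_doc):
    """Step 2: map each Region to its *available* true AZs. Local Zones and
    Wavelength Zones share the parent Region but are not Availability Zones,
    so they must not be counted toward multi-AZ redundancy."""
    out = {}
    for z in azs_doc["AvailabilityZones"]:
        if z["State"] == "available" and z["ZoneType"] == "availability-zone":
            out.setdefault(z["RegionName"], []).append(z["ZoneName"])
    return {r: sorted(v) for r, v in out.items()}


def ha_ready(azs_doc, region, minimum=2):
    """True when a Region has enough usable AZs to avoid a single point of failure."""
    return len(usable_azs_by_region(azs_doc).get(region, [])) >= minimum


def bucket_region(location_doc):
    """Step 4: normalise get-bucket-location. S3 reports a us-east-1 bucket as
    LocationConstraint null, so a naive string compare against "us-east-1"
    would wrongly conclude the bucket has no Region."""
    loc = location_doc.get("LocationConstraint")
    return LEGACY_LOCATIONS.get(loc, loc)
```

Compare `bucket_region(...)` with the Region you passed to `aws s3 mb`; a mismatch means the bucket was not created where you intended.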
Step 5: Interact with a Global Service (AWS IAM)
Some AWS resources are not visibly tied to any one region. AWS Identity and Access Management (IAM) is a global service. Let's try to query IAM users. Notice that we do not need to specify a `--region` flag, because IAM operates across all Regions of the standard AWS partition simultaneously.
```bash
aws iam list-users
```
If you explicitly pass a region to a global endpoint, it generally ignores it or processes the request globally anyway. IAM structural data (users, groups, roles) is replicated globally by AWS automatically.
Console alternative
- Navigate to the IAM Console.
- Look at the top-right corner where the Region Dropdown is located.
- Notice that the region is labeled Global and the dropdown is disabled. You cannot select a specific region for IAM.
📸 Screenshot Placeholder: IAM Console top navigation bar showing "Global" instead of a specific region.
Checkpoints
Let's verify your progress:
- Region Check: Run `aws configure get region`. This shows your default local CLI region. Is it different from `us-west-2`? If yes, it highlights that you can interact with remote regions via API flags.
- S3 Check: Run `aws s3 ls`. You should see your newly created `brainybee-global-infra-lab` bucket in the list.
- IAM Check: Think about this: if `us-west-2` were to suffer a massive natural disaster and go offline, would you still be able to log in to AWS using your IAM user? (Answer: Yes, because IAM is a highly available global service.)
Teardown
> [!WARNING]
> Remember to run the teardown commands to avoid ongoing charges and clutter in your AWS account. S3 buckets do not cost much when empty, but it is best practice to clean up.
To delete the regional S3 bucket you created:
```bash
aws s3 rb s3://brainybee-global-infra-lab-<YOUR_INITIALS>-<RANDOM_NUM> --force
```
Console alternative
- Navigate to the S3 Console.
- Select the radio button next to your bucket: `brainybee-global-infra-lab-...`.
- Click Delete.
- Type the name of the bucket to confirm, then click Delete bucket.
Troubleshooting
| Common Error | Cause | Fix |
|---|---|---|
| `BucketAlreadyExists` | S3 bucket names must be globally unique across all of AWS. Someone else has already taken the name you typed. | Change the `<RANDOM_NUM>` or `<YOUR_INITIALS>` to something highly unique. |
| `Unable to locate credentials` | The AWS CLI is not configured with your access keys. | Run `aws configure` and provide your Access Key ID and Secret Access Key. |
| `AccessDenied` | Your IAM user lacks the necessary permissions to list regions or create S3 buckets. | Attach the ReadOnlyAccess and AmazonS3FullAccess managed policies to your IAM user. |
| `Invalid parameter: us-east-1` when running `describe-availability-zones` | Typo in the region name, or your account doesn't have access to that region. | Ensure you are typing `--region us-east-1` exactly. Use `aws ec2 describe-regions` to see valid spelling. |
Concept Review
| Concept | Scope | Example Service | High Availability Strategy |
|---|---|---|---|
| Global Service | Entire AWS Partition | IAM, CloudFront, Route 53 | Handled entirely by AWS across worldwide infrastructure. |
| Regional Service | Confined to one Region | Amazon S3, DynamoDB | Data is automatically replicated across multiple AZs within the same Region. |
| Zonal Service | Confined to one AZ | Amazon EC2, EBS Volumes | You must manually provision parallel resources in a second AZ (e.g., Load Balancer + Auto Scaling). |