This chapter covers S3 Multi-Region Access Points (MRAPs), a powerful feature that enables you to build globally resilient, low-latency applications using a single endpoint across multiple AWS regions. For the SOA-C02 exam, MRAPs are tested under Domain 2.2 (Reliability) as a key mechanism for implementing cross-region failover and multi-region data access. Expect 2-3 questions directly on MRAP configuration, routing behavior, and integration with S3 Cross-Region Replication (CRR). Mastering this topic is critical for scenarios requiring high availability and disaster recovery for S3-based workloads.
Jump to a section
Imagine a global airline with multiple regional hubs (e.g., New York, London, Tokyo). Passengers (clients) need to reach any hub, but the airline wants to provide a single, unified booking code (e.g., 'GLOBAL') that automatically routes each passenger to the nearest available hub. The airline deploys a 'Global Router' service that advertises this single code to all airports. When a passenger arrives at any airport and requests the code 'GLOBAL', the local air traffic control (DNS) checks a routing table that maps the passenger's origin to the best hub based on current weather, congestion, and distance. The passenger is then directed to that hub without knowing which physical hub they'll use. If a hub goes down (e.g., London fog), the router updates the mapping to reroute London-bound passengers to Paris or New York, all while the passenger still uses the same 'GLOBAL' code. This is exactly how S3 Multi-Region Access Points work: you create a single global access point hostname that uses AWS Global Accelerator's anycast IPs and S3's cross-region replication to route clients to the nearest or healthiest bucket replica, providing automatic failover and low latency across regions.
An S3 Multi-Region Access Point (MRAP) is a global endpoint that spans multiple S3 buckets in different AWS regions. It provides a single hostname (e.g., my-mrap.accesspoint.s3-global.amazonaws.com) that automatically routes requests to one of the underlying buckets based on configured routing policies (e.g., latency-based routing or failover order). MRAPs are built on top of AWS Global Accelerator, which uses anycast IP addresses and the AWS global network to route traffic to the optimal region. This allows applications to achieve low-latency access from anywhere in the world and automatic failover if a bucket or region becomes unavailable.
Why MRAPs Exist
Before MRAPs, achieving multi-region access required complex setups: you had to manage multiple regional endpoints, implement custom routing logic (e.g., using Route 53 latency routing), and handle failover manually or with custom health checks. MRAPs simplify this by providing a managed, single endpoint that abstracts the underlying bucket locations. They also integrate with S3 Cross-Region Replication (CRR) to ensure data is consistent across regions. The primary use cases are: - Global applications that need low-latency access to data from multiple regions (e.g., content delivery, user uploads). - Disaster recovery with automatic failover to a secondary region if the primary fails. - Compliance where data must remain in specific geographic regions while providing a unified access point.
How MRAPs Work Internally
When a client makes a request to an MRAP endpoint, the following happens: 1. DNS Resolution: The client resolves the MRAP hostname to one of the Global Accelerator’s anycast IP addresses. These IPs are advertised from multiple edge locations worldwide. 2. Traffic Routing: Global Accelerator routes the request over the AWS global network to the region that provides the best performance (based on latency, health, and routing policy). 3. Request Handling: The MRAP in that region receives the request and forwards it to the associated bucket. The MRAP applies any access point policies (e.g., IAM policies, block public access) before reaching the bucket. 4. Failover: If the primary region is unhealthy (e.g., bucket is unreachable), Global Accelerator fails over to the next region in priority order.
Key Components and Configuration
- MRAP Resource: A logical entity that groups multiple regional access points. Each regional access point is associated with a bucket in a specific region. - Regional Access Points: These are standard S3 access points that exist within a region. An MRAP can contain up to 10 regional access points across different regions. - Routing Policies: - Latency-based: Requests are routed to the region with the lowest latency for the client. - Failover order: You define an ordered list of regions; traffic goes to the first healthy region in the list. - Block Public Access: MRAPs inherit the block public access settings from the underlying buckets. You can also set block public access at the MRAP level. - Cross-Region Replication (CRR): While MRAPs do not replicate data themselves, they are typically used with CRR to keep buckets in sync. You must configure CRR separately.
Defaults and Limits
Default routing policy: Latency-based.
Maximum number of regional access points per MRAP: 10.
MRAPs per AWS account: 1,000.
Request rate: MRAPs can handle thousands of requests per second, but the underlying buckets have their own limits (e.g., 3,500 PUT/5,500 GET per second per prefix).
Pricing: You pay for data transfer through Global Accelerator (per GB) and for each MRAP (per hour). There is no additional charge for failover routing.
Configuration Steps
Create S3 buckets in the desired regions and enable versioning (required for CRR).
Configure Cross-Region Replication (optional but recommended for data consistency).
Create regional access points for each bucket.
Create the MRAP and add the regional access points. Specify the routing policy (latency or failover order).
Update your application to use the MRAP endpoint.
AWS CLI Example:
# Create an MRAP with latency-based routing
aws s3control create-multi-region-access-point \
--account-id 123456789012 \
--details '{
"Name": "my-mrap",
"PublicAccessBlock": {
"BlockPublicAcls": true,
"BlockPublicPolicy": true,
"IgnorePublicAcls": true,
"RestrictPublicBuckets": true
},
"Regions": [
{"Bucket": "my-bucket-us-east-1", "BucketRegion": "us-east-1"},
{"Bucket": "my-bucket-eu-west-1", "BucketRegion": "eu-west-1"}
]
}'Verification Commands
# List MRAPs
aws s3control list-multi-region-access-points --account-id 123456789012
# Describe an MRAP
aws s3control get-multi-region-access-points --account-id 123456789012 --name my-mrap
# Test connectivity (using curl with the MRAP hostname)
curl -I https://my-mrap.accesspoint.s3-global.amazonaws.com/my-objectInteraction with Related Technologies
AWS Global Accelerator: Provides the anycast IP and global network routing. MRAPs automatically create an accelerator in your account (you can see it in the Global Accelerator console).
S3 Cross-Region Replication: Keeps data synchronized across regions. MRAPs do not replicate; you must set up CRR separately. The exam often tests that MRAPs and CRR are complementary but independent.
IAM Policies: You can attach IAM policies to the MRAP to control access. These policies are evaluated before the bucket policies.
VPC Endpoints: MRAPs can be accessed via Gateway VPC Endpoints for S3 (not interface endpoints). This allows traffic from VPCs to stay within the AWS network.
Important Exam Considerations
MRAPs support only S3 standard buckets (not S3 on Outposts, S3 Glacier, etc.).
Versioning must be enabled on all buckets if you intend to use CRR.
Failover order routing: If you specify a failover order, all traffic goes to the first region unless it fails health checks. Health checks are performed by Global Accelerator (TCP health checks to the bucket endpoint).
Latency-based routing does not guarantee that the same client always goes to the same region; it can change based on network conditions.
Data consistency: MRAPs provide eventual consistency for PUT operations when using CRR. If you need strong consistency, consider using S3 Object Lock or write-through caching.
Common Pitfalls
Forgetting to enable CRR: Candidates often assume MRAPs automatically replicate data. They do not. You must configure CRR separately.
Misunderstanding routing policies: Latency-based and failover order are mutually exclusive. You cannot use both simultaneously.
Overlooking IAM permissions: The MRAP requires permissions to access the underlying buckets. If the MRAP fails with access denied, check the bucket policies and IAM roles.
Assuming all S3 features are supported: Features like S3 Object Lock, S3 Batch Operations, and S3 Inventory are not supported through MRAPs. You must interact directly with the regional buckets for those.
Create S3 Buckets in Multiple Regions
Start by creating S3 buckets in at least two AWS regions. Enable versioning on each bucket because CRR requires versioning. Configure appropriate bucket policies and block public access settings. The buckets can have different names, but it's best practice to use a consistent naming convention (e.g., my-app-us-east-1, my-app-eu-west-1). Ensure the buckets are in the same AWS account as the MRAP. Cross-account MRAPs are not supported.
Set Up Cross-Region Replication
Configure CRR to replicate objects from the primary bucket to secondary buckets. This ensures data is available in all regions. You need to create IAM roles for S3 to assume for replication. The replication configuration can be one-way or bi-directional. For bi-directional, you must set up two replication rules. Note that CRR is asynchronous; there is no SLA on replication time. For exam purposes, remember that MRAPs do not handle replication; it's a separate configuration.
Create Regional Access Points
For each bucket, create a regional S3 access point. The access point provides a separate endpoint and can have its own IAM policy. Use the AWS CLI or Console to create the access point. Example CLI: `aws s3control create-access-point --account-id 123456789012 --bucket my-bucket-us-east-1 --name my-ap-us-east-1`. The access point name must be unique within the account per region. Note that the access point policy can restrict access further.
Create the Multi-Region Access Point
In the S3 console, navigate to Multi-Region Access Points and create a new MRAP. Provide a name (e.g., my-mrap). Add the regional access points you created. Choose a routing policy: latency-based or failover order. For failover order, specify the priority of regions. You can also configure block public access settings at the MRAP level. The MRAP will generate a global endpoint hostname like my-mrap.accesspoint.s3-global.amazonaws.com.
Update Application to Use MRAP Endpoint
Replace the regional bucket URLs in your application with the MRAP endpoint. For example, instead of `https://my-bucket-us-east-1.s3.amazonaws.com`, use `https://my-mrap.accesspoint.s3-global.amazonaws.com`. The application will automatically be routed to the optimal region. Test connectivity from different geographic locations to verify low-latency routing. Monitor the MRAP in CloudWatch for metrics like ActiveRegion and RequestCount.
Enterprise Scenario 1: Global Media Streaming Platform
A video streaming service stores user-uploaded content in S3 and serves it globally. They deploy buckets in us-east-1, eu-west-1, and ap-southeast-1. Using an MRAP with latency-based routing, users automatically fetch content from the nearest region, reducing latency by 60%. CRR ensures all regions have the same content. In production, they handle 10,000 requests per second. One challenge: when a new video is uploaded, it takes time to replicate to all regions. To mitigate, they use S3 Event Notifications to invalidate a CDN cache only after replication completes. Misconfiguration: initially, they set the MRAP without enabling CRR, causing users in Asia to get 404 errors for new uploads until replication was configured.
Enterprise Scenario 2: Financial Services Disaster Recovery
A financial institution requires automatic failover for regulatory reporting data. They have a primary bucket in us-east-1 and a secondary in us-west-2. They configure an MRAP with failover order (us-east-1 first, then us-west-2). They use CRR for one-way replication. During a simulated us-east-1 outage, Global Accelerator health checks detect the failure within 30 seconds and route traffic to us-west-2. The application experiences a brief interruption but recovers automatically. They monitor using CloudWatch alarms on the MRAP's ActiveRegion metric. A common mistake: they initially set the health check interval too long (default 10 seconds), causing longer failover times. They reduced it to 2 seconds for faster detection.
Enterprise Scenario 3: E-commerce Multi-Region Write
An e-commerce platform allows users to upload product images from anywhere. They deploy buckets in three continents and use an MRAP with latency-based routing for reads. However, writes go directly to a primary bucket (us-east-1) to avoid conflicts, and CRR replicates to other regions. They use a custom DNS to differentiate: writes go to a regional endpoint, reads to the MRAP. This hybrid approach ensures strong consistency for writes while benefiting from low-latency reads. Misconfiguration: they initially attempted to use MRAP for writes as well, but because CRR is eventually consistent, users sometimes saw stale data. They switched to direct writes to the primary.
What SOA-C02 Tests on MRAPs
Under Domain 2.2 (Reliability), the exam focuses on: - Objective 2.2.1: Implement multi-region solutions for disaster recovery. MRAPs are a key service for automatic failover. - Objective 2.2.2: Configure cross-region replication and data synchronization. The exam tests that MRAPs do not replicate data; CRR does. - Objective 2.2.3: Monitor and troubleshoot multi-region access. You may be asked about CloudWatch metrics like ActiveRegion and FailoverCount.
Common Wrong Answers and Why Candidates Choose Them
"MRAPs automatically replicate data across regions." This is the #1 trap. Candidates confuse MRAPs with CRR. Reality: MRAPs provide routing only; replication must be configured separately.
"MRAPs support all S3 storage classes." Wrong. MRAPs only work with S3 Standard buckets. They do not support Glacier, Deep Archive, or S3 One Zone-IA. Candidates often assume full compatibility.
"You can use both latency-based and failover order routing simultaneously." Incorrect. You must choose one routing policy during MRAP creation. The exam presents scenarios where you need to decide which policy to use.
"MRAPs provide strong consistency for writes." False. Because CRR is eventually consistent, MRAPs provide eventual consistency. The exam tests understanding of consistency models.
Specific Numbers and Terms on the Exam
Maximum 10 regional access points per MRAP.
1,000 MRAPs per account.
Global Accelerator health check interval: default 10 seconds, minimum 2 seconds.
**MRAP endpoint format: *.accesspoint.s3-global.amazonaws.com.**
Routing policies: `latency-based` and `failover-order`.
Edge Cases and Exceptions
If all regions are unhealthy: MRAP returns a 503 Service Unavailable error.
If a bucket is deleted: The MRAP will fail health checks for that region and failover to the next.
Cross-account MRAPs: Not supported. All buckets must be in the same account.
VPC Endpoints: Only Gateway VPC Endpoints for S3 are supported (not Interface endpoints).
How to Eliminate Wrong Answers
If the question mentions "automatic replication" or "data sync", the answer is likely CRR, not MRAP.
If the question asks about routing traffic to the nearest region, choose latency-based routing.
If the question asks about failover in a specific order, choose failover-order routing.
Watch for answers that claim MRAPs work with non-standard storage classes; those are wrong.
MRAPs provide a single global endpoint for accessing multiple S3 buckets across regions.
MRAPs do NOT replicate data; configure S3 Cross-Region Replication separately.
Choose between latency-based and failover-order routing policies during creation.
Maximum 10 regional access points per MRAP; maximum 1,000 MRAPs per account.
MRAPs only support S3 Standard buckets; not Glacier or One Zone-IA.
All buckets must be in the same AWS account.
Global Accelerator health checks detect region failures; default interval is 10 seconds (min 2).
MRAP endpoint format: <name>.accesspoint.s3-global.amazonaws.com.
MRAPs provide eventual consistency due to CRR latency.
Use Gateway VPC Endpoints for S3 to access MRAPs from VPCs.
These come up on the exam all the time. Here's how to tell them apart.
S3 Multi-Region Access Points (MRAP)
Provides a single global endpoint for routing requests.
Does not replicate data; only routes traffic.
Supports latency-based and failover-order routing.
Built on AWS Global Accelerator for anycast IPs.
Requires separate CRR configuration for data sync.
S3 Cross-Region Replication (CRR)
Replicates objects from source to destination buckets.
Does not provide a global endpoint; you manage separate endpoints.
No routing policy; it's a replication mechanism.
Uses S3 service internally, not Global Accelerator.
Works independently; can be used without MRAPs.
Mistake
MRAPs automatically replicate data across regions.
Correct
MRAPs provide a single endpoint for routing requests to multiple buckets, but they do not replicate data. You must configure S3 Cross-Region Replication separately to keep buckets in sync.
Mistake
MRAPs support all S3 storage classes.
Correct
MRAPs only support S3 Standard buckets. They do not support S3 Intelligent-Tiering, S3 One Zone-IA, S3 Glacier, or S3 Deep Archive. Buckets must be Standard.
Mistake
You can have both latency-based and failover-order routing active at the same time.
Correct
When creating an MRAP, you must choose one routing policy: either latency-based or failover-order. You cannot combine them.
Mistake
MRAPs provide strong read-after-write consistency.
Correct
Because MRAPs rely on CRR for data synchronization, which is eventually consistent, reads from different regions may not see the latest write immediately. Strong consistency is not guaranteed.
Mistake
MRAPs can be used with buckets in different AWS accounts.
Correct
All buckets associated with an MRAP must belong to the same AWS account. Cross-account MRAPs are not supported.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
No, MRAPs do not replicate data. They only route requests to the appropriate region based on the routing policy. To keep data synchronized across regions, you must configure S3 Cross-Region Replication (CRR) separately. The exam often tests this distinction: MRAPs are for routing, CRR is for replication.
Two routing policies: latency-based and failover-order. Latency-based routes each request to the region with the lowest network latency from the client. Failover-order routes traffic to the first healthy region in a user-defined priority list. You must choose one when creating the MRAP; you cannot use both simultaneously.
No. MRAPs only support S3 Standard buckets. The underlying buckets must be S3 Standard. If you need to store data in Glacier, you must transition objects after they are in the bucket, but the bucket itself must be Standard. The exam may present a scenario with non-standard storage classes as a distractor.
MRAP failover is managed by AWS Global Accelerator. It performs TCP health checks on the regional endpoints. If a region fails health checks (e.g., bucket is unreachable), Global Accelerator routes traffic to the next healthy region based on the routing policy. For latency-based, it simply picks the next lowest latency region; for failover-order, it follows the priority list. The default health check interval is 10 seconds, configurable down to 2 seconds.
The MRAP endpoint follows the format: `<mrap-name>.accesspoint.s3-global.amazonaws.com`. For example, if your MRAP is named 'my-mrap', the endpoint is `my-mrap.accesspoint.s3-global.amazonaws.com`. This hostname resolves to an anycast IP from AWS Global Accelerator.
No. All regional access points associated with an MRAP must belong to the same AWS account. This is a limitation. If you need cross-account access, you must use bucket policies or IAM roles, but the MRAP itself cannot span accounts.
Key metrics include ActiveRegion (which region is currently receiving traffic), RequestCount, and FailoverCount. You can set CloudWatch alarms on ActiveRegion changes to detect failover events. The exam may ask you to identify the metric that indicates a region change.
You've just covered S3 Multi-Region Access Points — now see how well it sticks with free SOA-C02 practice questions. Full explanations included, no account needed.
Done with this chapter?