How to connect your network with China Azure/AWS?

China connectivity options

Plenty of global companies have a presence in China. China is a highly regulated environment, and integrating a mainland China environment with a non-China environment is not trivial: what is possible in a "global" (non-China) region might not be possible in China. The crucial question is how to connect to China in a way that delivers the best bandwidth and latency without giving up security.

In this article, I will present three options for how to connect to China. 

What is more, I performed Bandwidth and Latency tests for the two options that I think are the most commonly used. The results are presented in the article: https://cloud-cod.com/index.php/2023/11/06/china-connectivity-bandwidth-and-latency-tests/


General Information and Requirements

Based on the Aviatrix documentation https://docs.aviatrix.com/documentation/latest/planning-secure-networks/aviatrix-china-overview.html#aquire-china-icp-license :

  • “The Aviatrix Controller must be deployed in the China region, for example, AWS China Ningxia region. Currently, an Aviatrix Controller in the Global region (non-China) does not support Aviatrix Gateways deployment and management in the China region. Similarly, an Aviatrix Controller in the China region does not support Aviatrix Gateways deployment and management in the Global region. See Unsupported Topologies.

  • You must have an Internet Content Provider (ICP) license. An ICP license is required for opening a CSP account in the China region. For more information, see Acquiring a China ICP License.”

China Connectivity Design Options

Please note that the design options presented below are also relevant to AWS China.

Option#1 - the Public Internet

The simplest connectivity option leverages the Public Internet as shown below.

Considerations:

  • Traffic flows over the Public Internet and through the Great Firewall of China
  • The Public Internet path is not optimal, so the latency between the mainland China region and the non-China region is negatively affected
  • There is no dedicated bandwidth (nothing is guaranteed)
  • There is a BGP over IPsec connection between the Aviatrix Transit Gateways in the mainland China VNET and the non-China VNET
  • Traffic is encrypted in transit by IPsec, so the Great Firewall and any other device on the path sees only the encrypted tunnel between the two gateway endpoints, not the payload
  • Usually an appropriate solution for non-critical workloads

Option#2 - AliCloud VPC Peering

This solution uses the AliCloud network as the underlay for connectivity between the mainland China region and the non-China region: AliCloud inter-region VPC Peering carries the traffic from China to the outside world.

Considerations:

  • Traffic does not flow through the Public Internet and does NOT traverse the Great Firewall of China
  • AliCloud VPC Peering is used to route traffic between the mainland China region and the non-China region
  • Additional Aviatrix Transit Gateways must be deployed in both the mainland China region and the non-China region
  • There is a BGP over IPsec connection between the Aviatrix Transit Gateways in the mainland China AliCloud VPC and the non-China AliCloud VPC
  • Traffic is encrypted in transit by IPsec, so the peering underlay carries only the encrypted tunnel between the two gateways
  • The Aviatrix Transit Gateways in the AliCloud China VPC have Aviatrix Transit Peering connections with the Aviatrix Transit Gateways deployed in the mainland China Azure VNET
  • The Aviatrix Transit Gateways in the AliCloud non-China VPC have Aviatrix Transit Peering connections with the Aviatrix Transit Gateways deployed in the non-China Azure VNET
  • Latency is stable and predictable
  • Bandwidth is stable and predictable
  • Traffic flowing through inter-region VPC Peering incurs data transfer charges
  • In theory, the maximum inter-region VPC Peering bandwidth is 1024 Mbps (https://www.alibabacloud.com/help/en/vpc/user-guide/overview-6)
  • A good fit for critical traffic flows that require low latency

Option#3 - AliCloud CEN

The last option is similar to option#2, but AliCloud CEN is used instead of AliCloud VPC Peering. Note that AliCloud CEN offers higher bandwidth than AliCloud VPC Peering.

Considerations:

  • Traffic does not flow through the Public Internet and does NOT traverse the Great Firewall of China
  • AliCloud CEN (Cloud Enterprise Network, https://www.alibabacloud.com/product/cen) is used to route traffic between the mainland China region and the non-China region
  • Additional Aviatrix Transit Gateways must be deployed in both the mainland China region and the non-China region
  • There is a BGP over IPsec connection between the Aviatrix Transit Gateways in the mainland China AliCloud VPC and the non-China AliCloud VPC
  • Traffic is encrypted in transit by IPsec, so CEN carries only the encrypted tunnel between the two gateways
  • The Aviatrix Transit Gateways in the AliCloud China VPC have Aviatrix Transit Peering connections with the Aviatrix Transit Gateways deployed in the mainland China Azure VNET
  • The Aviatrix Transit Gateways in the AliCloud non-China VPC have Aviatrix Transit Peering connections with the Aviatrix Transit Gateways deployed in the non-China Azure VNET
  • Latency is stable and predictable
  • Bandwidth is stable and predictable
  • The cost is much higher than AliCloud VPC Peering (https://www.alibabacloud.com/pricing-calculator?spm=a3c0i.11197503.1194416010..63ec56d3KMFoY8#/commodity/cbn_bwp_pre_intl)
  • If you want to know more about this solution, please check out the Aviatrix Validated Design document: https://aviatrix.com/resources/design-guides/aviatrix-validated-design-alicloud
  • In theory, the maximum CEN bandwidth is 10 Gbps
  • A good fit not only for latency-sensitive flows but also for bandwidth-intensive traffic flows
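Whichever option is chosen, the claim that matters for both security and latency in the three lists above is whether the underlay path between the two IPsec tunnel endpoints really stays on private cloud addressing (option#2 and option#3) or crosses public Internet hops (option#1). The script below is an added example, not part of this article and not Aviatrix tooling: it parses traceroute output, assumed to be captured from a host on one side toward the remote gateway's underlay (tunnel endpoint) address, and classifies the hops. The two traceroute transcripts embedded in it are constructed samples that use RFC 1918 and 100.64.0.0/10 addresses for underlay hops and RFC 5737 documentation ranges in place of public hops; they are not real measurements.

```python
"""
Classify a traceroute between the two ends of a China / non-China link:
does the underlay path cross public Internet hops (option#1) or stay on
private cloud addressing (option#2 / option#3)?

Added example, not part of the article. The two transcripts below are
constructed samples; RFC 1918 / 100.64.0.0/10 addresses play the role of
cloud underlay hops and RFC 5737 documentation ranges stand in for public hops.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Address ranges a cloud underlay is expected to use between two tunnel
# endpoints. Python's IPv4Address.is_private also flags the RFC 5737
# documentation ranges, so membership is checked explicitly here instead.
UNDERLAY_RANGES = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "100.64.0.0/10", "169.254.0.0/16")
]

HOP_LINE = re.compile(r"^\s*(\d+)\s+(.*)$")          # "<ttl>  <rest of line>"
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
RTT = re.compile(r"([\d.]+)\s*ms")


@dataclass
class Hop:
    ttl: int
    ip: Optional[ipaddress.IPv4Address]   # None when the hop answered "* * *"
    rtts_ms: List[float] = field(default_factory=list)


def parse_traceroute(text: str) -> List[Hop]:
    """Parse Linux-style traceroute output into Hop records (header lines are skipped)."""
    hops = []
    for line in text.splitlines():
        m = HOP_LINE.match(line)
        if not m:
            continue
        ttl, rest = int(m.group(1)), m.group(2)
        ip_match = IPV4.search(rest)
        ip = ipaddress.ip_address(ip_match.group(1)) if ip_match else None
        rtts = [float(r) for r in RTT.findall(rest)]
        hops.append(Hop(ttl, ip, rtts))
    return hops


def is_underlay_address(ip: ipaddress.IPv4Address) -> bool:
    return any(ip in net for net in UNDERLAY_RANGES)


def classify_path(hops: List[Hop]) -> dict:
    """Summarise a path: public hops, silent hops, worst RTT and a verdict."""
    public = [h for h in hops if h.ip is not None and not is_underlay_address(h.ip)]
    silent = sum(1 for h in hops if h.ip is None)
    rtts = [r for h in hops for r in h.rtts_ms]
    if public:
        verdict = "public-internet"   # at least one hop outside the cloud underlay
    elif silent or not hops:
        verdict = "inconclusive"      # a silent hop may be a public device dropping ICMP
    else:
        verdict = "private-underlay"
    return {
        "hops": len(hops),
        "public_hops": [str(h.ip) for h in public],
        "first_public_ttl": public[0].ttl if public else None,   # where traffic leaves the underlay
        "silent_hops": silent,
        "max_rtt_ms": max(rtts) if rtts else None,
        "verdict": verdict,
    }


# Constructed sample: option#1, the remote tunnel endpoint is reached over public hops.
PUBLIC_PATH = """\
traceroute to 192.0.2.33 (192.0.2.33), 30 hops max, 60 byte packets
 1  10.100.0.1  0.412 ms  0.398 ms  0.380 ms
 2  100.64.12.1  1.021 ms  0.990 ms  1.003 ms
 3  203.0.113.17  2.114 ms  2.090 ms  2.201 ms
 4  * * *
 5  198.51.100.9  148.313 ms  149.002 ms  147.870 ms
 6  192.0.2.33  151.100 ms  150.870 ms  151.320 ms
"""

# Constructed sample: option#2 / option#3, every hop stays on cloud underlay ranges.
PRIVATE_PATH = """\
traceroute to 10.210.1.4 (10.210.1.4), 30 hops max, 60 byte packets
 1  10.110.0.1  0.301 ms  0.299 ms  0.310 ms
 2  100.64.40.1  0.877 ms  0.870 ms  0.902 ms
 3  100.64.40.129  38.502 ms  38.471 ms  38.600 ms
 4  10.210.1.4  41.230 ms  41.100 ms  41.310 ms
"""

if __name__ == "__main__":
    for name, text in (("option#1", PUBLIC_PATH), ("option#2/#3", PRIVATE_PATH)):
        print(name, classify_path(parse_traceroute(text)))
```

The verdict is deliberately conservative: a single public hop is enough to call the path "public-internet", and a path with silent hops but no public ones is reported as "inconclusive" rather than "private-underlay", because a hop that drops ICMP could equally be an Internet router. Run the traceroute toward the tunnel endpoint address, not toward a host behind the tunnel, otherwise you only see the overlay and learn nothing about the underlay path.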

Summary

There is no universally good or bad design; it all depends on your company's requirements and budget.

I hope this article was informative for you. If you are interested in comparing Bandwidth and Latency tests for option#1 (the Public Internet) and option#2 (AliCloud VPC Peering) please visit: https://cloud-cod.com/index.php/2023/11/06/china-connectivity-bandwidth-and-latency-tests/
