When in China, access to anything outside of China could be problematic due to the internet censorship. I hope to share my experience and tools which can be implemented to minimize the effects of this on corporate environments.
The Great Firewall of China (GFW) is the web censorship technology used by the government of Mainland China (which is controlled by the Communist Party of China, CPC) to regulate the Internet domestically. It is the main instrument used by the government to achieve Internet censorship in China. Obviously, the reason why this was implemented was to block anything that is deemed as a risk to the Communist Party of China (CPC). Therefore, if your businesses is in an industry or area that could be seen as a risk to the CPC then you should certainly be concerned and even if you implement some of the recommendations below, you may find it hard to operate in mainland China due to the legal/political factors. On the positive side if your industry is not classified as “risky” by the CPC then you will benefit from my recommendation below.
When consulting in China, I like to use a high level network diagram similar to the one below. It illustrates that if you are in China you should have no issues with accessibility to other sites in China. However, accessing from China something that is outside of China (including Hong Kong) is where the problems begin. External traffic is “filtered”. Although in the diagram I put in a firewall and people refer to this filtering as “The Great Firewall of China” it is a complex system that includes firewalls, proxy servers, URL filters and many other tools.
Although business in China may not mind that many sites are blocked, the problem is that this complex Internet censorship system introduces a lot of latency and instability. This latency and instability causes users access issues to business sites and other company sites that are outside of china. It is worth noting that creating an VPN connection to a site outside of china may give you access to blocked sites (eg Facebook or Google) however you are still at the mercy of the latency and instability issues. It is really important to understand that the Chinese government does not want to make it hard for businesses to do access business data – this is merely collateral effect from controlling the public internet access. This is also the reason why the below solutions are legal.
How to overcome the collateral business impact of The Great Firewall of China?
There are four main options:
- Global MPLS network
- MPLS in China with a single site outside of china to internet breakout
- Providers such as oneAs1a – Application Acceleration Network (AAN)
- SD-WAN with Application Acceleration Network or MPLS
Global MPLS network
All MPLS networks going from mainland China to the outside, bypass the Great Firewall of China. A simple solutions is to have a global MPLS network. Note that in china only select ISPs will be able to give you an MPLS network and you may be better off using one of these in China with a Hong Kong Site and another ISP for your Global MPLS with an interconnection in Hong Kong. This is the most expensive solution; however, it certainly would give the best performance.
MPLS in China with a single site outside of china to internet breakout
You can use one of the select few ISPs in China (eg. China Telecom) to provide the MPLS network with an internet break out in Hong Kong. This solution will give you the benefit of bypassing the Great Firewall and once outside it, utilizing SD-WAN or VPN for to connect to the other sites.
Providers such as oneAs1a – Application Acceleration Network (AAN)
These providers manage an internet censoring system for the government. Think of it as an instance of the censoring system which is run to the same guidelines as the main system, however you pay to go through it and they guarantee the latency. Once you provide the IP addresses, the service provider routes them through their managed system. You pay for the bandwidth that you need. This is the most cost affective solution and it is very simple to setup. A great benefit of this is that you can be anywhere in China and receive the benefit of the solution. So you do not have to be in your office.
SD-WAN with Application Acceleration Network or MPLS
Globally SD-WAN is becoming the norm for inter-site connectivity. You could try and architect the network with it. Personally I don’t believe that SD-WAN alone will be able to give you much of a improvement on latency as each ISP in China will have to go through the “Great Firewall” which will be the bottle neck. However if you have multiple carriers and one with Application Acceleration Network (AAN) then SD-WAN could play a role. Similar if you have two link on a site in China (Internet and MPLS), SD-WAN could try and send some traffic down the internet link at the times that the latency is low. A good real life example of this would be if you ware replicating large amounts of data from a site in China to a site outside of China and you have a 10Mb MPLS (or AAN) link and a 100Mb internet link. During the night SD-WAN would utilize both links and result in a much better performance.
I hope this helps you architect your global network when working on mainland China. Every business will have slightly different requirements and if you would like any more information or if you have any questions, feel free to reach out.